Date:      Thu, 16 Nov 2017 22:37:49 +0100
From:      Cos Chan <rosettas@gmail.com>
To:        Kurt Lidl <lidl@freebsd.org>
Cc:        Ian Smith <smithi@nimnet.asn.au>, freebsd-questions <freebsd-questions@freebsd.org>,  Michael Ross <gmx@ross.cx>
Subject:   Re: How to setup IPFW working with blacklistd
Message-ID:  <CAKV%2BxLCAwnh8UKoWW4cDUoixXNk6FzdnA3-qUzjv4r4hp_6_yQ@mail.gmail.com>
In-Reply-To: <5bfc5ffc-dc78-78e5-4bb8-a166db2027b5@FreeBSD.org>
References:  <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com> <20171107033226.M9710@sola.nimnet.asn.au> <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com> <20171107162914.G9710@sola.nimnet.asn.au> <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com> <20171108012948.A9710@sola.nimnet.asn.au> <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com> <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com> <20171111213759.I72828@sola.nimnet.asn.au> <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com> <20171115185528.V72828@sola.nimnet.asn.au> <CAKV%2BxLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com> <CAKV%2BxLCB-ZkU0XNv9COa3p=xXAf3TutLZ=BwhQeu4KTxR1gupw@mail.gmail.com> <5bfc5ffc-dc78-78e5-4bb8-a166db2027b5@FreeBSD.org>

On Thu, Nov 16, 2017 at 3:57 PM, Kurt Lidl <lidl@freebsd.org> wrote:

> On 11/16/17 2:27 AM, Cos Chan wrote:
>
>> In that case I test sshd MaxAuthTries=1 and blacklistd nfail=1 and still
>> get a weird entry.
>>
>> $ sudo blacklistctl dump
>>          address/ma:port id      nfail   last access
>> 57.83.1.58/32:22           0/1     1970/01/01 01:00:00
>>
>> $ sudo cat auth.log | grep 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port
>> 51140 [preauth]
>> Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port
>> 51144 [preauth]
>>
>> $ cat blacklistd-helper.log | grep 'Nov 16'
>> ...
>> Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add
>> blacklistd tcp 120.237.88.186 32 22
>> Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add
>> blacklistd tcp 139.59.111.224 32 22
>>
>> No action from blacklistd-helper? How could that entry be added to the
>> database?
>>
>> No logs concerning it from blacklistd either.
>>
>> $ cat blacklistd.log | grep 'Nov 16'
>> ...
>> Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 for -1 seconds
>> Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 for -1 seconds
>>
>
> Pre-auth failures from sshd, where the username isn't found ("Invalid user
> pi"), don't count against failed login attempts, because no
> authorization was ever attempted by sshd.
>
> I made the decision not to count these against the limit in blacklistd.
>
> There is a message sent from sshd to blacklistd when this occurs (bad
> username), but this is the part that isn't implemented in the backend,
> for banning addresses that hit known-bad usernames.
>

Sorry, maybe forget my previous reply, since I saw something different here?

auth.log:
Nov 16 21:31:06 res sshd[37726]: Invalid user a from 79.175.154.178
Nov 16 21:31:06 res sshd[37726]: error: maximum authentication attempts
exceeded for invalid user a from 79.175.154.178 port 32900 ssh2 [preauth]
...
Nov 16 21:46:13 res sshd[37825]: Invalid user oracle from 79.175.154.178
Nov 16 21:46:13 res sshd[37825]: input_userauth_request: invalid user
oracle [preauth]
Nov 16 21:46:13 res sshd[37825]: error: maximum authentication attempts
exceeded for invalid user oracle from 79.175.154.178 port 53278 ssh2
[preauth]
Nov 16 21:46:13 res sshd[37825]: Disconnecting: Too many authentication
failures [preauth]

Here it says invalid user, so it should not be registered as a failed attempt?
But it did.

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
 79.175.154.178/32:22   OK      2/2     2017/11/16 21:46:13
  82.135.31.115/32:22   OK      2/2     2017/11/16 21:43:45

The blacklistd-helper.log proves it was added by the invalid user attempts:

Thu Nov 16 21:46:13 CET 2017 /usr/libexec/blacklistd-helper run add
blacklistd tcp 79.175.154.178 32 22

BTW, this shows exactly what Ian expected.
One "maximum authentication attempts" event (= 2 failed attempts on my host)
means one nfail in blacklistd.
It would be better to update the man page, which says "number of failed attempts".

And why are most invalid user attempts added as blocked entries, but still a
few similar attempts not added?


>
>
>
> -Kurt
>



-- 
with kind regards
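As an added example (not code from this thread, and not part of blacklistd or sshd), the following script reconciles the two logs the thread compares: it counts, per source address, the "Invalid user" lines and the "maximum authentication attempts exceeded" events in auth.log, then checks which addresses the helper actually added. The sample lines are the ones quoted above, unwrapped onto single lines; the regular expressions are assumptions fitted to those lines and may need adjusting for other sshd versions; nfail=2 is taken from the "2/2" in the dump output above. An address that only shows "Invalid user" lines and no MaxAuthTries event ends up "below threshold", which is the case Kurt describes.

```python
import re
from collections import Counter

# Constructed sample input, taken from the log excerpts quoted in this thread.
# 57.83.1.58 only produced "Invalid user" lines and closed the connection before
# any authentication attempt; 79.175.154.178 hit MaxAuthTries twice.
AUTH_LOG = """\
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140 [preauth]
Nov 16 21:31:06 res sshd[37726]: Invalid user a from 79.175.154.178
Nov 16 21:31:06 res sshd[37726]: error: maximum authentication attempts exceeded for invalid user a from 79.175.154.178 port 32900 ssh2 [preauth]
Nov 16 21:46:13 res sshd[37825]: Invalid user oracle from 79.175.154.178
Nov 16 21:46:13 res sshd[37825]: input_userauth_request: invalid user oracle [preauth]
Nov 16 21:46:13 res sshd[37825]: error: maximum authentication attempts exceeded for invalid user oracle from 79.175.154.178 port 53278 ssh2 [preauth]
Nov 16 21:46:13 res sshd[37825]: Disconnecting: Too many authentication failures [preauth]
"""

# The helper log line as quoted in the thread, unwrapped back onto one line.
HELPER_LOG = """\
Thu Nov 16 21:46:13 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 79.175.154.178 32 22
"""

# Assumed patterns, fitted to the lines above.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
INVALID_USER_RE = re.compile(r"sshd\[\d+\]: Invalid user \S+ from " + IPV4)
MAX_AUTH_RE = re.compile(
    r"sshd\[\d+\]: error: maximum authentication attempts exceeded for "
    r"(?:invalid user )?\S+ from " + IPV4)
# Argument order follows the helper invocation quoted above: proto addr masklen port.
HELPER_ADD_RE = re.compile(
    r"blacklistd-helper run add blacklistd (\S+) " + IPV4 + r" (\d+) (\d+)")


def count_sshd_events(auth_log):
    """Count, per source address, 'Invalid user' lines and MaxAuthTries events.

    Only the second kind is expected to advance blacklistd's nfail counter,
    which is the behaviour observed in the thread.
    """
    invalid_user = Counter()
    max_auth = Counter()
    for line in auth_log.splitlines():
        m = INVALID_USER_RE.search(line)
        if m:
            invalid_user[m.group(1)] += 1
        m = MAX_AUTH_RE.search(line)
        if m:
            max_auth[m.group(1)] += 1
    return invalid_user, max_auth


def blocked_addresses(helper_log):
    """Return {addr: (proto, masklen, port)} for every 'run add' the helper logged."""
    blocked = {}
    for line in helper_log.splitlines():
        m = HELPER_ADD_RE.search(line)
        if m:
            proto, addr, masklen, port = m.groups()
            blocked[addr] = (proto, int(masklen), int(port))
    return blocked


def reconcile(auth_log, helper_log, nfail=2):
    """Compare MaxAuthTries events per address against helper 'add' actions.

    nfail is the blacklistd.conf threshold; 2 matches the '2/2' shown by
    'blacklistctl dump -b' in this thread.
    """
    invalid_user, max_auth = count_sshd_events(auth_log)
    blocked = blocked_addresses(helper_log)
    report = {}
    for addr in sorted(set(invalid_user) | set(max_auth) | set(blocked)):
        n = max_auth.get(addr, 0)
        if addr in blocked and n >= nfail:
            status = "blocked as expected"
        elif addr in blocked:
            status = "blocked below threshold"
        elif n >= nfail:
            status = "threshold reached but no helper add"
        else:
            status = "below threshold"
        report[addr] = {
            "invalid_user_lines": invalid_user.get(addr, 0),
            "max_auth_events": n,
            "blocked": addr in blocked,
            "status": status,
        }
    return report


if __name__ == "__main__":
    for addr, info in reconcile(AUTH_LOG, HELPER_LOG).items():
        print(addr, info)
```

Running it against real files is a matter of reading auth.log and blacklistd-helper.log into the two strings; addresses reported as "threshold reached but no helper add" are the cases worth comparing against blacklistctl dump -b, since they reached the sshd limit without a corresponding add from the helper.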


