From: Cos Chan
Date: Thu, 16 Nov 2017 22:37:49 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Kurt Lidl
Cc: Ian Smith, freebsd-questions, Michael Ross

On Thu, Nov 16, 2017 at 3:57 PM, Kurt Lidl wrote:
> On 11/16/17 2:27 AM, Cos Chan wrote:
>
>> In that case I test sshd MaxAuthTries=1 and blacklistd nfail=1 and still
>> get a weird entry.
>>
>> $ sudo blacklistctl dump
>>         address/ma:port id      nfail   last access
>> 57.83.1.58/32:22                0/1     1970/01/01 01:00:00
>>
>> $ sudo cat auth.log | grep 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140 [preauth]
>> Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port 51144 [preauth]
>>
>> $ cat blacklistd-helper.log | grep 'Nov 16'
>> ...
>> Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 120.237.88.186 32 22
>> Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 139.59.111.224 32 22
>>
>> No action from blacklistd-helper? How could that entry be added to the
>> database?
>>
>> No logs concerning it from blacklistd either:
>>
>> $ cat blacklistd.log | grep 'Nov 16'
>> ...
>> Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 for -1 seconds
>> Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 for -1 seconds
>
> Pre-auth failures from sshd, where the username isn't found ("Invalid user
> pi"), don't count against failed login attempts, because no
> authorization was ever attempted by sshd.
>
> I made the decision not to count these against the limit in blacklistd.
>
> There is a message sent from sshd to blacklistd when this occurs (bad
> username), but this is the part that isn't implemented in the backend,
> for banning addresses that hit known-bad usernames.

Sorry, maybe forget my previous reply, since I saw something different here?

auth.log:

Nov 16 21:31:06 res sshd[37726]: Invalid user a from 79.175.154.178
Nov 16 21:31:06 res sshd[37726]: error: maximum authentication attempts exceeded for invalid user a from 79.175.154.178 port 32900 ssh2 [preauth]
...
Nov 16 21:46:13 res sshd[37825]: Invalid user oracle from 79.175.154.178
Nov 16 21:46:13 res sshd[37825]: input_userauth_request: invalid user oracle [preauth]
Nov 16 21:46:13 res sshd[37825]: error: maximum authentication attempts exceeded for invalid user oracle from 79.175.154.178 port 53278 ssh2 [preauth]
Nov 16 21:46:13 res sshd[37825]: Disconnecting: Too many authentication failures [preauth]

Here it says invalid user, so it should not be registered as failed attempts? But it was.

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
79.175.154.178/32:22    OK      2/2     2017/11/16 21:46:13
82.135.31.115/32:22     OK      2/2     2017/11/16 21:43:45

The blacklistd-helper.log proves it was added by the invalid user attempts:

Thu Nov 16 21:46:13 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 79.175.154.178 32 22

BTW, this shows exactly what Ian expected: one "maximum authentication attempts" (= 2 failed attempts on my host) means one nfail in blacklistd. It would be better to update the man page, which says "number of failed attempts".

And why are most of the invalid user attempts added as blocked entries, but still a few similar attempts are not added?

> -Kurt

-- 
with kind regards
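As an added example that is not part of this thread and not code from blacklistd or FreeBSD, the following Python script correlates the three records quoted in the message above (sshd's auth.log, blacklistd-helper.log and blacklistctl dump) to answer the closing question: which sources that hit sshd's MaxAuthTries limit have a matching blacklistd action, and which do not. It also checks the poster's observation that one "maximum authentication attempts exceeded" event shows up as exactly one nfail. The sample lines are constructed from the formats visible in the thread; the address 198.51.100.7 (an RFC 5737 documentation address) and its two log lines are invented to show a source that hit the limit but never appears in blacklistd's records. The regular expressions match only the message shapes quoted above, so other sshd messages are ignored.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, modelled on the log formats quoted in this thread.
# 198.51.100.7 (RFC 5737 documentation address) is invented to show a source
# that hit the sshd limit but never appears in blacklistd's own records.
AUTH_LOG = """\
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140 [preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port 51144 [preauth]
Nov 16 21:31:06 res sshd[37726]: Invalid user a from 79.175.154.178
Nov 16 21:31:06 res sshd[37726]: error: maximum authentication attempts exceeded for invalid user a from 79.175.154.178 port 32900 ssh2 [preauth]
Nov 16 21:46:13 res sshd[37825]: Invalid user oracle from 79.175.154.178
Nov 16 21:46:13 res sshd[37825]: input_userauth_request: invalid user oracle [preauth]
Nov 16 21:46:13 res sshd[37825]: error: maximum authentication attempts exceeded for invalid user oracle from 79.175.154.178 port 53278 ssh2 [preauth]
Nov 16 21:46:13 res sshd[37825]: Disconnecting: Too many authentication failures [preauth]
Nov 16 21:50:02 res sshd[37901]: Invalid user test from 198.51.100.7
Nov 16 21:50:02 res sshd[37901]: error: maximum authentication attempts exceeded for invalid user test from 198.51.100.7 port 40012 ssh2 [preauth]
"""

HELPER_LOG = """\
Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 120.237.88.186 32 22
Thu Nov 16 21:46:13 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 79.175.154.178 32 22
"""

# Rows in the "blacklistctl dump" format quoted above; a row without an id
# in the second column is one blacklistd has recorded but not blocked.
DUMP = """\
        address/ma:port id      nfail   last access
79.175.154.178/32:22    OK      2/2     2017/11/16 21:46:13
57.83.1.58/32:22                0/1     1970/01/01 01:00:00
"""

RE_INVALID = re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>[\d.]+)$")
RE_MAXTRIES = re.compile(r"maximum authentication attempts exceeded for .* from (?P<ip>[\d.]+) port \d+")
RE_CLOSED = re.compile(r"Connection closed by (?P<ip>[\d.]+) port \d+ \[preauth\]")
RE_HELPER = re.compile(r"blacklistd-helper run add \S+ (?:tcp|udp) (?P<ip>[\d.]+) \d+ (?P<port>\d+)")
RE_DUMP = re.compile(r"^(?P<ip>[\d.]+)/\d+:(?P<port>\d+)\s+(?P<id>OK)?\s*(?P<nfail>\d+)/(?P<limit>\d+)")


def parse_auth_log(text):
    """Count sshd pre-auth events per source address."""
    events = defaultdict(Counter)
    for line in text.splitlines():
        for kind, rx in (("invalid_user", RE_INVALID),
                         ("maxtries", RE_MAXTRIES),
                         ("closed", RE_CLOSED)):
            m = rx.search(line)
            if m:
                events[m.group("ip")][kind] += 1
    return events


def parse_helper_log(text):
    """Return the set of addresses blacklistd-helper was asked to add."""
    return {m.group("ip") for m in map(RE_HELPER.search, text.splitlines()) if m}


def parse_dump(text):
    """Parse blacklistctl dump rows into {ip: {"id", "nfail", "limit"}}."""
    rows = {}
    for line in text.splitlines():
        m = RE_DUMP.match(line)
        if m:
            rows[m.group("ip")] = {"id": m.group("id"),
                                   "nfail": int(m.group("nfail")),
                                   "limit": int(m.group("limit"))}
    return rows


def triage(auth, helper, dump):
    """Classify each source seen by sshd against blacklistd's own records.

    'blocked'              helper ran for it, or its dump row carries an id
    'maxtries-not-blocked' sshd hit the limit but blacklistd never acted
    'invalid-user-only'    only unknown usernames, no authentication attempted
    """
    report = {}
    for ip, ev in auth.items():
        row = dump.get(ip)
        blocked = ip in helper or (row is not None and row["id"] is not None)
        if blocked:
            status = "blocked"
        elif ev["maxtries"]:
            status = "maxtries-not-blocked"
        elif ev["invalid_user"]:
            status = "invalid-user-only"
        else:
            status = "no-failures"
        report[ip] = {
            "status": status,
            "maxtries_events": ev["maxtries"],
            "nfail": row["nfail"] if row else None,
            # the poster's observation: one "maximum authentication attempts"
            # event is counted as one nfail, not as MaxAuthTries failures
            "nfail_equals_maxtries": row is not None and row["nfail"] == ev["maxtries"],
        }
    return report


if __name__ == "__main__":
    result = triage(parse_auth_log(AUTH_LOG), parse_helper_log(HELPER_LOG), parse_dump(DUMP))
    for ip, info in sorted(result.items()):
        print(f"{ip:16} {info['status']:22} maxtries={info['maxtries_events']} nfail={info['nfail']}")
```

Run against real files, `parse_auth_log(open("/var/log/auth.log").read())` and the same for the helper log and the captured `blacklistctl dump` output, the "maxtries-not-blocked" bucket is the list of sources the message's last question is about; "invalid-user-only" rows are the ones the quoted reply explains (no authentication was attempted, so nothing was counted).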