From owner-freebsd-questions@freebsd.org  Thu Nov 16 21:37:53 2017
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9CB20DEA00B
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Thu, 16 Nov 2017 21:37:53 +0000 (UTC)
 (envelope-from rosettas@gmail.com)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com
 [IPv6:2a00:1450:400c:c0c::22f])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 27D766B879;
 Thu, 16 Nov 2017 21:37:53 +0000 (UTC)
 (envelope-from rosettas@gmail.com)
Received: by mail-wr0-x22f.google.com with SMTP id p96so396627wrb.7;
 Thu, 16 Nov 2017 13:37:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=ctCLHftkaycdQNZSAmi2AbiqzWfPh98jvdiu7OjM7Pc=;
 b=GYS2+BTe+eUyR7sg+uYs3LZOmLrLAoh9iromx2Oct2K4NZGVN624G5C9RMlWtiBHzN
 oir+1yaWvBT+cuIypCJCO30gDjkIKEOBQuxtvLBZQawh9x9KNitwq92YgtyU06ov1Xqk
 okbHiCRxrB4E8PbSC3hbU7EGSyQ3IBjn2edb8V/LOjwRdRWa6Bgy2ZZZ2aFDknS7iDtO
 H7VqwuRjNsfNjvmzlobrl57fRObl3laz8BP2T4+MxycZhYE9lhmLKAlpIVrshscHjeDO
 rtWnVR946WXMk91PkgH1jat4VtneKS2V/jl26dABPhNR802UHOpUKjWCczqvpOancRjv
 Zbdw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=ctCLHftkaycdQNZSAmi2AbiqzWfPh98jvdiu7OjM7Pc=;
 b=d2TvZ4xMRsyUlxHOum773d/7TSLImgoqF8YzRFX4ZaOMjT6k/2nkxSzrq28nTtfidU
 Ak+rzXbuaSrrgFapYww0jSqYDymfmgFrNz43g3iXcj9wroRqfoNhMqgVK6R8nStwcYx6
 2BzQtpt4vbkFtnxOerpYK4HakGNesO4lVndLLpTZwYni2kH5wepsvyxHtSvLDeQFpSTd
 MJJEhnHOerbj/3ZSPXZqIE1Tbl9eTIA3rLz0rHC2AMGP3BnclI/Mye1+LNUiB8bF7aCe
 g28jebMWnQceUNCQdJMZqdeQTY9ReQ1nvskpgaxF6YHTC3bGmHm6nH0oQFCnn7WyBCPH
 hGuA==
X-Gm-Message-State: AJaThX6z0wnDSgj+PmfW2X5tcu36g1q0gAo+9/ln27tHXug+03JdI9vg
 ZO/K2vQ5Ka18FJgQzP9Zuo1MOm4HrO8/vqhhkJvRiSWu
X-Google-Smtp-Source: AGs4zMbZUjzUwL6Etni109mCF6vBN7dDrnRK1CFmKig1ecD1UhII8Ae4ZtVqMdo5BINe96Sua4aTSLnTfEP+VEr7G+w=
X-Received: by 10.223.132.129 with SMTP id 1mr2496731wrg.136.1510868270946;
 Thu, 16 Nov 2017 13:37:50 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.125.8 with HTTP; Thu, 16 Nov 2017 13:37:49 -0800 (PST)
In-Reply-To: <5bfc5ffc-dc78-78e5-4bb8-a166db2027b5@FreeBSD.org>
References: <mailman.87.1509969603.28633.freebsd-questions@freebsd.org>
 <20171106235944.U9710@sola.nimnet.asn.au>
 <CAKV+xLCizjt5M+mJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY+4A@mail.gmail.com>
 <20171107033226.M9710@sola.nimnet.asn.au>
 <CAKV+xLBWgU6zmc7tQNA=0+=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com>
 <20171107162914.G9710@sola.nimnet.asn.au>
 <CAKV+xLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com>
 <20171108012948.A9710@sola.nimnet.asn.au>
 <CAKV+xLCQ9NE6+Eg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com>
 <CAKV+xLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N+TBjybMQ@mail.gmail.com>
 <20171111213759.I72828@sola.nimnet.asn.au>
 <CAKV+xLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi+x483=A@mail.gmail.com>
 <20171115185528.V72828@sola.nimnet.asn.au>
 <CAKV+xLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com>
 <CAKV+xLCB-ZkU0XNv9COa3p=xXAf3TutLZ=BwhQeu4KTxR1gupw@mail.gmail.com>
 <5bfc5ffc-dc78-78e5-4bb8-a166db2027b5@FreeBSD.org>
From: Cos Chan <rosettas@gmail.com>
Date: Thu, 16 Nov 2017 22:37:49 +0100
Message-ID: <CAKV+xLCAwnh8UKoWW4cDUoixXNk6FzdnA3-qUzjv4r4hp_6_yQ@mail.gmail.com>
Subject: Re: How to setup IPFW working with blacklistd
To: Kurt Lidl <lidl@freebsd.org>
Cc: Ian Smith <smithi@nimnet.asn.au>,
 freebsd-questions <freebsd-questions@freebsd.org>, 
 Michael Ross <gmx@ross.cx>
Content-Type: text/plain; charset="UTF-8"
X-Content-Filtered-By: Mailman/MimeDel 2.1.25
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Nov 2017 21:37:53 -0000

On Thu, Nov 16, 2017 at 3:57 PM, Kurt Lidl <lidl@freebsd.org> wrote:

> On 11/16/17 2:27 AM, Cos Chan wrote:
>
> In that case I test sshd MaxAuthTries=1 and blacklistd nfail=1 and still
>> get wired entry.
>>
>> $ sudo blacklistctl dump
>>          address/ma:port id      nfail   last access
>> 57.83.1.58/32:22 <http://57.83.1.58/32:22>           0/1     1970/01/01
>> 01:00:00
>>
>> $ sudo cat auth.log | grep 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
>> Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port
>> 51140 [preauth]
>> Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port
>> 51144 [preauth]
>>
>> $ cat blacklistd-helper.log | grep 'Nov 16'
>> ...
>> Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add
>> blacklistd tcp 120.237.88.186 32 22
>> Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add
>> blacklistd tcp 139.59.111.224 32 22
>>
>> No action from blacklistd-helper? how could that entry be added to
>> database?
>>
>> no logs concerning from blacklistd either
>>
>> $ cat blacklistd.log | grep 'Nov 16'
>> ...
>> Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 <
>> http://120.237.88.186/32:22> for -1 seconds
>> Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 <
>> http://139.59.111.224/32:22> for -1 seconds
>>
>
> Pre-auth failures from sshd, where the username isn't found ("Invalid user
> pi"), don't count against failed login attempts, because no
> authorization was ever attempted by sshd.
>
> I made the decision not to count these against the limit in blacklistd.
>
> There is a message sent from sshd to blacklistd when this occurs (bad
> username), but this is the part that isn't implemented in the backend,
> for banning addresses that hit known-bad usernames.
>

Sorry maybe forget my previous reply since I saw here something difference?

auth.log:
Nov 16 21:31:06 res sshd[37726]: Invalid user a from 79.175.154.178
Nov 16 21:31:06 res sshd[37726]: error: maximum authentication attempts
exceeded for invalid user a from 79.175.154.178 port 32900 ssh2 [preauth]
...
Nov 16 21:46:13 res sshd[37825]: Invalid user oracle from 79.175.154.178
Nov 16 21:46:13 res sshd[37825]: input_userauth_request: invalid user
oracle [preauth]
Nov 16 21:46:13 res sshd[37825]: error: maximum authentication attempts
exceeded for invalid user oracle from 79.175.154.178 port 53278 ssh2
[preauth]
Nov 16 21:46:13 res sshd[37825]: Disconnecting: Too many authentication
failures [preauth]

here says invalid user so should be not registered as failed attempts? But
it did.

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
 79.175.154.178/32:22   OK      2/2     2017/11/16 21:46:13
  82.135.31.115/32:22   OK      2/2     2017/11/16 21:43:45

The blacklistd-helper.log prove it was added by the invalid user attempts :

Thu Nov 16 21:46:13 CET 2017 /usr/libexec/blacklistd-helper run add
blacklistd tcp 79.175.154.178 32 22

BTW, here shows exactly what Ian expected.
The one "maximum authentication attempts" (=2 failed attempts in my host)
means one nfail in blacklistd.
That is better to update man page which says "number of failed attempts".

And why most of invalid user attempts added as blocked entries but still
few similar attempts not added?


>
>
>
> -Kurt
>



-- 
with kind regards