List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Subject: Re: Blacklistd Issues - Problem Identified
From: Michael Grimm
To: questions@freebsd.org
Cc: Doug Hardie
Date: Tue, 18 Apr 2023 12:08:04 +0200
Message-Id: <6BD45EAE-D626-4B16-8C24-197FFE34E601@ellael.org>
In-Reply-To: <24171551-4181-49C8-B1DE-2C3D9A00DC4C@sermon-archive.info>
References: <8B1C1DCE-75CA-4CE9-A589-329519FB792E@sermon-archive.info> <4E4A4B99-D8DF-4C5C-9700-C56F354A9991@sermon-archive.info> <24171551-4181-49C8-B1DE-2C3D9A00DC4C@sermon-archive.info>

Doug Hardie wrote:

>> On Apr 17, 2023, at 16:42, Doug Hardie wrote:
>> 
>> After digging through the code for blacklistd I find that postfix and my web server call blacklistd with a type of 1 (BL_ADD) and sure enough, blacklistd calls the helper to add the pf rule. However, sshd calls with type 4 (BL_BADUSER) and there is a note in the handling of that type that says "Ignore for now". And that it does, i.e., nothing. So the problem is in sshd using a type that is not implemented, or in blacklistd which does not implement the BADUSER type. I wonder if Release 13.2 will fix either of those.
>> 
> 
> The following patch is a temporary fix for the problem:
> 
> --- blacklistd.c.orig	2023-04-17 22:58:47.552759000 -0700
> +++ blacklistd.c	2023-04-17 22:46:32.069666000 -0700
> @@ -225,6 +225,7 @@
>  		if (c.c_nfail != -1)
>  			dbi.count = c.c_nfail - 1;
>  		/*FALLTHROUGH*/
> +	case BL_BADUSER:
>  	case BL_ADD:
>  		dbi.count++;
>  		dbi.last = ts.tv_sec;
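Review bot: the new `case BL_BADUSER:` label in @@ -225,6 +225,7 @@ makes a bad-user report indistinguishable from a plain BL_ADD failure, and nothing in blacklistd.conf lets an administrator say otherwise; if this is submitted as a PR it should either document that BADUSER now counts toward nfail like any other failure, or, better, add a per-entry option so the previous "ignore" behaviour stays selectable. The placement itself is sound: the label sits between the `/*FALLTHROUGH*/` of the preceding arm and `case BL_ADD:`, so that arm still reaches `dbi.count++` and BL_BADUSER takes the same increment and `dbi.last = ts.tv_sec` path.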
> @@ -260,9 +261,9 @@
>  		dbi.count = 0;
>  		dbi.last = 0;
>  		break;
> -	case BL_BADUSER:
> -		/* ignore for now */
> -		break;
> +//	case BL_BADUSER:
> +//		/* ignore for now */
> +//		break;
>  	default:
>  		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
>  	}
> 
> 
> Basically the BADUSER call from sshd is moved to the ADD function. So instead of what was supposed to be an immediate shutdown on one bad authentication regardless of the conf settings, it now follows the config settings rule. I am not convinced that sshd should use the BADUSER call. It causes a single typo to lock you out. It seems to me that it should use the ADD function so the admin gets to choose the proper number of bad authentications before lockout.
> 
> I'd submit a PR on this, but all the PRs I have submitted have been left to wither on the vine.
> 
> -- Doug

Please do so. This has been discussed before [1], and I will definitely support your patch or a solution that makes BADUSER configurable.

I am currently testing your patch.

[1] https://lists.freebsd.org/archives/freebsd-questions/2023-March/003056.html

Thanks and regards,
Michael
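Review bot: in the second hunk (@@ -260,9 +261,9 @@) the old BL_BADUSER arm is commented out with `//` instead of deleted; for a submitted PR the three lines `-	case BL_BADUSER:`, `-		/* ignore for now */`, `-		break;` should simply go, since commented-out code and C++-style `//` comments do not match the surrounding C source and leave a stale "ignore for now" that no longer describes what the daemon does. The hunk is otherwise consistent with the first: once the label is moved up, BL_BADUSER needs no arm of its own here and cannot reach `default:`, so the "unknown message" log line is unaffected.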
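The counting logic the thread argues about, as an added example that is not blacklistd's own code and not the patch above: a small model of the per-client failure accounting in the daemon's message switch, with the stock handling of BL_BADUSER ("ignore for now") next to the patched handling that routes it through the BL_ADD path. The type numbers follow the ones quoted in the thread (BL_ADD == 1, BL_BADUSER == 4); the struct layout, the "nfail == -1 means never block" convention, the fixed clock and the sample message sequences are assumptions of this example.

```c
/*
 * Added example, not code from blacklistd or from the patch in this thread.
 * Models the count/last bookkeeping in blacklistd's message switch so the
 * stock and patched handling of BL_BADUSER can be replayed side by side.
 * Type numbers follow the thread (BL_ADD == 1, BL_BADUSER == 4); struct,
 * nfail == -1 convention and sample sequences are assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

enum bl_type { BL_INVALID = 0, BL_ADD = 1, BL_DELETE = 2, BL_ABUSE = 3, BL_BADUSER = 4 };

/* Per-client state; count and last mirror the fields the patch touches. */
struct dbinfo {
	int	count;		/* failures counted so far */
	time_t	last;		/* time of the last counted failure */
	bool	blocked;	/* a block rule has already been issued */
};

typedef bool (*process_fn)(struct dbinfo *, enum bl_type, int, time_t);

/*
 * Stock logic.  Returns true when the daemon would call its helper to add a
 * firewall rule.  BL_BADUSER lands in the "ignore" arm, so a client that only
 * ever triggers BL_BADUSER is never counted and never blocked.
 */
static bool
process_stock(struct dbinfo *dbi, enum bl_type type, int nfail, time_t now)
{
	switch (type) {
	case BL_ABUSE:				/* jump to one short of the limit */
		if (nfail != -1)
			dbi->count = nfail - 1;
		/* FALLTHROUGH */
	case BL_ADD:
		dbi->count++;
		dbi->last = now;
		break;
	case BL_DELETE:				/* successful login resets the count */
		dbi->count = 0;
		dbi->last = 0;
		break;
	case BL_BADUSER:
		/* ignore for now */
		return false;
	default:
		return false;			/* unknown message: logged and dropped */
	}
	if (!dbi->blocked && nfail != -1 && dbi->count >= nfail) {
		dbi->blocked = true;		/* helper would run "add" here */
		return true;
	}
	return false;
}

/* Patched logic: BL_BADUSER is counted exactly like BL_ADD. */
static bool
process_patched(struct dbinfo *dbi, enum bl_type type, int nfail, time_t now)
{
	if (type == BL_BADUSER)
		type = BL_ADD;
	return process_stock(dbi, type, nfail, now);
}

/*
 * Replay one client's messages; return the 1-based index of the message that
 * triggered the block, or -1 if the client is never blocked.
 */
static int
attempts_until_block(process_fn proc, const enum bl_type *msgs, size_t n, int nfail)
{
	struct dbinfo dbi = { 0, 0, false };
	time_t t0 = 1681812499;			/* fixed clock: assumption, for reproducibility */

	for (size_t i = 0; i < n; i++)
		if (proc(&dbi, msgs[i], nfail, t0 + (time_t)i))
			return (int)i + 1;
	return -1;
}

/* Constructed samples (not captured traffic). */
static const enum bl_type sample_baduser[6] = {
	BL_BADUSER, BL_BADUSER, BL_BADUSER, BL_BADUSER, BL_BADUSER, BL_BADUSER };
static const enum bl_type sample_mixed[6] = {
	BL_ADD, BL_ADD, BL_DELETE, BL_ADD, BL_ADD, BL_ADD };
static const enum bl_type sample_abuse[1] = { BL_ABUSE };

int
main(void)
{
	const int nfail = 3;			/* assumed blacklistd.conf nfail column */

	printf("6 x BL_BADUSER, stock:   blocked at %d\n",
	    attempts_until_block(process_stock, sample_baduser, 6, nfail));
	printf("6 x BL_BADUSER, patched: blocked at %d\n",
	    attempts_until_block(process_patched, sample_baduser, 6, nfail));
	printf("add,add,delete,add,add,add: blocked at %d\n",
	    attempts_until_block(process_stock, sample_mixed, 6, nfail));
	printf("1 x BL_ABUSE:            blocked at %d\n",
	    attempts_until_block(process_stock, sample_abuse, 1, nfail));
	return 0;
}
```

With nfail set to 3 the stock model never blocks the BL_BADUSER-only client, the patched model blocks it on the third report, a BL_DELETE in the middle of a run resets the count, and a single BL_ABUSE blocks immediately because it sets the count to nfail - 1 before falling through to the increment.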