Date:      Thu, 16 Nov 2017 08:27:20 +0100
From:      Cos Chan <rosettas@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>, Michael Ross <gmx@ross.cx>, Kurt Lidl <lidl@freebsd.org>
Subject:   Re: How to setup IPFW working with blacklistd
Message-ID:  <CAKV%2BxLCB-ZkU0XNv9COa3p=xXAf3TutLZ=BwhQeu4KTxR1gupw@mail.gmail.com>
In-Reply-To: <CAKV%2BxLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com>
References:  <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com> <20171107033226.M9710@sola.nimnet.asn.au> <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com> <20171107162914.G9710@sola.nimnet.asn.au> <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com> <20171108012948.A9710@sola.nimnet.asn.au> <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com> <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com> <20171111213759.I72828@sola.nimnet.asn.au> <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com> <20171115185528.V72828@sola.nimnet.asn.au> <CAKV%2BxLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com>

>>
>>  > > You might instead try MaxAuthTries 4 .. sshd_config(5) says:
>>  > >
>>  > >      MaxAuthTries
>>  > >              Specifies the maximum number of authentication attempts permitted
>>  > >              per connection.  Once the number of failures reaches half this
>>  > >              value, additional failures are logged.  The default is 6.
>>  > >
>>  > > Half of 3 as an integer is only 1, but half of 4 is 2.  See if it helps?
>>
>>  > I didn't change the MaxAuthTries, since I found something interesting from
>>  > the different logs concerning that issue:
>>  >
>>  > From blacklistctl dump:
>>  >
>>  > $ sudo blacklistctl dump
>>  >         address/ma:port id      nfail   last access
>>  >   78.203.146.34/32:22           0/1     1970/01/01 01:00:00
>>  >  195.225.116.21/32:22           0/1     1970/01/01 01:00:00
>>  >   123.31.26.123/32:22           0/1     1970/01/01 01:00:00
>>  >  112.148.101.13/32:22           0/1     1970/01/01 01:00:00
>>  >      93.23.6.18/32:22           0/1     1970/01/01 01:00:00
>>  >   5.102.197.124/32:22           0/1     1970/01/01 01:00:00
>>  >  193.154.127.32/32:22           0/1     1970/01/01 01:00:00
>>  >  113.232.216.41/32:22           0/1     1970/01/01 01:00:00
>>  >
>>  > From sshd log:
>>  >
>>  > Nov 10 17:57:41 res sshd[49839]: Invalid user pi from 193.154.127.32
>>  > Nov 10 17:57:41 res sshd[49840]: Invalid user pi from 193.154.127.32
>>  > Nov 10 17:57:41 res sshd[49840]: input_userauth_request: invalid user pi [preauth]
>>  > Nov 10 17:57:41 res sshd[49839]: input_userauth_request: invalid user pi [preauth]
>>
>> Note the two different PIDs on these, indicating sshd handling two
>> separate connections.  From above, MaxAuthTries limits the maximum
>> number of attempts _per_connection_.  So each of these indicates only one
>> (or possibly two, as again from above, only those greater than half of
>> the maximum (here 3/2 = 1) are supposedly logged by sshd).
>>
>> I don't know just what sshd reports to blacklistd in what circumstances,
>> nor how those are reflected in blacklistd's logging .. Kurt likely does.
>>
>>  > Nov 11 03:50:47 res sshd[57896]: Invalid user support from 123.31.26.123
>>  > Nov 11 03:50:47 res sshd[57896]: input_userauth_request: invalid user support [preauth]
>>  > Nov 11 03:50:47 res sshd[57896]: error: Received disconnect from 123.31.26.123 port 55811:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> That's on one PID, ie one connection.  Less than three failures on it.
>>
>>  > Nov 11 03:50:49 res sshd[57898]: Invalid user admin from 123.31.26.123
>>  > Nov 11 03:50:49 res sshd[57898]: input_userauth_request: invalid user admin [preauth]
>>  > Nov 11 03:50:49 res sshd[57898]: error: Received disconnect from 123.31.26.123 port 57823:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Ditto.
>>
>>  > Nov 11 03:50:51 res sshd[57900]: Invalid user admin from 123.31.26.123
>>  > Nov 11 03:50:51 res sshd[57900]: input_userauth_request: invalid user admin [preauth]
>>  > Nov 11 03:50:51 res sshd[57900]: error: Received disconnect from 123.31.26.123 port 59819:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Another.
>>
>>  > Nov 11 03:50:53 res sshd[57902]: Invalid user ubnt from 123.31.26.123
>>  > Nov 11 03:50:53 res sshd[57902]: input_userauth_request: invalid user ubnt [preauth]
>>  > Nov 11 03:50:53 res sshd[57902]: error: Received disconnect from 123.31.26.123 port 61795:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Again.
>>
>>  > Nov 11 03:50:55 res sshd[57904]: Invalid user PlcmSpIp from 123.31.26.123
>>  > Nov 11 03:50:55 res sshd[57904]: input_userauth_request: invalid user PlcmSpIp [preauth]
>>  > Nov 11 03:50:55 res sshd[57904]: error: Received disconnect from 123.31.26.123 port 61920:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> Again.
>>
>>  > Nov 11 03:50:57 res sshd[57906]: Invalid user admin from 123.31.26.123
>>  > Nov 11 03:50:57 res sshd[57906]: input_userauth_request: invalid user admin [preauth]
>>  > Nov 11 03:50:57 res sshd[57906]: error: Received disconnect from 123.31.26.123 port 61949:3: com.jcraft.jsch.JSchException: Auth fail [preauth]
>>
>> And yet another.  There's no indication that sshd is - or is supposed to
>> be - keeping track of separate connections from the same IP address.
>>
>
> I agree that sshd should not keep track of the IP, but blacklistd should.
>
>
>>
>>  > I see 2 problems:
>>  >
>>  > Problem 1:
>>  > The IP 193.154.127.32 didn't reach sshd maximum authentication (=3), it
>>  > tried only 2 times.
>>
>> Perhaps rather, only once or twice on each of two separate connections?
>>
>>  > But in my opinion it should be recorded to blacklistd as 2/1 instead of 0/1.
>>
>> I gather that it would take 3 failed logins on any _one_ connection to
>> report it as _one_ failure to blacklistd.
>>
>
> Is this reasonable? In case one IP was using thousands of connections which
> failed once per connection, then it will never be banned by blacklistd
> (unless the maxauth of sshd is 1)?
>

In that case I tested sshd MaxAuthTries=1 and blacklistd nfail=1 and still
got a weird entry.

$ sudo blacklistctl dump
        address/ma:port id      nfail   last access
     57.83.1.58/32:22           0/1     1970/01/01 01:00:00

$ sudo cat auth.log | grep 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140 [preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port 51144 [preauth]

$ cat blacklistd-helper.log | grep 'Nov 16'
...
Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 120.237.88.186 32 22
Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 139.59.111.224 32 22

No action from blacklistd-helper? How could that entry be added to the database?

No logs concerning it from blacklistd either.

$ cat blacklistd.log | grep 'Nov 16'
...
Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 for -1 seconds
Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 for -1 seconds


with kind regards
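As an added example (not from this thread, and not blacklistd's or sshd's own code): a small Python script that does the per-address aggregation across connections that the thread is asking about, run over constructed sshd log lines in the format quoted above. Host name, PIDs and addresses are made up; it counts failures per sshd child PID (one PID per connection) and then per source address, so an address that spreads single failures over many connections is reported even though no single connection reached MaxAuthTries.

```python
import re
from collections import defaultdict

# Constructed sshd log sample in the format quoted in the thread; host name,
# PIDs and addresses (RFC 5737 test ranges) are made up for this example.
SAMPLE_LOG = """\
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 192.0.2.10
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 192.0.2.10
Nov 16 07:04:17 res sshd[31112]: Connection closed by 192.0.2.10 port 51140 [preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 192.0.2.10 port 51144 [preauth]
Nov 16 07:05:02 res sshd[31120]: Invalid user admin from 192.0.2.10
Nov 16 07:06:00 res sshd[31130]: Invalid user oracle from 198.51.100.7
Nov 16 07:06:01 res sshd[31130]: Invalid user oracle from 198.51.100.7
Nov 16 07:06:02 res sshd[31130]: Invalid user oracle from 198.51.100.7
Nov 16 07:06:02 res sshd[31130]: error: Received disconnect from 198.51.100.7 port 40000:3: Auth fail [preauth]
"""

LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")  # one PID per connection
INVALID_RE = re.compile(r"^Invalid user \S+ from (?P<ip>[\d.]+)")

def failures_per_connection(log_text):
    """Count 'Invalid user' lines per sshd child PID, i.e. per connection."""
    counts = defaultdict(int)
    ip_of_pid = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        inv = INVALID_RE.match(m.group("msg"))
        if inv:
            counts[m.group("pid")] += 1
            ip_of_pid[m.group("pid")] = inv.group("ip")
    return counts, ip_of_pid

def per_ip_summary(log_text, max_auth_tries=3):
    """Per source address: connections opened, total failures, connections that hit MaxAuthTries."""
    counts, ip_of_pid = failures_per_connection(log_text)
    summary = defaultdict(lambda: {"connections": 0, "failures": 0, "maxed": 0})
    for pid, n in counts.items():
        s = summary[ip_of_pid[pid]]
        s["connections"] += 1
        s["failures"] += n
        s["maxed"] += int(n >= max_auth_tries)
    return dict(summary)

def spread_out_attackers(log_text, max_auth_tries=3, total_threshold=3):
    """Addresses that never tripped the per-connection limit but exceeded it across connections."""
    return sorted(ip for ip, s in per_ip_summary(log_text, max_auth_tries).items()
                  if s["maxed"] == 0 and s["failures"] >= total_threshold)
```

On the sample, 192.0.2.10 fails once on each of three connections and is the only address returned by spread_out_attackers, while 198.51.100.7 fails three times on one connection and is the case a per-connection count already catches.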


