Date: Wed, 27 Feb 2019 02:52:32 +0100
From: László Károlyi <laszlo@karolyi.hu>
To: freebsd-bugs@freebsd.org
Subject: Blacklistd not recognizing probing attempts
Message-ID: <cf0f5a82-b15e-64b9-53de-c0bf7de9ce10@karolyi.hu>
Hey guys,

I'm on 12.0-RELEASE-p3 and I have configured blacklistd with sshd to lock out those random IPs that are probing my server. The problem is, I noticed that in many cases blacklistd does not put the offending IP on its list.

I've contacted Christos Zoulas by email to see if he has anything to tell about it, and after putting blacklistd in debug mode and reproducing the issue, he suggested I contact you with it. So here it is.

I'll paste a couple of lines from the sshd log. I get these, which aren't registered for some reason:

Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 118.151.209.119 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 118.151.209.119 port 50560 ssh2
Feb 27 00:47:55 ksol sshd[35453]: user NOUSER login class  [preauth]
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 115.231.239.155 port 59107 [preauth]
Feb 27 00:59:41 ksol sshd[75022]: user sshd login class  [preauth]
Feb 27 00:59:41 ksol sshd[75022]: Connection closed by authenticating user sshd 175.197.206.221 port 40517 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 86.241.250.150 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Failed unknown for invalid user user1 from 86.241.250.150 port 36452 ssh2
Feb 27 01:18:17 ksol sshd[97108]: user NOUSER login class  [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 86.241.250.150 port 36452 [preauth]
Feb 27 01:39:51 ksol sshd[33033]: Invalid user ubnt from 213.120.170.34 port 58208
Feb 27 01:39:51 ksol sshd[33033]: Failed unknown for invalid user ubnt from 213.120.170.34 port 58208 ssh2
Feb 27 01:39:51 ksol sshd[33033]: user NOUSER login class  [preauth]
Feb 27 01:39:52 ksol sshd[33033]: Connection closed by invalid user ubnt 213.120.170.34 port 58208 [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Invalid user leo from 70.180.210.136 port 36757
Feb 27 02:01:57 ksol sshd[98410]: Failed unknown for invalid user leo from 70.180.210.136 port 36757 ssh2
Feb 27 02:01:57 ksol sshd[98410]: user NOUSER login class  [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Connection closed by invalid user leo 70.180.210.136 port 36757 [preauth]
Feb 27 02:05:28 ksol sshd[51390]: reverse mapping checking getaddrinfo for rev-13-246-20.isp3.alsatis.net [37.1.246.13] failed.
Feb 27 02:05:33 ksol sshd[51390]: Invalid user alarm from 37.1.246.13 port 54636
Feb 27 02:05:33 ksol sshd[51390]: Failed unknown for invalid user alarm from 37.1.246.13 port 54636 ssh2
Feb 27 02:05:33 ksol sshd[51390]: user NOUSER login class  [preauth]
Feb 27 02:05:33 ksol sshd[51390]: Connection closed by invalid user alarm 37.1.246.13 port 54636 [preauth]

Out of all these IPs, only the first was registered in blacklistd's inner list. When someone tries to use keyboard-interactive auth and that fails, that seems to get registered. The attempts above, on the other hand, do not, or only very rarely.

We looked at the FreeBSD source and it seems the blacklistd patch was done by Kurt Lidl:

https://github.com/freebsd/freebsd/blob/master/contrib/blacklist/diff/ssh.diff
https://github.com/freebsd/freebsd/blob/master/crypto/openssh/sshd.c

Can someone forward this email to him, or is anybody able to help me here?

Cheers,
--
László Károlyi
https://linkedin.com/in/karolyi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?cf0f5a82-b15e-64b9-53de-c0bf7de9ce10>
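The comparison the reporter did by hand (which sshd failures ended up in blacklistd's database and which did not) can be scripted. The following is an added example, not code from the message, from FreeBSD or from blacklistd: it parses the sshd log for lines sshd logs as explicit authentication failures (`Failed <method> for ...`), parses the output of `blacklistctl dump -a`, and lists the source addresses that failed but never appeared in blacklistd's database, together with the auth method each one used. The sample log is constructed from lines quoted in the message plus one made-up keyboard-interactive failure from a TEST-NET address (203.0.113.9); the dump sample's column layout is an assumption about what `blacklistctl dump -a` prints on this system, and all function names are hypothetical. Preauth disconnects ("Connection closed by authenticating user ...") are not counted as failures.

```python
"""Cross-check sshd authentication failures against what blacklistd recorded.

Hypothetical helper, not part of FreeBSD or blacklistd. On a real host, replace
SSHD_LOG with the sshd lines from /var/log/auth.log and BLACKLISTCTL_DUMP with
the output of `blacklistctl dump -a`.
"""
import re
from collections import defaultdict

# Constructed sample: sshd lines quoted in the message above, plus one made-up
# keyboard-interactive failure from a TEST-NET address.
SSHD_LOG = """\
Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 118.151.209.119 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 118.151.209.119 port 50560 ssh2
Feb 27 00:47:55 ksol sshd[35453]: user NOUSER login class  [preauth]
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 115.231.239.155 port 59107 [preauth]
Feb 27 00:59:41 ksol sshd[75022]: Connection closed by authenticating user sshd 175.197.206.221 port 40517 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 86.241.250.150 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Failed unknown for invalid user user1 from 86.241.250.150 port 36452 ssh2
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 86.241.250.150 port 36452 [preauth]
Feb 27 01:39:51 ksol sshd[33033]: Invalid user ubnt from 213.120.170.34 port 58208
Feb 27 01:39:51 ksol sshd[33033]: Failed unknown for invalid user ubnt from 213.120.170.34 port 58208 ssh2
Feb 27 02:10:03 ksol sshd[60001]: Failed keyboard-interactive/pam for root from 203.0.113.9 port 5555 ssh2
"""

# Constructed sample in the column layout assumed for `blacklistctl dump -a`
# (address/mask:port, id, nfail/threshold, last access). Verify on your host.
BLACKLISTCTL_DUMP = """\
        address/ma:port id      nfail   last access
  118.151.209.119/32:22 OK      1/3     2019/02/27 00:47:55
      203.0.113.9/32:22 OK      2/3     2019/02/27 02:10:03
"""

# Matches "Failed <method> for [invalid user] <user> from <ip> port <port> ssh2".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# The nfail column looks like "1/3"; the address column has dots and a colon,
# so it never matches this.
NFAIL_RE = re.compile(r"^(\d+)/(\d+)$")


def failed_auth_sources(log_text):
    """Map source IP -> [(auth method, user), ...] for every failure sshd logged."""
    sources = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            sources[m["ip"]].append((m["method"], m["user"]))
    return dict(sources)


def blacklistd_entries(dump_text):
    """Map IP -> (nfail, threshold) parsed from `blacklistctl dump -a` output."""
    entries = {}
    for line in dump_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("address"):
            continue  # blank line or column header
        address = tokens[0].split("/", 1)[0]
        for tok in tokens[1:]:
            m = NFAIL_RE.match(tok)
            if m:
                entries[address] = (int(m.group(1)), int(m.group(2)))
                break
    return entries


def unregistered_sources(log_text, dump_text):
    """Sorted IPs that sshd logged a failure for but blacklistd never recorded."""
    failed = failed_auth_sources(log_text)
    recorded = blacklistd_entries(dump_text)
    return sorted(ip for ip in failed if ip not in recorded)


def report(log_text, dump_text):
    """One line per missed IP: failure count and the auth method(s) involved."""
    failed = failed_auth_sources(log_text)
    lines = []
    for ip in unregistered_sources(log_text, dump_text):
        methods = ", ".join(sorted({method for method, _ in failed[ip]}))
        lines.append(f"{ip}: {len(failed[ip])} failure(s) via {methods}, not in blacklistd")
    return lines


if __name__ == "__main__":
    for line in report(SSHD_LOG, BLACKLISTCTL_DUMP):
        print(line)
```

On the constructed sample the two missed addresses are exactly the ones whose only failures were logged with method `unknown`, while the keyboard-interactive failure from 203.0.113.9 and the first `unknown` failure from 118.151.209.119 are present in the dump; seeing the method beside each missed IP is what makes the pattern the reporter describes visible without reading the log by eye.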