Re: Blacklistd Issues - Problem Identified

From: Doug Hardie <bc979_at_lafn.org>
Date: Tue, 18 Apr 2023 06:05:21 UTC

> On Apr 17, 2023, at 16:42, Doug Hardie <bc979@lafn.org> wrote:
> 
> After digging through the code for blacklistd I find that postfix and my web server call blacklistd with a type of 1 (BL_ADD) and sure enough, blacklistd calls the helper to add the pf rule.  However, sshd calls with type 4 (BL_BADUSER) and there is a note in the handling of that type that says "Ignore for now".  And that it does, i.e., nothing.  So the problem is in sshd using a type that is not implemented, or in blacklistd which does not implement the BADUSER type.  I wonder if Release 13.2 will fix either of those.
> 

The following patch is a temporary fix for the problem:

--- blacklistd.c.orig	2023-04-17 22:58:47.552759000 -0700
+++ blacklistd.c	2023-04-17 22:46:32.069666000 -0700
@@ -225,6 +225,7 @@
 		if (c.c_nfail != -1)
 			dbi.count = c.c_nfail - 1;
 		/*FALLTHROUGH*/
+	case BL_BADUSER:
 	case BL_ADD:
 		dbi.count++;
 		dbi.last = ts.tv_sec;
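Review bot: Placing `case BL_BADUSER:` immediately after the `/*FALLTHROUGH*/` comment silently changes its meaning: a BADUSER message now increments `dbi.count` and is subject to the configured failure threshold instead of being ignored, but nothing in the code says so. Add a one-line comment above the new label stating that BADUSER is deliberately treated like ADD (counted against the nfail threshold), so the next reader does not assume the fallthrough from the preceding case was intended to reach BADUSER specifically.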
@@ -260,9 +261,9 @@
 		dbi.count = 0;
 		dbi.last = 0;
 		break;
-	case BL_BADUSER:
-		/* ignore for now */
-		break;
+//	case BL_BADUSER:
+//		/* ignore for now */
+//		break;
 	default:
 		(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); 
 	}
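Review bot: Commenting out the three `case BL_BADUSER:` lines with `//` leaves dead, stale text in the switch; since the label is now handled in the earlier case group, delete the three lines outright rather than keeping `//	case BL_BADUSER:` and `//		/* ignore for now */` around. If the intent is to preserve a record of the old behaviour, a short comment next to the new label serves that better than a commented-out block, and `//` comments are not the style used elsewhere in this file.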


Basically the BADUSER call from sshd is moved to the ADD function.  So instead of what was supposed to be an immediate shutdown on one bad authentication regardless of the conf settings, it now follows the config settings rule.  I am not convinced that sshd should use the BADUSER call.  It causes a single typo to lock you out.  It seems to me that it should use the ADD function so the admin gets to choose the proper number of bad authentications before lockout.

I'd submit a PR on this, but all the PRs I have submitted have been left to wither on the vine.

-- Doug