Re: Blacklistd Issues - Problem Identified
- Reply: Norman Gray : "Re: Blacklistd Issues - Problem Identified"
- Reply: Michael Grimm : "Re: Blacklistd Issues - Problem Identified"
- Reply: Doug Hardie : "Re: Blacklistd Issues - Problem Identified"
- In reply to: Doug Hardie : "Re: Blacklistd Issues - Problem Identified"
Date: Tue, 18 Apr 2023 10:08:04 UTC
Doug Hardie <bc979@lafn.org> wrote:

>> On Apr 17, 2023, at 16:42, Doug Hardie <bc979@lafn.org> wrote:
>>
>> After digging through the code for blacklistd I find that postfix and my web server call blacklistd with a type of 1 (BL_ADD) and sure enough, blacklistd calls the helper to add the pf rule. However, sshd calls with type 4 (BL_BADUSER) and there is a note in the handling of that type that says "Ignore for now". And that it does, i.e., nothing. So the problem is in sshd using a type that is not implemented, or in blacklistd which does not implement the BADUSER type. I wonder if Release 13.2 will fix either of those.
>>
>
> The following patch is a temporary fix for the problem:
>
> --- blacklistd.c.orig 2023-04-17 22:58:47.552759000 -0700
> +++ blacklistd.c 2023-04-17 22:46:32.069666000 -0700
> @@ -225,6 +225,7 @@
> if (c.c_nfail != -1)
> dbi.count = c.c_nfail - 1;
> /*FALLTHROUGH*/
> + case BL_BADUSER:
> case BL_ADD:
> dbi.count++;
> dbi.last = ts.tv_sec;
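Review bot: adding `case BL_BADUSER:` directly above `case BL_ADD:` (and below the `/*FALLTHROUGH*/` from the preceding arm) makes a bad-user report count as one ordinary failure against `c.c_nfail`, so every daemon that relies on BL_BADUSER meaning an immediate block, not only sshd, silently loses that behaviour. Rather than hard-wiring the new meaning, gate it on a setting in blacklistd.conf, or at minimum document the changed semantics in the blacklistd.conf(5) and blacklistd(8) man pages, so the administrator can choose between the old immediate block and counting against nfail.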
> @@ -260,9 +261,9 @@
> dbi.count = 0;
> dbi.last = 0;
> break;
> - case BL_BADUSER:
> - /* ignore for now */
> - break;
> +// case BL_BADUSER:
> +// /* ignore for now */
> +// break;
> default:
> (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
> }
>
>
> Basically the BADUSER call from sshd is moved to the ADD function. So instead of what was supposed to be an immediate shutdown on one bad authentication regardless of the conf settings, it now follows the config settings rule. I am not convinced that sshd should use the BADUSER call. It causes a single typo to lock you out. It seems to me that it should use the ADD function so the admin gets to choose the proper number of bad authentications before lockout.
>
> I'd submit a PR on this, but all the PRs I have submitted have been left to wither on the vine.
>
> -- Doug

Please do so. This has been discussed before [1], and I will definitely support your patch or a solution that makes BADUSER configurable. I am currently testing your patch.

[1] https://lists.freebsd.org/archives/freebsd-questions/2023-March/003056.html

Thanks and regards,
Michael
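Review bot: in the second hunk the old `BL_BADUSER` arm is commented out with `//` instead of being removed, which leaves three lines of dead code (and C++-style comments) in a C source file. Keep the three `-` lines and drop the three `+//` lines; since the label now lives in the `BL_ADD` arm of the first hunk, BL_BADUSER still never reaches the `default:` "unknown message" branch, so nothing else in this hunk needs to change.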
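Added example, not blacklistd's own code and not something Doug or Michael posted: a stand-alone C model of the dispatch the patch touches, with the BL_BADUSER handling selected by a hypothetical per-rule policy rather than hard-wired, which is the configurable solution Michael mentions. The type values 1 (BL_ADD) and 4 (BL_BADUSER) come from the thread; `struct dbinfo`, `struct conf`, the `baduser_policy` enum and the function names are this example's own assumptions and do not exist in blacklist.h or blacklistd.c. For nfail=3 it prints at which attempt each policy blocks the address.

```c
/*
 * Added example (not blacklistd's code): a stand-alone model of the
 * blacklistd message dispatch discussed in the thread, with the
 * BL_BADUSER policy made configurable instead of hard-wired.  Type
 * values follow the thread (1 = BL_ADD, 4 = BL_BADUSER); the struct
 * names, the policy enum and the function names are assumptions of
 * this example and are not taken from blacklist.h.
 */
#include <stdio.h>
#include <time.h>

enum bl_type { BL_ADD = 1, BL_BADUSER = 4 };

/* How BL_BADUSER is treated: the stock "ignore for now" arm, the
 * patched behaviour (counted like BL_ADD), or the immediate block
 * Doug describes as the intended meaning. */
enum baduser_policy { BADUSER_IGNORE, BADUSER_AS_ADD, BADUSER_IMMEDIATE };

/* Per-address state, standing in for blacklistd's database record. */
struct dbinfo {
	int	count;		/* failures seen so far */
	time_t	last;		/* time of the last failure */
	int	blocked;	/* 1 once the firewall helper would be run */
};

/* The relevant pieces of a blacklistd.conf rule (hypothetical knob). */
struct conf {
	int	nfail;			/* block after this many failures */
	enum baduser_policy baduser;	/* assumed extra column */
};

/*
 * Process one message for one address and return 1 if the address is
 * (now) blocked.  Mirrors the switch shape in the patch: BL_BADUSER
 * either returns early or falls through into the BL_ADD arm.
 */
int
process_message(struct dbinfo *dbi, const struct conf *c,
    enum bl_type type, time_t now)
{
	switch (type) {
	case BL_BADUSER:
		if (c->baduser == BADUSER_IGNORE)
			return dbi->blocked;	/* unpatched: nothing happens */
		if (c->baduser == BADUSER_IMMEDIATE) {
			dbi->count = c->nfail;	/* saturate the counter */
			dbi->last = now;
			dbi->blocked = 1;
			return 1;
		}
		/* BADUSER_AS_ADD: the patched behaviour */
		/* FALLTHROUGH */
	case BL_ADD:
		dbi->count++;
		dbi->last = now;
		if (dbi->count >= c->nfail)
			dbi->blocked = 1;
		break;
	default:
		fprintf(stderr, "unknown message %d\n", (int)type);
		break;
	}
	return dbi->blocked;
}

/*
 * Feed `attempts` messages of one type for a fresh address and return
 * the attempt number at which it got blocked, or 0 if it never was.
 */
int
attempts_until_block(enum bl_type type, enum baduser_policy policy,
    int nfail, int attempts)
{
	struct dbinfo dbi = { 0, 0, 0 };
	struct conf c = { nfail, policy };
	int i;

	for (i = 1; i <= attempts; i++)
		if (process_message(&dbi, &c, type, (time_t)i))
			return i;
	return 0;
}

int
main(void)
{
	static const char *names[] = { "ignore", "as-add", "immediate" };
	int p;

	/* nfail=3, as an administrator might set it in blacklistd.conf */
	printf("policy     BL_ADD blocks at  BL_BADUSER blocks at\n");
	for (p = BADUSER_IGNORE; p <= BADUSER_IMMEDIATE; p++)
		printf("%-10s %16d  %20d\n", names[p],
		    attempts_until_block(BL_ADD, p, 3, 10),
		    attempts_until_block(BL_BADUSER, p, 3, 10));
	return 0;
}
```

With the `ignore` policy a BL_BADUSER report never blocks (the unpatched behaviour Doug observed); with `as-add` it blocks on the third attempt, the same as BL_ADD, which is what the patch does; with `immediate` a single report blocks, which is the behaviour Doug describes as the original intent and the one a typo triggers. A real implementation would read the policy from the rule in blacklistd.conf instead of a struct field.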