Understanding blacklistd blocklists -- 'bad user' doesn't get blocked
Date: Fri, 31 Mar 2023 10:01:24 UTC
Greetings.

I'm trying to understand why some connection attempts to sshd result in blacklistd entries, and some don't.

Looking at sshd logs, on a machine connected to the open internet, I see a large number of errors such as

    ...
    Mar 30 20:49:18 <auth.info> haumea sshd[65830]: Invalid user nagios from 42.225.207.234 port 41804
    ...
    Mar 30 21:32:28 <auth.info> haumea sshd[66203]: Invalid user administrator from 194.55.224.179 port 60145
    ...

The second one finds its way into the blacklist, but the first, like many others, doesn't. This surprises me. As I write, "Mar 30 21:32:28" is comfortably within the last 24 hours.

On investigation, the reason for this is that OpenSSH auth.c [1, around line 500] logs 'Invalid user...' as BLACKLIST_BAD_USER, which gets translated by blacklistd [2] into blacklistd's BL_BADUSER, which is handled in blacklistd.c [3, line 257] as /* ignore for now */. I think that the probes from 42.225.207.234 resulted in a block only because they appear to have tried to authenticate as root, which (via BLACKLIST_AUTH_FAIL) does increment the counter.

That BL_BADUSER notifications are ignored seems the opposite of what I'd expect, since someone hammering a login server with large numbers of speculative logins seems to be the very definition of abusive behaviour. Does anyone know the rationale, here?

I suppose one possibility is that (a) if I repeatedly connect as user 'foo' and don't get blocked, but (b) I know that the site is using blacklistd, then I can conclude that user 'foo' is valid. But that seems an _extremely_ roundabout way of leaking information.

I see that in January last year, 'tanis' noted the same thing in the forum [4], and remarked that a patched version of blacklistd.c, which incremented the wickedness count for such users, didn't cause any surprising problems.

Is there a case for having BL_BADUSER optionally/configurably increment the wickedness counter?
Best wishes,

Norman

[1] https://github.com/freebsd/freebsd-src/blob/main/crypto/openssh/auth.c
[2] https://github.com/freebsd/freebsd-src/blob/main/contrib/blacklist/lib/blacklist.c
[3] https://github.com/freebsd/freebsd-src/blob/main/contrib/blacklist/bin/blacklistd.c
[4] https://forums.freebsd.org/threads/blacklistd-and-sshd-not-acting-immediately-according-to-logs.82523/

--
Norman Gray : https://nxg.me.uk
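The difference the post describes, between blacklistd ignoring BL_BADUSER and the proposed behaviour of counting it, can be checked against a log excerpt offline. The following is an added example, not code from the post, from OpenSSH or from blacklistd: it parses syslog lines in the shape quoted above, maps each to the notification type OpenSSH would send (BLACKLIST_BAD_USER for 'Invalid user', BLACKLIST_AUTH_FAIL for a failed password) and tallies a per-source count under both policies. The 'Failed password' line format, the threshold value (blacklistd reads its real threshold from blacklistd.conf) and all but the two quoted log lines are constructed for the example.

```python
"""Model of how a blacklistd-style counter treats sshd 'Invalid user' notices.

Added example, not code from the mailing-list post or from blacklistd.
count_bad_user=False mirrors the current '/* ignore for now */' handling of
BL_BADUSER; count_bad_user=True is the patched behaviour the post asks about.
"""
import re
from collections import Counter

# Matches the lines quoted in the post, e.g.
#   Mar 30 20:49:18 <auth.info> haumea sshd[65830]: Invalid user nagios from 42.225.207.234 port 41804
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# No 'Failed password' line is quoted in the post; this pattern follows
# OpenSSH's usual wording and is an assumption of the example.
AUTH_FAIL_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

BL_BADUSER = "BL_BADUSER"      # from an 'Invalid user' notice
BL_AUTH_FAIL = "BL_AUTH_FAIL"  # from a failed authentication


def classify(line):
    """Return (notification_type, source_ip) for a recognised sshd line, else None."""
    m = INVALID_USER_RE.search(line)
    if m:
        return BL_BADUSER, m.group("ip")
    m = AUTH_FAIL_RE.search(line)
    if m:
        return BL_AUTH_FAIL, m.group("ip")
    return None


def tally(lines, count_bad_user):
    """Per-IP 'wickedness' counts for the given policy."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, ip = hit
        if kind == BL_AUTH_FAIL or (kind == BL_BADUSER and count_bad_user):
            counts[ip] += 1
    return counts


def blocked(counts, nfail):
    """Sorted list of IPs whose count reached the threshold nfail.
    The threshold here is a constructed value; blacklistd takes it from
    blacklistd.conf."""
    return sorted(ip for ip, n in counts.items() if n >= nfail)


# Constructed sample log: the two quoted lines plus made-up neighbours.
# 42.225.207.234 only ever triggers 'Invalid user'; 194.55.224.179 goes on
# to try the root account, as the post suggests.
SAMPLE_LOG = [
    "Mar 30 20:49:18 <auth.info> haumea sshd[65830]: Invalid user nagios from 42.225.207.234 port 41804",
    "Mar 30 20:49:25 <auth.info> haumea sshd[65832]: Invalid user oracle from 42.225.207.234 port 41810",
    "Mar 30 20:49:31 <auth.info> haumea sshd[65834]: Invalid user test from 42.225.207.234 port 41816",
    "Mar 30 21:32:28 <auth.info> haumea sshd[66203]: Invalid user administrator from 194.55.224.179 port 60145",
    "Mar 30 21:32:30 <auth.info> haumea sshd[66205]: Failed password for root from 194.55.224.179 port 60150 ssh2",
    "Mar 30 21:32:33 <auth.info> haumea sshd[66207]: Failed password for root from 194.55.224.179 port 60155 ssh2",
    "Mar 30 21:32:36 <auth.info> haumea sshd[66209]: Failed password for root from 194.55.224.179 port 60160 ssh2",
    "Mar 30 21:40:00 <auth.info> haumea sshd[66300]: Accepted publickey for norman from 192.0.2.10 port 5000 ssh2",
]

if __name__ == "__main__":
    for policy in (False, True):
        counts = tally(SAMPLE_LOG, count_bad_user=policy)
        print("count BL_BADUSER =", policy, "->", blocked(counts, nfail=3))
```

Run as-is, the script shows that with BL_BADUSER ignored only the host that went on to fail root logins reaches the threshold, while counting BL_BADUSER also catches the host that only ever probed non-existent accounts, which is the behaviour the forum patch mentioned in [4] produced.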