From: Norman Gray <gray@nxg.name>
To: questions@freebsd.org
Subject: Understanding blacklistd blocklists -- 'bad user' doesn't get blocked
Date: Fri, 31 Mar 2023 11:01:24 +0100
Message-ID: <91FB3707-BE92-4B35-ACD6-08AB6E8735B5@nxg.name>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
Greetings.

I'm trying to understand why some connection attempts to sshd result in blacklistd entries, and some don't.

Looking at sshd logs, on a machine connected to the open internet, I see a large number of errors such as

...
Mar 30 20:49:18 haumea sshd[65830]: Invalid user nagios from 42.225.207.234 port 41804
...
Mar 30 21:32:28 haumea sshd[66203]: Invalid user administrator from 194.55.224.179 port 60145
...

The second one finds its way into the blacklist, but the first, like many others, doesn't. This surprises me. As I write, "Mar 30 21:32:28" is comfortably within the last 24 hours.

On investigation, the reason for this is that OpenSSH auth.c [1, around line 500] logs 'Invalid user...' as BLACKLIST_BAD_USER, which gets translated by blacklistd [2] into blacklistd's BL_BADUSER, which is handled in blacklistd.c [3, line 257] as /* ignore for now */.

I think that the probes from 42.225.207.234 resulted in a block only because they appear to have tried to authenticate as root, which (via BLACKLIST_AUTH_FAIL) does increment the counter.

That BL_BADUSER notifications are ignored seems the opposite of what I'd expect, since someone hammering a login server with large numbers of speculative logins seems to be the very definition of abusive behaviour. Does anyone know the rationale here?
I suppose one possibility is that (a) if I repeatedly connect as user 'foo' and don't get blocked, but (b) I know that the site is using blacklistd, then I can conclude that user 'foo' is valid. But that seems an _extremely_ roundabout way of leaking information.

I see that in January last year, 'tanis' noted the same thing in the forum [4], and remarked that a patched version of blacklistd.c, which incremented the wickedness count for such users, didn't cause any surprising problems. Is there a case for having BL_BADUSER optionally/configurably increment the wickedness counter?

Best wishes,

Norman

[1] https://github.com/freebsd/freebsd-src/blob/main/crypto/openssh/auth.c
[2] https://github.com/freebsd/freebsd-src/blob/main/contrib/blacklist/lib/blacklist.c
[3] https://github.com/freebsd/freebsd-src/blob/main/contrib/blacklist/bin/blacklistd.c
[4] https://forums.freebsd.org/threads/blacklistd-and-sshd-not-acting-immediately-according-to-logs.82523/

-- 
Norman Gray : https://nxg.me.uk
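An added example (editor's illustration, not code from the message, from OpenSSH or from FreeBSD's blacklistd) that makes the behaviour described above concrete: it classifies sshd log lines into the two notification kinds the message names, a bad-user notification for "Invalid user ..." lines and an auth-failure notification for "Failed password for <existing user> ..." lines, and tallies them per source address the way the message says blacklistd does, once with bad-user notifications ignored (stock) and once with them counted (the patched behaviour the forum post tried). The threshold of 3 is an assumption standing in for the per-rule failure count in blacklistd.conf; the log lines are constructed with RFC 5737 documentation addresses; and treating a "Failed password for invalid user" line as already covered by its "Invalid user" line is a simplification of this example, not a statement about what sshd actually sends.

```python
"""Which sshd failures would blacklistd count? Stock vs. bad-user-counting."""
import re
from collections import Counter
from typing import Iterable, Optional, Tuple

# OpenSSH log line shapes; only the fields this example needs.
_INVALID_USER = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S*) from (?P<ip>[0-9A-Fa-f.:]+) port \d+")
_FAILED_PW = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+")

# Labels for the two notification kinds discussed in the message: the one
# stock blacklistd ignores ("ignore for now") and the one that increments
# the per-address counter.
BAD_USER = "BAD_USER"
AUTH_FAIL = "AUTH_FAIL"


def classify(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (kind, user, ip) for a line sshd would report, else None."""
    m = _INVALID_USER.search(line)
    if m:
        return BAD_USER, m.group("user"), m.group("ip")
    m = _FAILED_PW.search(line)
    if m:
        if m.group("invalid"):
            # Simplification (assumption): the "Invalid user" line for the
            # same connection already produced the bad-user notification.
            return None
        return AUTH_FAIL, m.group("user"), m.group("ip")
    return None


def tally(lines: Iterable[str], count_bad_user: bool = False, threshold: int = 3):
    """Count notifications per source address and decide who would be blocked.

    count_bad_user=False models stock blacklistd (bad-user notifications
    ignored); True models the patched behaviour the message asks about.
    threshold is an assumed per-rule failure count (blacklistd.conf style).
    """
    counts: Counter = Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, _user, ip = hit
        if kind == AUTH_FAIL or (kind == BAD_USER and count_bad_user):
            counts[ip] += 1
    blocked = {ip for ip, n in counts.items() if n >= threshold}
    return dict(counts), blocked


# Constructed sample log (documentation addresses, not real probes).
SAMPLE_LINES = [
    "Mar 30 20:49:18 haumea sshd[65830]: Invalid user nagios from 192.0.2.10 port 41804",
    "Mar 30 20:49:21 haumea sshd[65832]: Invalid user admin from 192.0.2.10 port 41810",
    "Mar 30 20:49:25 haumea sshd[65834]: Invalid user test from 192.0.2.10 port 41816",
    "Mar 30 20:50:02 haumea sshd[65840]: Failed password for root from 198.51.100.7 port 60101 ssh2",
    "Mar 30 20:50:05 haumea sshd[65842]: Failed password for root from 198.51.100.7 port 60110 ssh2",
    "Mar 30 20:50:09 haumea sshd[65844]: Failed password for root from 198.51.100.7 port 60118 ssh2",
    "Mar 30 21:32:28 haumea sshd[66203]: Invalid user administrator from 198.51.100.7 port 60145",
    "Mar 30 21:32:29 haumea sshd[66203]: Failed password for invalid user administrator from 198.51.100.7 port 60145 ssh2",
]


def compare(lines: Iterable[str], threshold: int = 3):
    """Side-by-side result for stock and bad-user-counting behaviour."""
    lines = list(lines)
    stock_counts, stock_blocked = tally(lines, False, threshold)
    patched_counts, patched_blocked = tally(lines, True, threshold)
    return {
        "stock": {"counts": stock_counts, "blocked": stock_blocked},
        "bad_user_counted": {"counts": patched_counts, "blocked": patched_blocked},
    }


if __name__ == "__main__":
    for mode, result in compare(SAMPLE_LINES).items():
        print(f"{mode}: counts={result['counts']} blocked={sorted(result['blocked'])}")
```

Run against the constructed log, the stock model blocks only 198.51.100.7 (three root failures) and never sees 192.0.2.10 at all, exactly the asymmetry the message describes; counting bad-user notifications blocks both.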