svn commit: r331080 - in stable/11/contrib/blacklist: bin libexec
Kurt Lidl
lidl at FreeBSD.org
Fri Mar 16 23:39:51 UTC 2018
Author: lidl
Date: Fri Mar 16 23:39:49 2018
New Revision: 331080
URL: https://svnweb.freebsd.org/changeset/base/331080
Log:
Revert attempted MFC. It included unwanted changes.
Modified:
stable/11/contrib/blacklist/bin/blacklistd.8
stable/11/contrib/blacklist/bin/blacklistd.c
stable/11/contrib/blacklist/libexec/blacklistd-helper
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/contrib/blacklist/bin/blacklistd.8
==============================================================================
--- stable/11/contrib/blacklist/bin/blacklistd.8 Fri Mar 16 23:34:44 2018 (r331079)
+++ stable/11/contrib/blacklist/bin/blacklistd.8 Fri Mar 16 23:39:49 2018 (r331080)
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd Dec 6, 2017
+.Dd June 7, 2016
.Dt BLACKLISTD 8
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd block and release ports on demand to avoid DoS abuse
.Sh SYNOPSIS
.Nm
-.Op Fl Bdfrv
+.Op Fl dfrv
.Op Fl C Ar controlprog
.Op Fl c Ar configfile
.Op Fl D Ar dbfile
@@ -154,8 +154,6 @@ The Berkeley DB file where
.Nm
stores its state, usually
.Pa /var/run/blacklistd.db .
-.It Fl B
-Disable processing of bad-usernames.
.It Fl d
Normally,
.Nm
Modified: stable/11/contrib/blacklist/bin/blacklistd.c
==============================================================================
--- stable/11/contrib/blacklist/bin/blacklistd.c Fri Mar 16 23:34:44 2018 (r331079)
+++ stable/11/contrib/blacklist/bin/blacklistd.c Fri Mar 16 23:39:49 2018 (r331080)
@@ -76,7 +76,6 @@ static DB *state;
static const char *dbfile = _PATH_BLSTATE;
static sig_atomic_t readconf;
static sig_atomic_t done;
-static int Bflag;
static int vflag;
static void
@@ -165,85 +164,12 @@ getremoteaddress(bl_info_t *bi, struct sockaddr_storag
return 0;
}
-static const char *badnames_email[] = {
- "info",
- "root",
- "admin",
- "support",
- "webmaster",
- "sales",
- "postmaster",
- "marketing",
- "administrator",
- "default",
- "noreply",
- "ftpuser",
- "backup",
- "webadmin",
- "security",
- NULL
-};
-
-static const char *badnames_ssh[] = {
- "admin",
- "support",
- "pi",
- "info",
- "root",
- "guest",
- "webmaster",
- "ubnt",
- "abuse",
- "default",
- "apache",
- "nginx",
- "cisco",
- "administrator",
- "ftpuser",
- "supervisor",
- "mysql",
- "postgres",
- "oracle",
- "security",
- "nagios",
- "webadmin",
- "usuario",
- "uucp",
- "PlcmSpIp",
- " 0101",
- NULL
-};
-
-static int
-lookup_username(int proto, int port, const char *username)
-{
- int i;
- const char **names;
-
- if (proto != IPPROTO_TCP)
- return 0;
-
- if (port == 22)
- names = badnames_ssh;
- else if (port == 25 || port == 587)
- names = badnames_email;
- else
- return 0;
-
- for (i = 0; names[i] != NULL; i++) {
- if (strcmp(username, names[i]) == 0)
- return 1;
- }
- return 0;
-}
-
static void
process(bl_t bl)
{
struct sockaddr_storage rss;
socklen_t rsl;
char rbuf[BUFSIZ];
- int runadd, rundelete;
bl_info_t *bi;
struct conf c;
struct dbinfo dbi;
@@ -287,74 +213,59 @@ process(bl_t bl)
fmttime(b2, sizeof(b2), ts.tv_sec));
}
- runadd = rundelete = 0;
-
switch (bi->bi_type) {
case BL_ABUSE:
/*
* If the application has signaled abusive behavior,
- * set the number of fails to be the configured limit.
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
*/
if (c.c_nfail != -1)
- dbi.count = c.c_nfail;
- rundelete = 1;
- runadd = 1;
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
+ case BL_ADD:
+ dbi.count++;
+ dbi.last = ts.tv_sec;
+ if (dbi.id[0]) {
+ /*
+ * We should not be getting this since the rule
+ * should have blocked the address. A possible
+ * explanation is that someone removed that rule,
+ * and another would be that we got another attempt
+ * before we added the rule. In anycase, we remove
+ * and re-add the rule because we don't want to add
+ * it twice, because then we'd lose track of it.
+ */
+ (*lfun)(LOG_DEBUG, "rule exists %s", dbi.id);
+ (void)run_change("rem", &c, dbi.id, 0);
+ dbi.id[0] = '\0';
+ }
+ if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
+ int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
+ if (res == -1)
+ goto out;
+ sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
+ (void *)&rss);
+ (*lfun)(LOG_INFO,
+ "blocked %s/%d:%d for %d seconds",
+ rbuf, c.c_lmask, c.c_port, c.c_duration);
+
+ }
break;
case BL_DELETE:
if (dbi.last == 0)
goto out;
dbi.count = 0;
dbi.last = 0;
- rundelete = 1;
break;
case BL_BADUSER:
- (*lfun)(LOG_DEBUG, "BL_BADUSER: username %s", bi->bi_msg);
- dbi.count--;
- if (Bflag == 0 && lookup_username(c.c_proto, c.c_port, bi->bi_msg) == 1) {
- dbi.count = c.c_nfail - 1;
- (*lfun)(LOG_DEBUG, "BL_BADUSER: found %s on list (port: %d)", bi->bi_msg, c.c_port);
- }
- /* FALLTHROUGH */
- case BL_ADD:
- dbi.count++;
- dbi.last = ts.tv_sec;
- if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
- rundelete = 1;
- runadd = 1;
- }
+ /* ignore for now */
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
-
- if (rundelete && c.c_duration != -1) {
- /*
- * We should not be getting this since the rule
- * should have blocked the address. A possible
- * explanation is that someone removed that rule,
- * and another would be that we got another attempt
- * before we added the rule. In anycase, we remove
- * and re-add the rule because we don't want to add
- * it twice, because then we'd lose track of it.
- */
- if (dbi.id[0]) {
- (*lfun)(LOG_INFO, "rule exists %s", dbi.id);
- (void)run_change("rem", &c, dbi.id, 0);
- dbi.id[0] = '\0';
- }
- }
- if (runadd) {
- int res = run_change("add", &c, dbi.id, sizeof(dbi.id));
- if (res == -1)
- goto out;
- sockaddr_snprintf(rbuf, sizeof(rbuf), "%a",
- (void *)&rss);
- (*lfun)(LOG_INFO,
- "blocked %s/%d:%d for %d seconds",
- rbuf, c.c_lmask, c.c_port, c.c_duration);
- }
-
- /* persist the data */
state_put(state, &c, &dbi);
out:
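Review bot: In the restored BL_ADD path the "rule exists" block removes the loaded rule and clears `dbi.id`, but if the following `run_change("add", …)` returns -1 the `goto out` skips the `state_put` at the end of the hunk, so the on-disk record presumably still carries the id of a rule that was just removed while nothing blocks the address; the next event will issue a second `rem` for that stale id before trying `add` again. If persisting the cleared id and the bumped count on that failure is acceptable, `if (res == -1) { state_put(state, &c, &dbi); goto out; }` keeps the database honest about what is actually loaded; otherwise a LOG_ERR at that point would at least make the gap visible in the logs. Two spelling slips in the new comment text while here: `threshhold` → `threshold` and `In anycase` → `In any case`. process() starts and ends outside this hunk.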
@@ -493,16 +404,13 @@ rules_restore(void)
struct conf c;
struct dbinfo dbi;
unsigned int f;
- static int addremove;
for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
if (dbi.id[0] == '\0')
continue;
(void)run_change("rem", &c, dbi.id, 0);
(void)run_change("add", &c, dbi.id, sizeof(dbi.id));
- addremove++;
}
- (*lfun)(LOG_INFO, "removed and re-added %d addresses", addremove);
}
int
@@ -521,11 +429,8 @@ main(int argc, char *argv[])
restore = 0;
tout = 0;
flags = O_RDWR|O_EXCL|O_CLOEXEC;
- while ((c = getopt(argc, argv, "BC:c:D:dfP:rR:s:t:v")) != -1) {
+ while ((c = getopt(argc, argv, "C:c:D:dfP:rR:s:t:v")) != -1) {
switch (c) {
- case 'B':
- Bflag++;
- break;
case 'C':
controlprog = optarg;
break;
Modified: stable/11/contrib/blacklist/libexec/blacklistd-helper
==============================================================================
--- stable/11/contrib/blacklist/libexec/blacklistd-helper Fri Mar 16 23:34:44 2018 (r331079)
+++ stable/11/contrib/blacklist/libexec/blacklistd-helper Fri Mar 16 23:39:49 2018 (r331080)
@@ -80,8 +80,8 @@ add)
echo "block in quick $proto from <port$6> to any $port" | \
/sbin/pfctl -a "$2/$6" -f -
# insert $ip/$mask into per-protocol/port anchored table
- /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \
- /sbin/pfctl -q -k $addr && echo OK
+ /sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && \
+ echo OK
;;
esac
;;
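Review bot: After this hunk the pf add case no longer tears down the address's existing state, so a connection the offending host already has open keeps passing until it closes on its own; only new connections hit the `block in quick` rule, because pf matches established state before consulting the ruleset. If parts of the reverted MFC are re-applied later, the state kill is the piece worth carrying first, e.g. `/sbin/pfctl -a "$2/$6" -t "port$6" -T add "$addr/$mask" && /sbin/pfctl -q -k "$addr" && echo OK` (with `$addr` quoted this time). Dropping `-q` looks cosmetic on its own: as far as I recall pfctl's table counters go to stderr, so the `OK` the daemon reads on stdout should be unaffected, but that is worth confirming.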
@@ -101,7 +101,7 @@ rem)
/sbin/npfctl rule "$2" rem-id "$7"
;;
pf)
- /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
+ /sbin/pfctl -a "$2/$6" -t "port$6" -T delete "$addr/$mask" && \
echo OK
;;
esac
@@ -118,13 +118,7 @@ flush)
/sbin/npfctl rule "$2" flush
;;
pf)
- # dynamically determine which anchors exist
- anchors=$(/sbin/pfctl -a $2 -s Anchors)
- for anchor in $anchors; do
- /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush
- /sbin/pfctl -a $anchor -F rules
- done
- echo OK
+ /sbin/pfctl -a "$2/$6" -t "port$6" -T flush && echo OK
;;
esac
;;
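Review bot: The restored pf flush case only empties the table of the single anchor `$2/$6`; the `block in quick … from <port$6>` rule the add case loads into that anchor stays in place and the tables of other ports' anchors are untouched. That is harmless while the table is empty, but if the daemon invokes flush without a per-port argument (the caller is not visible here) the anchor name degenerates to `$2/` and nothing is flushed at all. Worth confirming against blacklistd's flush invocation; if flush is meant to be global, a comment such as `# flush clears only the table for the port given in $6; other anchors keep their entries` would at least document the scope.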