Date: Thu, 16 Nov 2017 08:27:20 +0100 From: Cos Chan <rosettas@gmail.com> To: Ian Smith <smithi@nimnet.asn.au> Cc: freebsd-questions <freebsd-questions@freebsd.org>, Michael Ross <gmx@ross.cx>, Kurt Lidl <lidl@freebsd.org> Subject: Re: How to setup IPFW working with blacklistd Message-ID: <CAKV%2BxLCB-ZkU0XNv9COa3p=xXAf3TutLZ=BwhQeu4KTxR1gupw@mail.gmail.com> In-Reply-To: <CAKV%2BxLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com> References: <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com> <20171107033226.M9710@sola.nimnet.asn.au> <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com> <20171107162914.G9710@sola.nimnet.asn.au> <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com> <20171108012948.A9710@sola.nimnet.asn.au> <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com> <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com> <20171111213759.I72828@sola.nimnet.asn.au> <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com> <20171115185528.V72828@sola.nimnet.asn.au> <CAKV%2BxLC=ABe2i3TN8bo4XaVg3KfUbKsS96=6iyVDnsmWw-e8ag@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
>>
>> > > You might instead try MaxAuthTries 4 .. sshd_config(5) says:
>> > >
>> > > MaxAuthTries
>> > > Specifies the maximum number of authentication attempts
>> > > permitted
>> > > per connection. Once the number of failures reaches
>> half this
>> > > value, additional failures are logged. The default is
>> 6.
>> > >
>> > > Half of 3 as an integer is only 1, but half of 4 is 2. See if it
>> helps?
>>
>> > I didnt change the MaxAuthTries, since I found something interesting
>> from
>> > the different logs concerning that issue:
>> >
>> > >From blacklistctl dump:
>> >
>> > $ sudo blacklistctl dump
>> > address/ma:port id nfail last access
>> > 78.203.146.34/32:22 0/1 1970/01/01 01:00:00
>> > 195.225.116.21/32:22 0/1 1970/01/01 01:00:00
>> > 123.31.26.123/32:22 0/1 1970/01/01 01:00:00
>> > 112.148.101.13/32:22 0/1 1970/01/01 01:00:00
>> > 93.23.6.18/32:22 0/1 1970/01/01 01:00:00
>> > 5.102.197.124/32:22 0/1 1970/01/01 01:00:00
>> > 193.154.127.32/32:22 0/1 1970/01/01 01:00:00
>> > 113.232.216.41/32:22 0/1 1970/01/01 01:00:00
>> >
>> > >From sshd log:
>> >
>> > Nov 10 17:57:41 res sshd[49839]: Invalid user pi from 193.154.127.32
>> > Nov 10 17:57:41 res sshd[49840]: Invalid user pi from 193.154.127.32
>> > Nov 10 17:57:41 res sshd[49840]: input_userauth_request: invalid user
>> pi
>> > [preauth]
>> > Nov 10 17:57:41 res sshd[49839]: input_userauth_request: invalid user
>> pi
>> > [preauth]
>>
>> Note the two different PIDs on these, indicating sshd handling two
>> separate connections. From above, MaxAuthTries limits the maximum
>> number of attempts _per_connection_. So each of these indicate only one
>> (or possibly two, as again from above, only those greater than half of
>> the maximum (here 3/2 = 1) are supposedly logged by sshd).
>>
>> I don't know just what sshd reports to blacklistd in what circumstances,
>> nor how those are reflected in blacklistd's logging .. Kurt likely does.
>>
>> > Nov 11 03:50:47 res sshd[57896]: Invalid user support from
>> 123.31.26.123
>> > Nov 11 03:50:47 res sshd[57896]: input_userauth_request: invalid user
>> > support [preauth]
>> > Nov 11 03:50:47 res sshd[57896]: error: Received disconnect from
>> > 123.31.26.123 port 55811:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> That's on one PID, ie one connection. Less than three failures on it.
>>
>> > Nov 11 03:50:49 res sshd[57898]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:49 res sshd[57898]: input_userauth_request: invalid user
>> admin
>> > [preauth]
>> > Nov 11 03:50:49 res sshd[57898]: error: Received disconnect from
>> > 123.31.26.123 port 57823:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> Ditto.
>>
>> > Nov 11 03:50:51 res sshd[57900]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:51 res sshd[57900]: input_userauth_request: invalid user
>> admin
>> > [preauth]
>> > Nov 11 03:50:51 res sshd[57900]: error: Received disconnect from
>> > 123.31.26.123 port 59819:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> Another.
>>
>> > Nov 11 03:50:53 res sshd[57902]: Invalid user ubnt from 123.31.26.123
>> > Nov 11 03:50:53 res sshd[57902]: input_userauth_request: invalid user
>> ubnt
>> > [preauth]
>> > Nov 11 03:50:53 res sshd[57902]: error: Received disconnect from
>> > 123.31.26.123 port 61795:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> Again.
>>
>> > Nov 11 03:50:55 res sshd[57904]: Invalid user PlcmSpIp from
>> 123.31.26.123
>> > Nov 11 03:50:55 res sshd[57904]: input_userauth_request: invalid user
>> > PlcmSpIp [preauth]
>> > Nov 11 03:50:55 res sshd[57904]: error: Received disconnect from
>> > 123.31.26.123 port 61920:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> Again.
>>
>> > Nov 11 03:50:57 res sshd[57906]: Invalid user admin from 123.31.26.123
>> > Nov 11 03:50:57 res sshd[57906]: input_userauth_request: invalid user
>> admin
>> > [preauth]
>> > Nov 11 03:50:57 res sshd[57906]: error: Received disconnect from
>> > 123.31.26.123 port 61949:3: com.jcraft.jsch.JSchException: Auth fail
>> > [preauth]
>>
>> And yet another. There's no indication that sshd is - or is supposed to
>> be - keeping track of separate connections from the same IP address.
>>
>
> I agree that sshd should not keep track the IP, but blacklistd should do.
>
>
>>
>> > I see 2 problems:
>> >
>> > Problem 1:
>> > The IP 193.154.127.32 didn't reach sshd maximum authentication (=3),
>> it
>> > tried only 2 times.
>>
>> Perhaps rather, only once or twice on each of two separate connections?
>>
>> > But in my opinion it should be recorded to blacklistd as 2/1 instead
>> of 0/1.
>>
>> I gather that it would take 3 failed logins on any _one_ connection to
>> report it as _one_ failure to blacklistd.
>>
>
> is this reasonable? in case one IP was using thousands connections which
> failed once per connection, then it will never be banned by blacklistd
> (unless the maxauth of sshd is 1)?
>
In that case I test sshd MaxAuthTries=1 and blacklistd nfail=1 and still
get wired entry.
$ sudo blacklistctl dump
address/ma:port id nfail last access
57.83.1.58/32:22 0/1 1970/01/01 01:00:00
$ sudo cat auth.log | grep 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31113]: Invalid user pi from 57.83.1.58
Nov 16 07:04:17 res sshd[31112]: Connection closed by 57.83.1.58 port 51140
[preauth]
Nov 16 07:04:17 res sshd[31113]: Connection closed by 57.83.1.58 port 51144
[preauth]
$ cat blacklistd-helper.log | grep 'Nov 16'
...
Thu Nov 16 07:01:28 CET 2017 /usr/libexec/blacklistd-helper run add
blacklistd tcp 120.237.88.186 32 22
Thu Nov 16 07:14:05 CET 2017 /usr/libexec/blacklistd-helper run add
blacklistd tcp 139.59.111.224 32 22
No action from blacklistd-helper? how could that entry be added to database?
no logs concerning from blacklistd either
$ cat blacklistd.log | grep 'Nov 16'
...
Nov 16 07:01:28 res blacklistd[23916]: blocked 120.237.88.186/32:22 for -1
seconds
Nov 16 07:14:05 res blacklistd[23916]: blocked 139.59.111.224/32:22 for -1
seconds
>
>
>>
>> --
with kind regards
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAKV%2BxLCB-ZkU0XNv9COa3p=xXAf3TutLZ=BwhQeu4KTxR1gupw>