From: Kurt Lidl
Date: Fri, 26 May 2017 15:13:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r318950 - in stable/11/contrib/blacklist: bin include lib
Message-Id: <201705261513.v4QFDkh0071759@repo.freebsd.org>

Author: lidl
Date: Fri May 26 15:13:46 2017
New Revision: 318950
URL: https://svnweb.freebsd.org/changeset/base/318950

Log:
  MFC r318755:

  Extend libblacklist support with new action types

  The original blacklist library supported two notification types:
  - failed auth attempt, which incremented the failed login count by one
    for the remote address
  - successful auth attempt, which reset the failed login count to zero
    for that remote address

  When the failed login count reached the limit in the configuration file,
  the remote address would be blocked by a packet filter.

  This patch implements a new notification type, "abusive behavior", and
  accepts, but does not act on, an additional type, "bad username". It is
  envisioned that a system administrator will configure a small list of
  "known bad usernames" that should be blocked immediately.
Sponsored by: The FreeBSD Foundation Modified: stable/11/contrib/blacklist/bin/blacklistd.c stable/11/contrib/blacklist/include/bl.h stable/11/contrib/blacklist/include/blacklist.h stable/11/contrib/blacklist/lib/blacklist.c stable/11/contrib/blacklist/lib/libblacklist.3 Directory Properties: stable/11/ (props changed) Modified: stable/11/contrib/blacklist/bin/blacklistd.c ============================================================================== --- stable/11/contrib/blacklist/bin/blacklistd.c Fri May 26 13:09:16 2017 (r318949) +++ stable/11/contrib/blacklist/bin/blacklistd.c Fri May 26 15:13:46 2017 (r318950) @@ -214,6 +214,17 @@ process(bl_t bl) } switch (bi->bi_type) { + case BL_ABUSE: + /* + * If the application has signaled abusive behavior, + * set the number of fails to be one less than the + * configured limit. Fallthrough to the normal BL_ADD + * processing, which will increment the failure count + * to the threshhold, and block the abusive address. + */ + if (c.c_nfail != -1) + dbi.count = c.c_nfail - 1; + /*FALLTHROUGH*/ case BL_ADD: dbi.count++; dbi.last = ts.tv_sec; @@ -249,6 +260,9 @@ process(bl_t bl) dbi.count = 0; dbi.last = 0; break; + case BL_BADUSER: + /* ignore for now */ + break; default: (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } Modified: stable/11/contrib/blacklist/include/bl.h ============================================================================== --- stable/11/contrib/blacklist/include/bl.h Fri May 26 13:09:16 2017 (r318949) +++ stable/11/contrib/blacklist/include/bl.h Fri May 26 15:13:46 2017 (r318950) 
@@ -40,7 +40,9 @@ typedef enum { BL_INVALID, BL_ADD, - BL_DELETE + BL_DELETE, + BL_ABUSE, + BL_BADUSER } bl_type_t; typedef struct { Modified: stable/11/contrib/blacklist/include/blacklist.h ============================================================================== --- stable/11/contrib/blacklist/include/blacklist.h Fri May 26 13:09:16 2017 (r318949) +++ stable/11/contrib/blacklist/include/blacklist.h Fri May 26 15:13:46 2017 (r318950) @@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, i const struct sockaddr *, socklen_t, const char *); __END_DECLS +/* action values for user applications */ +#define BLACKLIST_API_ENUM 1 +enum { + BLACKLIST_AUTH_OK = 0, + BLACKLIST_AUTH_FAIL, + BLACKLIST_ABUSIVE_BEHAVIOR, + BLACKLIST_BAD_USER +}; + #endif /* _BLACKLIST_H */ Modified: stable/11/contrib/blacklist/lib/blacklist.c ============================================================================== --- stable/11/contrib/blacklist/lib/blacklist.c Fri May 26 13:09:16 2017 (r318949) +++ stable/11/contrib/blacklist/lib/blacklist.c Fri May 26 15:13:46 2017 (r318950) 
@@ -61,7 +61,27 @@ int blacklist_sa_r(struct blacklist *bl, int action, int rfd, const struct sockaddr *sa, socklen_t slen, const char *msg) { - return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg); + int internal_action; + + /* internal values are not the same as user application values */ + switch (action) { + case BLACKLIST_AUTH_FAIL: + internal_action = BL_ADD; + break; + case BLACKLIST_AUTH_OK: + internal_action = BL_DELETE; + break; + case BLACKLIST_ABUSIVE_BEHAVIOR: + internal_action = BL_ABUSE; + break; + case BLACKLIST_BAD_USER: + internal_action = BL_BADUSER; + break; + default: + internal_action = BL_INVALID; + break; + } + return bl_send(bl, internal_action, rfd, sa, slen, msg); } int Modified: stable/11/contrib/blacklist/lib/libblacklist.3 ============================================================================== --- stable/11/contrib/blacklist/lib/libblacklist.3 Fri May 26 13:09:16 2017 (r318949) +++ stable/11/contrib/blacklist/lib/libblacklist.3 Fri May 26 15:13:46 2017 (r318950) @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 22, 2015 +.Dd May 5, 2017 .Dt LIBBLACKLIST 3 .Os .Sh NAME @@ -76,13 +76,9 @@ The .Fn blacklist function sends a message to .Xr blacklistd 8 , -with an +with an integer .Ar action -argument specifying -.Dv 1 -for a failed connection or -.Dv 0 -for a successful connection, +argument specifying the type of notification, a file descriptor .Ar fd specifying the accepted file descriptor connected to the client, 
@@ -91,6 +87,30 @@ and an optional message in the argument. .Pp The +.Ar action +parameter can take these values: +.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR" +.It Va BLACKLIST_AUTH_FAIL +There was an unsuccessful authentication attempt. +.It Va BLACKLIST_AUTH_OK +A user successfully authenticated. +.It Va BLACKLIST_ABUSIVE_BEHAVIOR +The sending daemon has detected abusive behavior +from the remote system. The remote address should +be blocked as soon as possible. +.It Va BLACKLIST_BAD_USER +The sending daemon has determined the username +presented for authentication is invalid. The +.Xr blacklistd 8 +daemon compares the username to a configured list of forbidden +usernames and +blocks the address immediately if a forbidden username matches. +(The +.Ar BLACKLIST_BAD_USER +support is not currently available.) +.El +.Pp +The .Fn blacklist_r function is more efficient because it keeps the blacklist state around. .Pp @@ -102,8 +122,13 @@ functions can be used with unconnected s .Xr getpeername 2 will not work, the server will pass the peer name in the message. .Pp -All functions log errors to -.Xr syslogd 8 . +By default, +.Xr syslogd 8 +is used for message logging. +The internal +.Fn bl_create +function can be used to create the required internal +state and specify a custom logging function. .Sh RETURN VALUES The function .Fn blacklist_open
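Review bot: In the BL_ABUSE case added to process() in blacklistd.c, the `if (c.c_nfail != -1)` guard means that when no limit is configured the abuse notification degrades to an ordinary BL_ADD (the count goes up by one), so the "blocked as soon as possible" promise the man page hunk makes for BLACKLIST_ABUSIVE_BEHAVIOR only holds when c_nfail is set; either document that an explicit limit is required for abuse reports to take immediate effect, or have the abuse path force the block regardless of c_nfail. It is also worth confirming that the config parser rejects a c_nfail of 0, since `dbi.count = c.c_nfail - 1` would then store -1 before the increment. Minor: "threshhold" in the comment should be "threshold".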
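Review bot: The new BL_BADUSER case in process() drops the message silently (`/* ignore for now */`). Since the man page hunk tells application authors that the daemon compares the username against a forbidden list, a LOG_DEBUG line through (*lfun), which the same switch already uses for the unknown-message case, would let an operator see that bad-username reports are arriving but not acted on, and would make it clear from the logs that the feature is unimplemented rather than misconfigured.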
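Review bot: Appending BL_ABUSE and BL_BADUSER after BL_DELETE in bl_type_t keeps the existing wire values stable, which is the right call, but a libblacklist built from this revision talking to an older blacklistd will have its abuse and bad-user messages land in the daemon's `default:` branch and be logged as "unknown message". A comment in bl.h stating that this enum is the library-to-daemon wire protocol and that new values must only be appended would help the next person who touches it.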
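Review bot: `BLACKLIST_API_ENUM` is defined in blacklist.h without a comment and is not mentioned in libblacklist.3; if it is meant as a feature-test macro so applications can write `#ifdef BLACKLIST_API_ENUM` to tell the new symbolic actions apart from the old 0/1 convention, say so next to the define and in the man page. The chosen values (BLACKLIST_AUTH_OK = 0, BLACKLIST_AUTH_FAIL = 1) preserve the previous `action ? BL_ADD : BL_DELETE` meaning for those two cases, which belongs in the same comment.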
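Review bot: In blacklist_sa_r(), the `default:` branch now sends BL_INVALID to the daemon where the removed line treated any non-zero action as BL_ADD, so an application that passed, say, 2 under the old convention changes behaviour from "count a failure" to "log an error in blacklistd". Rejecting an out-of-range action locally (return -1 with errno set to EINVAL, without calling bl_send) would surface the caller's bug in the application itself instead of as "unknown message" entries in the daemon's log.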
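Review bot: In the new .Bl list in libblacklist.3 the items are introduced with .Va, but the parenthetical refers to `.Ar BLACKLIST_BAD_USER`; use .Va there as well, since the action constants are values rather than arguments. The BLACKLIST_BAD_USER entry also describes blacklistd comparing the username against a configured list and blocking immediately, while the blacklistd.c hunk simply ignores BL_BADUSER; wording it as "blacklistd currently ignores this notification; a future version is expected to compare the username against a configured list" would keep the man page from describing configuration that does not yet exist.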
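Review bot: The last libblacklist.3 hunk documents "the internal .Fn bl_create function" as the way to supply a custom logging function; documenting a function labelled internal in the public man page invites applications to depend on it. Either declare it part of the supported API (with its prototype in the SYNOPSIS) or keep the note but state that bl_create is not a stable interface.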
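As an added example (not blacklistd's or libblacklist's own code), the following C program models the per-address failure counter that the log message describes: a failed authentication adds one, a success resets to zero, and the new abuse notification jumps the counter to the configured limit so the address is blocked in a single step. The bl_type_t and BLACKLIST_* names follow the headers in this commit; the `struct host` record, the `simulate()` script helper, the 192.0.2.10 sample address and the reading of nfail == -1 as "no limit configured" are assumptions made for the example.

```c
/*
 * Added example, not code from the FreeBSD blacklist sources: a model of the
 * per-address failure counter described in the commit message.
 * Assumptions: struct host, simulate(), the sample address and the meaning
 * of nfail == -1 ("no limit configured") are constructed for this example.
 */
#include <stdbool.h>
#include <stdio.h>

/* Internal wire types, as in contrib/blacklist/include/bl.h after this commit. */
typedef enum { BL_INVALID, BL_ADD, BL_DELETE, BL_ABUSE, BL_BADUSER } bl_type_t;

/* Application-facing actions, as in contrib/blacklist/include/blacklist.h. */
enum {
    BLACKLIST_AUTH_OK = 0,
    BLACKLIST_AUTH_FAIL,
    BLACKLIST_ABUSIVE_BEHAVIOR,
    BLACKLIST_BAD_USER
};

/* Per-remote-address state kept by the daemon (constructed for this example). */
struct host {
    char addr[64];   /* remote address the counter belongs to */
    int  count;      /* failed attempts recorded so far */
    bool blocked;    /* set once count reaches the configured limit */
    int  invalid;    /* messages the daemon did not understand */
};

/* Library side: map an application action to a wire type, as blacklist_sa_r() does. */
bl_type_t map_action(int action)
{
    switch (action) {
    case BLACKLIST_AUTH_FAIL:        return BL_ADD;
    case BLACKLIST_AUTH_OK:          return BL_DELETE;
    case BLACKLIST_ABUSIVE_BEHAVIOR: return BL_ABUSE;
    case BLACKLIST_BAD_USER:         return BL_BADUSER;
    default:                         return BL_INVALID;
    }
}

/*
 * Daemon side: apply one notification to a host's counter. nfail is the
 * configured failure limit; -1 is read as "no limit configured" (assumption).
 * Returns false for a message type the daemon does not know.
 */
bool process_message(struct host *h, bl_type_t type, int nfail)
{
    switch (type) {
    case BL_ABUSE:
        /* Jump to one below the limit, then fall through so the ordinary
         * increment reaches the threshold in one step. With no limit
         * configured this degrades to a plain BL_ADD. */
        if (nfail != -1)
            h->count = nfail - 1;
        /* FALLTHROUGH */
    case BL_ADD:
        h->count++;
        if (nfail != -1 && h->count >= nfail)
            h->blocked = true;
        return true;
    case BL_DELETE:
        h->count = 0;              /* successful auth clears the counter */
        return true;
    case BL_BADUSER:
        return true;               /* accepted but not acted upon */
    default:
        fprintf(stderr, "unknown message %d\n", (int)type);
        return false;
    }
}

/* Script letters: F = auth fail, O = auth ok, A = abuse, B = bad user,
 * anything else = an out-of-range action that exercises the BL_INVALID path. */
static int action_from_char(char c)
{
    switch (c) {
    case 'F': return BLACKLIST_AUTH_FAIL;
    case 'O': return BLACKLIST_AUTH_OK;
    case 'A': return BLACKLIST_ABUSIVE_BEHAVIOR;
    case 'B': return BLACKLIST_BAD_USER;
    default:  return 99;
    }
}

/* Feed a scripted sequence of application actions to a fresh host record. */
struct host simulate(const char *script, int nfail)
{
    struct host h = { "192.0.2.10", 0, false, 0 }; /* constructed sample address */
    for (const char *p = script; *p != '\0'; p++) {
        if (!process_message(&h, map_action(action_from_char(*p)), nfail))
            h.invalid++;
    }
    return h;
}

int main(void)
{
    const char *scripts[] = { "FFOF", "FFF", "A", "A", "B" };
    const int limits[] = { 3, 3, 3, -1, 3 };
    for (size_t i = 0; i < sizeof scripts / sizeof scripts[0]; i++) {
        struct host h = simulate(scripts[i], limits[i]);
        printf("%-4s limit=%2d -> count=%d blocked=%s\n",
               scripts[i], limits[i], h.count, h.blocked ? "yes" : "no");
    }
    return 0;
}
```

The case to notice is the last abuse run with no limit configured: there an abuse report behaves exactly like a single failed login, which is what the `c.c_nfail != -1` guard in the daemon hunk implies.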