From nobody Mon Apr 17 23:42:32 2023 X-Original-To: questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q0kBF3fsvz45Mk9 for ; Mon, 17 Apr 2023 23:42:45 +0000 (UTC) (envelope-from bc979@lafn.org) Received: from mail.sermon-archive.info (sermon-archive.info [47.181.130.121]) by mx1.freebsd.org (Postfix) with ESMTP id 4Q0kBD4lgSz3QFc for ; Mon, 17 Apr 2023 23:42:44 +0000 (UTC) (envelope-from bc979@lafn.org) Authentication-Results: mx1.freebsd.org; dkim=none; spf=pass (mx1.freebsd.org: domain of bc979@lafn.org designates 47.181.130.121 as permitted sender) smtp.mailfrom=bc979@lafn.org; dmarc=none Received: from smtpclient.apple (mini [10.0.1.251]) by mail.sermon-archive.info (Postfix) with ESMTPSA id 4Q0kBC0y9Xz2gF98 for ; Mon, 17 Apr 2023 16:42:43 -0700 (PDT) From: Doug Hardie Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\)) Subject: Re: Blacklistd Issues - Problem Identified Date: Mon, 17 Apr 2023 16:42:32 -0700 References: <8B1C1DCE-75CA-4CE9-A589-329519FB792E@sermon-archive.info> To: questions@freebsd.org In-Reply-To: <8B1C1DCE-75CA-4CE9-A589-329519FB792E@sermon-archive.info> Message-Id: <4E4A4B99-D8DF-4C5C-9700-C56F354A9991@sermon-archive.info> X-Mailer: Apple Mail (2.3731.400.51.1.1) X-Virus-Scanned: clamav-milter 1.0.1 at mail X-Virus-Status: Clean X-Spamd-Result: default: False [-2.69 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-0.999]; NEURAL_HAM_SHORT(-0.99)[-0.990]; MV_CASE(0.50)[]; R_SPF_ALLOW(-0.20)[+mx]; RCVD_NO_TLS_LAST(0.10)[]; MIME_GOOD(-0.10)[text/plain]; MLMMJ_DEST(0.00)[questions@freebsd.org]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; R_DKIM_NA(0.00)[]; DMARC_NA(0.00)[lafn.org: no valid DMARC record]; RCVD_VIA_SMTP_AUTH(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; FROM_HAS_DN(0.00)[]; ARC_NA(0.00)[]; ASN(0.00)[asn:5650, ipnet:47.181.128.0/18, country:US]; TO_MATCH_ENVRCPT_ALL(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org]; TO_DN_NONE(0.00)[]; RCVD_COUNT_TWO(0.00)[2] X-Rspamd-Queue-Id: 4Q0kBD4lgSz3QFc X-Spamd-Bar: -- X-ThisMailContainsUnwantedMimeParts: N > On Apr 17, 2023, at 15:32, Doug Hardie wrote: >=20 >> On Apr 17, 2023, at 13:38, Doug Hardie wrote: >>=20 >> I have been implementing blacklistd. It works fine with postfix and = my web server. However, sshd is not working. I have enabled the = UseBlacklistd configuration line. However, no amount of invalid = id/passwords generate an entry in either blacklistd or pf. Running = ktrace with invalid web requests on blacklistd shows that it obtains the = endpoints properly and calls the helper to do the work. However, when = sending invalid id/passwords via ssh, blacklistd does receive the proper = packets from sshd and it obtains the endpoints, but just ends. It never = calls the helper. I have the entry in blacklistd.conf for that port, = and blacklistd has been restarted many times. Any ideas what I need to = do to get blacklistd to record the calls. There is no table in pf for = that port. However, it appears there needs to be at least one call to = make the table appear. >=20 > Additional information. I set debug mode in blacklistd and send an = invalid ssh login: >=20 > processing type=3D4 fd=3D6 remote=3D10.0.1.6:52462 msg=3D,.lklkj uid=3D0= gid=3D0 > listening socket: 10.0.1.235:xx > look: target:10.0.1.235:xx, proto:6, family:2, uid:0, name:=3D, = nfail:*, duration:* > check: target:8001, proto:6, family:*, uid:*, name:*, nfail:2, = duration:300 > check: target:8000, proto:6, family:*, uid:*, name:*, nfail:2, = duration:300 > check: target:587, proto:6, family:*, uid:*, name:*, nfail:3, = duration:300 > check: target:xx, proto:6, family:*, uid:*, name:*, nfail:2, = duration:300 > found: target:xx, proto:6, family:*, uid:*, name:*, nfail:2, = duration:300 > conf_apply: merge: target:xx, proto:6, family:*, uid:*, name:*, = nfail:2, duration:300 > conf_apply: to: target:10.0.1.235:xx, proto:6, family:2, uid:0, = name:=3D, nfail:*, duration:* > conf_apply: result: target:10.0.1.235:xx, proto:6, family:2, uid:*, = name:*, nfail:2, duration:300 > Applied address 10.0.1.6:xx > Applied address 10.0.1.6:xx > process: initial db state for 10.0.1.6:52462: count=3D0/2 = last=3D1969/12/31 16:00:00 now=3D2023/04/17 15:04:00 > process: final db state for 10.0.1.6:52462: count=3D0/2 = last=3D1969/12/31 16:00:00 now=3D2023/04/17 15:04:00 >=20 > Blacklistd finds the proper ssh entry (port xx - it's not 22). It = does not change the state of that entry though. Running with debug for = an invalid web URL yields basically the same information except that the = initial state show a count and last time. The final state shows the = count incremented. When the web invalid URL count exceeds the = threshold, I do see an entry for "add returns OK". I don't see that for = SSH regardless of the number of attempts. After digging through the code for blacklistd I find that postfix and my = web server call blacklistd with a type of 1 (BL_ADD) and sure enough, = blacklistd calls the helper to add the pf rule. However. sshd calls = with type 4 (BL_BADUSER) and there is a note in the handling of that = type that says "Ignore for now". And that it does, i.e., nothing. So = the problem is in sshd using a type that is not implemented, or in = backlistd which does not implement the BADUSER type. I wonder if = Release 13.2 will fix either of those. -- Doug