[Bug 241917] blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
bugzilla-noreply at freebsd.org
Tue Nov 12 15:18:31 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241917
Bug ID: 241917
Summary: blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
Product: Base System
Version: 12.1-RELEASE
Hardware: amd64
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: bin
Assignee: bugs at FreeBSD.org
Reporter: sebastian.wyder at me.com
blacklistd (or sshd) seems to not count failed sshd login attempts which failed
the reverse mapping check of sshd.
As you can see by looking at the following examples, the failed login attempts
from IP 171.251.29.248 that failed the reverse mapping check do not end up in
blacklistd's table.
Example from /var/log/auth.log:
Nov 12 15:31:38 neptun sshd[7737]: Invalid user ching from 203.232.210.195 port 45908
Nov 12 15:31:38 neptun sshd[7737]: Failed unknown for invalid user ching from 203.232.210.195 port 45908 ssh2
Nov 12 15:31:38 neptun sshd[7737]: user NOUSER login class [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Received disconnect from 203.232.210.195 port 45908:11: Bye Bye [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Disconnected from invalid user ching 203.232.210.195 port 45908 [preauth]
Nov 12 15:31:43 neptun sshd[7747]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:31:48 neptun sshd[7747]: user root login class [preauth]
Nov 12 15:31:48 neptun sshd[7747]: Connection closed by authenticating user root 171.251.29.248 port 55562 [preauth]
Nov 12 15:44:25 neptun sshd[7917]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:44:30 neptun sshd[7917]: user root login class [preauth]
Nov 12 15:44:30 neptun sshd[7917]: Connection closed by authenticating user root 171.251.29.248 port 51998 [preauth]
Nov 12 15:48:39 neptun sshd[7921]: reverse mapping checking getaddrinfo for r-dfa.uhu.es [150.214.168.161] failed.
Nov 12 15:48:40 neptun sshd[7921]: user root login class [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Received disconnect from 150.214.168.161 port 43510:11: Normal Shutdown, Thank you for playing [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Disconnected from authenticating user root 150.214.168.161 port 43510 [preauth]
Nov 12 15:52:47 neptun sshd[7925]: user root login class [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Received disconnect from 192.144.164.167 port 36350:11: Bye Bye [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Disconnected from authenticating user root 192.144.164.167 port 36350 [preauth]
Nov 12 15:54:46 neptun sshd[7927]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:54:48 neptun sshd[7927]: Invalid user test from 171.251.29.248 port 18776
Nov 12 15:54:48 neptun sshd[7927]: Failed unknown for invalid user test from 171.251.29.248 port 18776 ssh2
Nov 12 15:54:48 neptun sshd[7927]: user NOUSER login class [preauth]
Nov 12 15:54:48 neptun sshd[7927]: Connection closed by invalid user test 171.251.29.248 port 18776 [preauth]
Nov 12 16:08:18 neptun sshd[7980]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 16:08:24 neptun sshd[7980]: Invalid user tmax from 171.251.29.248 port 63488
Nov 12 16:08:24 neptun sshd[7980]: Failed unknown for invalid user tmax from 171.251.29.248 port 63488 ssh2
Nov 12 16:08:24 neptun sshd[7980]: user NOUSER login class [preauth]
Nov 12 16:08:25 neptun sshd[7980]: Connection closed by invalid user tmax 171.251.29.248 port 63488 [preauth]
Example output from `blacklistctl dump -a`:
address/ma:port          id  nfail  last access
83.142.110.41/32:22          1/3    2019/11/12 14:40:44
203.232.210.195/32:22        1/3    2019/11/12 15:31:38
14.225.3.47/32:22            1/3    2019/11/12 14:47:11
106.54.95.188/32:22          1/3    2019/11/12 14:16:38
2.139.215.255/32:22          1/3    2019/11/12 14:29:34
164.132.81.106/32:22         1/3    2019/11/12 15:06:29
192.144.164.167/32:22        1/3    2019/11/12 15:52:47
51.83.78.56/32:22            1/3    2019/11/12 14:23:44
103.76.22.115/32:22          1/3    2019/11/12 14:49:15
81.246.190.95/32:22          1/3    2019/11/12 15:22:22
150.214.168.161/32:22        1/3    2019/11/12 15:48:40
175.213.185.129/32:22        1/3    2019/11/12 14:49:57
36.66.149.211/32:22          1/3    2019/11/12 15:06:02
68.251.142.26/32:22          1/3    2019/11/12 13:54:48
108.161.129.25/32:22         2/3    2019/11/12 14:52:51
--
You are receiving this mail because:
You are the assignee for the bug.
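
To check another host for the same gap, the cross-check the report does by eye can be scripted. The following is an added example, not part of the bug report or of FreeBSD's code; it assumes the auth.log and `blacklistctl dump -a` formats shown above (empty id column), and its function names are illustrative.

```python
import re

# Excerpt of the report's auth.log and `blacklistctl dump -a` output, unwrapped.
LOG = """\
Nov 12 15:31:38 neptun sshd[7737]: Disconnected from invalid user ching 203.232.210.195 port 45908 [preauth]
Nov 12 15:31:43 neptun sshd[7747]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:31:48 neptun sshd[7747]: Connection closed by authenticating user root 171.251.29.248 port 55562 [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Disconnected from authenticating user root 150.214.168.161 port 43510 [preauth]
Nov 12 15:54:46 neptun sshd[7927]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:54:48 neptun sshd[7927]: Connection closed by invalid user test 171.251.29.248 port 18776 [preauth]
"""
DUMP = """\
address/ma:port id nfail last access
203.232.210.195/32:22 1/3 2019/11/12 15:31:38
150.214.168.161/32:22 1/3 2019/11/12 15:48:40
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Last line sshd logs for a session that ended before authentication succeeded.
END_RE = re.compile(r"sshd\[(\d+)\]: (?:Connection closed by|Disconnected from) "
                    r"(?:authenticating|invalid) user \S+ " + IP + r" port \d+ \[preauth\]")
# PID of a session for which the reverse mapping check failed.
RDNS_RE = re.compile(r"sshd\[(\d+)\]: reverse mapping checking getaddrinfo for \S+ \[[\d.]+\] failed")
# Table row: address/mask:port, then nfail as count/limit (id column empty).
ROW_RE = re.compile(r"^\s*" + IP + r"/\d+:\d+\s+(\d+)/\d+\s", re.M)

def failed_sessions(log_text):
    """Map source IP -> set of sshd PIDs whose session ended in preauth."""
    out = {}
    for pid, ip in END_RE.findall(log_text):
        out.setdefault(ip, set()).add(pid)
    return out

def tracked(dump_text):
    """Map IP -> nfail count recorded by blacklistd."""
    return {ip: int(n) for ip, n in ROW_RE.findall(dump_text)}

def untracked(log_text, dump_text):
    """IPs with failed sessions but no table entry ->
    (failed sessions, how many of those logged a reverse mapping failure)."""
    table, rdns = tracked(dump_text), set(RDNS_RE.findall(log_text))
    return {ip: (len(pids), len(pids & rdns))
            for ip, pids in failed_sessions(log_text).items() if ip not in table}

if __name__ == "__main__":
    print(untracked(LOG, DUMP))
```

On a live system, pass the contents of /var/log/auth.log and the captured output of `blacklistctl dump -a` instead of the embedded excerpts.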