
blacklist: Adapt NetBSD's probes and changes to OpenSSH
Needs ReviewPublic

Authored by jlduran on Tue, Mar 25, 10:07 PM.
Details

Reviewers
emaste
dch
Summary

Switch to using NetBSD's probe locations; there is no reason to have
these in different places. We have already submitted all probes that
were better placed or missing. The locations of these probes are a
moving target, depending on upstream OpenSSH changes; having them in
sync with upstream blocklistd should facilitate upgrades and
maintenance.

Also, exclusively use BLACKLIST_AUTH_FAIL for now. Upstream recently
changed the API and implemented BLACKLIST_BAD_USER, making it count as
one failure, and BLACKLIST_AUTH_FAIL as two failures. When this change
comes in, we'll change all actions to BLACKLIST_BAD_USER.

Also, set blacklist notify messages to be more descriptive; this
facilitates tracking the right probe when debugging.

It is worth noting that NetBSD switched to using vsyslog_ss(3)[1]; this
is an interesting move to pursue as well, to reduce the future chances
of [2].

[1]: https://github.com/NetBSD/src/commit/01636416235e7bcbfc829d372cfadd1cfd5494f8
[2]: https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

I also don't know if there is a trailer for that, but I think it is appropriate to write a few words thanking cperciva for the donation of cloud resources. That allowed us to test and discover a few missing probes, by exposing these ports to the public and examining the logs.

Update patch, upstream has already accepted our fixes.

Update patch, upstream has accepted our fixes.

crypto/openssh/packet.c:2025

This probe is actually reinstated in the following review. It has not yet been submitted upstream.

crypto/openssh/blacklist.c:102