
blacklist: Adapt NetBSD's probes and changes to OpenSSH
Needs ReviewPublic

Authored by jlduran on Mar 25 2025, 10:07 PM.
Tags
None
Details

Reviewers
emaste
dch
Summary

Switch to using NetBSD's probe locations; there is no reason to have
these in different places. We have already submitted all probes that
were better placed or missing. The locations of these probes are a
moving target, depending on upstream OpenSSH changes; having them in
sync with upstream blocklistd should facilitate upgrades and
maintenance.

Also, exclusively use BLACKLIST_AUTH_FAIL for now. Upstream recently
changed the API and implemented BLACKLIST_BAD_USER, making it count as a
one-failure count, and BLACKLIST_AUTH_FAIL as a two-failure count. When
this change comes in, we'll change all actions to BLACKLIST_BAD_USER.

Also, set blacklist notify messages to be more descriptive; this
facilitates tracking the right probe when debugging.

It is worth noting that NetBSD switched to using vsyslog_ss(3)[1]; this
is an interesting move to pursue as well, to reduce the future chances
of [2].

[1]: https://github.com/NetBSD/src/commit/01636416235e7bcbfc829d372cfadd1cfd5494f8
[2]: https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc
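As an added illustration of the weighted counting the summary describes (BLACKLIST_BAD_USER counting as one failure, BLACKLIST_AUTH_FAIL as two), the following stand-alone C model is example code written for this page; it is not part of this review, libblacklist or blocklistd. The action values, the `nfail` threshold name, the reset-on-AUTH_OK behaviour and the 192.0.2.10 address are local assumptions made for the illustration, and the per-action weights follow only what the summary states about the upstream change.

```c
/* Added example: a stand-alone model of per-address weighted failure
 * counting, following the review summary's description of the upstream
 * blocklistd change (BAD_USER = 1, AUTH_FAIL = 2). Illustrative code only;
 * not libblacklist or blocklistd. */
#include <stdio.h>
#include <string.h>

/* Action codes modelled on libblacklist's names; the numeric values are
 * local assumptions, not the library's. */
enum action { ACT_AUTH_OK = 0, ACT_AUTH_FAIL = 1, ACT_BAD_USER = 4 };

#define MAX_ENTRIES 16
#define ADDR_LEN 64

struct entry {
    char addr[ADDR_LEN];
    int count;      /* weighted failure count for this address */
    int blocked;    /* 1 once count reached the table's nfail */
};

struct table {
    struct entry e[MAX_ENTRIES];
    int n;
    int nfail;      /* block threshold (assumed, in the spirit of a blocklistd.conf nfail column) */
};

static void table_init(struct table *t, int nfail)
{
    memset(t, 0, sizeof *t);
    t->nfail = nfail;
}

/* Find or create the entry for addr; NULL if the fixed-size table is full. */
static struct entry *lookup(struct table *t, const char *addr)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].addr, addr) == 0)
            return &t->e[i];
    if (t->n == MAX_ENTRIES)
        return NULL;
    struct entry *e = &t->e[t->n++];
    snprintf(e->addr, sizeof e->addr, "%s", addr);
    return e;
}

/* Weight per action, as the summary states upstream now counts them. */
static int weight(enum action a)
{
    switch (a) {
    case ACT_BAD_USER:  return 1;
    case ACT_AUTH_FAIL: return 2;
    default:            return 0;
    }
}

/* Process one notification. The msg is the descriptive text the summary
 * wants attached to each probe, logged here so a debugger can see which
 * probe fired. Returns 1 if addr is now blocked, 0 if not, -1 if table full. */
static int notify(struct table *t, enum action a, const char *addr, const char *msg)
{
    struct entry *e = lookup(t, addr);
    if (e == NULL)
        return -1;
    if (a == ACT_AUTH_OK) {         /* assumption: a success clears the counter */
        e->count = 0;
        e->blocked = 0;
        return 0;
    }
    e->count += weight(a);
    if (e->count >= t->nfail)
        e->blocked = 1;
    printf("%s: %s (weight %d, count %d/%d)%s\n", addr, msg, weight(a),
           e->count, t->nfail, e->blocked ? " -> BLOCKED" : "");
    return e->blocked;
}

/* How many notifications of one action it takes to block a fresh address
 * at a given nfail; -1 if 100 notifications never block it. */
static int attempts_to_block(int nfail, enum action a)
{
    struct table t;
    table_init(&t, nfail);
    for (int i = 1; i <= 100; i++)
        if (notify(&t, a, "192.0.2.10", "constructed probe") == 1)  /* constructed address */
            return i;
    return -1;
}

int main(void)
{
    printf("nfail=3: AUTH_FAIL blocks after %d notifications, BAD_USER after %d\n",
           attempts_to_block(3, ACT_AUTH_FAIL), attempts_to_block(3, ACT_BAD_USER));
    return 0;
}
```

The point the model makes concrete is the one behind "exclusively use BLACKLIST_AUTH_FAIL for now": with the same threshold, an address reporting AUTH_FAIL is blocked after fewer notifications than one reporting BAD_USER, so switching probes to BAD_USER before the daemon side understands the new weights would make blocking slower, not equivalent.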

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

I also don't know if there is a trailer for that, but I think it is appropriate to write a few words thanking cperciva for the donation of cloud resources. That allowed us to test and discover a few missing probes, by exposing these ports to the public and examining the logs.

Update patch; upstream has already accepted our fixes.

Update patch; upstream has accepted our fixes.

crypto/openssh/packet.c
2025

This probe is actually reinstated in the following review. It has not yet been submitted upstream.

crypto/openssh/blacklist.c
102