diff --git a/contrib/blacklist/bin/blacklistd.8 b/contrib/blacklist/bin/blacklistd.8 index ec7f8b429d9d..82e1f15f61c9 100644 --- a/contrib/blacklist/bin/blacklistd.8 +++ b/contrib/blacklist/bin/blacklistd.8 @@ -1,248 +1,284 @@ -.\" $NetBSD: blacklistd.8,v 1.18 2016/07/30 06:09:29 dholland Exp $ +.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This code is derived from software contributed to The NetBSD Foundation .\" by Christos Zoulas. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd October 5, 2018 +.Dd April 21, 2020 .Dt BLACKLISTD 8 .Os .Sh NAME .Nm blacklistd .Nd block and release ports on demand to avoid DoS abuse .Sh SYNOPSIS .Nm .Op Fl dfrv .Op Fl C Ar controlprog .Op Fl c Ar configfile .Op Fl D Ar dbfile .Op Fl P Ar sockpathsfile .Op Fl R Ar rulename .Op Fl s Ar sockpath .Op Fl t Ar timeout .Sh DESCRIPTION .Nm is a daemon similar to .Xr syslogd 8 that listens to sockets at paths specified in the .Ar sockpathsfile for notifications from other daemons about successful or failed connection attempts. If no such file is specified, then it only listens to the socket path specified by .Ar sockspath or if that is not specified to .Pa /var/run/blacklistd.sock . Each notification contains an (action, port, protocol, address, owner) tuple that identifies the remote connection and the action. This tuple is consulted against entries in .Ar configfile with syntax specified in .Xr blacklistd.conf 5 . If an entry is matched, a state entry is created for that tuple. Each entry contains a number of tries limit and a duration. .Pp +The way +.Nm +does configuration entry matching is by having the client side pass the +file descriptor associated with the connection the client wants to blacklist +as well as passing socket credentials. +.Pp +The file descriptor is used to retrieve information (address and port) +about the remote side with +.Xr getpeername 2 +and the local side with +.Xr getsockname 2 . +.Pp +By examining the port of the local side, +.Nm +can determine if the client program +.Dq owns +the port. +By examining the optional address portion on the local side, it can match +interfaces. +By examining the remote address, it can match specific allow or deny rules. +.Pp +Finally +.Nm +can examine the socket credentials to match the user in the configuration file. +.Pp +While this works well for TCP sockets, it cannot be relied on for unbound +UDP sockets. +It is also less meaningful when it comes to connections using non-privileged +ports. +On the other hand, if we receive a request that has a local endpoint indicating +a UDP privileged port, we can presume that the client was privileged to be +able to acquire that port. +.Pp +Once an entry is matched +.Nm +can perform various actions. If the action is .Dq add and the number of tries limit is reached, then a control script .Ar controlprog is invoked with arguments: .Bd -literal -offset indent control add
.Ed .Pp and should invoke a packet filter command to block the connection specified by the arguments. The .Ar rulename argument can be set from the command line (default .Dv blacklistd ) . The script could print a numerical id to stdout as a handle for the rule that can be used later to remove that connection, but that is not required as all information to remove the rule is kept. .Pp If the action is -.Dq remove +.Dq rem Then the same control script is invoked as: .Bd -literal -offset indent -control remove
+control rem
.Ed .Pp where .Ar id is the number returned from the .Dq add action. .Pp .Nm maintains a database of known connections in .Ar dbfile . On startup it reads entries from that file, and updates its internal state. .Pp .Nm checks the list of active entries every .Ar timeout seconds (default .Dv 15 ) and removes entries and block rules using the control program as necessary. .Pp The following options are available: .Bl -tag -width indent .It Fl C Ar controlprog Use .Ar controlprog to communicate with the packet filter, usually .Pa /usr/libexec/blacklistd-helper . The following arguments are passed to the control program: .Bl -tag -width protocol .It action The action to perform: .Dv add , .Dv rem , or .Dv flush to add, remove or flush a firewall rule. .It name The rule name. .It protocol The optional protocol name (can be empty): .Dv tcp , .Dv tcp6 , .Dv udp , .Dv udp6 . .It address The IPv4 or IPv6 numeric address to be blocked or released. .It mask The numeric mask to be applied to the blocked or released address .It port The optional numeric port to be blocked (can be empty). .It id For packet filters that support removal of rules by rule identifier, the identifier of the rule to be removed. The add command is expected to return the rule identifier string to stdout. .El .It Fl c Ar configuration The name of the configuration file to read, usually .Pa /etc/blacklistd.conf . .It Fl D Ar dbfile The Berkeley DB file where .Nm stores its state, usually .Pa /var/db/blacklistd.db . .It Fl d Normally, .Nm disassociates itself from the terminal unless the .Fl d flag is specified, in which case it stays in the foreground. .It Fl f Truncate the state database and flush all the rules named .Ar rulename are deleted by invoking the control script as: .Bd -literal -offset indent control flush .Ed .It Fl P Ar sockspathsfile A file containing a list of pathnames, one per line that .Nm will create sockets to listen to. This is useful for chrooted environments. .It Fl R Ar rulename Specify the default rule name for the packet filter rules, usually .Dv blacklistd . .It Fl r Re-read the firewall rules from the internal database, then remove and re-add them. This helps for packet filters that do not retain state across reboots. .It Fl s Ar sockpath Add .Ar sockpath to the list of Unix sockets .Nm listens to. .It Fl t Ar timeout The interval in seconds .Nm polls the state file to update the rules. .It Fl v Cause .Nm to print diagnostic messages to .Dv stdout instead of .Xr syslogd 8 . .El .Sh SIGNAL HANDLING .Nm deals with the following signals: .Bl -tag -width "USR2" -.It HUP +.It Dv HUP Receipt of this signal causes .Nm to re-read the configuration file. -.It INT, TERM & QUIT +.It Dv INT , Dv TERM & Dv QUIT These signals tell .Nm to exit in an orderly fashion. -.It USR1 +.It Dv USR1 This signal tells .Nm to increase the internal debugging level by 1. -.It USR2 +.It Dv USR2 This signal tells .Nm to decrease the internal debugging level by 1. .El .Sh FILES .Bl -tag -width /usr/libexec/blacklistd-helper -compact .It Pa /usr/libexec/blacklistd-helper Shell script invoked to interface with the packet filter. .It Pa /etc/blacklistd.conf Configuration file. .It Pa /var/db/blacklistd.db Database of current connection entries. .It Pa /var/run/blacklistd.sock Socket to receive connection notifications. .El .Sh SEE ALSO .Xr blacklistd.conf 5 , .Xr blacklistctl 8 , .Xr pfctl 8 , .Xr syslogd 8 .Sh HISTORY .Nm first appeared in .Nx 7 . .Fx support for .Nm was implemented in .Fx 11 . .Sh AUTHORS .An Christos Zoulas diff --git a/contrib/blacklist/bin/blacklistd.conf.5 b/contrib/blacklist/bin/blacklistd.conf.5 index c0e1a2b87380..3a7ecd9be171 100644 --- a/contrib/blacklist/bin/blacklistd.conf.5 +++ b/contrib/blacklist/bin/blacklistd.conf.5 @@ -1,229 +1,229 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $ +.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This code is derived from software contributed to The NetBSD Foundation .\" by Christos Zoulas. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 5, 2017 +.Dd May 18, 2020 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME .Nm blacklistd.conf .Nd configuration file format for blacklistd .Sh DESCRIPTION The .Nm file contains configuration entries for .Xr blacklistd 8 in a fashion similar to .Xr inetd.conf 5 . Only one entry per line is permitted. Every entry must have all fields populated. Each field can be separated by a tab or a space. Comments are denoted by a .Dq # at the beginning of a line. .Pp There are two kinds of configuration lines, .Va local and .Va remote . By default, configuration lines are .Va local , i.e. the address specified refers to the addresses on the local machine. To switch to between .Va local and .Va remote configuration lines you can specify the stanzas: .Dq [local] and .Dq [remote] . .Pp On .Va local and .Va remote lines .Dq * means use the default, or wildcard match. In addition, for .Va remote lines .Dq = means use the values from the matched .Va local configuration line. .Pp The first four fields, .Va location , .Va type , .Va proto , and .Va owner are used to match the .Va local or .Va remote addresses, whereas the last 3 fields .Va name , .Va nfail , and .Va disable are used to modify the filtering action. .Pp The first field denotes the .Va location as an address, mask, and port. The syntax for the .Va location is: .Bd -literal -offset indent [
|][/][:] .Ed .Pp The .Dv address can be an IPv4 address in numeric format, an IPv6 address in numeric format and enclosed by square brackets, or an interface name. Mask modifiers are not allowed on interfaces because interfaces can have multiple addresses in different protocols where the mask has a different size. .Pp The .Dv mask is always numeric, but the .Dv port can be either numeric or symbolic. .Pp The second field is the socket .Va type : .Dv stream , .Dv dgram , or numeric. The third field is the .Va protocol : .Dv tcp , .Dv udp , .Dv tcp6 , .Dv udp6 , or numeric. The fourth field is the effective user .Va ( owner ) of the daemon process reporting the event, either as a username or a userid. .Pp The rest of the fields control the behavior of the filter. .Pp The .Va name field, is the name of the packet filter rule to be used. If the .Va name starts with a .Dq - , then the default rulename is prepended to the given name. If the .Dv name contains a .Dq / , the remaining portion of the name is interpreted as the mask to be applied to the address specified in the rule, causing a single rule violation to block the entire subnet for the configured prefix. .Pp The .Va nfail field contains the number of failed attempts before access is blocked, defaulting to .Dq * meaning never, and the last field .Va disable specifies the amount of time since the last access that the blocking rule should be active, defaulting to .Dq * meaning forever. The default unit for .Va disable is seconds, but one can specify suffixes for different units, such as .Dq m for minutes .Dq h for hours and .Dq d for days. .Pp Matching is done first by checking the .Va local rules individually, in the order of the most specific to the least specific. If a match is found, then the .Va remote rules are applied. The .Va name , .Va nfail , and .Va disable fields can be altered by the .Va remote rule that matched. .Pp The .Va remote -rules can be used for whitelisting specific addresses, changing the mask +rules can be used for allowing specific addresses, changing the mask size, the rule that the packet filter uses, the number of failed attempts, or the block duration. .Sh FILES .Bl -tag -width /etc/blacklistd.conf -compact .It Pa /etc/blacklistd.conf Configuration file. .El .Sh EXAMPLES .Bd -literal -offset 8n # Block ssh, after 3 attempts for 6 hours on the bnx0 interface [local] # location type proto owner name nfail duration bnx0:ssh * * * * 3 6h [remote] # Never block 1.2.3.4 1.2.3.4:ssh * * * * * * # For addresses coming from 8.8.0.0/16 block class C networks instead # individual hosts, but keep the rest of the blocking parameters the same. 8.8.0.0/16:ssh * * * /24 = = .Ed .Sh SEE ALSO .Xr blacklistctl 8 , .Xr blacklistd 8 .Sh HISTORY .Nm first appeared in .Nx 7 . .Fx support for .Nm was implemented in .Fx 11 . .Sh AUTHORS .An Christos Zoulas diff --git a/contrib/blacklist/lib/libblacklist.3 b/contrib/blacklist/lib/libblacklist.3 index aaf809469e6a..146915c8dc31 100644 --- a/contrib/blacklist/lib/libblacklist.3 +++ b/contrib/blacklist/lib/libblacklist.3 @@ -1,157 +1,167 @@ -.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $ +.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This code is derived from software contributed to The NetBSD Foundation .\" by Christos Zoulas. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 5, 2017 +.Dd March 30, 2020 .Dt LIBBLACKLIST 3 .Os .Sh NAME .Nm blacklist_open , .Nm blacklist_close , .Nm blacklist_r , .Nm blacklist , .Nm blacklist_sa , .Nm blacklist_sa_r .Nd Blacklistd notification library .Sh LIBRARY .Lb libblacklist .Sh SYNOPSIS .In blacklist.h .Ft struct blacklist * .Fn blacklist_open "void" .Ft void .Fn blacklist_close "struct blacklist *cookie" .Ft int .Fn blacklist "int action" "int fd" "const char *msg" .Ft int .Fn blacklist_r "struct blacklist *cookie" "int action" "int fd" "const char *msg" .Ft int .Fn blacklist_sa "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg" .Ft int .Fn blacklist_sa_r "struct blacklist *cookie" "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg" .Sh DESCRIPTION These functions can be used by daemons to notify .Xr blacklistd 8 about successful and failed remote connections so that blacklistd can block or release port access to prevent Denial of Service attacks. .Pp The function .Fn blacklist_open creates the necessary state to communicate with .Xr blacklistd 8 and returns a pointer to it, or .Dv NULL on failure. .Pp The .Fn blacklist_close function frees all memory and resources used. .Pp The .Fn blacklist function sends a message to .Xr blacklistd 8 , with an integer .Ar action argument specifying the type of notification, a file descriptor .Ar fd specifying the accepted file descriptor connected to the client, and an optional message in the .Ar msg argument. .Pp The .Ar action parameter can take these values: .Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR" .It Va BLACKLIST_AUTH_FAIL There was an unsuccessful authentication attempt. .It Va BLACKLIST_AUTH_OK A user successfully authenticated. .It Va BLACKLIST_ABUSIVE_BEHAVIOR The sending daemon has detected abusive behavior -from the remote system. The remote address should +from the remote system. +The remote address should be blocked as soon as possible. .It Va BLACKLIST_BAD_USER The sending daemon has determined the username -presented for authentication is invalid. The +presented for authentication is invalid. +The .Xr blacklistd 8 daemon compares the username to a configured list of forbidden usernames and blocks the address immediately if a forbidden username matches. (The .Ar BLACKLIST_BAD_USER support is not currently available.) .El .Pp The .Fn blacklist_r function is more efficient because it keeps the blacklist state around. .Pp The .Fn blacklist_sa and .Fn blacklist_sa_r functions can be used with unconnected sockets, where .Xr getpeername 2 will not work, the server will pass the peer name in the message. .Pp +In all cases the file descriptor passed in the +.Fa fd +argument must be pointing to a valid socket so that +.Xr blacklistd 8 +can establish ownership of the local endpoint +using +.Xr getsockname 2 . +.Pp By default, .Xr syslogd 8 is used for message logging. The internal .Fn bl_create function can be used to create the required internal state and specify a custom logging function. .Sh RETURN VALUES The function .Fn blacklist_open returns a cookie on success and .Dv NULL on failure setting .Dv errno to an appropriate value. .Pp The functions .Fn blacklist , .Fn blacklist_sa , and .Fn blacklist_sa_r return .Dv 0 on success and .Dv \-1 on failure setting .Dv errno to an appropriate value. .Sh SEE ALSO .Xr blacklistd.conf 5 , .Xr blacklistd 8 .Sh AUTHORS .An Christos Zoulas