NetBSD Problem Report #53309
From www@NetBSD.org Wed May 23 15:45:04 2018
Date: Wed, 23 May 2018 15:44:57 +0000 (UTC)
From: mayuresh@acm.org
Reply-To: mayuresh@acm.org
To: gnats-bugs@NetBSD.org
Subject: openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders
X-Send-Pr-Version: www-1.0
>Number: 53309
>Category: bin
>Synopsis: openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: closed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed May 23 15:50:00 +0000 2018
>Closed-Date: Fri Jun 21 22:32:43 +0000 2024
>Last-Modified: Fri Jun 21 22:32:43 +0000 2024
>Originator: Mayuresh
>Release: 8.0_RC1
>Organization:
>Environment:
NetBSD localhost 8.0_RC1 NetBSD 8.0_RC1 (GENERIC.201804191727Z) amd64
>Description:
/var/log/authlog is often flooded with "Received disconnect from ... [preauth]", which is not being handled by blacklistd.
>How-To-Repeat:
Set up blacklistd on an internet-facing server.
Look for the /var/log/authlog pattern mentioned above.
Check whether the offending IP gets blocked using blacklistctl dump -a.
>Fix:
Christos has shared a patch and I have tested it. Found to be working fine.
Would be nice to include this in 8.0.
Index: auth-pam.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
retrieving revision 1.14
diff -u -u -r1.14 auth-pam.c
--- auth-pam.c 6 Apr 2018 18:58:59 -0000 1.14
+++ auth-pam.c 23 May 2018 00:46:27 -0000
@@ -552,6 +552,7 @@
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ pfilter_notify(1);
buffer_free(&buffer);
pthread_exit(NULL);
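Review bot: the new pfilter_notify(1) sits after the if/else, so it is sent for both the PAM_MAXTRIES and the PAM_AUTH_ERR reply; if that is intended, a one-line comment saying the failure is being reported to blacklistd would help, because the call also runs in the PAM authentication thread immediately before pthread_exit(NULL) and a reader has to work out that this context is safe for it.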
@@ -830,6 +831,7 @@
free(msg);
return (0);
}
+ pfilter_notify(1);
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
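Review bot: this second pfilter_notify(1) is on the parent's PAM error path, right before the error("PAM: %s for %s%.100s from %.100s", ...) log, while the previous hunk already notifies from the authentication thread; a single failed PAM authentication may therefore be reported twice. blacklistd counts each notification against its failure threshold, so please confirm the two paths cannot both fire for the same attempt, or keep only one of them.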
Index: sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.30
diff -u -u -r1.30 sshd.c
--- sshd.c 8 Apr 2018 21:56:48 -0000 1.30
+++ sshd.c 23 May 2018 00:46:28 -0000
@@ -344,6 +344,7 @@
__dead static void
grace_alarm_handler(int sig)
{
+ pfilter_notify(1);
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
kill(pmonitor->m_pid, SIGALRM);
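Review bot: the notification is moved to the top of grace_alarm_handler(), ahead of kill(pmonitor->m_pid, SIGALRM); since the monitor is itself signalled with SIGALRM here, check whether it runs this same handler and reports the same timed-out connection a second time. A comment stating why the notification has to precede the kill()/killpg() calls would make the move self-explanatory.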
@@ -356,7 +357,6 @@
killpg(0, SIGTERM);
}
- pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s port %d",
ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
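Review bot: this is the removal half of the move from the previous hunk, so the only behavioural change is that pfilter_notify(1) now runs before killpg(0, SIGTERM) instead of after it. Neither the hunk nor the PR text says why the order matters; the commit message should give the reason (for instance that the notification must be sent before the process group is torn down), otherwise the reordering looks accidental.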
@@ -2193,6 +2193,9 @@
{
struct ssh *ssh = active_state; /* XXX */
+ if (i == 255)
+ pfilter_notify(1);
+
if (the_authctxt) {
do_cleanup(ssh, the_authctxt);
if (use_privsep && privsep_is_preauth &&
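Review bot: `if (i == 255)` keys on a magic number with no comment; name or document the exit status it stands for. More importantly the test fires for every caller that exits this function with 255, not only the pre-authentication disconnects the PR is about; the `privsep_is_preauth` flag tested two lines below is available at this point, so consider gating on it (`if (i == 255 && privsep_is_preauth)`) so that post-authentication fatal errors are not reported to blacklistd as login failures.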
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 23 May 2018 16:05:20 +0000
State-Changed-Why:
Committed by christos, now we just need it in 8.0 :-)
State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 21 Jun 2024 22:32:43 +0000
State-Changed-Why:
8 is EOL.
>Unformatted:
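The check described under How-To-Repeat (find the authlog pattern, then confirm the address shows up in blacklistctl dump -a), as an added shell example that is not part of this PR or of NetBSD. Both inputs are constructed samples, and the assumed dump layout (address/mask:port in the first column after one header line) is an assumption to verify against your blacklistctl version.

```sh
#!/bin/sh
# Added example, not code from PR 53309. Extracts the source addresses of
# "Received disconnect from ... [preauth]" lines and reports which of them
# do not yet appear in `blacklistctl dump -a` output. Sample data below is
# constructed; the dump column layout is an assumption about blacklistctl.

SAMPLE_AUTHLOG='May 23 15:40:01 host sshd[1234]: Received disconnect from 203.0.113.7 port 51234:11: Bye Bye [preauth]
May 23 15:40:02 host sshd[1235]: Received disconnect from 203.0.113.7 port 51235:11: Bye Bye [preauth]
May 23 15:40:03 host sshd[1236]: Accepted publickey for alice from 198.51.100.4 port 2222 ssh2
May 23 15:40:04 host sshd[1237]: Received disconnect from 198.51.100.9 port 40000:11: Bye Bye [preauth]
May 23 15:40:05 host sshd[1238]: Received disconnect from 203.0.113.7 port 51236:11: Bye Bye [preauth]'

SAMPLE_DUMP='        address/ma:port id      nfail   last access
203.0.113.7/32:22       OK      3/3     2018/05/23 15:40:05'

# preauth_offenders: read authlog lines on stdin, print "count ip" for each
# source address of a pre-auth disconnect, most frequent first.
preauth_offenders() {
    grep 'Received disconnect from .*\[preauth\]' |
        sed -n 's/.*Received disconnect from \([0-9A-Fa-f.:]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# is_blocked IP: read dump output on stdin; succeed if the address part of
# the first column (before the /mask) equals IP. Header line is skipped.
is_blocked() {
    awk -v ip="$1" 'NR > 1 { split($1, a, "/"); if (a[1] == ip) found = 1 }
                    END { exit found ? 0 : 1 }'
}

# report_unblocked AUTHLOG DUMPFILE: list offenders blacklistd does not list.
report_unblocked() {
    preauth_offenders < "$1" | while read -r count ip; do
        is_blocked "$ip" < "$2" || printf '%s %s NOT BLOCKED\n' "$count" "$ip"
    done
}

# Demonstration on the constructed samples (writes two temporary files).
authlog=$(mktemp); dump=$(mktemp)
printf '%s\n' "$SAMPLE_AUTHLOG" > "$authlog"
printf '%s\n' "$SAMPLE_DUMP" > "$dump"
report_unblocked "$authlog" "$dump"    # prints: 1 198.51.100.9 NOT BLOCKED
rm -f "$authlog" "$dump"
```

On a live host replace the samples with /var/log/authlog and the output of `blacklistctl dump -a`; an address with a high count that is still reported NOT BLOCKED is the symptom this PR describes.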