NetBSD Problem Report #53309

From www@NetBSD.org  Wed May 23 15:45:04 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 399767A1BC
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 23 May 2018 15:45:04 +0000 (UTC)
Message-Id: <20180523154457.E329D7A1DF@mollari.NetBSD.org>
Date: Wed, 23 May 2018 15:44:57 +0000 (UTC)
From: mayuresh@acm.org
Reply-To: mayuresh@acm.org
To: gnats-bugs@NetBSD.org
Subject: openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders
X-Send-Pr-Version: www-1.0

>Number:         53309
>Category:       bin
>Synopsis:       openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed May 23 15:50:00 +0000 2018
>Closed-Date:    Fri Jun 21 22:32:43 +0000 2024
>Last-Modified:  Fri Jun 21 22:32:43 +0000 2024
>Originator:     Mayuresh
>Release:        8.0_RC1
>Organization:
>Environment:
NetBSD localhost 8.0_RC1 NetBSD 8.0_RC1 (GENERIC.201804191727Z) amd64

>Description:
/var/log/authlog is often flooded with "Received disconnect from ... [preauth]" which is not being handled by blacklistd.
>How-To-Repeat:
Set up blacklistd on internet facing server.

Look for /var/log/authlog pattern mentioned above.

Check whether offending ip gets blocked using blacklistctl dump -a
>Fix:
Christos has shared a patch and I have tested it. Found to be working fine.

Would be nice to include this in 8.0

Index: auth-pam.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
retrieving revision 1.14
diff -u -u -r1.14 auth-pam.c
--- auth-pam.c  6 Apr 2018 18:58:59 -0000       1.14
+++ auth-pam.c  23 May 2018 00:46:27 -0000
@@ -552,6 +552,7 @@
                ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
        else
                ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+       pfilter_notify(1);
        buffer_free(&buffer);
        pthread_exit(NULL);

@@ -830,6 +831,7 @@
                                free(msg);
                                return (0);
                        }
+                       pfilter_notify(1);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user,
Index: sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.30
diff -u -u -r1.30 sshd.c
--- sshd.c      8 Apr 2018 21:56:48 -0000       1.30
+++ sshd.c      23 May 2018 00:46:28 -0000
@@ -344,6 +344,7 @@
 __dead static void
 grace_alarm_handler(int sig)
 {
+       pfilter_notify(1);
        if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
                kill(pmonitor->m_pid, SIGALRM);

@@ -356,7 +357,6 @@
                killpg(0, SIGTERM);
        }

-       pfilter_notify(1);
        /* Log error and exit. */
        sigdie("Timeout before authentication for %s port %d",
            ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
@@ -2193,6 +2193,9 @@
 {
        struct ssh *ssh = active_state; /* XXX */

+       if (i == 255)
+               pfilter_notify(1);
+
        if (the_authctxt) {
                do_cleanup(ssh, the_authctxt);
                if (use_privsep && privsep_is_preauth &&

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->needs-pullups
State-Changed-By: maya@NetBSD.org
State-Changed-When: Wed, 23 May 2018 16:05:20 +0000
State-Changed-Why:
Committed by christos, now we just need it in 8.0 :-)


State-Changed-From-To: needs-pullups->closed
State-Changed-By: riastradh@NetBSD.org
State-Changed-When: Fri, 21 Jun 2024 22:32:43 +0000
State-Changed-Why:
8 is eol


>Unformatted:

NetBSD Home
NetBSD PR Database Search

(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2024 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.