1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-12 09:58:36 +00:00

blacklist: update to NetBSD snapshot on 20191106

Cursory review:	cem
MFC after:	3 months
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D22259
This commit is contained in:
Ed Maste 2019-11-06 16:21:35 +00:00
commit e3a90f49ad
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=354399
7 changed files with 140 additions and 195 deletions

View File

@ -1,4 +1,4 @@
/* $NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $ */
/* $NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: blacklistctl.c,v 1.21 2016/11/02 03:15:07 jnemeth Exp $");
__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $");
#include <stdio.h>
#include <time.h>
@ -67,6 +67,15 @@ usage(int c)
exit(EXIT_FAILURE);
}
static const char *
star(char *buf, size_t len, int val)
{
if (val == -1)
return "*";
snprintf(buf, len, "%d", val);
return buf;
}
int
main(int argc, char *argv[])
{
@ -128,9 +137,10 @@ main(int argc, char *argv[])
"address", remain ? "remaining time" : "last access");
for (i = 1; state_iterate(db, &c, &dbi, i) != 0; i = 0) {
char buf[BUFSIZ];
char mbuf[64], pbuf[64];
if (!all) {
if (blocked) {
if (dbi.count < c.c_nfail)
if (c.c_nfail == -1 || dbi.count < c.c_nfail)
continue;
} else {
if (dbi.count >= c.c_nfail)
@ -138,13 +148,20 @@ main(int argc, char *argv[])
}
}
sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss);
printf("%*.*s/%d:%d\t", wide, wide, buf, c.c_lmask, c.c_port);
if (remain)
fmtydhms(buf, sizeof(buf),
c.c_duration - (ts.tv_sec - dbi.last));
else
fmttime(buf, sizeof(buf), dbi.last);
printf("%s\t%d/%d\t%-s\n", dbi.id, dbi.count, c.c_nfail, buf);
printf("%*.*s/%s:%s\t", wide, wide, buf,
star(mbuf, sizeof(mbuf), c.c_lmask),
star(pbuf, sizeof(pbuf), c.c_port));
if (c.c_duration == -1) {
strlcpy(buf, "never", sizeof(buf));
} else {
if (remain)
fmtydhms(buf, sizeof(buf),
c.c_duration - (ts.tv_sec - dbi.last));
else
fmttime(buf, sizeof(buf), dbi.last);
}
printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count,
star(mbuf, sizeof(mbuf), c.c_nfail), buf);
}
state_close(db);
return EXIT_SUCCESS;

View File

@ -1,4 +1,4 @@
/* $NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $ */
/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: blacklistd.c,v 1.37 2017/02/18 00:26:16 christos Exp $");
__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@ -408,7 +408,6 @@ rules_restore(void)
for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) {
if (dbi.id[0] == '\0')
continue;
(void)run_change("rem", &c, dbi.id, 0);
(void)run_change("add", &c, dbi.id, sizeof(dbi.id));
}
}
@ -505,7 +504,8 @@ main(int argc, char *argv[])
conf_parse(configfile);
if (flush) {
rules_flush();
flags |= O_TRUNC;
if (!restore)
flags |= O_TRUNC;
}
struct pollfd *pfd = NULL;
@ -536,8 +536,11 @@ main(int argc, char *argv[])
if (state == NULL)
return EXIT_FAILURE;
if (restore)
if (restore) {
if (!flush)
rules_flush();
rules_restore();
}
if (!debug) {
if (daemon(0, 0) == -1)

View File

@ -1,4 +1,4 @@
.\" $NetBSD: blacklistd.conf.5,v 1.5 2016/06/08 12:48:37 wiz Exp $
.\" $NetBSD: blacklistd.conf.5,v 1.7 2017/06/07 13:50:57 wiz Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd June 7, 2016
.Dd June 5, 2017
.Dt BLACKLISTD.CONF 5
.Os
.Sh NAME
@ -36,12 +36,13 @@
.Sh DESCRIPTION
The
.Nm
files contains configuration lines for
.Xr blacklistd 8 .
It contains one entry per line, and is similar to
files contains configuration entries for
.Xr blacklistd 8
in a fashion similar to
.Xr inetd.conf 5 .
There must be an entry for each field of the configuration file, with
entries for each field separated by a tab or a space.
Only one entry per line is permitted.
Every entry must have all fields populated.
Each field can be separated by a tab or a space.
Comments are denoted by a
.Dq #
at the beginning of a line.
@ -109,7 +110,7 @@ The
can be an IPv4 address in numeric format, an IPv6 address
in numeric format and enclosed by square brackets, or an interface name.
Mask modifiers are not allowed on interfaces because interfaces
have multiple address in different protocols where the mask has a different
can have multiple addresses in different protocols where the mask has a different
size.
.Pp
The
@ -150,8 +151,8 @@ If the
contains a
.Dq / ,
the remaining portion of the name is interpreted as the mask to be
applied to the address specified in the rule, so one can block whole
subnets for a single rule violation.
applied to the address specified in the rule, causing a single rule violation to
block the entire subnet for the configured prefix.
.Pp
The
.Va nfail
@ -176,10 +177,11 @@ for days.
.Pp
Matching is done first by checking the
.Va local
rules one by one, from the most specific to the least specific.
rules individually, in the order of the most specific to the least specific.
If a match is found, then the
.Va remote
rules are applied, and if a match is found the
rules are applied.
The
.Va name ,
.Va nfail ,
and
@ -191,15 +193,15 @@ rule that matched.
The
.Va remote
rules can be used for whitelisting specific addresses, changing the mask
size, or the rule that the packet filter uses, the number of failed attempts,
or the blocked duration.
size, the rule that the packet filter uses, the number of failed attempts,
or the block duration.
.Sh FILES
.Bl -tag -width /etc/blacklistd.conf -compact
.It Pa /etc/blacklistd.conf
Configuration file.
.El
.Sh EXAMPLES
.Bd -literal -offset
.Bd -literal -offset 8n
# Block ssh, after 3 attempts for 6 hours on the bnx0 interface
[local]
# location type proto owner name nfail duration

View File

@ -1,4 +1,4 @@
/* $NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $ */
/* $NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
__RCSID("$NetBSD: support.c,v 1.8 2016/04/04 15:52:56 christos Exp $");
__RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $");
#include <time.h>
#include <string.h>
@ -105,12 +105,16 @@ fmtydhms(char *b, size_t l, time_t t)
s = t % 60;
t /= 60;
m = t % 60;
t /= 60;
h = t % 60;
h = t % 24;
t /= 24;
d = t % 24;
t /= 356;
d = t % 365;
t /= 365;
y = t;
z = 0;

View File

@ -1,6 +1,6 @@
--- /dev/null 2015-01-22 23:10:33.000000000 -0500
+++ dist/pfilter.c 2015-01-22 23:46:03.000000000 -0500
@@ -0,0 +1,28 @@
@@ -0,0 +1,32 @@
+#include "namespace.h"
+#include "includes.h"
+#include "ssh.h"
@ -28,6 +28,10 @@
+ // XXX: 3?
+ fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3;
+ (void)blacklist_r(blstate, a, fd, "ssh");
+ if (a == 0) {
+ blacklist_close(blstate);
+ blstate = NULL;
+ }
+}
--- /dev/null 2015-01-20 21:14:44.000000000 -0500
+++ dist/pfilter.h 2015-01-20 20:16:20.000000000 -0500
@ -58,132 +62,10 @@ diff -u -u -r1.10 Makefile
+
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
Index: dist/auth.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
retrieving revision 1.10
diff -u -u -r1.10 auth.c
--- dist/auth.c 19 Oct 2014 16:30:58 -0000 1.10
+++ dist/auth.c 22 Jan 2015 21:39:22 -0000
@@ -62,6 +62,7 @@
#include "monitor_wrap.h"
#include "krl.h"
#include "compat.h"
+#include "pfilter.h"
#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
@@ -362,6 +363,8 @@
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
+ if (!authctxt->postponed)
+ pfilter_notify(!authenticated);
free(authctxt->info);
authctxt->info = NULL;
}
Index: dist/sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.15
diff -u -u -r1.15 sshd.c
--- dist/sshd.c 28 Oct 2014 21:36:16 -0000 1.15
+++ dist/sshd.c 22 Jan 2015 21:39:22 -0000
@@ -109,6 +109,7 @@
#include "roaming.h"
#include "ssh-sandbox.h"
#include "version.h"
+#include "pfilter.h"
#ifdef LIBWRAP
#include <tcpd.h>
@@ -364,6 +365,7 @@
killpg(0, SIGTERM);
}
+ pfilter_notify(1);
/* Log error and exit. */
sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
@@ -1160,6 +1162,7 @@
for (i = 0; i < options.max_startups; i++)
startup_pipes[i] = -1;
+ pfilter_init();
/*
* Stay listening for connections until the system crashes or
* the daemon is killed with a signal.
Index: auth1.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
retrieving revision 1.9
diff -u -u -r1.9 auth1.c
--- auth1.c 19 Oct 2014 16:30:58 -0000 1.9
+++ auth1.c 14 Feb 2015 15:40:51 -0000
@@ -41,6 +41,7 @@
#endif
#include "monitor_wrap.h"
#include "buffer.h"
+#include "pfilter.h"
/* import */
extern ServerOptions options;
@@ -445,6 +446,7 @@
else {
debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
+ pfilter_notify(1);
}
/* Configuration may have changed as a result of Match */
Index: auth2.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth2.c,v
retrieving revision 1.9
diff -u -u -r1.9 auth2.c
--- auth2.c 19 Oct 2014 16:30:58 -0000 1.9
+++ auth2.c 14 Feb 2015 15:40:51 -0000
@@ -52,6 +52,7 @@
#include "pathnames.h"
#include "buffer.h"
#include "canohost.h"
+#include "pfilter.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -256,6 +257,7 @@
} else {
logit("input_userauth_request: invalid user %s", user);
authctxt->pw = fakepw();
+ pfilter_notify(1);
}
#ifdef USE_PAM
if (options.use_pam)
Index: sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.16
diff -u -r1.16 sshd.c
--- sshd.c 25 Jan 2015 15:52:44 -0000 1.16
+++ sshd.c 14 Feb 2015 09:55:06 -0000
@@ -628,6 +628,8 @@
explicit_bzero(pw->pw_passwd, strlen(pw->pw_passwd));
endpwent();
+ pfilter_init();
+
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
Index: auth-pam.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
retrieving revision 1.7
diff -u -u -r1.7 auth-pam.c
--- auth-pam.c 3 Jul 2015 00:59:59 -0000 1.7
+++ auth-pam.c 23 Jan 2016 00:01:16 -0000
@@ -114,6 +114,7 @@
diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c
--- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400
@@ -103,6 +103,7 @@
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
@ -191,7 +73,15 @@ diff -u -u -r1.7 auth-pam.c
extern ServerOptions options;
extern Buffer loginmsg;
@@ -809,6 +810,7 @@
@@ -526,6 +527,7 @@
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+ pfilter_notify(1);
buffer_free(&buffer);
pthread_exit(NULL);
@@ -804,6 +806,7 @@
free(msg);
return (0);
}
@ -199,33 +89,62 @@ diff -u -u -r1.7 auth-pam.c
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
Index: auth.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth.c,v
retrieving revision 1.15
diff -u -u -r1.15 auth.c
--- auth.c 21 Aug 2015 08:20:59 -0000 1.15
+++ auth.c 23 Jan 2016 00:01:16 -0000
@@ -656,6 +656,7 @@
pw = getpwnam(user);
if (pw == NULL) {
+ pfilter_notify(1);
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
return (NULL);
Index: auth1.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth1.c,v
retrieving revision 1.12
diff -u -u -r1.12 auth1.c
--- auth1.c 3 Jul 2015 00:59:59 -0000 1.12
+++ auth1.c 23 Jan 2016 00:01:16 -0000
@@ -376,6 +376,7 @@
char *msg;
size_t len;
diff -ru openssh-7.7p1/auth2.c dist/auth2.c
--- openssh-7.7p1/auth2.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/auth2.c 2018-05-23 11:57:31.022197317 -0400
@@ -51,6 +51,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "buffer.h"
+#include "pfilter.h"
#ifdef GSSAPI
#include "ssh-gss.h"
@@ -242,6 +243,7 @@
} else {
/* Invalid user, fake password information */
authctxt->pw = fakepw();
+ pfilter_notify(1);
error("Access denied for user %s by PAM account "
"configuration", authctxt->user);
len = buffer_len(&loginmsg);
#ifdef SSH_AUDIT_EVENTS
PRIVSEP(audit_event(SSH_INVALID_USER));
#endif
Only in dist: pfilter.c
Only in dist: pfilter.h
diff -ru openssh-7.7p1/sshd.c dist/sshd.c
--- openssh-7.7p1/sshd.c 2018-04-02 01:38:28.000000000 -0400
+++ dist/sshd.c 2018-05-23 11:59:39.573197347 -0400
@@ -122,6 +122,7 @@
#include "auth-options.h"
#include "version.h"
#include "ssherr.h"
+#include "pfilter.h"
/* Re-exec fds */
#define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1)
@@ -346,6 +347,7 @@
static void
grace_alarm_handler(int sig)
{
+ pfilter_notify(1);
if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
kill(pmonitor->m_pid, SIGALRM);
@@ -1835,6 +1837,8 @@
if (test_flag)
exit(0);
+ pfilter_init();
+
/*
* Clear out any supplemental groups we may have inherited. This
* prevents inadvertent creation of files with bad modes (in the
@@ -2280,6 +2284,9 @@
{
struct ssh *ssh = active_state; /* XXX */
+ if (i == 255)
+ pfilter_notify(1);
+
if (the_authctxt) {
do_cleanup(ssh, the_authctxt);
if (use_privsep && privsep_is_preauth &&

View File

@ -1,11 +1,11 @@
# $NetBSD: Makefile,v 1.6 2016/01/05 13:07:46 christos Exp $
# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $
.include <bsd.own.mk>
USE_SHLIBDIR= yes
CPPFLAGS+=-D_REENTRANT
LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
#LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread
LIB=blacklist
SRCS=bl.c blacklist.c
MAN=libblacklist.3

View File

@ -1,4 +1,4 @@
.\" $NetBSD: libblacklist.3,v 1.7 2017/02/04 23:33:56 wiz Exp $
.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@ -35,7 +35,7 @@
.Nm blacklist_close ,
.Nm blacklist_r ,
.Nm blacklist ,
.Nm blacklist_sa
.Nm blacklist_sa ,
.Nm blacklist_sa_r
.Nd Blacklistd notification library
.Sh LIBRARY