Extend libblacklist support with new action types

The original blacklist library supported two notification types:
 - failed auth attempt, which incremented the failed login count
   by one for the remote address
 - successful auth attempt, which reset the failed login count
   to zero for that remote address

When the failed login count reached the limit in the configuration
file, the remote address would be blocked by a packet filter.

This patch implements a new notification type, "abusive behavior",
and accepts, but does not act on an additional type, "bad username".
It is envisioned that a system administrator will configure a small
list of "known bad usernames" that should be blocked immediately.

Reviewed by:	emaste
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10604
This commit is contained in:
Kurt Lidl 2017-05-23 19:03:07 +00:00
parent a0320759e7
commit 5de2cc52e9
5 changed files with 81 additions and 11 deletions

View File

@ -214,6 +214,17 @@ process(bl_t bl)
}
switch (bi->bi_type) {
case BL_ABUSE:
/*
* If the application has signaled abusive behavior,
* set the number of fails to be one less than the
* configured limit. Fallthrough to the normal BL_ADD
* processing, which will increment the failure count
* to the threshhold, and block the abusive address.
*/
if (c.c_nfail != -1)
dbi.count = c.c_nfail - 1;
/*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
@ -249,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
case BL_BADUSER:
/* ignore for now */
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}

View File

@ -40,7 +40,9 @@
typedef enum {
BL_INVALID,
BL_ADD,
BL_DELETE
BL_DELETE,
BL_ABUSE,
BL_BADUSER
} bl_type_t;
typedef struct {

View File

@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, int, int,
const struct sockaddr *, socklen_t, const char *);
__END_DECLS
/* action values for user applications */
#define BLACKLIST_API_ENUM 1
enum {
BLACKLIST_AUTH_OK = 0,
BLACKLIST_AUTH_FAIL,
BLACKLIST_ABUSIVE_BEHAVIOR,
BLACKLIST_BAD_USER
};
#endif /* _BLACKLIST_H */

View File

@ -61,7 +61,27 @@ int
blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
{
return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
int internal_action;
/* internal values are not the same as user application values */
switch (action) {
case BLACKLIST_AUTH_FAIL:
internal_action = BL_ADD;
break;
case BLACKLIST_AUTH_OK:
internal_action = BL_DELETE;
break;
case BLACKLIST_ABUSIVE_BEHAVIOR:
internal_action = BL_ABUSE;
break;
case BLACKLIST_BAD_USER:
internal_action = BL_BADUSER;
break;
default:
internal_action = BL_INVALID;
break;
}
return bl_send(bl, internal_action, rfd, sa, slen, msg);
}
int

View File

@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 22, 2015
.Dd May 5, 2017
.Dt LIBBLACKLIST 3
.Os
.Sh NAME
@ -76,13 +76,9 @@ The
.Fn blacklist
function sends a message to
.Xr blacklistd 8 ,
with an
with an integer
.Ar action
argument specifying
.Dv 1
for a failed connection or
.Dv 0
for a successful connection,
argument specifying the type of notification,
a file descriptor
.Ar fd
specifying the accepted file descriptor connected to the client,
@ -91,6 +87,30 @@ and an optional message in the
argument.
.Pp
The
.Ar action
parameter can take these values:
.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
.It Va BLACKLIST_AUTH_FAIL
There was an unsuccessful authentication attempt.
.It Va BLACKLIST_AUTH_OK
A user successfully authenticated.
.It Va BLACKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior
from the remote system. The remote address should
be blocked as soon as possible.
.It Va BLACKLIST_BAD_USER
The sending daemon has determined the username
presented for authentication is invalid. The
.Xr blacklistd 8
daemon compares the username to a configured list of forbidden
usernames and
blocks the address immediately if a forbidden username matches.
(The
.Ar BLACKLIST_BAD_USER
support is not currently available.)
.El
.Pp
The
.Fn blacklist_r
function is more efficient because it keeps the blacklist state around.
.Pp
@ -102,8 +122,13 @@ functions can be used with unconnected sockets, where
.Xr getpeername 2
will not work, the server will pass the peer name in the message.
.Pp
All functions log errors to
.Xr syslogd 8 .
By default,
.Xr syslogd 8
is used for message logging.
The internal
.Fn bl_create
function can be used to create the required internal
state and specify a custom logging function.
.Sh RETURN VALUES
The function
.Fn blacklist_open