NetBSD-Bugs archive
bin/59108: blocklistd/sshd: Allow the nfail counter to be reset once a valid login occurs
>Number: 59108
>Category: bin
>Synopsis: blocklistd/sshd: Allow the nfail counter to be reset once a valid login occurs
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Feb 26 23:00:00 +0000 2025
>Originator: Jose Luis Duran
>Release: 10.1
>Organization:
FreeBSD
>Environment:
NetBSD netbsd101.home.arpa 10.1 NetBSD 10.1 (GENERIC) #0: Mon Dec 16 13:08:11 UTC 2024 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
Allow the nfail (number of failed attempts) blocklistctl counter to be reset once a valid SSH login occurs. Otherwise, the counter never resets, and after a reboot the system could start blocked for a given IP.
>How-To-Repeat:
Follow the procedure detailed in https://wiki.netbsd.org/tutorials/setting_up_blocklistd/ for setting up blocklistd.
Provoke a block by failing to ssh many times.
Confirm that the IP is blocked:
netbsd101# blocklistctl dump -b
address/ma:port id nfail last access
192.0.2.1/32:22 1 3/3 2025/02/26 12:00:00
Unblock the host:
/sbin/npfctl rule blocklistd rem-id 1
Now perform a valid ssh login. Notice that the nfail counter is not reset:
blocklistctl dump -b
Reboot the machine. You won't be able to ssh.
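To make the reboot check above repeatable, the following is an added example (not part of this report, and not NetBSD or blocklistd code) that parses the table printed by "blocklistctl dump -b" and lists the entries whose nfail counter has reached its limit, i.e. the entries that will be re-applied as blocks when blocklistd starts again. The sample dump embedded in it is constructed to match the column layout shown above; the helper names saturated_entries and count_saturated are this example's own. In real use, pipe the live output in instead of the sample.

```shell
#!/bin/sh
# Added example: find entries in "blocklistctl dump -b" output whose nfail
# counter is saturated (current == max). On a host where a valid login does
# not reset the counter, these entries survive a reboot as active blocks.

# Constructed sample, laid out like the table in the report; not real output.
SAMPLE_DUMP='        address/ma:port id      nfail   last access
    192.0.2.1/32:22 1       3/3     2025/02/26 12:00:00
    198.51.100.7/32:22 2       1/3     2025/02/26 12:05:00
    203.0.113.9/32:22 3       3/3     2025/02/26 12:07:00'

# Print "address/mask:port current max" for every saturated entry.
# Usage: saturated_entries "$(blocklistctl dump -b)"
saturated_entries() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                  # skip the header line
        NF >= 4 {
            split($3, n, "/")             # nfail column is "current/max"
            if (n[1] + 0 >= n[2] + 0)
                print $1, n[1], n[2]
        }'
}

# Number of saturated entries; after a successful login from a host this
# should drop for that host once the counter is actually reset.
count_saturated() {
    saturated_entries "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
saturated_entries "$SAMPLE_DUMP"
count_saturated "$SAMPLE_DUMP"
```

Running it before and after a valid login, and again after the reboot, gives a concrete before/after view of the counter instead of reading the table by eye.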
>Fix:
This is what is currently done in FreeBSD (adapted to pfilter_notify):
--- a/crypto/external/bsd/openssh/dist/auth.c
+++ b/crypto/external/bsd/openssh/dist/auth.c
@@ -388,8 +388,11 @@ auth_log(struct ssh *ssh, int authenticated, int partial,
authmsg = "Postponed";
else if (partial)
authmsg = "Partial";
- else
+ else {
authmsg = authenticated ? "Accepted" : "Failed";
+ if (authenticated)
+ pfilter_notify(0);
+ }
if ((extra = format_method_key(authctxt)) == NULL) {
if (authctxt->auth_method_info != NULL)