At Sat, 25 Jan 2025 14:49:31 -0800, "Greg A. Woods" <woods%planix.ca@localhost> wrote:
Subject: odd ssh connections with "Failed password" results not going to blocklistd
>
> So, I've been noticing a rash of SSH connections getting a "failed
> password for root" recently, and yet they're not being caught and
> blocked by blocklistd.

Just when you get debugging all set up the abuser gives up!

Anyway, finally, ah ha!  The problem seems to be fixed by the following
change, which I didn't yet have in production:

RCS file: /cvs/master/m-NetBSD/main/src/crypto/external/bsd/openssh/dist/monitor.c,v
Working file: monitor.c
----------------------------
revision 1.44
date: 2024-06-25 09:58:24 -0700;  author: christos;  state: Exp;  lines: +7 -3;  commitid: ZoqhLtZ1YXfw0ofF;
Don't call pfilter_notify for each authentication attempt, only call it once we failed to authenticate.
----------------------------

In particular the real fix is the part where it calls pfilter_notify()
before calling any function that will cause an exit().  Previously the
sshd was reporting a failure and exiting immediately before any call to
pfilter_notify().

I'm still a bit confused by the way the "monitor.c" stuff works, i.e.
how the "[preauth]" suffix appears on log messages.
It would seem from the debugging output there are now two calls to
pfilter_notify(), one from auth.c:getpwnamallow(), and another from
auth2.c:userauth_finish():

Connection from 211.39.130.134 port 60968 on 10.0.1.129 port 22
debug1: HPN Disabled: 0, HPN Buffer Size: 262144
debug1: Local version string SSH-2.0-OpenSSH_8.5 NetBSD_Secure_Shell-20210304-hpn13v14-lpk
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: permanently_set_uid: 16/16 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp521,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: diffie-hellman-group14-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp521 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
SSH: Server;Ltype: Kex;Remote: 211.39.130.134-60968;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 4294967296 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user support service ssh-connection method password [preauth]
SSH: Server;Ltype: Authname;Remote: 211.39.130.134-60968;Name: support [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: Config token is logingracetime
debug1: Config token is authorizedkeysfile
debug1: Config token is x11forwarding
debug1: Config token is tcpkeepalive
debug1: Config token is clientaliveinterval
debug1: Config token is clientalivecountmax
debug1: Config token is subsystem
debug1: Config token is acceptenv
debug1: pfilter_notify: attempting to notify blocklistd for 2
Invalid user support from 211.39.130.134 port 60968
debug1: pfilter_notify: attempting to notify blocklistd for 2 [preauth]
Failed password for invalid user support from 211.39.130.134 port 60968 ssh2
debug1: pfilter_notify: attempting to notify blocklistd for 1
debug1: pfilter_notify: attempting to notify blocklistd for 1 [preauth]
debug1: userauth-request for user support service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 1 [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=support devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug1: pfilter_notify: attempting to notify blocklistd for 1 [preauth]
Connection closed by invalid user support 211.39.130.134 port 60968 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 2489

BTW:

Index: crypto/external/bsd/openssh/dist/pfilter.h
===================================================================
RCS file: /cvs/master/m-NetBSD/main/src/crypto/external/bsd/openssh/dist/pfilter.h,v
retrieving revision 1.2
diff -u -r1.2 pfilter.h
--- crypto/external/bsd/openssh/dist/pfilter.h	6 Apr 2018 18:59:00 -0000	1.2
+++ crypto/external/bsd/openssh/dist/pfilter.h	9 Dec 2024 00:44:55 -0000
@@ -1,4 +1,6 @@ /* $NetBSD: pfilter.h,v 1.2 2018/04/06 18:59:00 christos Exp $ */ +#include <blocklist.h> + void pfilter_notify(int); void pfilter_init(void);

Then use the enum identifiers for the pfilter_notify() arguments!

--
					Greg A. Woods <gwoods%acm.org@localhost>

Kelowna, BC     +1 250 762-7675           RoboHack <woods%robohack.ca@localhost>
Planix, Inc. <woods%planix.com@localhost>     Avoncote Farms <woods%avoncote.ca@localhost>
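Review bot: the prototype in this hunk stays `void pfilter_notify(int);` even though `<blocklist.h>` is now pulled into the header so that callers can pass its enum identifiers; consider declaring the parameter with the type blocklist.h gives those identifiers, so a call site still passing a bare integer (the "notify blocklistd for 1" / "for 2" debug lines above show the current ones do) is flagged at compile time rather than only on inspection. A short comment next to the new `#include` stating that it exists for the enum values would also record the intent for the next reader of pfilter.h.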
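The check below is added here as a worked example; it is not code from Greg's post or from NetBSD's sshd. It walks sshd debug output of the shape quoted above, keyed on each session's client address and port, and reports sessions where a "Failed password" or "Invalid user" line was logged but no "pfilter_notify: attempting to notify blocklistd" line appeared before the session closed, which is exactly the failures blocklistd never heard about. The log lines are constructed samples, and the one-session-at-a-time keying is my assumption.

```python
import re

# Constructed sample in the shape of the sshd debug output quoted in the post.
# Session 1 is the fixed behaviour (blocklistd notified around the failure);
# session 2 is the pre-fix symptom: failure logged, session torn down, no notify.
SAMPLE_LOG = """\
Connection from 192.0.2.10 port 40001 on 10.0.1.129 port 22
debug1: userauth-request for user support service ssh-connection method password [preauth]
debug1: pfilter_notify: attempting to notify blocklistd for 2
Invalid user support from 192.0.2.10 port 40001
Failed password for invalid user support from 192.0.2.10 port 40001 ssh2
debug1: pfilter_notify: attempting to notify blocklistd for 1 [preauth]
Connection closed by invalid user support 192.0.2.10 port 40001 [preauth]
Connection from 192.0.2.20 port 40002 on 10.0.1.129 port 22
debug1: userauth-request for user root service ssh-connection method password [preauth]
Failed password for root from 192.0.2.20 port 40002 ssh2
Connection closed by authenticating user root 192.0.2.20 port 40002 [preauth]
"""

CONN_RE = re.compile(r"^Connection from (\S+) port (\d+) on ")
FAIL_RE = re.compile(r"^(?:Failed password for|Invalid user) .* from \S+ port \d+")
NOTIFY_RE = re.compile(r"pfilter_notify: attempting to notify blocklistd")
CLOSE_RE = re.compile(r"^Connection closed by .* \S+ port \d+")


def find_unreported_failures(log: str) -> list:
    """Return 'addr:port' for sessions that failed auth but never notified blocklistd.
    Assumption (mine, not sshd's contract): a session runs from its 'Connection
    from' line to its 'Connection closed' line, parent and [preauth] child
    messages included, and is keyed on the client address and port.
    """
    failed = notified = False
    current = None
    unreported = []
    for line in log.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = f"{m.group(1)}:{m.group(2)}"
            failed = notified = False
            continue
        if current is None:
            continue
        if FAIL_RE.match(line):
            failed = True
        elif NOTIFY_RE.search(line):
            notified = True
        elif CLOSE_RE.match(line):
            if failed and not notified:
                unreported.append(current)
            current = None
    return unreported
```

Running it on `SAMPLE_LOG` flags only the second session; on a live box, feed it `sshd -d` output (or syslog at debug level) to confirm whether the monitor.c change above has actually closed the gap.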