Source-Changes-HG archive
[src/trunk]: src/external/bsd/blacklist Sync with current.
details: https://anonhg.NetBSD.org/src/rev/1cd31832d135
branches: trunk
changeset: 335690:1cd31832d135
user: christos <christos%NetBSD.org@localhost>
date: Wed Jan 21 16:16:00 2015 +0000
description:
Sync with current.
diffstat:
external/bsd/blacklist/Makefile | 5 +
external/bsd/blacklist/Makefile.inc | 6 +
external/bsd/blacklist/README | 71 ++++++++++++
external/bsd/blacklist/bin/Makefile | 21 +-
external/bsd/blacklist/bin/blacklistctl.c | 52 ++++++++
external/bsd/blacklist/bin/blacklistd.8 | 170 +++++++++++++++++++++++++++++
external/bsd/blacklist/bin/blacklistd.c | 86 +++++++++-----
external/bsd/blacklist/bin/conf.c | 66 +++++++---
external/bsd/blacklist/bin/conf.h | 10 +-
external/bsd/blacklist/bin/internal.h | 6 +-
external/bsd/blacklist/bin/run.c | 22 +--
external/bsd/blacklist/bin/run.h | 8 +-
external/bsd/blacklist/bin/state.c | 9 +-
external/bsd/blacklist/bin/state.h | 6 +-
external/bsd/blacklist/include/Makefile | 10 +
external/bsd/blacklist/include/bl.h | 29 ++++-
external/bsd/blacklist/include/blacklist.h | 42 +++++++
external/bsd/blacklist/lib/Makefile | 11 +
external/bsd/blacklist/lib/bl.c | 66 +++-------
external/bsd/blacklist/lib/blacklist.c | 101 +++++++++++++++++
external/bsd/blacklist/lib/libblacklist.3 | 110 ++++++++++++++++++
external/bsd/blacklist/lib/shlib_version | 2 +
external/bsd/blacklist/test/Makefile | 9 +
external/bsd/blacklist/test/cltest.c | 30 +++-
external/bsd/blacklist/test/srvtest.c | 45 +++++--
25 files changed, 823 insertions(+), 170 deletions(-)
diffs (truncated from 1601 to 300 lines):
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/Makefile Wed Jan 21 16:16:00 2015 +0000
@@ -0,0 +1,5 @@
+# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $
+
+SUBDIR = lib .WAIT include bin
+
+.include <bsd.subdir.mk>
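Review bot: test/ is absent from SUBDIR although test/Makefile, cltest.c and srvtest.c are part of this change, so the test programs are never built by the top-level make. If that is deliberate (build them by hand only), a one-line comment next to SUBDIR saying so will keep the next person from adding it back; otherwise append test after bin.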
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/Makefile.inc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/Makefile.inc Wed Jan 21 16:16:00 2015 +0000
@@ -0,0 +1,6 @@
+# $NetBSD: Makefile.inc,v 1.1 2015/01/21 16:16:00 christos Exp $
+
+WARNS=6
+LDADD+= -lblacklist
+DPADD+= ${LIBBLACKLIST}
+CPPFLAGS+= -I${.CURDIR}/../include
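Review bot: Makefile.inc is read by every subdirectory, including lib/, so `LDADD+= -lblacklist` and `DPADD+= ${LIBBLACKLIST}` are also in effect while libblacklist itself is being built. Unless lib/Makefile clears them, these two lines belong in bin/Makefile and test/Makefile (the consumers), leaving only WARNS and CPPFLAGS here. Also confirm that ${LIBBLACKLIST} is defined at all for a library this new; if bsd.prog.mk does not know the name, the DPADD silently expands to nothing and a rebuilt library will not trigger a relink of blacklistd.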
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/README
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/README Wed Jan 21 16:16:00 2015 +0000
@@ -0,0 +1,71 @@
+# Tue Jan 20 21:18:54 EST 2015
+
+This package contains library that can be used by network daemons to
+communicate with a packet filter via a daemon to enforce opening and
+closing ports dynamically based on policy.
+
+The interface to the packet filter is in etc/control (this is currently
+designed for npf) and the configuration file (inspired from inetd.conf)
+is in etc/conf.
+
+A patch to OpenSSH is in ssh.diff that adds blacklisting capabilities to
+openssh.
+
+The network daemon (for example sshd) communicates to blacklistd, via
+a unix socket like syslog. The library calls are simple and everything
+is handled by the library. In the simplest form the only thing the
+daemon needs to do is to call:
+
+ blacklist(action, acceptedfd, message);
+
+Where:
+ action = 0 -> successful login clear blacklist state
+ 1 -> failed login, add to the failed count
+ acceptedfd -> the file descriptor where the server is
+ connected to the remote client. It is used
+ to determine the listening socket, and the
+ remote address. This allows any program to
+ contact the blacklist daemon, since the verification
+ if the program has access to the listening
+ socket is done by virtue that the port
+ number is retrieved from the kernel.
+ message -> an optional string that is used in debugging logs.
+
+The configuration file contains entries of the form:
+
+# Blacklist rule
+# Port type protocol owner nfail disable
+ssh stream tcp * 6 60m
+ssh stream tcp6 * 6 60m
+
+Here note that owner is * because the connection is done from the
+child ssh socket which runs with user privs. We also register for
+both tcp and tcp6 since those are different listening sockets and
+addresses. We use nfail = 6, because ssh allows 3 password attempts
+per connection, and this will let us have 2 connections before
+blocking. Finally we block for an hour; we could block forever
+too by specifying * in the duration column.
+
+blacklistd and the library use syslog(3) to report errors. The
+blacklist filter state is persisted automatically in /var/db/blacklistd.db
+so that if the daemon is restarted, it remembers what connections
+is currently handling. To start from a fresh state (if you restart
+npf too for example), you can use -f. To watch the daemon at work,
+you can use -d.
+
+The current control file is designed for npf, and it uses the
+dynamic rule feature. You need to create a dynamic rule in your
+/etc/npf.conf on the group referring to the interface you want to block
+called blacklistd as follows:
+
+ext_if=bge0
+
+group "external" on $ext_if {
+ ...
+ ruleset "blacklistd"
+ ...
+}
+
+Enjoy,
+
+christos
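Review bot: the README refers to etc/control, etc/conf and ssh.diff, none of which appear in the diffstat for this change, so either they are still to be imported or the paths need updating (blacklistd.8 describes the control program and config file as coming from -C and -c). The action vocabulary also disagrees between the two documents: here the caller passes 0 for a successful login and 1 for a failure, while blacklistd.8 describes notifications as carrying an "add" or "remove" action; use one set of terms in both. Two smaller things: the first line is a bare timestamp comment that reads like a leftover, and "remembers what connections is currently handling" should be "which connections it is currently handling". Finally, since owner is * for the ssh entries, the port and address the kernel reports for acceptedfd are the only thing keeping an unprivileged local process from reporting failures against an address of its choosing; it is worth stating here exactly what blacklistd checks about the descriptor it receives (connected socket, local port matches a configured entry) rather than leaving it at "retrieved from the kernel".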
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/bin/Makefile
--- a/external/bsd/blacklist/bin/Makefile Wed Jan 21 15:19:01 2015 +0000
+++ b/external/bsd/blacklist/bin/Makefile Wed Jan 21 16:16:00 2015 +0000
@@ -1,13 +1,14 @@
-.include <bsd.own.mk>
+# $NetBSD: Makefile,v 1.5 2015/01/21 16:16:00 christos Exp $
+
+BINDIR=/usr/sbin
-WARNS=6
-COPTS=-g
-MKMAN=no
-PROGS=srvtest cltest blacklistd
-SRCS.srvtest = bl.c srvtest.c
-SRCS.cltest = cltest.c
-SRCS.blacklistd = bl.c blacklistd.c conf.c run.c state.c
-LDADD.blacklistd += -lutil
-LPADD.blacklistd += ${LIBUTIL}
+PROGS=blacklistd blacklistctl
+MAN=blacklistd.8
+MLINKS=blacklistd.8 blacklistd.conf.5
+SRCS.blacklistd = blacklistd.c conf.c run.c state.c
+SRCS.blacklistctl = blacklistctl.c conf.c state.c
+
+LDADD+=-lutil
+DPADD+=${LIBUTIL}
.include <bsd.prog.mk>
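Review bot: `MLINKS=blacklistd.8 blacklistd.conf.5` makes blacklistd.conf(5) a link to the section 8 page, while blacklistd.8 itself sends the reader to blacklistd.conf 5 for the file syntax, so the cross-reference is circular; either write a separate blacklistd.conf.5 or drop the .Xr and describe the syntax fully in blacklistd.8 (the tail of that page already starts to). The rest is an improvement: the old `LPADD.blacklistd` typo is gone with the move to DPADD, and WARNS now comes from Makefile.inc.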
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/bin/blacklistctl.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/bin/blacklistctl.c Wed Jan 21 16:16:00 2015 +0000
@@ -0,0 +1,52 @@
+
+#include <stdio.h>
+#include <time.h>
+#include <util.h>
+#include <fcntl.h>
+#include <db.h>
+#include <err.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#include "conf.h"
+#include "state.h"
+#include "internal.h"
+
+static const char *
+fmttime(char *b, size_t l, time_t t)
+{
+ struct tm tm;
+ if (localtime_r(&t, &tm) == NULL)
+ snprintf(b, l, "*%jd*", (intmax_t)t);
+ else
+ strftime(b, l, "%Y/%m/%d %H:%M:%S", &tm);
+ return b;
+}
+
+int
+main(int argc, char *argv[])
+{
+ const char *dbname = _PATH_BLSTATE;
+ DB *db;
+ struct conf c;
+ struct sockaddr_storage ss;
+ struct dbinfo dbi;
+ unsigned int i;
+
+ db = state_open(dbname, O_RDONLY, 0);
+ if (db == NULL)
+ err(EXIT_FAILURE, "Can't open `%s'", dbname);
+
+ for (i = 1; state_iterate(db, &ss, &c, &dbi, i) != 0; i = 0) {
+ char buf[BUFSIZ];
+ printf("conf: %s\n", conf_print(buf, sizeof(buf), "",
+ ":", &c));
+ sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&ss);
+ printf("addr: %s\n", buf);
+ printf("data: count=%d id=%s time=%s\n", dbi.count,
+ dbi.id, fmttime(buf, sizeof(buf), dbi.last));
+ }
+ state_close(db);
+ return EXIT_SUCCESS;
+}
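Review bot: fmttime() casts to intmax_t and prints it with %jd, but the file includes neither <stdint.h> nor <inttypes.h>; add one explicitly instead of relying on a transitive include, since at WARNS=6 a platform that does not pull it in will fail the build. main() ignores argc and argv and hard-codes _PATH_BLSTATE, whereas blacklistd accepts -D dbfile; a matching -D option (and a usage()) would let the tool inspect a non-default database. Two nits: the file lacks the $NetBSD$ RCS tag the other new files carry (line one is blank), and `count=%d` / `id=%s` must agree with the field types in state.h; the man page calls the id numerical, so %s deserves a second look. Opening the database O_RDONLY is the right choice for an inspection tool.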
diff -r 37344b744733 -r 1cd31832d135 external/bsd/blacklist/bin/blacklistd.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.8 Wed Jan 21 16:16:00 2015 +0000
@@ -0,0 +1,170 @@
+.\" $NetBSD: blacklistd.8,v 1.1 2015/01/21 16:16:00 christos Exp $
+.\"
+.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd January 19, 2016
+.Dt BLACKLISTD 8
+.Os
+.Sh NAME
+.Nm blacklistd ,
+.Nm blacklistd.conf
+.Nd block and release ports on demand to avoid DoS abuse
+.Sh SYNOPSIS
+.Nm
+.Op Fl df
+.Op Fl c Ar configfile
+.Op Fl C Ar controlprog
+.Op Fl D Ar dbfile
+.Op Fl r Ar rulename
+.Op Fl s Ar sockpath
+.Op Fl t Ar timeout
+.Sh DESCRIPTION
+.Nm
+is a daemon similar to
+.Xr syslogd 8
+that listens to a socket at
+.Ar sockpath
+for notifications from other daemons about successful or failed connection
+attempts.
+Each notification contains a (action, port, protocol, address, owner) tuple
+that identifies the remote connection and the action.
+This tuple is consulted against entries in
+.Ar configfile
+with syntax specified in
+.Xr blacklistd.conf 5 .
+If an entry is matched, a state entry is created for that tuple.
+Each entry contains a number of tries limit and a duration.
+.Pp
+If the action is
+.Dq add
+and the number of tries limit is reached, then a
+control script
+.Ar controlprog
+is invoked with arguments:
+.Bd -literal -offset indent
+control add <rulename> <proto> <port> <address>
+.Ed
+.Pp
+and should invoke a packet filter command to block the connection
+specified by the arguments.
+The
+.Ar rulename
+argument can be set from the command line (default
+.Dv blacklistd ).
+The script should print a numerical id to stdout as a handle for
+the rule that can be used later to remove that connection.
+.Pp
+If the action is
+.Dq remove
+Then the same control script is invoked as:
+.Bd -literal -offset indent
+control rem <rulename> <id>
+.Ed
+.Pp
+where
+.Ar id
+is the number returned from the
+.Dq add
+action.
+.Pp
+.Nm
+maintains a database of known connections in
+.Ar dbfile .
+On startup it reads entries from that file, and updates its internal state.
+If the
+.Fl f
+flag is specified, then the database is truncated an all the rules named
+.Ar rulename
+are deleted by invoking the control script as:
+.Bd -literal -offset indent
+control flush <rulename>
+.Ed
+.Pp
+.Nm
+checks the list of active entries every
+.Ar timeout
+seconds (default
+.Dv 15 )
+and removes entries and block rules using the control program as necessary.
+.Pp
+The configuration file contains one tuple per line, and is similar to
+.Xr inetd.conf .
+There must be an entry for each field of the configuration file, with
+entries for each field separated by a tab or a space.
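Review bot: `.Dd January 19, 2016` is a year ahead of the commit date (January 2015); correct it to 2015. The action names here ("add" and "remove") do not match the README, where the library caller passes 0 for a successful login and 1 for a failure; use the same terms in both and state the mapping explicitly if 1/failure is "add" and 0/success is "remove". Wording nits: "Then the same control script" should be lower-case mid-sentence, "truncated an all the rules" should read "truncated and all the rules", and `.Xr inetd.conf .` needs its section (`.Xr inetd.conf 5`). Because the <address> and <port> passed to controlprog originate from a descriptor handed over by the reporting process, the page should say how the control program is run (directly, with each value as its own argv entry, rather than through a shell) and that the id it prints on stdout is the only output blacklistd parses; as written it leaves both open.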