[src/trunk]: src/external/bsd/blacklist The original blacklist library suppor...
details: https://anonhg.NetBSD.org/src/rev/388847240328
branches: trunk
changeset: 465124:388847240328
user: christos <christos%NetBSD.org@localhost>
date: Wed Nov 06 20:50:01 2019 +0000
description:
The original blacklist library supported two operations - a
notification of a failed auth attempt, and a notification of a
successful auth attempt.
Implements a third option - notification of abusive behavior, and
accepts, but does not act on a fourth type - "bad username". It is
envisioned that a system administrator will configure a small list
of "known bad usernames" that should be blocked immediately.
From Kurt Lidl @ FreeBSD
diffstat:
external/bsd/blacklist/bin/blacklistd.c | 18 ++++++++++-
external/bsd/blacklist/include/bl.h | 6 ++-
external/bsd/blacklist/include/blacklist.h | 11 ++++++-
external/bsd/blacklist/lib/blacklist.c | 26 +++++++++++++++--
external/bsd/blacklist/lib/libblacklist.3 | 45 +++++++++++++++++++++++------
5 files changed, 88 insertions(+), 18 deletions(-)
diffs (217 lines):
diff -r ac3060d18053 -r 388847240328 external/bsd/blacklist/bin/blacklistd.c
--- a/external/bsd/blacklist/bin/blacklistd.c Wed Nov 06 20:33:30 2019 +0000
+++ b/external/bsd/blacklist/bin/blacklistd.c Wed Nov 06 20:50:01 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -214,6 +214,17 @@
}
switch (bi->bi_type) {
+ case BL_ABUSE:
+ /*
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
+ */
+ if (c.c_nfail != -1)
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
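Review bot: The `if (c.c_nfail != -1)` guard silently downgrades an abuse report to a single ordinary failure when the configured limit is -1, which is at odds with the man page's promise that the address is blocked as soon as possible; if -1 means "no limit for this entry" that may be intended, but the comment should say so and a debug log would help an operator understand why nothing was blocked, e.g. `/* nfail == -1: no limit configured for this entry, so treat as a plain failure */`. The comment also misspells `threshhold`. Since one BL_ABUSE message now does what previously took c_nfail failures, whoever can write to the daemon's socket can block an address outright, so the socket's permissions are the whole access-control boundary here; a sentence in the comment making that explicit would be worthwhile. The enclosing function starts and ends outside the hunk.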
@@ -249,6 +260,9 @@
dbi.count = 0;
dbi.last = 0;
break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
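Review bot: `case BL_BADUSER` drops the message without a trace, while every other unexpected value falls into `default` and is logged at LOG_ERR, so an operator cannot tell that an application is already sending bad-username reports that this daemon ignores; a `(*lfun)(LOG_DEBUG, "BL_BADUSER not implemented, ignoring");` before the `break` would make that visible. Also, if the code after the switch (outside this hunk) writes `dbi` back to the state database unconditionally, the ignored message still creates or refreshes a record for the address; if that is the case, leaving the function early for BL_BADUSER (via the function's existing cleanup path, if it has one) would be cleaner than `break`. The enclosing function starts and ends outside the hunk.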
diff -r ac3060d18053 -r 388847240328 external/bsd/blacklist/include/bl.h
--- a/external/bsd/blacklist/include/bl.h Wed Nov 06 20:33:30 2019 +0000
+++ b/external/bsd/blacklist/include/bl.h Wed Nov 06 20:50:01 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $ */
+/* $NetBSD: bl.h,v 1.14 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,9 @@
typedef enum {
BL_INVALID,
BL_ADD,
- BL_DELETE
+ BL_DELETE,
+ BL_ABUSE,
+ BL_BADUSER
} bl_type_t;
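Review bot: These enumerators appear to be the wire protocol between libblacklist and blacklistd (the daemon switches on the received `bi->bi_type` in the first blacklistd.c hunk), and appending BL_ABUSE and BL_BADUSER after BL_DELETE keeps the existing values stable, but nothing in the header records that constraint; a comment above the typedef such as `/* Sent over the socket to blacklistd(8): append new values only, never renumber. */` would stop a later tidy-up from breaking mixed library/daemon versions. An older daemon receiving the new values will log them as unknown messages, which is acceptable, but is worth mentioning in the same comment.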
typedef struct {
diff -r ac3060d18053 -r 388847240328 external/bsd/blacklist/include/blacklist.h
--- a/external/bsd/blacklist/include/blacklist.h Wed Nov 06 20:33:30 2019 +0000
+++ b/external/bsd/blacklist/include/blacklist.h Wed Nov 06 20:50:01 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $ */
+/* $NetBSD: blacklist.h,v 1.4 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -43,4 +43,13 @@
const struct sockaddr *, socklen_t, const char *);
__END_DECLS
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+
#endif /* _BLACKLIST_H */
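Review bot: BLACKLIST_AUTH_OK = 0 and BLACKLIST_AUTH_FAIL = 1 are what keep existing callers that pass literal 0 and 1 (the contract the old man page text documented) working, yet the header does not say so; a comment such as `/* 0 and 1 keep the meaning of the original 0 = success / 1 = failure action argument; do not renumber. */` would stop a future reorder from silently breaking those callers. BLACKLIST_API_ENUM is likewise introduced with no hint of what a consumer should test with it; one line like `/* Defined when the action argument accepts the enumerators below. */` would do.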
diff -r ac3060d18053 -r 388847240328 external/bsd/blacklist/lib/blacklist.c
--- a/external/bsd/blacklist/lib/blacklist.c Wed Nov 06 20:33:30 2019 +0000
+++ b/external/bsd/blacklist/lib/blacklist.c Wed Nov 06 20:50:01 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
#include <stdio.h>
#include <bl.h>
@@ -61,7 +61,27 @@
blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
{
- return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+ int internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLACKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLACKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLACKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLACKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
}
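Review bot: The `default:` arm maps every unrecognised action to BL_INVALID and still passes it to bl_send, so a bad value travels over the socket and is only diagnosed by blacklistd's "unknown message" log; before this change any nonzero action meant BL_ADD, so a caller passing a truthy value other than 1 now silently stops reporting failures. Rejecting it in the library is cheaper and gives the caller an error it can act on: `default: errno = EINVAL; return -1;` (adding `<errno.h>` if it is not already included). If bl_send already refuses BL_INVALID this is moot, but that is not visible from the hunk.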
int
diff -r ac3060d18053 -r 388847240328 external/bsd/blacklist/lib/libblacklist.3
--- a/external/bsd/blacklist/lib/libblacklist.3 Wed Nov 06 20:33:30 2019 +0000
+++ b/external/bsd/blacklist/lib/libblacklist.3 Wed Nov 06 20:50:01 2019 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.9 2019/11/06 20:50:01 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 22, 2015
+.Dd May 5, 2017
.Dt LIBBLACKLIST 3
.Os
.Sh NAME
@@ -76,13 +76,9 @@
.Fn blacklist
function sends a message to
.Xr blacklistd 8 ,
-with an
+with an integer
.Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
a file descriptor
.Ar fd
specifying the accepted file descriptor connected to the client,
@@ -91,6 +87,30 @@
argument.
.Pp
The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLACKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLACKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system. The remote address should
+be blocked as soon as possible.
+.It Va BLACKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid. The
+.Xr blacklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLACKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
.Fn blacklist_r
function is more efficient because it keeps the blacklist state around.
.Pp
@@ -102,8 +122,13 @@
.Xr getpeername 2
will not work, the server will pass the peer name in the message.
.Pp
-All functions log errors to
-.Xr syslogd 8 .
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
.Sh RETURN VALUES
The function
.Fn blacklist_open