tech-net archive
Re: blocklistd detects a failure for a killed ssh session
On Thursday 24 Nov 2022, at 14:52, Christos Zoulas wrote:
> In article <25467.63948.210578.997038%gargle.gargle.HOWL@localhost>,
> Anthony Mallet <anthony.mallet%laas.fr@localhost> wrote:
> >Would there be a way to improve this, by detecting properly
> >established connections and not notify blacklistd anymore about these?
>
> Well the code seems to be doing the right thing: in clientloop.c it
> calls cleanup_exit(254) from ssh_packet_disconnect() and that should not
> call pfilter_notify().

I'm not sure, but I guess clientloop.c does not contain any code run
by sshd. I would guess that serverloop.c is what sshd runs.

But according to the logged messages ("Received disconnect from ..."),
the code path taken is necessarily in ssh_packet_read_poll_seqnr() in
packet.c, which returns SSH_ERR_DISCONNECTED. It's easy to see that
this leads to a call to fatal_fr(), which is a wrapper for sshfatal,
which calls cleanup_exit(255).

I've been running the patch suggested in my previous e-mail for a few
days now and the issue has not triggered since (and of course blocklistd
is still blocking other harmful "attacks", AFAICT).