Re: blacklistd not reacting to postfix/smtpd AUTH failures

To: imil%home.imil.net@localhost, netbsd-users%netbsd.org@localhost
Subject: Re: blacklistd not reacting to postfix/smtpd AUTH failures
From: neitzel%hackett.marshlabs.gaertner.de@localhost (Martin Neitzel)
Date: Fri, 7 Aug 2020 18:53:02 +0200 (CEST)

iMil> smtpd is indeed linked over libblacklist:
iMil>
iMil> $ ldd /usr/libexec/postfix/smtpd |grep black
iMil>          -lblacklist.0 => /usr/lib/libblacklist.so.0

iMil> Anything I am missing here?

A daemon may well notify blacklistd about a possible attack at some
places along the code path but not at others, even when an issue
gets logged at the "other" place.  In particular, the blacklist(3)
API requires the connection to the client to be still active when
registering an mis-behavior.  This is a bit stupid, IMHO, because
it prevents the blacklist registration of any clients which pull
out early.

I had noticed this with sshd: it just logged lots of "client closed
connection [preauth]" probes without notifying blacklistd.  A look
into the sshd source showed that this was a case of "fd already
closed" and not fixable.

In fact, only allowing public key access kept many stupid clients
knocking at the door.  Allowing password-based access gets rid of
them quickly because those attempts *do* trigger blacklistd.

You have to check the smtpd source to see if blacklist{,_r,_sa}
could be called at the point where the issue is logged.

						Martin Neitzel

Follow-Ups:
- Re: blacklistd not reacting to postfix/smtpd AUTH failures
  - From: Emile `iMil' Heitor

References:
- blacklistd not reacting to postfix/smtpd AUTH failures
  - From: Emile `iMil' Heitor

Prev by Date: dhcpcd refreshing lease very often.
Next by Date: Re: Booting CDs in Qemu
Previous by Thread: blacklistd not reacting to postfix/smtpd AUTH failures
Next by Thread: Re: blacklistd not reacting to postfix/smtpd AUTH failures
Indexes:

Home | Main Index | Thread Index | Old Index