NetBSD-Bugs archive


bin/53309: openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders



>Number:         53309
>Category:       bin
>Synopsis:       openssh patch for blocklistd to block "Received disconnect .. [preauth]" offenders
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed May 23 15:50:00 +0000 2018
>Originator:     Mayuresh
>Release:        8.0_RC1
>Organization:
>Environment:
NetBSD localhost 8.0_RC1 NetBSD 8.0_RC1 (GENERIC.201804191727Z) amd64

>Description:
/var/log/authlog is often flooded with "Received disconnect from ... [preauth]" which is not being handled by blacklistd.
>How-To-Repeat:
Set up blacklistd on internet facing server.

Look for /var/log/authlog pattern mentioned above.

Check whether the offending IP gets blocked using blacklistctl dump -a
>Fix:
Christos has shared a patch and I have tested it. Found to be working fine.

Would be nice to include this in 8.0

Index: auth-pam.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/auth-pam.c,v
retrieving revision 1.14
diff -u -u -r1.14 auth-pam.c
--- auth-pam.c  6 Apr 2018 18:58:59 -0000       1.14
+++ auth-pam.c  23 May 2018 00:46:27 -0000
@@ -552,6 +552,7 @@
                ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
        else
                ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
+       pfilter_notify(1);
        buffer_free(&buffer);
        pthread_exit(NULL);

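Review bot: the new pfilter_notify(1) call has no comment saying why it sits on this path, and it fires for both outcomes sent just above (PAM_MAXTRIES and PAM_AUTH_ERR), so a reader cannot tell whether both are meant to count as a blacklistd failure. Add a one-line comment such as `/* report the failed PAM authentication to blacklistd */`, and confirm that pfilter_notify() works in the context that ends with pthread_exit(NULL) here, which is the PAM helper rather than the main sshd process.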
@@ -830,6 +831,7 @@
                                free(msg);
                                return (0);
                        }
+                       pfilter_notify(1);
                        error("PAM: %s for %s%.100s from %.100s", msg,
                            sshpam_authctxt->valid ? "" : "illegal user ",
                            sshpam_authctxt->user,
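Review bot: this is the second notification for what looks like the same failed PAM authentication: the helper already calls pfilter_notify(1) before pthread_exit() in the previous hunk, and this call fires when the result is processed and logged with "PAM: %s for %s%.100s from %.100s". Check that blacklistd does not count one failed attempt twice for the same address, and if both sites are intentional (for example because only one of them runs depending on how the helper exits), say so in a comment at each call.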
Index: sshd.c
===================================================================
RCS file: /cvsroot/src/crypto/external/bsd/openssh/dist/sshd.c,v
retrieving revision 1.30
diff -u -u -r1.30 sshd.c
--- sshd.c      8 Apr 2018 21:56:48 -0000       1.30
+++ sshd.c      23 May 2018 00:46:28 -0000
@@ -344,6 +344,7 @@
 __dead static void
 grace_alarm_handler(int sig)
 {
+       pfilter_notify(1);
        if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
                kill(pmonitor->m_pid, SIGALRM);

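Review bot: pfilter_notify(1) now runs inside the SIGALRM handler before the monitor is signalled, so it must be async-signal-safe for this to be correct; sigdie() already ran in this handler, but a short comment at the new call site stating that requirement, and that the notify is deliberately sent before kill()/killpg(), would keep the next person from moving it back down.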
@@ -356,7 +357,6 @@
                killpg(0, SIGTERM);
        }

-       pfilter_notify(1);
        /* Log error and exit. */
        sigdie("Timeout before authentication for %s port %d",
            ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
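Review bot: the removal here is the other half of the move in the previous hunk; the net effect is that the blacklistd notification is sent before kill(pmonitor->m_pid, SIGALRM) and killpg(0, SIGTERM) instead of after them, which matters if killpg(0, SIGTERM) can reach this process itself and prevent the old call from ever running. The commit message or a comment should record that this is the reason, since on its own the hunk reads like the notification was dropped.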
@@ -2193,6 +2193,9 @@
 {
        struct ssh *ssh = active_state; /* XXX */

+       if (i == 255)
+               pfilter_notify(1);
+
        if (the_authctxt) {
                do_cleanup(ssh, the_authctxt);
                if (use_privsep && privsep_is_preauth &&
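Review bot: `i == 255` is a magic number: it relies on fatal() exiting through cleanup_exit(255), and it triggers on every fatal exit, not only the "Received disconnect ... [preauth]" case the PR is about, so a fatal error on an already authenticated session would also count against the client address. Consider additionally requiring the pre-authentication state (privsep_is_preauth is already tested a few lines below, or the_authctxt with authenticated not set), and add a comment naming where 255 comes from.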


