tech-net archive


Re: blocklistd detects a failure for a killed ssh session



In article <25467.63948.210578.997038%gargle.gargle.HOWL@localhost>,
Anthony Mallet  <anthony.mallet%laas.fr@localhost> wrote:
>Hi,
>
>I have the feeling that killing (SIGTERM) an ssh session triggers a
>blocklistd failure on the server:
>
>In authlog:
>Nov 21 22:37:58 cactus sshd[16361]: Received disconnect from 10.1.0.15
>port 57148:11: disconnected by user
>Nov 21 22:37:58 cactus sshd[16361]: Disconnected from user me 10.1.0.15
>port 57148
>
>And in blocklistd:
>cactus[~] # blocklistctl dump -a | grep '10[.]1'
>      10.1.0.15/32:22           3/4     2022/11/21 22:37:58
>
>The same also happens if I just close the laptop's lid and the
>connection eventually times out:
>
>Nov 21 23:01:59 cactus sshd[18107]: debug2: channel 0: read failed rfd
>11 maxlen 32768: Broken pipe
>Nov 21 23:01:59 cactus sshd[18107]: debug2: channel 0: read failed
>...
>Nov 21 23:01:59 cactus sshd[18107]: Close session: user me from
>10.1.0.15 port 51772 id 0
>
>cactus[~] # blocklistctl dump -a | grep '10[.]1'
>      10.1.0.15/32:22   4       4/4     2022/11/21 23:01:59
>
>This is a bit annoying, since those are legitimate connections that were
>properly authenticated. This happens to me frequently (but I just
>started using blocklistd), for instance by logging out of an X11
>session without closing all terminals, or just closing the laptop ...
>
>Would there be a way to improve this, by detecting properly
>established connections and not notifying blacklistd anymore about these?

Well the code seems to be doing the right thing: in clientloop.c it
calls cleanup_exit(254) from ssh_packet_disconnect() and that should not
call pfilter_notify().

christos
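
A check for the symptom reported in this thread, as an added example (not part of the original messages and not NetBSD code): it flags blocklistd entries whose last-failure time coincides, to the second, with the end of an already authenticated sshd session. The function names are hypothetical, the sample input is the quoted lines re-joined, and reading the optional middle column of the dump as a rule id and handling only IPv4 entries are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: the log and dump lines quoted in the thread, re-joined.
AUTHLOG = """\
Nov 21 22:37:58 cactus sshd[16361]: Received disconnect from 10.1.0.15 port 57148:11: disconnected by user
Nov 21 22:37:58 cactus sshd[16361]: Disconnected from user me 10.1.0.15 port 57148
Nov 21 23:01:59 cactus sshd[18107]: Close session: user me from 10.1.0.15 port 51772 id 0
"""
DUMP = """\
      10.1.0.15/32:22           3/4     2022/11/21 22:37:58
      10.1.0.15/32:22   4       4/4     2022/11/21 23:01:59
"""

# address/mask:port, optional id column (assumed: rule id), nfail/limit, last access
DUMP_RE = re.compile(
    r"^\s*(?P<addr>[0-9.]+)/\d+:(?P<port>\d+)\s+(?:(?P<id>\S+)\s+)?"
    r"(?P<nfail>\d+)/(?P<limit>\d+)\s+(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\s*$")
# Only lines that name a logged-in user; "Disconnected from authenticating user" is excluded.
AUTH_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?:Disconnected from user (?P<u1>\S+) (?P<a1>\S+) port \d+"
    r"|Close session: user (?P<u2>\S+) from (?P<a2>\S+) port \d+)")

def session_ends(authlog, year):
    """Map (address, datetime) -> (user, sshd pid) for authenticated sessions that ended."""
    ends = {}
    for line in authlog.splitlines():
        m = AUTH_RE.match(line)
        if m:  # syslog stamps carry no year, so borrow it from the dump entry
            when = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            ends[(m["a1"] or m["a2"], when)] = (m["u1"] or m["u2"], int(m["pid"]))
    return ends

def suspect_entries(dump, authlog):
    """Return dump entries whose last failure matches an authenticated session end."""
    out = []
    for line in dump.splitlines():
        m = DUMP_RE.match(line)
        if not m:
            continue  # header or unrecognised line
        when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        hit = session_ends(authlog, when.year).get((m["addr"], when))
        if hit:
            out.append({"addr": m["addr"], "port": int(m["port"]), "rule_id": m["id"],
                        "nfail": int(m["nfail"]), "at_limit": int(m["nfail"]) >= int(m["limit"]),
                        "user": hit[0], "sshd_pid": hit[1]})
    return out
```

On the sample input both dump entries are returned, tied to sshd pids 16361 and 18107, which is the information needed to trace which exit path in sshd reported the failure.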


