At Sat, 25 Jan 2025 14:49:31 -0800, "Greg A. Woods" <[email protected]> wrote:
Subject: odd ssh connections with "Failed password" results not going to blocklistd
>
> So, I've been noticing a rash of SSH connections getting a "failed
> password for root" recently, and yet they're not being caught and
> blocked by blocklistd.
Just when you get debugging all set up the abuser gives up!
Anyway, finally, ah ha! The problem seems to be fixed by the following
change, which I didn't yet have in production:
RCS file: /cvs/master/m-NetBSD/main/src/crypto/external/bsd/openssh/dist/monitor.c,v
Working file: monitor.c
----------------------------
revision 1.44
date: 2024-06-25 09:58:24 -0700; author: christos; state: Exp; lines: +7 -3;
commitid: ZoqhLtZ1YXfw0ofF;
Don't call pfilter_notify for each authentication attempt, only call it
once we failed to authenticate.
----------------------------
In particular the real fix is the part where it calls pfilter_notify()
before calling any function that will cause an exit(). Previously the
sshd was reporting a failure and exiting immediately before any call to
pfilter_notify().
I'm still a bit confused by the way the "monitor.c" stuff works,
i.e. how the "[preauth]" suffix appears on log messages.
It would seem from the debugging output there are now two calls to
pfilter_notify(), one from auth.c:getpwnamallow(), and another from
auth2.c:userauth_finish():
Connection from 211.39.130.134 port 60968 on 10.0.1.129 port 22
debug1: HPN Disabled: 0, HPN Buffer Size: 262144
debug1: Local version string SSH-2.0-OpenSSH_8.5 NetBSD_Secure_Shell-20210304-hpn13v14-lpk
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: compat_banner: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug1: permanently_set_uid: 16/16 [preauth]
debug1: list_hostkey_types:
rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp521,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: diffie-hellman-group14-sha256 [preauth]
debug1: kex: host key algorithm: ecdsa-sha2-nistp521 [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
SSH: Server;Ltype: Kex;Remote: 211.39.130.134-60968;Enc: aes128-ctr;MAC: hmac-sha1;Comp: none [preauth]
debug1: REQUESTED ENC.NAME is 'aes128-ctr' [preauth]
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
debug1: rekey out after 4294967296 blocks [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: Sending SSH2_MSG_EXT_INFO [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: rekey in after 4294967296 blocks [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user support service ssh-connection method password [preauth]
SSH: Server;Ltype: Authname;Remote: 211.39.130.134-60968;Name: support [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: Config token is logingracetime
debug1: Config token is authorizedkeysfile
debug1: Config token is x11forwarding
debug1: Config token is tcpkeepalive
debug1: Config token is clientaliveinterval
debug1: Config token is clientalivecountmax
debug1: Config token is subsystem
debug1: Config token is acceptenv
debug1: pfilter_notify: attempting to notify blocklistd for 2
Invalid user support from 211.39.130.134 port 60968
debug1: pfilter_notify: attempting to notify blocklistd for 2 [preauth]
Failed password for invalid user support from 211.39.130.134 port 60968 ssh2
debug1: pfilter_notify: attempting to notify blocklistd for 1
debug1: pfilter_notify: attempting to notify blocklistd for 1 [preauth]
debug1: userauth-request for user support service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 1 [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=support devs= [preauth]
debug1: kbdint_alloc: devices '' [preauth]
debug1: pfilter_notify: attempting to notify blocklistd for 1 [preauth]
Connection closed by invalid user support 211.39.130.134 port 60968 [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 2489
BTW:
Index: crypto/external/bsd/openssh/dist/pfilter.h
===================================================================
RCS file: /cvs/master/m-NetBSD/main/src/crypto/external/bsd/openssh/dist/pfilter.h,v
retrieving revision 1.2
diff -u -r1.2 pfilter.h
--- crypto/external/bsd/openssh/dist/pfilter.h 6 Apr 2018 18:59:00 -0000 1.2
+++ crypto/external/bsd/openssh/dist/pfilter.h 9 Dec 2024 00:44:55 -0000
@@ -1,4 +1,6 @@
/* $NetBSD: pfilter.h,v 1.2 2018/04/06 18:59:00 christos Exp $ */
+#include <blocklist.h>
+
void pfilter_notify(int);
void pfilter_init(void);
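Review bot: the prototype `void pfilter_notify(int);` still takes a bare `int` even though this hunk pulls `<blocklist.h>` into the header; since the stated intent is for callers to pass the blocklist enum identifiers instead of the literal `1`/`2` seen in the debug output, consider typing the parameter with that enum (or at least documenting in the header which blocklist.h constants the `int` maps to) so a mismatched literal is caught at compile time rather than silently sent to blocklistd. Also note the `#include` is unconditional in a header, so every file that includes pfilter.h now needs blocklist.h available in its build.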
Then use the enum identifiers for the pfilter_notify() arguments!
--
Greg A. Woods <[email protected]>
Kelowna, BC +1 250 762-7675 RoboHack <[email protected]>
Planix, Inc. <[email protected]> Avoncote Farms <[email protected]>
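As an added example (not part of this mail or of the NetBSD sources), a small Python checker that scans sshd debug output of the kind quoted above and flags any connection whose authentication failure was never followed by a pfilter_notify() before the connection was torn down, i.e. the pre-fix symptom. It assumes non-interleaved "sshd -d" style output; the second session and its 192.0.2.10 address are constructed.

```python
import re
# Constructed sshd DEBUG1 output modelled on the mail's excerpt: session 1 (port
# 60968) shows the post-fix notifications; session 2 (192.0.2.10, an invented
# address) models the pre-fix bug where sshd exited before pfilter_notify().
SAMPLE_LOG = """\
Connection from 211.39.130.134 port 60968 on 10.0.1.129 port 22
debug1: pfilter_notify: attempting to notify blocklistd for 2
Invalid user support from 211.39.130.134 port 60968
Failed password for invalid user support from 211.39.130.134 port 60968 ssh2
debug1: pfilter_notify: attempting to notify blocklistd for 1
Connection closed by invalid user support 211.39.130.134 port 60968 [preauth]
Connection from 192.0.2.10 port 50000 on 10.0.1.129 port 22
Failed password for root from 192.0.2.10 port 50000 ssh2
Connection closed by authenticating user root 192.0.2.10 port 50000 [preauth]
"""
CONN_RE = re.compile(r"^Connection from (\S+) port (\d+) ")
FAIL_RE = re.compile(r"^(Invalid user|Failed \S+ for) .*?(\S+) port (\d+)")
NOTIFY_RE = re.compile(r"pfilter_notify: attempting to notify blocklistd for (\d+)")
CLOSE_RE = re.compile(r"^(debug1: )?(Connection closed by|Killing privsep child)")

def parse_sessions(log_text):
    """Per-connection event lists. Assumes non-interleaved 'sshd -d' output: the
    pfilter_notify line has no peer address, so it goes to the current session."""
    sessions, current = {}, None
    for line in log_text.splitlines():
        if m := CONN_RE.match(line):
            current = f"{m.group(1)}:{m.group(2)}"
            sessions.setdefault(current, [])
        elif m := FAIL_RE.match(line):
            current = f"{m.group(2)}:{m.group(3)}"
            sessions.setdefault(current, []).append(("fail", line))
        elif (m := NOTIFY_RE.search(line)) and current:
            sessions[current].append(("notify", m.group(1)))
        elif CLOSE_RE.match(line) and current:
            sessions[current].append(("close", line))
    return sessions

def unnotified_failures(log_text):
    """{session: [failure lines]} for failures with no pfilter_notify between
    them and the teardown of the connection: the symptom described in the mail."""
    findings = {}
    for key, ev in parse_sessions(log_text).items():
        end = next((i for i, (k, _) in enumerate(ev) if k == "close"), len(ev))
        notifies = [i for i, (k, _) in enumerate(ev) if k == "notify"]
        missing = [d for i, (k, d) in enumerate(ev)
                   if k == "fail" and not any(i < n < end for n in notifies)]
        if missing:
            findings[key] = missing
    return findings
```

Run against a real "sshd -d" capture, an empty result means every failure reached blocklistd before the child exited; any entry is a connection blocklistd never heard about.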
