Module Name: src
Committed By: christos
Date: Wed Nov 6 20:50:01 UTC 2019
Modified Files:
src/external/bsd/blacklist/bin: blacklistd.c
src/external/bsd/blacklist/include: bl.h blacklist.h
src/external/bsd/blacklist/lib: blacklist.c libblacklist.3
Log Message:
The original blacklist library supported two operations - a
notification of a failed auth attempt, and a notification of a
successful auth attempt.
Implements a third option - notification of abusive behavior, and
accepts, but does not act on a fourth type - "bad username". It is
envisioned that a system administrator will configure a small list
of "known bad usernames" that should be blocked immediately.
From Kurt Lidl @ FreeBSD
To generate a diff of this commit:
cvs rdiff -u -r1.38 -r1.39 src/external/bsd/blacklist/bin/blacklistd.c
cvs rdiff -u -r1.13 -r1.14 src/external/bsd/blacklist/include/bl.h
cvs rdiff -u -r1.3 -r1.4 src/external/bsd/blacklist/include/blacklist.h
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blacklist/lib/blacklist.c
cvs rdiff -u -r1.8 -r1.9 src/external/bsd/blacklist/lib/libblacklist.3
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/blacklist/bin/blacklistd.c
diff -u src/external/bsd/blacklist/bin/blacklistd.c:1.38 src/external/bsd/blacklist/bin/blacklistd.c:1.39
--- src/external/bsd/blacklist/bin/blacklistd.c:1.38 Tue Feb 26 21:20:18 2019
+++ src/external/bsd/blacklist/bin/blacklistd.c Wed Nov 6 15:50:01 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */
+/* $NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include "config.h"
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $");
+__RCSID("$NetBSD: blacklistd.c,v 1.39 2019/11/06 20:50:01 christos Exp $");
#include <sys/types.h>
#include <sys/socket.h>
@@ -214,6 +214,17 @@ process(bl_t bl)
}
switch (bi->bi_type) {
+ case BL_ABUSE:
+ /*
+ * If the application has signaled abusive behavior,
+ * set the number of fails to be one less than the
+ * configured limit. Fallthrough to the normal BL_ADD
+ * processing, which will increment the failure count
+ * to the threshhold, and block the abusive address.
+ */
+ if (c.c_nfail != -1)
+ dbi.count = c.c_nfail - 1;
+ /*FALLTHROUGH*/
case BL_ADD:
dbi.count++;
dbi.last = ts.tv_sec;
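Review bot: The BL_ABUSE arm degrades to a plain BL_ADD whenever `c.c_nfail` is -1, so an abuse report against a rule with no failure limit only bumps the count and nothing records that the stronger signal was received; if -1 means "never block" for that rule (not visible in this hunk), the block comment should say so, e.g. add `With no failure limit configured (c_nfail == -1) the report is only counted like an ordinary failure.` The same comment spells threshold as `threshhold`. The enclosing process() starts before and ends after this hunk.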
@@ -249,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
+ case BL_BADUSER:
+ /* ignore for now */
+ break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
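Review bot: The new BL_BADUSER arm drops the message without any log line, so an operator cannot tell from blacklistd's output that a client is already sending bad-username notifications the daemon does not act on yet; logging it at debug level, `(*lfun)(LOG_DEBUG, "ignoring BL_BADUSER message");`, keeps the intent of `/* ignore for now */` while making the traffic visible. The `default:` arm right below logs unknown types at LOG_ERR, so the level difference also documents that BL_BADUSER is a known, deliberately unhandled type rather than a protocol error. process() begins outside this hunk.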
Index: src/external/bsd/blacklist/include/bl.h
diff -u src/external/bsd/blacklist/include/bl.h:1.13 src/external/bsd/blacklist/include/bl.h:1.14
--- src/external/bsd/blacklist/include/bl.h:1.13 Fri Mar 11 12:16:40 2016
+++ src/external/bsd/blacklist/include/bl.h Wed Nov 6 15:50:01 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $ */
+/* $NetBSD: bl.h,v 1.14 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -40,7 +40,9 @@
typedef enum {
BL_INVALID,
BL_ADD,
- BL_DELETE
+ BL_DELETE,
+ BL_ABUSE,
+ BL_BADUSER
} bl_type_t;
typedef struct {
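Review bot: The two new bl_type_t members are appended after BL_DELETE, which keeps the existing numeric values stable, but nothing in the header says that this ordering matters; since process() in blacklistd.c switches on the bi_type carried in the received message, these values appear to cross the socket between library and daemon, and a comment such as `/* carried in messages between libblacklist and blacklistd: append new types, never reorder */` above the enum would protect the next change. An older blacklistd receiving BL_ABUSE or BL_BADUSER from a newer library lands in its `default:` arm and logs "unknown message", which is worth stating in the same comment so the mixed-version behavior is understood.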
Index: src/external/bsd/blacklist/include/blacklist.h
diff -u src/external/bsd/blacklist/include/blacklist.h:1.3 src/external/bsd/blacklist/include/blacklist.h:1.4
--- src/external/bsd/blacklist/include/blacklist.h:1.3 Fri Jan 23 13:48:56 2015
+++ src/external/bsd/blacklist/include/blacklist.h Wed Nov 6 15:50:01 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $ */
+/* $NetBSD: blacklist.h,v 1.4 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -43,4 +43,13 @@ int blacklist_sa_r(struct blacklist *, i
const struct sockaddr *, socklen_t, const char *);
__END_DECLS
+/* action values for user applications */
+#define BLACKLIST_API_ENUM 1
+enum {
+ BLACKLIST_AUTH_OK = 0,
+ BLACKLIST_AUTH_FAIL,
+ BLACKLIST_ABUSIVE_BEHAVIOR,
+ BLACKLIST_BAD_USER
+};
+
#endif /* _BLACKLIST_H */
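Review bot: `BLACKLIST_API_ENUM` is defined without a comment saying what it is for; if it is meant as a feature-test macro so applications can check at compile time that the symbolic action values exist, say so, e.g. `/* feature test: the symbolic action values below are available */`. It would also help to note that BLACKLIST_AUTH_OK and BLACKLIST_AUTH_FAIL deliberately keep the 0 and 1 values the documented API used before, so existing callers passing literal 0/1 keep the same behavior. Placing the enum after __END_DECLS is fine because enum constants have no linkage.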
Index: src/external/bsd/blacklist/lib/blacklist.c
diff -u src/external/bsd/blacklist/lib/blacklist.c:1.5 src/external/bsd/blacklist/lib/blacklist.c:1.6
--- src/external/bsd/blacklist/lib/blacklist.c:1.5 Thu Jan 22 11:19:53 2015
+++ src/external/bsd/blacklist/lib/blacklist.c Wed Nov 6 15:50:01 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $ */
+/* $NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $ */
/*-
* Copyright (c) 2014 The NetBSD Foundation, Inc.
@@ -33,7 +33,7 @@
#endif
#include <sys/cdefs.h>
-__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $");
+__RCSID("$NetBSD: blacklist.c,v 1.6 2019/11/06 20:50:01 christos Exp $");
#include <stdio.h>
#include <bl.h>
@@ -61,7 +61,27 @@ int
blacklist_sa_r(struct blacklist *bl, int action, int rfd,
const struct sockaddr *sa, socklen_t slen, const char *msg)
{
- return bl_send(bl, action ? BL_ADD : BL_DELETE, rfd, sa, slen, msg);
+ int internal_action;
+
+ /* internal values are not the same as user application values */
+ switch (action) {
+ case BLACKLIST_AUTH_FAIL:
+ internal_action = BL_ADD;
+ break;
+ case BLACKLIST_AUTH_OK:
+ internal_action = BL_DELETE;
+ break;
+ case BLACKLIST_ABUSIVE_BEHAVIOR:
+ internal_action = BL_ABUSE;
+ break;
+ case BLACKLIST_BAD_USER:
+ internal_action = BL_BADUSER;
+ break;
+ default:
+ internal_action = BL_INVALID;
+ break;
+ }
+ return bl_send(bl, internal_action, rfd, sa, slen, msg);
}
int
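Review bot: The `default:` arm changes the contract for existing callers: the old code sent BL_ADD for any nonzero action, while the new switch maps every value outside 0..3 to BL_INVALID, which blacklistd's process() only logs as an unknown message and never acts on, so a caller that passed e.g. 2 for a failure silently stops being counted. Either document this in libblacklist.3 or fail in the library instead of sending an invalid message, for example `default: errno = EINVAL; return -1;` if that matches the function's existing error convention (bl_send's return contract is not visible here). A one-line comment on the default arm naming the intended behavior would help either way.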
Index: src/external/bsd/blacklist/lib/libblacklist.3
diff -u src/external/bsd/blacklist/lib/libblacklist.3:1.8 src/external/bsd/blacklist/lib/libblacklist.3:1.9
--- src/external/bsd/blacklist/lib/libblacklist.3:1.8 Sun Oct 22 06:31:57 2017
+++ src/external/bsd/blacklist/lib/libblacklist.3 Wed Nov 6 15:50:01 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: libblacklist.3,v 1.8 2017/10/22 10:31:57 abhinav Exp $
+.\" $NetBSD: libblacklist.3,v 1.9 2019/11/06 20:50:01 christos Exp $
.\"
.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 22, 2015
+.Dd May 5, 2017
.Dt LIBBLACKLIST 3
.Os
.Sh NAME
@@ -76,13 +76,9 @@ The
.Fn blacklist
function sends a message to
.Xr blacklistd 8 ,
-with an
+with an integer
.Ar action
-argument specifying
-.Dv 1
-for a failed connection or
-.Dv 0
-for a successful connection,
+argument specifying the type of notification,
a file descriptor
.Ar fd
specifying the accepted file descriptor connected to the client,
@@ -91,6 +87,30 @@ and an optional message in the
argument.
.Pp
The
+.Ar action
+parameter can take these values:
+.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR"
+.It Va BLACKLIST_AUTH_FAIL
+There was an unsuccessful authentication attempt.
+.It Va BLACKLIST_AUTH_OK
+A user successfully authenticated.
+.It Va BLACKLIST_ABUSIVE_BEHAVIOR
+The sending daemon has detected abusive behavior
+from the remote system. The remote address should
+be blocked as soon as possible.
+.It Va BLACKLIST_BAD_USER
+The sending daemon has determined the username
+presented for authentication is invalid. The
+.Xr blacklistd 8
+daemon compares the username to a configured list of forbidden
+usernames and
+blocks the address immediately if a forbidden username matches.
+(The
+.Ar BLACKLIST_BAD_USER
+support is not currently available.)
+.El
+.Pp
+The
.Fn blacklist_r
function is more efficient because it keeps the blacklist state around.
.Pp
@@ -102,8 +122,13 @@ functions can be used with unconnected s
.Xr getpeername 2
will not work, the server will pass the peer name in the message.
.Pp
-All functions log errors to
-.Xr syslogd 8 .
+By default,
+.Xr syslogd 8
+is used for message logging.
+The internal
+.Fn bl_create
+function can be used to create the required internal
+state and specify a custom logging function.
.Sh RETURN VALUES
The function
.Fn blacklist_open