Hey guys, I'm on 12.0-RELEASE-p3 and I have configured blacklistd with sshd to lock out those random IPs that are probing my server. The problem is, I noticed that in many cases, blacklistd does not put the offending IP on its list.
I've contacted Christos Zoulas by email to see if he has anything to tell about it, and after putting blacklistd in debug mode and reproducing the issue, he suggested that I contact you with it. So here it is. I'll paste a couple of lines from the sshd log; I get these, which aren't registered for some reason:

Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 118.151.209.119 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 118.151.209.119 port 50560 ssh2
Feb 27 00:47:55 ksol sshd[35453]: user NOUSER login class [preauth]
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 115.231.239.155 port 59107 [preauth]
Feb 27 00:59:41 ksol sshd[75022]: user sshd login class [preauth]
Feb 27 00:59:41 ksol sshd[75022]: Connection closed by authenticating user sshd 175.197.206.221 port 40517 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 86.241.250.150 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Failed unknown for invalid user user1 from 86.241.250.150 port 36452 ssh2
Feb 27 01:18:17 ksol sshd[97108]: user NOUSER login class [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 86.241.250.150 port 36452 [preauth]
Feb 27 01:39:51 ksol sshd[33033]: Invalid user ubnt from 213.120.170.34 port 58208
Feb 27 01:39:51 ksol sshd[33033]: Failed unknown for invalid user ubnt from 213.120.170.34 port 58208 ssh2
Feb 27 01:39:51 ksol sshd[33033]: user NOUSER login class [preauth]
Feb 27 01:39:52 ksol sshd[33033]: Connection closed by invalid user ubnt 213.120.170.34 port 58208 [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Invalid user leo from 70.180.210.136 port 36757
Feb 27 02:01:57 ksol sshd[98410]: Failed unknown for invalid user leo from 70.180.210.136 port 36757 ssh2
Feb 27 02:01:57 ksol sshd[98410]: user NOUSER login class [preauth]
Feb 27 02:01:57 ksol sshd[98410]: Connection closed by invalid user leo 70.180.210.136 port 36757 [preauth]
Feb 27 02:05:28 ksol sshd[51390]: reverse mapping checking getaddrinfo for rev-13-246-20.isp3.alsatis.net [37.1.246.13] failed.
Feb 27 02:05:33 ksol sshd[51390]: Invalid user alarm from 37.1.246.13 port 54636
Feb 27 02:05:33 ksol sshd[51390]: Failed unknown for invalid user alarm from 37.1.246.13 port 54636 ssh2
Feb 27 02:05:33 ksol sshd[51390]: user NOUSER login class [preauth]
Feb 27 02:05:33 ksol sshd[51390]: Connection closed by invalid user alarm 37.1.246.13 port 54636 [preauth]

Out of all these IPs, only the first was registered in blacklistd's inner list. When someone tries to use keyboard-interactive auth and that fails, that seems to get registered. These attempts above, on the other hand, do not, or very rarely. We looked at the FreeBSD source and it seems the blacklistd patch was done by Kurt Lidl:

https://github.com/freebsd/freebsd/blob/master/contrib/blacklist/diff/ssh.diff
https://github.com/freebsd/freebsd/blob/master/crypto/openssh/sshd.c

Can someone forward this email to him, or is anybody able to help me here?

Cheers,
--
László Károlyi
https://linkedin.com/in/karolyi
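An added audit script (not from the poster or from blacklistd) that classifies sshd log lines of the kind quoted in the message, tallies events per source IP, and reports which IPs an operator would expect blacklistd to have blocked so the list can be compared against what blacklistd actually registered. It generalizes beyond the quoted lines to "Failed password" lines for valid users; the threshold and the assumption that one logged failure equals one blacklistd failure count are hypothetical, and the sample log uses constructed documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the sshd log format quoted in the message (RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 27 00:47:55 ksol sshd[35453]: Invalid user mythtv from 192.0.2.10 port 50560
Feb 27 00:47:55 ksol sshd[35453]: Failed unknown for invalid user mythtv from 192.0.2.10 port 50560 ssh2
Feb 27 00:47:55 ksol sshd[35453]: user NOUSER login class [preauth]
Feb 27 00:47:58 ksol sshd[35453]: Failed password for invalid user mythtv from 192.0.2.10 port 50560 ssh2
Feb 27 00:48:01 ksol sshd[35453]: Failed password for invalid user mythtv from 192.0.2.10 port 50560 ssh2
Feb 27 00:48:02 ksol sshd[35453]: Connection closed by invalid user mythtv 192.0.2.10 port 50560 [preauth]
Feb 27 00:58:37 ksol sshd[72748]: Connection closed by 203.0.113.5 port 59107 [preauth]
Feb 27 01:18:17 ksol sshd[97108]: Invalid user user1 from 198.51.100.7 port 36452
Feb 27 01:18:17 ksol sshd[97108]: Failed unknown for invalid user user1 from 198.51.100.7 port 36452 ssh2
Feb 27 01:18:17 ksol sshd[97108]: Connection closed by invalid user user1 198.51.100.7 port 36452 [preauth]
"""

# Order matters: the "Failed ... for invalid user" line must not be mistaken for a bare "Invalid user" line.
PATTERNS = [
    ("auth_fail", re.compile(r"Failed \S+ for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")),
    ("bad_user", re.compile(r"Invalid user \S+ from (?P<ip>[\d.]+) port \d+")),
    ("preauth_close", re.compile(r"Connection closed by .*?(?P<ip>[\d.]+) port \d+ \[preauth\]")),
]

def classify(line):
    """Return (event_kind, source_ip) for a recognised sshd line, else None."""
    for kind, pat in PATTERNS:
        m = pat.search(line)
        if m:
            return kind, m.group("ip")
    return None

def tally(lines):
    """Per-IP counters of event kinds; lines that match nothing are ignored."""
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            kind, ip = hit
            counts[ip][kind] += 1
    return counts

def expected_blocks(lines, threshold=3, counted=("auth_fail",)):
    """IPs whose counted events reach the threshold (hypothetical: one logged
    failure per blacklistd failure count, threshold mirroring an nfail setting)."""
    counts = tally(lines)
    return sorted(ip for ip, c in counts.items() if sum(c[k] for k in counted) >= threshold)

def missing_from_blocklist(lines, blocked, threshold=3):
    """IPs the log says should be blocked but that are absent from the operator's
    list of addresses blacklistd actually registered."""
    return [ip for ip in expected_blocks(lines, threshold) if ip not in set(blocked)]
```

Feed it the real sshd log and the addresses blacklistd reports as blocked to get the list of IPs that, like the ones in the message, produced failures without being registered.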