Module Name:	src
Committed By:	christos
Date:		Wed Feb 5 20:14:30 UTC 2025

Modified Files:
	src/external/bsd/blocklist/bin: blocklistd.c blocklistd.conf.5
	src/external/bsd/blocklist/lib: libblocklist.3

Log Message:
PR/20: robohack: BLOCKLIST_BAD_USER (BL_BADUSER internally) was actually unimplemented and as such unusable, and despite being documented as such it still gained some users and has led to confusion.

This change proposes that it be implemented as a failure with a count of one for "nfails". To provide a meaningful distinction BLOCKLIST_AUTH_FAIL is also now implemented with a count of two for "nfails" -- which seems appropriate as an "authentication failure" sounds, to my ear at least, like something more important than a "bad user" failure. This allows for "bad user" reports (which, say in the case of sshd, could be caused by a legitimate user making a typo) to be recorded as failures, but perhaps not to immediately cause them to be locked out (depending on the current configuration of course).

I think "invalid" should probably have been used here instead of "bad", but that would now be an API change, as opposed to a minor usage change and improvement.

BTW, I think the hinted-at concept of the blocklist daemon having a list of disallowed users is not a viable way to go -- it violates the possibility that several different client daemons might have differing concepts and policies about whether attempts to use a given username are really violating some rule. Also we shouldn't conflate the concept of "username" here with local Unix user names, as they may not be related at all.

To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blocklist/bin/blocklistd.c
cvs rdiff -u -r1.5 -r1.6 src/external/bsd/blocklist/bin/blocklistd.conf.5
cvs rdiff -u -r1.6 -r1.7 src/external/bsd/blocklist/lib/libblocklist.3

Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/blocklist/bin/blocklistd.c diff -u src/external/bsd/blocklist/bin/blocklistd.c:1.6 src/external/bsd/blocklist/bin/blocklistd.c:1.7 --- src/external/bsd/blocklist/bin/blocklistd.c:1.6 Wed Feb 5 15:04:18 2025 +++ src/external/bsd/blocklist/bin/blocklistd.c Wed Feb 5 15:14:30 2025 @@ -1,4 +1,4 @@ -/* $NetBSD: blocklistd.c,v 1.6 2025/02/05 20:04:18 christos Exp $ */ +/* $NetBSD: blocklistd.c,v 1.7 2025/02/05 20:14:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,7 +32,7 @@ #include "config.h" #endif #include <sys/cdefs.h> -__RCSID("$NetBSD: blocklistd.c,v 1.6 2025/02/05 20:04:18 christos Exp $"); +__RCSID("$NetBSD: blocklistd.c,v 1.7 2025/02/05 20:14:30 christos Exp $"); #include <sys/types.h> #include <sys/socket.h> @@ -217,16 +217,19 @@ process(bl_t bl) switch (bi->bi_type) { case BL_ABUSE: /* - * If the application has signaled abusive behavior, - * set the number of fails to be one less than the - * configured limit. Fallthrough to the normal BL_ADD - * processing, which will increment the failure count - * to the threshhold, and block the abusive address. + * If the application has signaled abusive behavior, set the + * number of fails to be two less than the configured limit. + * Fall through to the normal BL_ADD and BL_BADUSER processing, + * which will increment the failure count to the threshhold, and + * block the abusive address. */ if (c.c_nfail != -1) - dbi.count = c.c_nfail - 1; + dbi.count = c.c_nfail - 2; /*FALLTHROUGH*/ case BL_ADD: + dbi.count++; /* will become += 2 */ + /*FALLTHROUGH*/ + case BL_BADUSER: dbi.count++; dbi.last = ts.tv_sec; if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { 
@@ -255,9 +258,6 @@ process(bl_t bl) dbi.count = 0; dbi.last = 0; break; - case BL_BADUSER: - /* ignore for now */ - break; default: (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); } Index: src/external/bsd/blocklist/bin/blocklistd.conf.5 diff -u src/external/bsd/blocklist/bin/blocklistd.conf.5:1.5 src/external/bsd/blocklist/bin/blocklistd.conf.5:1.6 --- src/external/bsd/blocklist/bin/blocklistd.conf.5:1.5 Wed Feb 5 15:07:46 2025 +++ src/external/bsd/blocklist/bin/blocklistd.conf.5 Wed Feb 5 15:14:30 2025 @@ -1,4 +1,4 @@ -.\" $NetBSD: blocklistd.conf.5,v 1.5 2025/02/05 20:07:46 christos Exp $ +.\" $NetBSD: blocklistd.conf.5,v 1.6 2025/02/05 20:14:30 christos Exp $ .\" .\" Copyright (c) 2015, 2025 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 3, 2025 +.Dd February 5, 2025 .Dt BLOCKLISTD.CONF 5 .Os .Sh NAME Index: src/external/bsd/blocklist/lib/libblocklist.3 diff -u src/external/bsd/blocklist/lib/libblocklist.3:1.6 src/external/bsd/blocklist/lib/libblocklist.3:1.7 --- src/external/bsd/blocklist/lib/libblocklist.3:1.6 Sun Aug 18 12:24:40 2024 +++ src/external/bsd/blocklist/lib/libblocklist.3 Wed Feb 5 15:14:30 2025 @@ -1,4 +1,4 @@ -.\" $NetBSD: libblocklist.3,v 1.6 2024/08/18 16:24:40 christos Exp $ +.\" $NetBSD: libblocklist.3,v 1.7 2025/02/05 20:14:30 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 2, 2024 +.Dd February 5, 2025 .Dt LIBBLOCKLIST 3 .Os .Sh NAME 
@@ -106,26 +106,20 @@ The .Ar action parameter can take these values: .Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR" -.It Dv BLOCKLIST_AUTH_FAIL +.It Va BLOCKLIST_BAD_USER +The sending daemon has determined the username presented for +authentication is invalid. +This is considered as one failure count. +.It Va BLOCKLIST_AUTH_FAIL There was an unsuccessful authentication attempt. -.It Dv BLOCKLIST_AUTH_OK -A user successfully authenticated. -.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR -The sending daemon has detected abusive behavior -from the remote system. -The remote address should -be blocked as soon as possible. -.It Dv BLOCKLIST_BAD_USER -The sending daemon has determined the username -presented for authentication is invalid. -The -.Xr blocklistd 8 -daemon compares the username to a configured list of forbidden -usernames and -blocks the address immediately if a forbidden username matches. -(The -.Dv BLOCKLIST_BAD_USER -support is not currently available.) +This is considered as two failure counts together. +.It Va BLOCKLIST_ABUSIVE_BEHAVIOR +The sending daemon has detected abusive behavior from the remote system. +This is considered as a total immediate failure. +The remote address will be blocked as soon as possible. +.It Va BLOCKLIST_AUTH_OK +A valid user successfully authenticated. +Any entry for the remote address will be removed as soon as possible. .El .Pp The
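Review bot: In the first blocklistd.c hunk (process(), BL_ABUSE/BL_ADD/BL_BADUSER), the new fallthrough from BL_ADD into BL_BADUSER changes the meaning of every existing nfail setting without saying so: a plain authentication failure now adds two to dbi.count, so an entry configured with nfail 3 blocks after two failed logins, and nfail 2 after a single one. That deserves a line in the commit message and in blocklistd.conf.5 (this commit only bumps that page's `.Dd`), stating that nfail is now counted in units where an auth failure is two and a bad-user report is one. Two smaller points on the same hunk: the comment `dbi.count++; /* will become += 2 */` reads like a leftover note rather than an explanation, something like `/* BL_ADD counts two: this increment plus the BL_BADUSER one below */` says what the fallthrough is for; and "threshhold" is misspelled in the rewritten block comment.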
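Review bot: The libblocklist.3 hunk switches the action constants from `.Dv` to `.Va`, but `.Dv` is the mdoc macro for defined constants such as these, while `.Va` is for variable names, and the unchanged `.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR"` line still uses `.Dv`, so the list is now internally inconsistent; keep `.Dv` throughout. Wording: "This is considered as two failure counts together." and "This is considered as one failure count." would read better as "This counts as two failures." and "This counts as one failure." For BLOCKLIST_ABUSIVE_BEHAVIOR, "will be blocked as soon as possible" only holds when nfail is configured, since the code guards the block with `c.c_nfail != -1`; "if a failure limit is configured" is worth adding so readers of the library page are not surprised.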
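To make the new accounting concrete for anyone choosing an nfail value, here is an added C model of the fallthrough chain in blocklistd.c rev. 1.7 (example code, not the commit's or blocklistd's own; the enumerator values, apply_report, blocks_at and reports_to_block are constructed for this illustration, and only the failure counter is modelled).

```c
#include <stdbool.h>
#include <stdio.h>

/* Report types as blocklistd(8) sees them; enumerators constructed here,
 * the real values live in bl.h.  Only the failure counter is modelled. */
enum bl_msg { BL_ADD, BL_BADUSER, BL_ABUSE };

/* Apply one report to an address's failure counter, mirroring the
 * fallthrough chain in blocklistd.c rev. 1.7.  nfail == -1 means "never
 * block".  Returns true when the address should now be blocked. */
static bool apply_report(int *count, enum bl_msg type, int nfail)
{
    switch (type) {
    case BL_ABUSE:
        if (nfail != -1)
            *count = nfail - 2;   /* the two increments below finish it */
        /* FALLTHROUGH */
    case BL_ADD:
        (*count)++;               /* an auth failure counts two ... */
        /* FALLTHROUGH */
    case BL_BADUSER:
        (*count)++;               /* ... a bad user counts one */
        break;
    }
    return nfail != -1 && *count >= nfail;
}

/* Feed a sequence of reports; return the 1-based index of the report
 * that triggers the block, or 0 if the sequence never blocks. */
static int blocks_at(const enum bl_msg *seq, int n, int nfail)
{
    int count = 0;
    for (int i = 0; i < n; i++)
        if (apply_report(&count, seq[i], nfail))
            return i + 1;
    return 0;
}

/* How many reports of one type an address survives before it is blocked. */
static int reports_to_block(enum bl_msg type, int nfail)
{
    enum bl_msg seq[64];
    for (int i = 0; i < 64; i++)
        seq[i] = type;
    return blocks_at(seq, 64, nfail);
}

/* Constructed sample: one mistyped username, then two password failures. */
static const enum bl_msg sample[] = { BL_BADUSER, BL_ADD, BL_ADD };
```

With nfail=3 the model shows an address surviving three bad-user reports but only two authentication failures, and the constructed sample is blocked on its second report (one bad user plus one auth failure reaches the limit).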