Bug 241917 - blacklistd not accounting for failed sshd login attempts which failed reverse mapping checking
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 12.1-RELEASE
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
Reported: 2019-11-12 15:18 UTC by Sebastian Wyder
Modified: 2022-11-07 18:02 UTC
Description Sebastian Wyder 2019-11-12 15:18:31 UTC
blacklistd (or sshd) seems to not count failed sshd login attempts which failed the reverse mapping check of sshd.

As you can see by looking at the following examples, the failed login attempts from IP 171.251.29.248 that failed the reverse mapping check do not end up in blacklistd's table.

Example from /var/log/auth.log:

Nov 12 15:31:38 neptun sshd[7737]: Invalid user ching from 203.232.210.195 port 45908
Nov 12 15:31:38 neptun sshd[7737]: Failed unknown for invalid user ching from 203.232.210.195 port 45908 ssh2
Nov 12 15:31:38 neptun sshd[7737]: user NOUSER login class  [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Received disconnect from 203.232.210.195 port 45908:11: Bye Bye [preauth]
Nov 12 15:31:38 neptun sshd[7737]: Disconnected from invalid user ching 203.232.210.195 port 45908 [preauth]
Nov 12 15:31:43 neptun sshd[7747]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:31:48 neptun sshd[7747]: user root login class  [preauth]
Nov 12 15:31:48 neptun sshd[7747]: Connection closed by authenticating user root 171.251.29.248 port 55562 [preauth]
Nov 12 15:44:25 neptun sshd[7917]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:44:30 neptun sshd[7917]: user root login class  [preauth]
Nov 12 15:44:30 neptun sshd[7917]: Connection closed by authenticating user root 171.251.29.248 port 51998 [preauth]
Nov 12 15:48:39 neptun sshd[7921]: reverse mapping checking getaddrinfo for r-dfa.uhu.es [150.214.168.161] failed.
Nov 12 15:48:40 neptun sshd[7921]: user root login class  [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Received disconnect from 150.214.168.161 port 43510:11: Normal Shutdown, Thank you for playing [preauth]
Nov 12 15:48:40 neptun sshd[7921]: Disconnected from authenticating user root 150.214.168.161 port 43510 [preauth]
Nov 12 15:52:47 neptun sshd[7925]: user root login class  [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Received disconnect from 192.144.164.167 port 36350:11: Bye Bye [preauth]
Nov 12 15:52:48 neptun sshd[7925]: Disconnected from authenticating user root 192.144.164.167 port 36350 [preauth]
Nov 12 15:54:46 neptun sshd[7927]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:54:48 neptun sshd[7927]: Invalid user test from 171.251.29.248 port 18776
Nov 12 15:54:48 neptun sshd[7927]: Failed unknown for invalid user test from 171.251.29.248 port 18776 ssh2
Nov 12 15:54:48 neptun sshd[7927]: user NOUSER login class  [preauth]
Nov 12 15:54:48 neptun sshd[7927]: Connection closed by invalid user test 171.251.29.248 port 18776 [preauth]
Nov 12 16:08:18 neptun sshd[7980]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 16:08:24 neptun sshd[7980]: Invalid user tmax from 171.251.29.248 port 63488
Nov 12 16:08:24 neptun sshd[7980]: Failed unknown for invalid user tmax from 171.251.29.248 port 63488 ssh2
Nov 12 16:08:24 neptun sshd[7980]: user NOUSER login class  [preauth]
Nov 12 16:08:25 neptun sshd[7980]: Connection closed by invalid user tmax 171.251.29.248 port 63488 [preauth]

Example output from `blacklistctl dump -a`:

        address/ma:port	id	nfail	last access
  83.142.110.41/32:22		1/3	2019/11/12 14:40:44
203.232.210.195/32:22		1/3	2019/11/12 15:31:38
    14.225.3.47/32:22		1/3	2019/11/12 14:47:11
  106.54.95.188/32:22		1/3	2019/11/12 14:16:38
  2.139.215.255/32:22		1/3	2019/11/12 14:29:34
 164.132.81.106/32:22		1/3	2019/11/12 15:06:29
192.144.164.167/32:22		1/3	2019/11/12 15:52:47
    51.83.78.56/32:22		1/3	2019/11/12 14:23:44
  103.76.22.115/32:22		1/3	2019/11/12 14:49:15
  81.246.190.95/32:22		1/3	2019/11/12 15:22:22
150.214.168.161/32:22		1/3	2019/11/12 15:48:40
175.213.185.129/32:22		1/3	2019/11/12 14:49:57
  36.66.149.211/32:22		1/3	2019/11/12 15:06:02
  68.251.142.26/32:22		1/3	2019/11/12 13:54:48
 108.161.129.25/32:22		2/3	2019/11/12 14:52:51
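An added example, not from the report and not blacklistd's own code: the check a defender could run over the auth.log lines and `blacklistctl dump -a` rows quoted above to list sources with a logged sshd authentication failure that blacklistd has no entry for, and whether that session also failed the reverse mapping check. The log and dump samples are constructed from the lines quoted in the report; the regexes are assumptions about the sshd message formats shown there.

```python
import re

# Constructed sample: a subset of the auth.log lines quoted in the report.
AUTH_LOG = """\
Nov 12 15:31:38 neptun sshd[7737]: Invalid user ching from 203.232.210.195 port 45908
Nov 12 15:31:38 neptun sshd[7737]: Failed unknown for invalid user ching from 203.232.210.195 port 45908 ssh2
Nov 12 15:31:43 neptun sshd[7747]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:31:48 neptun sshd[7747]: Connection closed by authenticating user root 171.251.29.248 port 55562 [preauth]
Nov 12 15:54:46 neptun sshd[7927]: reverse mapping checking getaddrinfo for dynamic-ip-adsl.viettel.vn [171.251.29.248] failed.
Nov 12 15:54:48 neptun sshd[7927]: Failed unknown for invalid user test from 171.251.29.248 port 18776 ssh2
Nov 12 15:52:48 neptun sshd[7925]: Disconnected from authenticating user root 192.144.164.167 port 36350 [preauth]
"""

# Constructed sample: rows in the shape of the `blacklistctl dump -a` output above.
BLACKLISTCTL_DUMP = """\
        address/ma:port	id	nfail	last access
203.232.210.195/32:22		1/3	2019/11/12 15:31:38
192.144.164.167/32:22		1/3	2019/11/12 15:52:47
"""

# Assumed message formats, taken from the lines quoted in the report.
SSHD_LINE = re.compile(r"^\S+ +\d+ [\d:]+ \S+ sshd\[(\d+)\]: (.*)$")
REVERSE_FAIL = re.compile(r"reverse mapping checking getaddrinfo for \S+ \[([\d.]+)\] failed")
AUTH_FAIL = re.compile(r"^Failed \S+ for (?:invalid user )?\S+ from ([\d.]+) port \d+")
DUMP_ROW = re.compile(r"^\s*([\d.]+)/\d+:\d+\s")

def failed_auth_sources(auth_log):
    """Map each IP with a logged sshd auth failure to True if its session also failed reverse mapping."""
    reverse_failed = {}  # sshd pid -> IP whose reverse lookup failed in that session
    result = {}
    for line in auth_log.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        r = REVERSE_FAIL.search(msg)
        if r:
            reverse_failed[pid] = r.group(1)
            continue
        a = AUTH_FAIL.match(msg)
        if a:
            ip = a.group(1)
            result[ip] = result.get(ip, False) or reverse_failed.get(pid) == ip
    return result

def blacklisted_addresses(dump):
    """Addresses present in `blacklistctl dump -a` output (header and blank lines are skipped)."""
    return {m.group(1) for m in (DUMP_ROW.match(l) for l in dump.splitlines()) if m}

def unaccounted_failures(auth_log, dump):
    """IPs with a logged auth failure but no blacklistd entry, with their reverse-mapping status."""
    listed = blacklisted_addresses(dump)
    return {ip: rev for ip, rev in failed_auth_sources(auth_log).items() if ip not in listed}
```

Run against the samples, the only unaccounted source is 171.251.29.248, and its session is the one that failed reverse mapping, matching what the report observes.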
Comment 1 Ed Maste freebsd_committer freebsd_triage 2019-11-14 21:25:15 UTC
Thanks for the report, I will try to take a look shortly.
Comment 2 Jose Luis Duran 2022-11-07 18:02:33 UTC
FreeBSD's default sshd configuration has:

    UseDNS yes

It instructs sshd to look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address.

In the meantime, a potential workaround could be to set:

    UseDNS no

which is the default setting upstream. However, only addresses and not host names may be used in ~/.ssh/authorized_keys from and sshd_config Match Host directives.

I will, eventually, test the possibility of adding a few

    BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_FAIL, "ssh");

to auth.c (especially under remote_hostname()).