extend blacklist support with new action types
ClosedPublic
Actions

Authored by • lidl on May 4 2017, 9:25 PM.

Details

Reviewers

emaste
asomers

Group Reviewers

manpages

Commits

rS318755: Extend libblacklist support with new action types

Summary

The original blacklist library supported two operations - a notification of a failed auth attempt, and a notification of a successful auth attempt.

This patch implements a third option - notification of abusive behavior, and accepts, but does not
act on a forth type - "bad username". It is envisioned that a system administrator will configure a small list of "known bad usernames" that should be blocked immediately.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 9076
Build 9489: CI src build	Jenkins

Event Timeline

• lidl created this revision.May 4 2017, 9:25 PM

Herald added a reviewer: manpages. · View Herald TranscriptMay 4 2017, 9:25 PM

Herald added a subscriber: imp. · View Herald Transcript

Harbormaster failed remote builds in B9076: Diff 28039!May 4 2017, 9:29 PM

wblock added a subscriber: wblock.May 5 2017, 4:10 PM

wblock added inline comments.

contrib/blacklist/lib/libblacklist.3
30	Bump .Dd for this update.
91	parameter can take these values:
94	s/successful/unsuccessful/ s/authenticatation/authentication/
94	These sentences all start with "Signal", but that is implied from the context. Might make sense to leave out the "Signal that" and just define the values. For example: There was an unsuccessful authentication attempt. A user has successfully authenticated.
106	s/is matched/matches/ Or maybe "is detected". Just not sure about "is matched".
127	Rearranging this makes it a bit more solid: By default, .Fn syslog is used for message logging. The internal .Fn bl_create can be used to create the internal state and specify a custom logging function.

Updated man page changes according to review comments.

• lidl marked 6 inline comments as done.May 5 2017, 5:45 PM

Harbormaster failed remote builds in B9097: Diff 28074!May 5 2017, 5:49 PM

what is the state of this work in NetBSD?
are AUTH_FAIL and BAD_USER not effectively the same result, just with/without the username?

The BLACKLIST_BAD_USER and BLACKLIST_ABUSIVE_BEHAVIOR actions are original work by me. I sent these patches to Christos and his only comment was that it looked useful and he wanted documentation changes. So I documented the new actions in the manpage.

As for the difference between the BAD_USER and AUTH_FAIL:

With AUTH_FAIL, the username is acceptable to the system, and the password is not. This adds one to the count of failed logins for that IP address, and when the configured limit of failed logins is reached, the remote address is blocked.

The BAD_USER support allows an administrator to configure a list of never acceptable usernames (eg. "admin", "support", "ubnt") and then if any of those usernames are flagged via the BAD_USER notification, the remote address can be blocked immediately. It's a mechanism for the administrator to short-circuit the number of attempts that a remote site will have when operating with popular scripts, probing for weak/default usernames.

the difference between the BAD_USER and AUTH_FAIL...

What I mean is that the list of unacceptable usernames is maintained within blacklistd, not the individual application, and the same effect could be achieved with a single notification that a login attempt for user user failed (with the username optional)? I don't object to the approach here (and so will 'accept' the review), I just wonder if it's possible to simplify slightly.

This revision is now accepted and ready to land.May 22 2017, 3:10 AM

Closed by commit rS318755: Extend libblacklist support with new action types (authored by • lidl). · Explain WhyMay 23 2017, 7:03 PM

This revision was automatically updated to reflect the committed changes.