update security/sshlockout


update security/sshlockout

Solene Rapenne
Here is an update for sshlockout. I took the latest code from git and hosted it on my
server. This version adds support for max attempts exceeded.

git log of sshlockout.c since the last version (and it comes with some man page
changes too).

    1e7ff9c9ed sshlockout: Add ipfw(8) table support.
    a94e10475e sshlockout: Style changes; no functional changes.
    880c6c96cb sshlockout - Also lockout on max authentication attempts
    6d9d77bb88 sshlockout - minor cleanup

The main C file required some ipfw parts to be removed in order to compile
correctly. I also patched the man page to remove the ipfw bits.

Small additions to the README file for sshlockout, to explain that the doas command
must be used (when using doas, but I don't see how to use it otherwise) and a
simple example of pf configuration.

Works fine on amd64.

Index: Makefile
===================================================================
RCS file: /data/cvs/ports/security/sshlockout/Makefile,v
retrieving revision 1.3
diff -u -p -r1.3 Makefile
--- Makefile 4 Sep 2018 12:46:21 -0000 1.3
+++ Makefile 30 Jan 2019 16:42:05 -0000
@@ -2,8 +2,7 @@
 
 COMMENT = protect against brute force attacks on sshd(8)
 
-DISTNAME = sshlockout-0.20170726
-REVISION = 1
+DISTNAME = sshlockout-0.20190130
 
 CATEGORIES = security
 
@@ -17,7 +16,7 @@ WANTLIB += c
 
 # snapshot of
 # https://github.com/DragonFlyBSD/DragonFlyBSD/tree/master/usr.sbin/sshlockout
-MASTER_SITES = http://wxcvbn.org/~jca/distfiles/
+MASTER_SITES = http://distfiles-openbsd.perso.pw/
 
 FAKE_FLAGS = BINDIR=${PREFIX}/sbin \
  MANDIR=${PREFIX}/man/man
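Review bot: the "# snapshot of" comment above MASTER_SITES still does not say which upstream commit the snapshot was taken at, and the tarball now moves to a personal plain-http mirror; record the commit (the cover mail lists 1e7ff9c9ed as the newest in the git log) in that comment so the distfile can be regenerated and compared against distinfo if the mirror disappears.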
Index: distinfo
===================================================================
RCS file: /data/cvs/ports/security/sshlockout/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo 27 Jul 2017 00:08:17 -0000 1.1.1.1
+++ distinfo 30 Jan 2019 16:42:07 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshlockout-0.20170726.tar.gz) = SUO/dot8nCfeONa+68fuHEWQfRiJWe12yLJfIL7brUA=
-SIZE (sshlockout-0.20170726.tar.gz) = 4753
+SHA256 (sshlockout-0.20190130.tar.gz) = PirmkpH/QO/h+up11SdLeUitzzSqEF79MLglN3t9PE4=
+SIZE (sshlockout-0.20190130.tar.gz) = 5522
Index: patches/patch-sshlockout_8
===================================================================
RCS file: patches/patch-sshlockout_8
diff -N patches/patch-sshlockout_8
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-sshlockout_8 30 Jan 2019 17:54:49 -0000
@@ -0,0 +1,91 @@
+$OpenBSD$
+
+Remove ipfw references
+
+Index: sshlockout.8
+--- sshlockout.8.orig
++++ sshlockout.8
+@@ -52,25 +52,11 @@ block in quick on $ext_if proto tcp from <lockout> to
+
+ # in /etc/syslog.conf
+ #
+-auth.info;authpriv.info          |exec /usr/sbin/sshlockout -pf "lockout"
++auth.info;authpriv.info          |exec /usr/local/sbin/sshlockout -pf "lockout"
+
+ # in root's crontab
+ #
+ 3 3 * * *       pfctl -tlockout -T expire 86400
+-
+-#
+-# ipfw(8) configuration.
+-#
+-ipfw table 0 create
+-ipfw add deny ip from '<0>' to any
+-
+-# in /etc/syslog.conf
+-#
+-auth.info;authpriv.info         |exec /usr/sbin/sshlockout -ipfwtbl 0
+-
+-# in root's crontab
+-#
+-3 3 * * *       ipfw -fq table 0 expire 86400
+ .Ed
+ .Sh DESCRIPTION
+ This program is generally installed in
+@@ -81,31 +67,22 @@ demons error log in realtime.
+ In addition, a root crontab entry should generally be created to clean
+ out stale entries in the
+ .Xr pf 4
+-or
+-.Xr ipfw 8
+ .Ar table
+ at least once a day.
+ Using expire instead of flush will maintain a rolling window of locked out
+ IPs.
+-The
+ .Xr pf 4
+-or
+-.Xr ipfw 8
+-module must be loaded and running with the table and rules properly
++must be loaded and running with the table and rules properly
+ configured.
+ .Pp
+ This program will monitor the ssh syslog output and keep track of attempts
+ to login to unknown users as well as preauth failures.
+ If 5 attempts fail in any one hour period, a permanent entry is added to the
+ .Xr pf 4
+-or
+-.Xr ipfw 8
+ .Ar table
+ for the associated IP address.
+ You still have to add a rule to
+ .Xr pf.conf 5
+-or use
+-.Xr ipfw 8
+ to block IP addresses listed in this table.
+ The cron entry you create cleans the block list out typically once a day.
+ .Pp
+@@ -114,15 +91,11 @@ via ssh.
+ .Pp
+ When setting up the
+ .Xr pf 4
+-or
+-.Xr ipfw 8
+ rules,
+ note that the table will be filled based on failed ssh connections destined
+ to that particular machine.
+ If the machine is acting as a router you can decide whether you want the
+ .Xr pf 4
+-or
+-.Xr ipfw 8
+ rule to lockout that suspect IP to just the machine,
+ or to everything it routes to.
+ We usually recommend an unconditional blocking rule.
+@@ -132,7 +105,6 @@ This program is still a work in progress.
+ .Xr ssh 1 ,
+ .Xr pf 4 ,
+ .Xr syslog.conf 5 ,
+-.Xr ipfw 8 ,
+ .Xr sshd 8
+ .Sh HISTORY
+ The
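Review bot: the syslog.conf example in the first nested hunk is updated to /usr/local/sbin/sshlockout but still execs the program directly, while the README hunk in this same diff states that syslogd has to go through doas to get root back for pfctl; patch the example to match the README ("|exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf "lockout"") so the two documents do not contradict each other. The ipfw removals themselves read cleanly, including the ".Xr pf 4" / "must be loaded and running" join.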
Index: patches/patch-sshlockout_c
===================================================================
RCS file: /data/cvs/ports/security/sshlockout/patches/patch-sshlockout_c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-sshlockout_c
--- patches/patch-sshlockout_c 27 Jul 2017 00:08:17 -0000 1.1.1.1
+++ patches/patch-sshlockout_c 30 Jan 2019 17:53:09 -0000
@@ -1,17 +1,64 @@
 $OpenBSD: patch-sshlockout_c,v 1.1.1.1 2017/07/27 00:08:17 jca Exp $
 
+- add pledge
+- remove some ipfw code in order to make sshlock compile
+
 Index: sshlockout.c
 --- sshlockout.c.orig
 +++ sshlockout.c
-@@ -199,6 +199,11 @@ main(int ac, char **av)
+@@ -56,7 +56,6 @@
+ #include <arpa/inet.h>
+ #include <netinet/in.h>
+ #include <net/if.h>
+-#include <net/ipfw/ip_fw.h>
+
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -108,8 +107,6 @@ static void delete_iph(iphist_t *ip);
+ static void
+ block_ip(const char *ips)
+ {
+- struct ipfw_ioc_tblcont ent;
+- struct ipfw_ioc_tblent *te;
+ char buf[128];
+ int r = 0;
+
+@@ -124,26 +121,6 @@ block_ip(const char *ips)
+ "ipfw add %s deny tcp from %s to me 22",
+ args.arg1, ips);
+ break;
+-
+- case FW_IS_IPFWTBL:
+- memset(&ent, 0, sizeof(ent));
+- ent.tableid = args.arg2;
+- ent.entcnt = 1;
+- te = &ent.ent[0];
+-
+- r = inet_pton(AF_INET, ips, &te->key.sin_addr);
+- if (r <= 0)
+- break;
+- te->key.sin_family = AF_INET;
+- te->key.sin_len = sizeof(struct sockaddr_in);
+-
+- if (setsockopt(ipfw_sock, IPPROTO_IP, IP_FW_TBL_ADD,
+-    &ent, sizeof(ent)) < 0) {
+- r = -1;
+- break;
+- }
+- /* Done */
+- return;
+ }
+
+ if (r > 0 && (int)strlen(buf) == r) {
+@@ -245,6 +222,11 @@ main(int ac, char **av)
+ syslog(LOG_ERR, "sshlockout starting up");
  freopen("/dev/null", "w", stdout);
  freopen("/dev/null", "w", stderr);
-
++
 + if (pledge("stdio proc exec", NULL) == -1) {
 + syslog(LOG_ERR, "sshlockout: pledge: %m");
 + return(1);
 + }
-+
+
  while (fgets(buf, sizeof(buf), stdin) != NULL) {
  if (strstr(buf, "sshd") == NULL)
- continue;
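Review bot: "sshlock" in the new description line ("remove some ipfw code in order to make sshlock compile") should read "sshlockout". In the block_ip hunk the FW_IS_IPFWTBL case is dropped but the case immediately above it, which formats an "ipfw add %s deny tcp from %s to me 22" command, is kept; that path can never do anything useful on OpenBSD, so either remove it as well or have the option that selects it fail with a clear error rather than silently running a missing binary. Since only the block_ip uses of ipfw_sock and FW_IS_IPFWTBL are visible here, also confirm that their declaration, the option parsing and the socket setup elsewhere in the file were handled. The relocated pledge hunk looks right: "stdio proc exec" covers stdin, syslog and forking pfctl, and it sits after the freopen calls so those descriptors are already in place.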
Index: pkg/README
===================================================================
RCS file: /data/cvs/ports/security/sshlockout/pkg/README,v
retrieving revision 1.2
diff -u -p -r1.2 README
--- pkg/README 4 Sep 2018 12:46:21 -0000 1.2
+++ pkg/README 30 Jan 2019 17:05:43 -0000
@@ -9,3 +9,15 @@ should be run as root in order to modify
 be used to gain back root privileges:
 
   permit nopass _syslogd as root cmd ${TRUEPREFIX}/sbin/sshlockout
+
+
+When using doas, the following lines is required in /etc/syslogd.conf:
+
+  auth.info;authpriv.info | exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout
+
+
+A rule must be added to /etc/pf.conf in order to block addresses within the
+default lockout table:
+
+  table <lockout> persist
+  block in quick on egress proto tcp from <lockout> to port ssh
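Review bot: the new README text names /etc/syslogd.conf, but the file is /etc/syslog.conf (the man page hunk earlier in this diff uses the correct name); "the following lines is required" should also read "the following line is required". The pf table and block rule agree with the man page example, and the existing doas rule above permits exactly the binary the new syslog line execs.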
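The lockout rule the patched man page describes (5 failures from one address within any one-hour window, then an entry in the pf table), as an added Python sketch that is not sshlockout's own code: it scans constructed authlog lines modelled on OpenSSH messages and returns the pfctl command it would run instead of executing it. The regular expressions and the treatment of every matched line as one failure are assumptions, since the page does not show the strings sshlockout matches.

```python
import re
from collections import defaultdict, deque

# Thresholds from the sshlockout(8) text in the patch: 5 failures in one hour.
MAX_ATTEMPTS = 5
WINDOW_SECS = 3600

# Address extraction modelled on OpenSSH auth log messages; assumption: the
# page does not show the exact strings sshlockout itself matches.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+"
    r"|Failed \S+ for (?:invalid user )?\S+"
    r"|error: maximum authentication attempts exceeded for (?:invalid user )?\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

class Lockout:
    # Rolling one-hour failure counter per source address.
    def __init__(self, table="lockout"):
        self.table = table
        self.history = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = set()

    def feed(self, ts, line):
        # Return the pfctl argv that would add the address to the pf table once
        # the threshold is crossed, else None. Nothing is executed here.
        m = FAIL_RE.search(line)
        if m is None or m.group("ip") in self.blocked:
            return None
        ip = m.group("ip")
        hist = self.history[ip]
        hist.append(ts)
        while ts - hist[0] > WINDOW_SECS:  # forget failures older than the window
            hist.popleft()
        if len(hist) < MAX_ATTEMPTS:
            return None
        self.blocked.add(ip)
        del self.history[ip]
        return ["pfctl", "-t", self.table, "-T", "add", ip]

# Constructed sample authlog lines (not real data); first field is epoch seconds.
SAMPLE = [
    (0, "Jan 30 16:00:00 host sshd[101]: Invalid user admin from 192.0.2.10 port 40001"),
    (20, "Jan 30 16:00:20 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2"),
    (40, "Jan 30 16:00:40 host sshd[103]: Failed password for root from 192.0.2.10 port 40002 ssh2"),
    (60, "Jan 30 16:01:00 host sshd[104]: Accepted publickey for solene from 198.51.100.5 port 50000 ssh2"),
    (80, "Jan 30 16:01:20 host sshd[105]: error: maximum authentication attempts exceeded for root from 192.0.2.10 port 40003 ssh2 [preauth]"),
    (100, "Jan 30 16:01:40 host sshd[106]: Invalid user test from 192.0.2.10 port 40004"),
]

def run(sample=SAMPLE):
    lo = Lockout()
    return [c for c in (lo.feed(ts, line) for ts, line in sample) if c]
```

Running `run()` on the sample yields a single add command for 192.0.2.10 after its fifth failure; the successful login from 198.51.100.5 is ignored.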


Re: update security/sshlockout

Bryan Linton
On 2019-01-30 19:04:39, Solene Rapenne <[hidden email]> wrote:
> here is an update for sshlockout. I took last code from git and hosted it on my
> server. This version adds support for max attempts exceeded.
>
> [...]
>
> works fine on amd64
>

Also tested on amd64.

Seems to be working fine.  Both a "tail -f /var/log/authlog" and a
"pfctl -t lockout -T show" indicate that IPs are being detected
and successfully locked out.

--
Bryan