ViewMTN: Diff from [7ad1775e..] to [f1ae6a1f..]

ViewMTN — Everything : Branches | Tags | Help | About | Change DB
Revision [7ad1775e..]: Info | Browse Files | Download (tar)
The unified diff between revisions [7ad1775e..] and [f1ae6a1f..] is displayed below. It can also be downloaded as a raw diff.
#
#
# add_file "blacklist.c"
#  content [7d3ec473ae848769eb2d95c530bec6709ffc58b3]
#
# add_file "blacklist.h"
#  content [da5d16e2002a27e64204aad878301e8a9edec0a3]
#
# patch "Makefile.in"
#  from [112e899589f2fd132a159e6dcf148b544ff8ae91]
#    to [c086817f81d88029a745ce8f18b90515271b858d]
#
# patch "options.h"
#  from [c365717890e92696dd8e3f5821531993ec37ff35]
#    to [2c3e5d02e6eb855a2ae96f34f477baf9916cefb3]
#
# patch "svr-auth.c"
#  from [fab10976a9ca57a482a384cedd794de7f0247e40]
#    to [afd994b5b2a4169736a052dc874af544c265270b]
#
# patch "svr-main.c"
#  from [7bfc54799240f5085443a31e0dc95c64ab4205b8]
#    to [1fb8804d52ee57251be7a4aa62f545a30d182a7b]
#
============================================================
--- blacklist.c	7d3ec473ae848769eb2d95c530bec6709ffc58b3
+++ blacklist.c	7d3ec473ae848769eb2d95c530bec6709ffc58b3
@@ -0,0 +1,55 @@
+#include "includes.h"
+#include "options.h"
+#include "dbutil.h"
+
+#define LINE_LENGTH 50
+
+int is_blacklisted (char *remote_ip) {
+
+	char sz_tmp[LINE_LENGTH];
+	FILE *fp_blacklist = NULL;
+
+	fp_blacklist = fopen(BLACKLISTFILE, "r");
+	if (fp_blacklist == NULL) {
+		/* TODO: this could spew log messages. */
+		dropbear_log(LOG_INFO, "Could not open blacklist %s for reading.", BLACKLISTFILE);
+	} else {
+		while (fgets(sz_tmp, LINE_LENGTH - 1, fp_blacklist) != NULL) {
+			if (strlen(sz_tmp) > 0) {
+				sz_tmp[strlen(sz_tmp)-1] = '\0';
+				if (!strcmp(sz_tmp, remote_ip)) {
+					dropbear_log(LOG_INFO, "IP %s is forbidden!", remote_ip);
+					fclose (fp_blacklist);
+					return 1;
+				}
+			}
+		}
+		fclose (fp_blacklist);
+	}
+	return 0;
+}
+
+void blacklist (char *addrstring)
+{
+        int     i;
+        FILE    *fp_blacklist = NULL;
+        char    *remote_ip = NULL;
+
+        remote_ip = m_strdup (addrstring);
+        i = strlen (remote_ip);
+		/* This may not be IPv6 safe if addrstring doesn't have a :port suffix */
+        while (i--) {
+                if (remote_ip[i] == ':') {
+                        remote_ip[i] = '\0';
+                        break;
+                }
+        }
+        dropbear_log (LOG_INFO, "Blacklisting %s", remote_ip);
+        if ((fp_blacklist = fopen (BLACKLISTFILE, "a")) == NULL) {
+                dropbear_log (LOG_INFO, "Could not open blacklist %s for appending", BLACKLISTFILE);
+        } else {
+                fprintf (fp_blacklist, "%s\n", remote_ip);
+                fclose (fp_blacklist);
+        }
+        m_free (remote_ip);
+}
============================================================
--- blacklist.h	da5d16e2002a27e64204aad878301e8a9edec0a3
+++ blacklist.h	da5d16e2002a27e64204aad878301e8a9edec0a3
@@ -0,0 +1,7 @@
+#ifndef _BLACKLIST_H_
+#define _BLACKLIST_H_
+
+int is_blacklisted (char *remote_ip);
+void blacklist (char *addrstring);
+
+#endif
============================================================
--- Makefile.in	112e899589f2fd132a159e6dcf148b544ff8ae91
+++ Makefile.in	c086817f81d88029a745ce8f18b90515271b858d
@@ -25,7 +25,7 @@ SVROBJS=svr-kex.o svr-algo.o svr-auth.o
 SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
 		svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
 		svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
-		svr-tcpfwd.o svr-authpam.o
+		svr-tcpfwd.o svr-authpam.o blacklist.o

 CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
 		cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
============================================================
--- options.h	c365717890e92696dd8e3f5821531993ec37ff35
+++ options.h	2c3e5d02e6eb855a2ae96f34f477baf9916cefb3
@@ -22,6 +22,9 @@
 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
 #endif

+/* File to store blacklisted IPs */
+#define BLACKLISTFILE "/var/dropbear/blacklist"
+
 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
  * on chosen ports and keeps accepting connections. This is the default.
  *
@@ -174,7 +177,7 @@ etc) slower (perhaps by 50%). Recommende

 /* Maximum number of failed authentication tries (server option) */
 #ifndef MAX_AUTH_TRIES
-#define MAX_AUTH_TRIES 10
+#define MAX_AUTH_TRIES 2
 #endif

 /* The file to store the daemon's process ID, for shutdown scripts etc */
============================================================
--- svr-auth.c	fab10976a9ca57a482a384cedd794de7f0247e40
+++ svr-auth.c	afd994b5b2a4169736a052dc874af544c265270b
@@ -33,6 +33,7 @@
 #include "packet.h"
 #include "auth.h"
 #include "runopts.h"
+#include "blacklist.h"

 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
@@ -338,6 +339,7 @@ void send_msg_userauth_failure(int parti
 		} else {
 			userstr = ses.authstate.printableuser;
 		}
+		blacklist(svr_ses.addrstring);
 		dropbear_exit("Max auth tries reached - user '%s' from %s",
 				userstr, svr_ses.addrstring);
 	}
============================================================
--- svr-main.c	7bfc54799240f5085443a31e0dc95c64ab4205b8
+++ svr-main.c	1fb8804d52ee57251be7a4aa62f545a30d182a7b
@@ -28,6 +28,7 @@
 #include "buffer.h"
 #include "signkey.h"
 #include "runopts.h"
+#include "blacklist.h"

 static size_t listensockets(int *sock, size_t sockcount, int *maxfd);
 static void sigchld_handler(int dummy);
@@ -254,6 +255,11 @@ void main_noinetd() {
 				}
 			}

+			if (is_blacklisted(getaddrstring(&remoteaddr, 0)) == 1) {
+				close(childsock);
+				continue;
+			}
+
 			if (num_unauthed_total >= MAX_UNAUTH_CLIENTS
 					|| num_unauthed_for_addr >= MAX_UNAUTH_PER_IP) {
 				goto out;