The unified diff between revisions [87286233..] and [fdd44441..] is displayed below. It can also be downloaded as a raw diff.
#
#
# add_file "blacklist.c"
# content [7d3ec473ae848769eb2d95c530bec6709ffc58b3]
#
# add_file "blacklist.h"
# content [da5d16e2002a27e64204aad878301e8a9edec0a3]
#
# patch "Makefile.in"
# from [be6288abe8ef5c01177ff3185a1f4ac14b74e56f]
# to [ff949b6955ca9f51ccdcf2a67fb42dd1b259763b]
#
# patch "options.h"
# from [072d78418e9cbade0d6a42530afa806c781237bd]
# to [323eba2e14c100c6ed74e49dd07d1fd2507ab448]
#
# patch "svr-auth.c"
# from [fab10976a9ca57a482a384cedd794de7f0247e40]
# to [afd994b5b2a4169736a052dc874af544c265270b]
#
# patch "svr-main.c"
# from [956679879949d5e02205ac66872e03986c76fc61]
# to [2fc23167fe2aadc2a1fd5199fb071b742ca41ce1]
#
============================================================
--- blacklist.c 7d3ec473ae848769eb2d95c530bec6709ffc58b3
+++ blacklist.c 7d3ec473ae848769eb2d95c530bec6709ffc58b3
@@ -0,0 +1,55 @@
+#include "includes.h"
+#include "options.h"
+#include "dbutil.h"
+
+#define LINE_LENGTH 50
+
+int is_blacklisted (char *remote_ip) {
+
+ char sz_tmp[LINE_LENGTH];
+ FILE *fp_blacklist = NULL;
+
+ fp_blacklist = fopen(BLACKLISTFILE, "r");
+ if (fp_blacklist == NULL) {
+ /* TODO: this could spew log messages. */
+ dropbear_log(LOG_INFO, "Could not open blacklist %s for reading.", BLACKLISTFILE);
+ } else {
+ while (fgets(sz_tmp, LINE_LENGTH - 1, fp_blacklist) != NULL) {
+ if (strlen(sz_tmp) > 0) {
+ sz_tmp[strlen(sz_tmp)-1] = '\0';
+ if (!strcmp(sz_tmp, remote_ip)) {
+ dropbear_log(LOG_INFO, "IP %s is forbidden!", remote_ip);
+ fclose (fp_blacklist);
+ return 1;
+ }
+ }
+ }
+ fclose (fp_blacklist);
+ }
+ return 0;
+}
+
+void blacklist (char *addrstring)
+{
+ int i;
+ FILE *fp_blacklist = NULL;
+ char *remote_ip = NULL;
+
+ remote_ip = m_strdup (addrstring);
+ i = strlen (remote_ip);
+ /* This may not be IPv6 safe if addrstring doesn't have a :port suffix */
+ while (i--) {
+ if (remote_ip[i] == ':') {
+ remote_ip[i] = '\0';
+ break;
+ }
+ }
+ dropbear_log (LOG_INFO, "Blacklisting %s", remote_ip);
+ if ((fp_blacklist = fopen (BLACKLISTFILE, "a")) == NULL) {
+ dropbear_log (LOG_INFO, "Could not open blacklist %s for appending", BLACKLISTFILE);
+ } else {
+ fprintf (fp_blacklist, "%s\n", remote_ip);
+ fclose (fp_blacklist);
+ }
+ m_free (remote_ip);
+}
============================================================
--- blacklist.h da5d16e2002a27e64204aad878301e8a9edec0a3
+++ blacklist.h da5d16e2002a27e64204aad878301e8a9edec0a3
@@ -0,0 +1,7 @@
+#ifndef _BLACKLIST_H_
+#define _BLACKLIST_H_
+
+int is_blacklisted (char *remote_ip);
+void blacklist (char *addrstring);
+
+#endif
============================================================
--- Makefile.in be6288abe8ef5c01177ff3185a1f4ac14b74e56f
+++ Makefile.in ff949b6955ca9f51ccdcf2a67fb42dd1b259763b
@@ -25,7 +25,7 @@ SVROBJS=svr-kex.o svr-algo.o svr-auth.o
SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \
svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \
svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
- svr-tcpfwd.o svr-authpam.o
+ svr-tcpfwd.o svr-authpam.o blacklist.o
CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
============================================================
--- options.h 072d78418e9cbade0d6a42530afa806c781237bd
+++ options.h 323eba2e14c100c6ed74e49dd07d1fd2507ab448
@@ -22,6 +22,9 @@
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
#endif
+/* File to store blacklisted IPs */
+#define BLACKLISTFILE "/var/dropbear/blacklist"
+
/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
* on chosen ports and keeps accepting connections. This is the default.
*
@@ -122,8 +125,8 @@ etc) slower (perhaps by 50%). Recommende
* but there's an interface via a PAM module - don't bother using it otherwise.
* You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
-/*#define ENABLE_SVR_PAM_AUTH*/
+//#define ENABLE_SVR_PASSWORD_AUTH
+#define ENABLE_SVR_PAM_AUTH
#define ENABLE_SVR_PUBKEY_AUTH
#define ENABLE_CLI_PASSWORD_AUTH
@@ -161,7 +164,7 @@ etc) slower (perhaps by 50%). Recommende
/* Maximum number of failed authentication tries (server option) */
#ifndef MAX_AUTH_TRIES
-#define MAX_AUTH_TRIES 10
+#define MAX_AUTH_TRIES 2
#endif
/* The file to store the daemon's process ID, for shutdown scripts etc */
============================================================
--- svr-auth.c fab10976a9ca57a482a384cedd794de7f0247e40
+++ svr-auth.c afd994b5b2a4169736a052dc874af544c265270b
@@ -33,6 +33,7 @@
#include "packet.h"
#include "auth.h"
#include "runopts.h"
+#include "blacklist.h"
static void authclear();
static int checkusername(unsigned char *username, unsigned int userlen);
@@ -338,6 +339,7 @@ void send_msg_userauth_failure(int parti
} else {
userstr = ses.authstate.printableuser;
}
+ blacklist(svr_ses.addrstring);
dropbear_exit("Max auth tries reached - user '%s' from %s",
userstr, svr_ses.addrstring);
}
============================================================
--- svr-main.c 956679879949d5e02205ac66872e03986c76fc61
+++ svr-main.c 2fc23167fe2aadc2a1fd5199fb071b742ca41ce1
@@ -28,6 +28,7 @@
#include "buffer.h"
#include "signkey.h"
#include "runopts.h"
+#include "blacklist.h"
static int listensockets(int *sock, int sockcount, int *maxfd);
static void sigchld_handler(int dummy);
@@ -238,6 +239,11 @@ void main_noinetd() {
}
}
+ if (is_blacklisted(getaddrstring(&remoteaddr, 0)) == 1) {
+ close(childsock);
+ continue;
+ }
+
if (j == MAX_UNAUTH_CLIENTS) {
/* no free connections */
/* TODO - possibly log, though this would be an easy way