# HG changeset patch # User Matt Johnston # Date 1125982634 0 # Node ID c07de41b53d74b618d8039309b7dd5be32186638 # Parent b24730e11c830cf2aebfd8311bcb94413d6f7540# Parent f4cf0415fec1912da34998651b94f459c26aa11c propagate from branch 'au.asn.ucc.matt.dropbear' (head c9347a030ac9ef5454b7a84f4915e91dc44efd6c) to branch 'au.asn.ucc.matt.dropbear.contrib.blacklist' (head 8662c7148e4b738e2511a6fce9a4cbd959ecb6b8) diff -r b24730e11c83 -r c07de41b53d7 Makefile.in --- a/Makefile.in Tue Sep 06 04:04:51 2005 +0000 +++ b/Makefile.in Tue Sep 06 04:57:14 2005 +0000 @@ -25,7 +25,7 @@ SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\ - svr-tcpfwd.o svr-authpam.o + svr-tcpfwd.o svr-authpam.o blacklist.o CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ cli-session.o cli-service.o cli-runopts.o cli-chansession.o \ diff -r b24730e11c83 -r c07de41b53d7 blacklist.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/blacklist.c Tue Sep 06 04:57:14 2005 +0000 @@ -0,0 +1,55 @@ +#include "includes.h" +#include "options.h" +#include "dbutil.h" + +#define LINE_LENGTH 50 + +int is_blacklisted (char *remote_ip) { + + char sz_tmp[LINE_LENGTH]; + FILE *fp_blacklist = NULL; + + fp_blacklist = fopen(BLACKLISTFILE, "r"); + if (fp_blacklist == NULL) { + /* TODO: this could spew log messages. */ + dropbear_log(LOG_INFO, "Could not open blacklist %s for reading.", BLACKLISTFILE); + } else { + while (fgets(sz_tmp, LINE_LENGTH - 1, fp_blacklist) != NULL) { + if (strlen(sz_tmp) > 0) { + sz_tmp[strlen(sz_tmp)-1] = '\0'; + if (!strcmp(sz_tmp, remote_ip)) { + dropbear_log(LOG_INFO, "IP %s is forbidden!", remote_ip); + fclose (fp_blacklist); + return 1; + } + } + } + fclose (fp_blacklist); + } + return 0; +} + +void blacklist (char *addrstring) +{ + int i; + FILE *fp_blacklist = NULL; + char *remote_ip = NULL; + + remote_ip = m_strdup (addrstring); + i = strlen (remote_ip); + /* This may not be IPv6 safe if addrstring doesn't have a :port suffix */ + while (i--) { + if (remote_ip[i] == ':') { + remote_ip[i] = '\0'; + break; + } + } + dropbear_log (LOG_INFO, "Blacklisting %s", remote_ip); + if ((fp_blacklist = fopen (BLACKLISTFILE, "a")) == NULL) { + dropbear_log (LOG_INFO, "Could not open blacklist %s for appending", BLACKLISTFILE); + } else { + fprintf (fp_blacklist, "%s\n", remote_ip); + fclose (fp_blacklist); + } + m_free (remote_ip); +} diff -r b24730e11c83 -r c07de41b53d7 blacklist.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/blacklist.h Tue Sep 06 04:57:14 2005 +0000 @@ -0,0 +1,7 @@ +#ifndef _BLACKLIST_H_ +#define _BLACKLIST_H_ + +int is_blacklisted (char *remote_ip); +void blacklist (char *addrstring); + +#endif diff -r b24730e11c83 -r c07de41b53d7 options.h --- a/options.h Tue Sep 06 04:04:51 2005 +0000 +++ b/options.h Tue Sep 06 04:57:14 2005 +0000 @@ -22,6 +22,9 @@ #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" #endif +/* File to store blacklisted IPs */ +#define BLACKLISTFILE "/var/dropbear/blacklist" + /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens * on chosen ports and keeps accepting connections. This is the default. * @@ -127,8 +130,8 @@ * but there's an interface via a PAM module - don't bother using it otherwise. * You can't enable both PASSWORD and PAM. */ -#define ENABLE_SVR_PASSWORD_AUTH -/*#define ENABLE_SVR_PAM_AUTH*/ +//#define ENABLE_SVR_PASSWORD_AUTH +#define ENABLE_SVR_PAM_AUTH #define ENABLE_SVR_PUBKEY_AUTH #define ENABLE_CLI_PASSWORD_AUTH @@ -166,7 +169,7 @@ /* Maximum number of failed authentication tries (server option) */ #ifndef MAX_AUTH_TRIES -#define MAX_AUTH_TRIES 10 +#define MAX_AUTH_TRIES 2 #endif /* The file to store the daemon's process ID, for shutdown scripts etc */ diff -r b24730e11c83 -r c07de41b53d7 svr-auth.c --- a/svr-auth.c Tue Sep 06 04:04:51 2005 +0000 +++ b/svr-auth.c Tue Sep 06 04:57:14 2005 +0000 @@ -33,6 +33,7 @@ #include "packet.h" #include "auth.h" #include "runopts.h" +#include "blacklist.h" static void authclear(); static int checkusername(unsigned char *username, unsigned int userlen); @@ -338,6 +339,7 @@ } else { userstr = ses.authstate.printableuser; } + blacklist(svr_ses.addrstring); dropbear_exit("Max auth tries reached - user '%s' from %s", userstr, svr_ses.addrstring); } diff -r b24730e11c83 -r c07de41b53d7 svr-main.c --- a/svr-main.c Tue Sep 06 04:04:51 2005 +0000 +++ b/svr-main.c Tue Sep 06 04:57:14 2005 +0000 @@ -28,6 +28,7 @@ #include "buffer.h" #include "signkey.h" #include "runopts.h" +#include "blacklist.h" static int listensockets(int *sock, int sockcount, int *maxfd); static void sigchld_handler(int dummy); @@ -238,6 +239,11 @@ } } + if (is_blacklisted(getaddrstring(&remoteaddr, 0)) == 1) { + close(childsock); + continue; + } + if (j == MAX_UNAUTH_CLIENTS) { /* no free connections */ /* TODO - possibly log, though this would be an easy way