Mercurial > dropbear
changeset 246:f4cf0415fec1 contrib-blacklist
- blacklisting patch from Michael Deiters
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 06 Sep 2005 04:52:46 +0000 |
parents | 1dbd2473482f |
children | c07de41b53d7 |
files | Makefile.in blacklist.c blacklist.h options.h svr-auth.c svr-main.c |
diffstat | 6 files changed, 77 insertions(+), 4 deletions(-) [+] |
line wrap: on
line diff
--- a/Makefile.in Fri Jul 08 19:20:10 2005 +0000 +++ b/Makefile.in Tue Sep 06 04:52:46 2005 +0000 @@ -25,7 +25,7 @@ SVROBJS=svr-kex.o svr-algo.o svr-auth.o sshpty.o \ svr-authpasswd.o svr-authpubkey.o svr-session.o svr-service.o \ svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\ - svr-tcpfwd.o svr-authpam.o + svr-tcpfwd.o svr-authpam.o blacklist.o CLIOBJS=cli-algo.o cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \ cli-session.o cli-service.o cli-runopts.o cli-chansession.o \
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/blacklist.c Tue Sep 06 04:52:46 2005 +0000 @@ -0,0 +1,55 @@ +#include "includes.h" +#include "options.h" +#include "dbutil.h" + +#define LINE_LENGTH 50 + +int is_blacklisted (char *remote_ip) { + + char sz_tmp[LINE_LENGTH]; + FILE *fp_blacklist = NULL; + + fp_blacklist = fopen(BLACKLISTFILE, "r"); + if (fp_blacklist == NULL) { + /* TODO: this could spew log messages. */ + dropbear_log(LOG_INFO, "Could not open blacklist %s for reading.", BLACKLISTFILE); + } else { + while (fgets(sz_tmp, LINE_LENGTH - 1, fp_blacklist) != NULL) { + if (strlen(sz_tmp) > 0) { + sz_tmp[strlen(sz_tmp)-1] = '\0'; + if (!strcmp(sz_tmp, remote_ip)) { + dropbear_log(LOG_INFO, "IP %s is forbidden!", remote_ip); + fclose (fp_blacklist); + return 1; + } + } + } + fclose (fp_blacklist); + } + return 0; +} + +void blacklist (char *addrstring) +{ + int i; + FILE *fp_blacklist = NULL; + char *remote_ip = NULL; + + remote_ip = m_strdup (addrstring); + i = strlen (remote_ip); + /* This may not be IPv6 safe if addrstring doesn't have a :port suffix */ + while (i--) { + if (remote_ip[i] == ':') { + remote_ip[i] = '\0'; + break; + } + } + dropbear_log (LOG_INFO, "Blacklisting %s", remote_ip); + if ((fp_blacklist = fopen (BLACKLISTFILE, "a")) == NULL) { + dropbear_log (LOG_INFO, "Could not open blacklist %s for appending", BLACKLISTFILE); + } else { + fprintf (fp_blacklist, "%s\n", remote_ip); + fclose (fp_blacklist); + } + m_free (remote_ip); +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/blacklist.h Tue Sep 06 04:52:46 2005 +0000 @@ -0,0 +1,7 @@ +#ifndef _BLACKLIST_H_ +#define _BLACKLIST_H_ + +int is_blacklisted (char *remote_ip); +void blacklist (char *addrstring); + +#endif
--- a/options.h Fri Jul 08 19:20:10 2005 +0000 +++ b/options.h Tue Sep 06 04:52:46 2005 +0000 @@ -22,6 +22,9 @@ #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" #endif +/* File to store blacklisted IPs */ +#define BLACKLISTFILE "/var/dropbear/blacklist" + /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens * on chosen ports and keeps accepting connections. This is the default. * @@ -122,8 +125,8 @@ * but there's an interface via a PAM module - don't bother using it otherwise. * You can't enable both PASSWORD and PAM. */ -#define ENABLE_SVR_PASSWORD_AUTH -/*#define ENABLE_SVR_PAM_AUTH*/ +//#define ENABLE_SVR_PASSWORD_AUTH +#define ENABLE_SVR_PAM_AUTH #define ENABLE_SVR_PUBKEY_AUTH #define ENABLE_CLI_PASSWORD_AUTH @@ -161,7 +164,7 @@ /* Maximum number of failed authentication tries (server option) */ #ifndef MAX_AUTH_TRIES -#define MAX_AUTH_TRIES 10 +#define MAX_AUTH_TRIES 2 #endif /* The file to store the daemon's process ID, for shutdown scripts etc */
--- a/svr-auth.c Fri Jul 08 19:20:10 2005 +0000 +++ b/svr-auth.c Tue Sep 06 04:52:46 2005 +0000 @@ -33,6 +33,7 @@ #include "packet.h" #include "auth.h" #include "runopts.h" +#include "blacklist.h" static void authclear(); static int checkusername(unsigned char *username, unsigned int userlen); @@ -338,6 +339,7 @@ } else { userstr = ses.authstate.printableuser; } + blacklist(svr_ses.addrstring); dropbear_exit("Max auth tries reached - user '%s' from %s", userstr, svr_ses.addrstring); }
--- a/svr-main.c Fri Jul 08 19:20:10 2005 +0000 +++ b/svr-main.c Tue Sep 06 04:52:46 2005 +0000 @@ -28,6 +28,7 @@ #include "buffer.h" #include "signkey.h" #include "runopts.h" +#include "blacklist.h" static int listensockets(int *sock, int sockcount, int *maxfd); static void sigchld_handler(int dummy); @@ -238,6 +239,11 @@ } } + if (is_blacklisted(getaddrstring(&remoteaddr, 0)) == 1) { + close(childsock); + continue; + } + if (j == MAX_UNAUTH_CLIENTS) { /* no free connections */ /* TODO - possibly log, though this would be an easy way