[PATCH 0/1] *** SUBJECT HERE ***

Steffen Nurpmeso steffen at sdaoden.eu
Fri Mar 13 06:32:28 AEDT 2020

Thomas Koeller wrote in
<13cc6076-ba37-2eb2-7536-fe56fde935ee at koeller.dyndns.org>:
 |On 12.03.20 19:09, Christoph Anton Mitterer wrote:
 |> On Wed, 2020-03-11 at 21:39 +0100, Thomas Koeller wrote:
 |> IMO, the idea itself sounds not the best... one must assume that such
 |> invoked programs are not written "safe"... and thus an attacker could
 |> potentially cause the system to run such programs a huge number of
 |> times.
 |As the anticipated action of the program is to blacklist hosts, this 
 |would require some kind of DDOS attack, using a botnet or the like.
 |> Maybe they take a while to finish (or in error case: do not finish a
 |> all) thus causing DoS.
 |> Not to talk about further complex scenarios where such invocation might
 |> be used for analysis or other forms of attacks.
 |While it is certainly true that poorly written programs can do harm, 
 |please keep in mind that the only way for an attacker to interact with 
 |the spawned program is to cause it to run. He cannot influence what the 
 |program does, so any problems it may cause are the writer's fault.

Christos Zoulas wrote the blacklistd for NetBSD, now also in
FreeBSD, which does this for ssh and postfix at least.
It is fantastic, it is tremendous, it is an improvement that
i longed for a decade ago.  It is sheer nonsense that you need to
parse log files to collect information that the server had in the
moment he made a decision.  Waste of CPU cycles, waste of energy,
waste of thought.  Sheer nonsense.

It is only a pity that blacklistd only does this for
authentication faults.  This is not enough to get my postfix
problems done, where i get "nonsense" or "evil" connections which
try to do whatever, sending mail for example, or simply hang.
These are catched by smtpd_soft_error_limit = 1,
smtpd_hard_error_limit = 1 and timeout settings, but are not
covered by blacklistd.
So i said so many years ago how cool it would be to have such
hooks executing by then, with some ARGV info, but otherwise exec+
Then again i never stood up and went.  Zoulas did, though.

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

More information about the openssh-unix-dev mailing list