tg123/sshpiper

Plugin failtoban doesn't block connections without any pipe/upstream connection

vholer opened this issue · 2 comments

vholer commented

I'm checking the changes you did to support automated blocking, thank you very much. Two comments.

  1. Although the usage text says it's only for password auth, it works for me even for SSH key authentication.

    Usage: "sshpiperd fixed plugin, only password auth is supported",

  2. Only failures on password/public key authentication are counted, so if the downstream client is guessing usernames, it is still not blocked and overloads the server, e.g.:

[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:1797 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:19443 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:6866 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:1222 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:3001 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:38980 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:8095 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:49874 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:9527 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:7209 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"
[sshpiper-d9fc77c4f-tc4jm] time="2023-08-30T13:50:39Z" level=error msg="cannot create upstream for 192.168.39.189:35011 (username [test-abcXXXX]) with public key auth: rpc error: code = Unknown desc = no matching pipe for username [test-abcXXXX] found"

but for an existing pipe (username) it blocks after the (default) 5 failures as expected:

[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:44Z" level=debug msg="failtoban: 192.168.39.189 auth failed 1 times, max allowed 5"
[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:44Z" level=debug msg="failtoban: 192.168.39.189 auth failed 2 times, max allowed 5"
[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:44Z" level=debug msg="failtoban: 192.168.39.189 auth failed 3 times, max allowed 5"
[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:45Z" level=debug msg="failtoban: 192.168.39.189 auth failed 4 times, max allowed 5"
[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:45Z" level=debug msg="failtoban: 192.168.39.189 auth failed 5 times, max allowed 5"
[sshpiper-d9fc77c4f-hl88j] time="2023-08-30T13:51:45Z" level=error msg="cannot create challenge context rpc error: code = Unknown desc = failtoban: ip 192.168.39.189 too auth many failures"

I guess it's not easy to distinguish upstream error types in the callback, between the case above (when the configuration doesn't exist at all and the downstream client should be blocked) and different upstream server issues (e.g., upstream server unreachability should NOT be counted as a failure for the client).
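The distinction raised in the report above, namely counting "no matching pipe" and genuine auth failures against the client IP while ignoring upstream outages, as an added Go example that is not sshpiper's or the failtoban plugin's code. The sentinel errors, ClassifyDesc, Banner and the sample IPs are assumptions made for the example; sshpiper's plugin callbacks surface opaque gRPC errors ("rpc error: code = Unknown desc = ..."), which is why the string-matching fallback is shown alongside the typed-error path.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Sentinel error classes (assumption for this example). sshpiper's plugin
// callbacks return opaque gRPC errors, which is exactly why the issue says
// the failure kinds cannot be told apart today; typed errors like these
// are what a callback would need to return for a reliable decision.
var (
	ErrAuthFailed          = errors.New("auth failed")          // wrong password / rejected key
	ErrNoMatchingPipe      = errors.New("no matching pipe")     // username not in config: client is guessing
	ErrUpstreamUnreachable = errors.New("upstream unreachable") // server-side problem: not the client's fault
)

// ClassifyDesc maps the free-text "desc" of an opaque RPC error to one of
// the sentinels above. String matching is a fragile fallback only; unknown
// text maps to nil so it is never counted against the client.
func ClassifyDesc(desc string) error {
	switch {
	case strings.Contains(desc, "no matching pipe"):
		return ErrNoMatchingPipe
	case strings.Contains(desc, "connection refused"), strings.Contains(desc, "i/o timeout"):
		return ErrUpstreamUnreachable
	case strings.Contains(desc, "auth failed"):
		return ErrAuthFailed
	}
	return nil
}

// ShouldCount reports whether err is the downstream client's fault and so
// should count toward banning its IP. Outages and unknown errors do not.
func ShouldCount(err error) bool {
	return errors.Is(err, ErrAuthFailed) || errors.Is(err, ErrNoMatchingPipe)
}

// Banner is a minimal failtoban-style counter keyed by client IP.
type Banner struct {
	mu     sync.Mutex
	max    int
	failed map[string]int
}

func NewBanner(max int) *Banner {
	return &Banner{max: max, failed: make(map[string]int)}
}

// Record counts err against ip if ShouldCount says so and reports whether
// ip has reached the limit. Once banned, further attempts are not counted
// (the connection would be rejected before authentication, as in the log).
func (b *Banner) Record(ip string, err error) bool {
	b.mu.Lock()
	defer b.mu.Unlock()
	if b.failed[ip] >= b.max {
		return true
	}
	if ShouldCount(err) {
		b.failed[ip]++
	}
	return b.failed[ip] >= b.max
}

// Failures returns the number of counted failures for ip.
func (b *Banner) Failures(ip string) int {
	b.mu.Lock()
	defer b.mu.Unlock()
	return b.failed[ip]
}

func main() {
	b := NewBanner(5)
	guesser, outageClient := "192.168.39.189", "10.0.0.7" // constructed sample IPs

	// Username guessing: every attempt fails with "no matching pipe" and counts.
	for i := 1; i <= 8; i++ {
		err := fmt.Errorf("cannot create upstream for %s: %w", guesser, ErrNoMatchingPipe)
		fmt.Printf("%s attempt %d banned=%v\n", guesser, i, b.Record(guesser, err))
	}

	// A legitimate client hitting an unreachable upstream is never counted.
	for i := 1; i <= 8; i++ {
		b.Record(outageClient, ErrUpstreamUnreachable)
	}
	fmt.Printf("%s counted failures=%d\n", outageClient, b.Failures(outageClient))

	// Fallback classification of an opaque RPC desc like the one in the issue's logs.
	fmt.Println("classified:", ClassifyDesc("no matching pipe for username [test-abcXXXX] found"))
}
```

With the limit at 5, the guessing IP is reported banned on its fifth counted failure and every attempt after that, matching the "auth failed 5 times, max allowed 5" followed by a rejected challenge context in the log above, while the client behind the outage keeps a count of zero.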

tg123 commented

1. Copy/paste from fixed, will be fixed.
2. Will support a find-upstream error ban.

tg123 commented

Hmm, this needs a somewhat big refactor to support.