From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from tb-mx1.topicbox.com (localhost.local [127.0.0.1]) by tb-mx1.topicbox.com (Postfix) with ESMTP id 0C19447675C for <9fans@9fans.net>; Tue, 29 Oct 2019 05:13:32 -0400 (EDT) (envelope-from steve@quintile.net)
Received: from tb-mx1.topicbox.com (localhost [127.0.0.1]) by tb-mx1.topicbox.com (Authentication Milter) with ESMTP id CF5519573CF; Tue, 29 Oct 2019 05:13:32 -0400
ARC-Authentication-Results: i=1; tb-mx1.topicbox.com; arc=none (no signatures found); dkim=none (no signatures found); dmarc=none policy.published-domain-policy=none policy.applied-disposition=none policy.evaluated-disposition=none (p=none,d=none,d.eval=none) policy.policy-from=p header.from=quintile.net; iprev=pass smtp.remote-ip=81.187.30.52 (b-painless.mh.aa.net.uk); spf=pass smtp.mailfrom=steve@quintile.net smtp.helo=b-painless.mh.aa.net.uk; x-aligned-from=pass (Address match); x-ptr=pass smtp.helo=b-painless.mh.aa.net.uk policy.ptr=b-painless.mh.aa.net.uk; x-return-mx=pass header.domain=quintile.net policy.is_org=yes (MX Record found); x-return-mx=pass smtp.domain=quintile.net policy.is_org=yes (MX Record found); x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES256-GCM-SHA384 smtp.bits=256/256; x-vs=clean score=0 state=0
X-ME-VSCategory: clean
Received-SPF: pass (quintile.net: 81.187.30.52 is authorized to use 'steve@quintile.net' in 'mfrom' identity (mechanism 'ip4:81.187.30.52' matched)) receiver=tb-mx1.topicbox.com; identity=mailfrom; envelope-from="steve@quintile.net";
 helo=b-painless.mh.aa.net.uk; client-ip=81.187.30.52
Received: from b-painless.mh.aa.net.uk (b-painless.mh.aa.net.uk [81.187.30.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by tb-mx1.topicbox.com (Postfix) with ESMTPS for <9fans@9fans.net>; Tue, 29 Oct 2019 05:13:31 -0400 (EDT) (envelope-from steve@quintile.net)
Received: from 132.198.187.81.in-addr.arpa ([81.187.198.132] helo=quintile.net) by b-painless.mh.aa.net.uk with esmtp (Exim 4.92) (envelope-from ) id 1iPNZC-0006O4-63 for 9fans@9fans.net; Tue, 29 Oct 2019 09:13:30 +0000
Message-ID: <40948c2f47e09644a2a6fc2f8e39a616@quintile.net>
Subject: banishment of nuisance IP addresses
From: "Steve Simon"
Date: Tue, 29 Oct 2019 09:13:27 +0000
To: 9fans@9fans.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-vhefyajncqqkkbykgxrquhznft"
Topicbox-Policy-Reasoning: allow: sender is a member
Topicbox-Message-UUID: 638d8220-fa2c-11e9-8d0a-b24c379d2eec

This is a multi-part message in MIME format.
--upas-vhefyajncqqkkbykgxrquhznft
Content-Disposition: inline
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Hi all,

I still run a plan9 server attached to the net. I have always had attacks from bots, viruses, script kiddies etc. and decided to do something to reduce the load on my system - some attacks can be quite persistent.

I have taken the idea from the linux log2ban script but I implemented it rather differently.

I added two functions to libsec (for want of a better place), nuisance() and banished(). The former allows you to log a failed authentication attempt, dropped TLS connection etc. The latter tests for too many failures and drops connections from repeat offenders.

nuisance() adds a single character (indicating the type of failure, 't' for TLS drop, 'a' for authentication failure etc), to an append only file in /lib/ndb/banished named with the source IP address that is connecting. If that file gets too long the address becomes persona non grata.

I have a cron job that deletes banishment files that have not been modified for a month on the basis that hackers and bots get rounded up eventually.

I added these calls to dnstcp, listen, tlssrv, imap4d, httpd, smtpd, and secstored. This is enough to cover all the network listeners I have, and it works well, but feels a little crude.

I would be interested if anyone has a more elegant solution.

-Steve

--upas-vhefyajncqqkkbykgxrquhznft
Content-Disposition: attachment; filename=banished.c
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

#include <u.h>
#include <libc.h>

static char *bandir = "/lib/ndb/banished";

/* Log that this ipaddr, (or ipaddr!port) may be causing a nuisance */
int
nuisance(char *addr, char c)
{
	int fd, len;
	char *p, *path;

	if(!addr || !*addr)
		return -1;
	/* the file is named after the address part of ipaddr!port only */
	len = strlen(addr);
	if((p = strchr(addr, '!')) != nil)
		len = p - addr;
	path = smprint("%s/%.*s", bandir, len, addr);
	/* append-only file: every write adds one failure character */
	if((fd = open(path, OWRITE)) == -1)
		fd = create(path, OWRITE, 0666|DMAPPEND);
	free(path);
	if(fd == -1)
		return -1;
	write(fd, &c, 1);
	close(fd);
	return 0;
}

/* Has this ipaddr, (or ipaddr!port) caused too much of a nuisance */
int
banished(char *addr, int thresh)
{
	Dir *d;
	int n, len;
	char *p, *path;

	if(!addr || !*addr)
		return 0;
	len = strlen(addr);
	if((p = strchr(addr, '!')) != nil)
		len = p - addr;
	path = smprint("%s/%.*s", bandir, len, addr);
	d = dirstat(path);
	free(path);
	if(d == nil)
		return 0;
	/* the file length is the number of failures logged so far */
	n = d->length;
	free(d);
	if(n < thresh)
		return 0;
	return 1;
}

--upas-vhefyajncqqkkbykgxrquhznft--
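A POSIX port of the same design, added here as an example rather than the banished.c Steve posted: one append-only file per source address whose length is the failure count, the "!port" suffix stripped, and the monthly cron expiry folded into banished() as a maxage argument. The directory under /tmp and the check that the address contains only IP-literal characters (so it can never become a path component) are this example's assumptions, not the post's.

```c
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
#include <sys/stat.h>

static const char *bandir = "/tmp/banished-example";	/* constructed; the post uses /lib/ndb/banished */

/* Build "bandir/ipaddr" from "ipaddr" or "ipaddr!port". Only IPv4/IPv6 literal
 * characters are accepted, so an address can never become a path such as "../". */
static int banpath(const char *addr, char *buf, size_t n)
{
	size_t len, i;
	if(addr == NULL || *addr == '\0') return -1;
	len = strcspn(addr, "!");
	if(len == 0 || len > 45) return -1;	/* 45: longest IPv6 text form */
	for(i = 0; i < len; i++)
		if(strchr("0123456789abcdefABCDEF.:", addr[i]) == NULL) return -1;
	return snprintf(buf, n, "%s/%.*s", bandir, (int)len, addr) < (int)n ? 0 : -1;
}

/* Log that addr (or addr!port) caused a nuisance of type c ('a' auth failure,
 * 't' dropped TLS, ...). O_APPEND plays the role of Plan 9's DMAPPEND. */
int nuisance(const char *addr, char c)
{
	char path[256];
	int fd, ok;
	if(banpath(addr, path, sizeof path) < 0) return -1;
	(void)mkdir(bandir, 0755);
	if((fd = open(path, O_WRONLY|O_APPEND|O_CREAT, 0644)) < 0) return -1;
	ok = write(fd, &c, 1) == 1;
	close(fd);
	return ok ? 0 : -1;
}

/* Has addr logged at least thresh failures? The file length is the count.
 * maxage > 0 also forgets a record untouched for that many seconds, doing
 * inline what the post's monthly cron job does. Returns 1 if banished. */
int banished(const char *addr, int thresh, long maxage)
{
	char path[256];
	struct stat st;
	if(banpath(addr, path, sizeof path) < 0 || stat(path, &st) < 0) return 0;
	if(maxage > 0 && time(NULL) - st.st_mtime > maxage){
		unlink(path);	/* expired: forget this address */
		return 0;
	}
	return st.st_size >= thresh;
}
```

A listener would call nuisance(remote, 'a') on each failed login and refuse the connection up front when banished(remote, 3, 30L*86400) returns 1.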