9fans - fans of the OS Plan 9 from Bell Labs
* banishment of nuisance IP addresses
@ 2019-10-29  9:13 Steve Simon
  2019-10-29  9:56 ` [9fans] " hiro
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Simon @ 2019-10-29  9:13 UTC (permalink / raw)
  To: 9fans


Hi all,

I still run a plan9 server attached to the net. I have always
had attacks from bots, viruses, script kiddies etc. and decided
to do something to reduce the load on my system - some attacks can be
quite persistent.

I have taken the idea from the linux log2ban script but I implemented it
rather differently.

I added two functions to libsec (for want of a better place), nuisance()
and banished(). The former allows you to log a failed authentication attempt,
dropped TLS connection etc. The latter tests for too many failures and drops
connections from repeat offenders.

nuisance() adds a single character (indicating the type of failure, 't' for TLS drop,
'a' for authentication failure etc) to an append-only file in /lib/ndb/banished
named with the source IP address that is connecting. If that file gets too long
the address becomes persona non grata.

I have a cron job that deletes banishment files that have not been modified for a month
on the basis that hackers and bots get rounded up eventually.

I added these calls to dnstcp, listen, tlssrv, imap4d, httpd, smtpd, and secstored.
This is enough to cover all the network listeners I have, and it works well, but feels
a little crude. I would be interested if anyone has a more elegant solution.

-Steve

[-- Attachment #2: banished.c (text/plain) --]

#include <u.h>
#include <libc.h>

static char *bandir = "/lib/ndb/banished";

/*
 * Length of the address part of "ipaddr" or "ipaddr!port", or -1 if the
 * string is empty or is not a plain IP literal.  The address is used as
 * a file name under bandir, so anything else (a '/', "..") is refused.
 */
static int
addrlen(char *addr)
{
	char *p, *e;

	if(addr == nil || *addr == 0 || *addr == '.')
		return -1;
	if((e = strchr(addr, '!')) == nil)
		e = addr + strlen(addr);
	if(e == addr)
		return -1;
	for(p = addr; p < e; p++)
		if(strchr("0123456789abcdefABCDEF.:", *p) == nil)
			return -1;
	return e - addr;
}

/* Log that this ipaddr, (or ipaddr!port) may be causing a nuisance */
int
nuisance(char *addr, char c)
{
	int fd, len;
	char *path;

	if((len = addrlen(addr)) < 0)
		return -1;
	if((path = smprint("%s/%.*s", bandir, len, addr)) == nil)
		return -1;

	/*
	 * Open the existing file if there is one, otherwise create it
	 * append-only so every writer's mark lands at the end and
	 * concurrent listeners cannot overwrite each other.
	 */
	if((fd = open(path, OWRITE)) < 0)
		fd = create(path, OWRITE, 0666|DMAPPEND);
	free(path);
	if(fd < 0)
		return -1;

	seek(fd, 0, 2);	/* no-op for DMAPPEND files, keeps appending otherwise */
	if(write(fd, &c, 1) != 1){
		close(fd);
		return -1;
	}
	close(fd);
	return 0;
}

/* Has this ipaddr, (or ipaddr!port) caused too much of a nuisance */
int
banished(char *addr, int thresh)
{
	Dir *d;
	int len;
	vlong n;
	char *path;

	if((len = addrlen(addr)) < 0)
		return 0;
	if((path = smprint("%s/%.*s", bandir, len, addr)) == nil)
		return 0;
	d = dirstat(path);
	free(path);

	if(d == nil)
		return 0;
	n = d->length;	/* one byte was appended per logged event */
	free(d);

	return n >= thresh;
}
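
Added example (editor's code, not Steve's banished.c and not Plan 9 libc): the same design written in portable POSIX C so it can be run on an ordinary Unix box. The ban directory is passed as a parameter, the monthly cron sweep is written as a function called expire(), and demo() walks through a constructed session for the made-up client address 10.0.0.5!40123; those names and that address are assumptions for illustration. It keeps the original's choices: one byte per event, the file length as the counter, an append-only open so concurrent listeners never lose a mark, and a world-writable 0666 file. It adds one check the posted code lacks: the remote address becomes a file name, so anything that is not a plain IP literal is refused before it can be spliced into a path.

```c
/* Added example, not code from this thread; names and sample address are made up. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

/* Build dir/ip from "ip" or "ip!port"; -1 unless the address is a plain IP
 * literal, since it becomes a file name and must not be able to escape dir. */
static int
banpath(char *buf, size_t n, const char *dir, const char *addr)
{
	const char *p, *end;
	if (addr == NULL || *addr == '\0' || *addr == '.')
		return -1;
	if ((end = strchr(addr, '!')) == NULL)
		end = addr + strlen(addr);
	if (end == addr || end - addr > 45)	/* 45: longest IPv6 text form */
		return -1;
	for (p = addr; p < end; p++)
		if (strchr("0123456789abcdefABCDEF.:", *p) == NULL)
			return -1;
	return snprintf(buf, n, "%s/%.*s", dir, (int)(end - addr), addr) < (int)n ? 0 : -1;
}

/* Append one event byte to addr's file; O_APPEND keeps concurrent writers apart. */
int
nuisance(const char *dir, const char *addr, char c)
{
	char path[512];
	int fd, ok;
	if (banpath(path, sizeof path, dir, addr) < 0)
		return -1;
	if ((fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0666)) < 0)
		return -1;
	ok = write(fd, &c, 1) == 1;
	close(fd);
	return ok ? 0 : -1;
}

/* 1 if addr has at least thresh recorded events (one byte each), else 0. */
int
banished(const char *dir, const char *addr, int thresh)
{
	char path[512];
	struct stat st;
	if (banpath(path, sizeof path, dir, addr) < 0 || stat(path, &st) < 0)
		return 0;
	return st.st_size >= thresh;
}

/* The cron job: unlink entries untouched for more than maxage seconds; returns the count. */
int
expire(const char *dir, time_t now, time_t maxage)
{
	DIR *d;
	struct dirent *e;
	struct stat st;
	char path[512];
	int removed = 0;
	if ((d = opendir(dir)) == NULL)
		return -1;
	while ((e = readdir(d)) != NULL) {
		if (banpath(path, sizeof path, dir, e->d_name) < 0)
			continue;	/* ".", ".." and anything that is not an address */
		if (stat(path, &st) == 0 && now - st.st_mtime > maxage && unlink(path) == 0)
			removed++;
	}
	closedir(d);
	return removed;
}

/* Walkthrough in a scratch directory; 0 if every step behaved, else the failing step. */
int
demo(void)
{
	char dir[] = "/tmp/banishXXXXXX", path[512];
	const char *client = "10.0.0.5!40123";	/* constructed sample address */
	time_t now = time(NULL), month = 30 * 24 * 3600;
	struct utimbuf old = { now - month - 86400, now - month - 86400 };
	int rc = 0;
	if (mkdtemp(dir) == NULL)
		return 1;
	if (nuisance(dir, client, 'a') || nuisance(dir, client, 'a') || banished(dir, client, 3))
		rc = 2;	/* two marks: still below the threshold of 3 */
	else if (nuisance(dir, client, 't') || !banished(dir, client, 3))
		rc = 3;	/* the third mark trips the ban */
	else if (nuisance(dir, "../../etc/passwd", 'a') == 0)
		rc = 4;	/* a traversal attempt must be refused, not logged */
	else if (expire(dir, now, month) != 0)
		rc = 5;	/* a fresh entry survives the monthly sweep */
	else if (banpath(path, sizeof path, dir, client) < 0 || utime(path, &old) < 0)
		rc = 6;	/* backdate the entry by 31 days */
	else if (expire(dir, now, month) != 1 || banished(dir, client, 3))
		rc = 7;	/* now it is swept and the ban lifts */
	rmdir(dir);	/* empty on success; left in place for inspection on failure */
	return rc;
}
```

Calling demo() shows the threshold trip on the third mark, the traversal string refused, and the backdated entry swept. The 0666 mode is the very thing cinap's reply in this thread objects to: any local user who can write the directory can ban any address, so on a real system the directory should belong to a dedicated account and be reached through a privileged front end, which this example does not attempt.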


* Re: [9fans] banishment of nuisance IP addresses
  2019-10-29  9:13 banishment of nuisance IP addresses Steve Simon
@ 2019-10-29  9:56 ` hiro
  0 siblings, 0 replies; 7+ messages in thread
From: hiro @ 2019-10-29  9:56 UTC (permalink / raw)
  To: 9fans

From just your description I like how you rely on the filesystem to
store the state, which seems to make it trivial to split multiple
tasks into multiple programs :)


* Re: [9fans] banishment of nuisance IP addresses
  2019-11-05 10:05     ` Steve Simon
@ 2019-11-05 16:28       ` Sergey Zhilkin
  0 siblings, 0 replies; 7+ messages in thread
From: Sergey Zhilkin @ 2019-11-05 16:28 UTC (permalink / raw)
  To: 9fans


>no “fw” not sure what that is.
firewall :)

-- 
With best regards
Zhilkin Sergey


* Re: [9fans] banishment of nuisance IP addresses
  2019-11-05 10:02   ` Sergey Zhilkin
@ 2019-11-05 10:05     ` Steve Simon
  2019-11-05 16:28       ` Sergey Zhilkin
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Simon @ 2019-11-05 10:05 UTC (permalink / raw)
  To: 9fans


No "fw", not sure what that is.

As it happens I turned off IPv6 last night. It was causing problems with SMTP which I fail to understand, maybe the TLS certificate, I am not sure.

The banishment code works fine for IPv6.

-Steve



* Re: [9fans] banishment of nuisance IP addresses
  2019-10-29 11:26 ` Steve Simon
@ 2019-11-05 10:02   ` Sergey Zhilkin
  2019-11-05 10:05     ` Steve Simon
  0 siblings, 1 reply; 7+ messages in thread
From: Sergey Zhilkin @ 2019-11-05 10:02 UTC (permalink / raw)
  To: 9fans


I wonder ... what if it is a system with IPv6 enabled and connected directly
to the internet?
There is no fw in Plan 9 ...
Maybe time to think about it?

-- 
With best regards
Zhilkin Sergey


* Re: [9fans] banishment of nuisance IP addresses
  2019-10-29 10:51 cinap_lenrek
@ 2019-10-29 11:26 ` Steve Simon
  2019-11-05 10:02   ` Sergey Zhilkin
  0 siblings, 1 reply; 7+ messages in thread
From: Steve Simon @ 2019-10-29 11:26 UTC (permalink / raw)
  To: 9fans

Re: anyone can banish an IP address

You are quite right, not a problem for me, but not a general solution.

Ok, chmod og-w /lib/ndb/banished first.

I could then write a file server, invoked in cpurc as bootes and thus
has rights to update the files in /lib/ndb/banished/*.

The file server would have to ensure its /srv/xxx file is not accessible
by others.

This could be mounted by the network listeners before they become none() so
they retain access. They would also need to ensure they unmount
the writable access to the banishment directory before starting their
child process (if the incoming connection is successful).

Ugh. Even _if_ that would work it's a real pain.

Oh well, nice idea, but no banana.

-Steve


* Re: [9fans] banishment of nuisance IP addresses
@ 2019-10-29 10:51 cinap_lenrek
  2019-10-29 11:26 ` Steve Simon
  0 siblings, 1 reply; 7+ messages in thread
From: cinap_lenrek @ 2019-10-29 10:51 UTC (permalink / raw)
  To: 9fans

seems tricky with listeners that run as none, no?

so your banish files would need to be world writable in this
case, no? that means everyone can just lock you out of your
box by writing a line there...

--
cinap

