blocklist: Revert upstream commit ddf6d71
Upstream commit ddf6d71 ("implement BLOCKLIST_BAD_USER as a "one-count"
failure") introduced BLOCKLIST_BAD_USER with a one-count failure
mechanism. BLOCKLIST_AUTH_FAIL was implemented with a two-count failure
mechanism. Since we have been utilizing BLOCKLIST_AUTH_FAIL, the number
of failed attempts now doubles towards the maximum limit (nfails),
giving system administrators the impression that the number of failed
authentication attempts is inaccurate.
Revert this commit until a consensus has been reached. We do not want
to introduce yet another breaking change with the renaming of the
library.
Approved by: emaste (mentor)
MFC after: 2 days
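Added illustration, not blocklistd's own code: a small model of the two failure-accounting schemes the commit message contrasts, so the "doubles towards the maximum limit" effect can be seen on sample input. The message kinds, the fall-through order and the "nfail - 2" / "nfail - 1" seeding follow the blocklistd.c hunk on this page; the enum, struct and function names, and the sample nfail value of 6, are assumptions made for this example.

```c
/*
 * Added illustration, not blocklistd's own code: a model of the two-count
 * scheme from upstream ddf6d71 and the one-count scheme this revert restores.
 * Names (enum msg, enum scheme, struct entry, messages_until_block) and the
 * sample nfail value are assumptions made for this example.
 */
#include <stdbool.h>
#include <stdio.h>

enum msg { MSG_AUTH_FAIL, MSG_BAD_USER, MSG_ABUSE };
enum scheme { TWO_COUNT, ONE_COUNT };

struct entry {
	int count;	/* accumulated failures, like dbi.count */
	bool blocked;
};

/*
 * Two-count scheme (upstream ddf6d71): BL_ABUSE seeds nfail - 2 and falls
 * through BL_ADD and BL_BADUSER, so an auth failure adds 2 and a bad user 1.
 */
static void
apply_two_count(struct entry *e, enum msg m, int nfail)
{
	switch (m) {
	case MSG_ABUSE:
		if (nfail != -1)
			e->count = nfail - 2;
		/* FALLTHROUGH */
	case MSG_AUTH_FAIL:
		e->count++;
		/* FALLTHROUGH */
	case MSG_BAD_USER:
		e->count++;
		break;
	}
	if (nfail != -1 && e->count >= nfail)
		e->blocked = true;
}

/*
 * One-count scheme (restored by this revert): BL_ABUSE seeds nfail - 1, an
 * auth failure adds 1, and BL_BADUSER is ignored.
 */
static void
apply_one_count(struct entry *e, enum msg m, int nfail)
{
	switch (m) {
	case MSG_ABUSE:
		if (nfail != -1)
			e->count = nfail - 1;
		/* FALLTHROUGH */
	case MSG_AUTH_FAIL:
		e->count++;
		break;
	case MSG_BAD_USER:
		/* ignore for now */
		break;
	}
	if (nfail != -1 && e->count >= nfail)
		e->blocked = true;
}

/*
 * Deliver the same message `repeat` times from one address and return how
 * many deliveries it took to block it, or -1 if it was never blocked.
 */
static int
messages_until_block(enum msg m, int repeat, int nfail, enum scheme s)
{
	struct entry e = { 0, false };

	for (int i = 1; i <= repeat; i++) {
		if (s == TWO_COUNT)
			apply_two_count(&e, m, nfail);
		else
			apply_one_count(&e, m, nfail);
		if (e.blocked)
			return i;
	}
	return -1;
}

int
main(void)
{
	int nfail = 6;	/* assumed nfail column from blocklistd.conf */

	printf("nfail=%d: auth failures until block, two-count=%d one-count=%d\n",
	    nfail,
	    messages_until_block(MSG_AUTH_FAIL, 20, nfail, TWO_COUNT),
	    messages_until_block(MSG_AUTH_FAIL, 20, nfail, ONE_COUNT));
	printf("nfail=%d: bad-user reports until block, two-count=%d one-count=%d\n",
	    nfail,
	    messages_until_block(MSG_BAD_USER, 20, nfail, TWO_COUNT),
	    messages_until_block(MSG_BAD_USER, 20, nfail, ONE_COUNT));
	return 0;
}
```

With nfail set to 6, the two-count scheme blocks an address after three BLOCKLIST_AUTH_FAIL reports and the one-count scheme after six, which is the halving an administrator sees when comparing the configured limit against the failures actually logged; an abuse report blocks on the first message under either scheme.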
@@ -222,19 +222,16 @@ process(bl_t bl)
switch (bi->bi_type) {
case BL_ABUSE:
/*
* If the application has signaled abusive behavior, set the
* number of fails to be two less than the configured limit.
* Fall through to the normal BL_ADD and BL_BADUSER processing,
* which will increment the failure count to the threshhold, and
* block the abusive address.
* If the application has signaled abusive behavior,
* set the number of fails to be one less than the
* configured limit. Fallthrough to the normal BL_ADD
* processing, which will increment the failure count
* to the threshhold, and block the abusive address.
*/
if (c.c_nfail != -1)
dbi.count = c.c_nfail - 2;
dbi.count = c.c_nfail - 1;
/*FALLTHROUGH*/
case BL_ADD:
dbi.count++; /* will become += 2 */
/*FALLTHROUGH*/
case BL_BADUSER:
dbi.count++;
dbi.last = ts.tv_sec;
if (c.c_nfail != -1 && dbi.count >= c.c_nfail) {
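Review bot: the comment block restored here (`* configured limit. Fallthrough to the normal BL_ADD` through `* to the threshhold, and block the abusive address.`) carries over the misspelling "threshhold" from the text it replaces; since these lines are rewritten by the revert anyway, spell it "threshold". The arithmetic is consistent with the restored structure: BL_ABUSE now seeds `dbi.count = c.c_nfail - 1` and the single `dbi.count++` under BL_ADD brings it to c_nfail, so the `dbi.count >= c.c_nfail` check blocks on the first abuse report, the same outcome the removed `- 2` plus double increment produced, while an ordinary BL_ADD once again counts as one failure.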
@@ -263,6 +260,9 @@ process(bl_t bl)
dbi.count = 0;
dbi.last = 0;
break;
case BL_BADUSER:
/* ignore for now */
break;
default:
(*lfun)(LOG_ERR, "unknown message %d", bi->bi_type);
}
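Review bot: `case BL_BADUSER: /* ignore for now */ break;` discards the message with no trace, whereas the `default:` branch directly below logs every unrecognised type at LOG_ERR. A daemon that sends BLOCKLIST_BAD_USER will see its reports disappear with no log line explaining why the address never accumulates failures; suggest a debug-level message in that branch, e.g. `(*lfun)(LOG_DEBUG, "ignoring BL_BADUSER message");`, so the "not currently available" state is at least observable while the upstream discussion is pending.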
@@ -106,20 +106,26 @@ The
.Ar action
parameter can take these values:
.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR"
.It Va BLOCKLIST_BAD_USER
The sending daemon has determined the username presented for
authentication is invalid.
This is considered as one failure count.
.It Va BLOCKLIST_AUTH_FAIL
.It Dv BLOCKLIST_AUTH_FAIL
There was an unsuccessful authentication attempt.
This is considered as two failure counts together.
.It Va BLOCKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior from the remote system.
This is considered as a total immediate failure.
The remote address will be blocked as soon as possible.
.It Va BLOCKLIST_AUTH_OK
A valid user successfully authenticated.
Any entry for the remote address will be removed as soon as possible.
.It Dv BLOCKLIST_AUTH_OK
A user successfully authenticated.
.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR
The sending daemon has detected abusive behavior
from the remote system.
The remote address should
be blocked as soon as possible.
.It Dv BLOCKLIST_BAD_USER
The sending daemon has determined the username
presented for authentication is invalid.
The
.Xr blocklistd 8
daemon compares the username to a configured list of forbidden
usernames and
blocks the address immediately if a forbidden username matches.
(The
.Dv BLOCKLIST_BAD_USER
support is not currently available.)
.El
.Pp
The
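Review bot: the revert removes two sentences that describe daemon behaviour rather than the disputed failure counts: under BLOCKLIST_AUTH_OK, `Any entry for the remote address will be removed as soon as possible.`, and under BLOCKLIST_ABUSIVE_BEHAVIOR, `This is considered as a total immediate failure.` Only the "one failure count" and "two failure counts" sentences conflict with the reverted code; suggest keeping the other two in the restored entries so the manual still tells callers what each action results in. The restored `.It Dv` macros and the closing note that BLOCKLIST_BAD_USER support is not currently available do match the `/* ignore for now */` handling in blocklistd.c.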