Thomas Koeller wrote in <13cc6076-ba37-2eb2-7536-fe56fde935ee@xxxxxxxxxxxxxxxxxx>: |On 12.03.20 19:09, Christoph Anton Mitterer wrote: |> On Wed, 2020-03-11 at 21:39 +0100, Thomas Koeller wrote: |> IMO, the idea itself sounds not the best... one must assume that such |> invoked programs are not written "safe"... and thus an attacker could |> potentially cause the system to run such programs a huge number of |> times. |As the anticipated action of the program is to blacklist hosts, this |would require some kind of DDOS attack, using a botnet or the like. | |> |> Maybe they take a while to finish (or in error case: do not finish a |> all) thus causing DoS. |> |> Not to talk about further complex scenarios where such invocation might |> be used for analysis or other forms of attacks. |While it is certainly true that poorly written programs can do harm, |please keep in mind that the only way for an attacker to interact with |the spawned program is to cause it to run. He cannot influence what the |program does, so any problems it may cause are the writer's fault. Christos Zoulas wrote the blacklistd for NetBSD, now also in FreeBSD, which does this for ssh and postfix at least. It is fantastic, it is tremendous, it is an improvement that i longed for a decade ago. It is sheer nonsense that you need to parse log files to collect information that the server had in the moment he made a decision. Waste of CPU cycles, waste of energy, waste of thought. Sheer nonsense. It is only a pity that blacklistd only does this for authentication faults. This is not enough to get my postfix problems done, where i get "nonsense" or "evil" connections which try to do whatever, sending mail for example, or simply hang. These are catched by smtpd_soft_error_limit = 1, smtpd_hard_error_limit = 1 and timeout settings, but are not covered by blacklistd. So i said so many years ago how cool it would be to have such hooks executing by then, with some ARGV info, but otherwise exec+ forget. Then again i never stood up and went. Zoulas did, though. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt) _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev