markus
/
ssh-sentryd


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305
							/*
 * Copyright (c) 2020 Markus Hennecke <markus-hennecke@markus-hennecke.de>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <sys/param.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <net/pfvar.h>
#include <err.h>
#include <errno.h>
#include <regex.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <syslog.h>
#include <unistd.h>

#include "log.h"

int	 run = 1;
char	*blacklist_table = "blacklist";

regex_t rx_failed_invalid_user;

/*
 * Simplified regex match for IPv6 addresses, the code in add_address()
 * will check for a valid IPv4/IPv6 address anyway so keep the regex
 * simple.
 */
#define RX_FAILED_INVALID_USER	"Failed password for " \
    "(invalid user [^ ]+|root) from "				\
    "("								\
    "([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"	\
    "|"								\
    "([0-9A-Fa-f][0-9A-Fa-f:]+)"				\
    ")"								\
    " port [0-9]+ ssh"

#define AUTHLOG_FILENAME	"/var/log/authlog"
#define MAXLINELEN		1024


static int	 add_address(int, const char *, const char *);
static char	*rx_error_string(int, regex_t *);
static void	 sighandler(int);
static void	 usage(void);
static void	 handle_authlog(int, FILE *);


__dead void
usage(void)
{
	fprintf(stderr, "usage: %s [-dv]\n", getprogname());
	exit(1);
}


char *
rx_error_string(int rc, regex_t *rx)
{
	static char error[1024];
	regerror(rc, rx, error, sizeof(error));
	return error;
}


void
sighandler(int sig)
{
	switch (sig) {
	case SIGTERM:
	case SIGINT:
		run = 0;
		break;
	default:
		break;
	}
}


void
handle_authlog(int dev, FILE *authlog)
{
	char line[MAXLINELEN];

	while ((fgets(line, MAXLINELEN, authlog)) != NULL) {
		regmatch_t match[3];
		int rc = regexec(&rx_failed_invalid_user, line, 3, match, 0);
		switch (rc) {
		case REG_NOMATCH:
			break;
		case 0: {
				const regmatch_t *m = &match[2];
				const size_t len = m->rm_eo - m->rm_so;
				char *ip = strndup(line + m->rm_so, len);
				int n = add_address(dev, ip, blacklist_table);
				if (n == 1)
					log_info("Added %s to <%s>", ip,
					    blacklist_table);
				free(ip);
			}
			break;
		default:
			log_warn("regexec: %s",
			    rx_error_string(rc, &rx_failed_invalid_user));
			break;
		}
	}
	if (feof(authlog))
		clearerr(authlog);
	else if (ferror(authlog))
		fatal(NULL);
}


int
add_address(int dev, const char *ip, const char *tablename)
{
	int rc;
	struct pfioc_table io;
	struct pfr_addr addr;
	struct pfr_table table;

	bzero(&addr, sizeof(struct pfr_addr));
	rc = inet_pton(AF_INET, ip, &(addr.pfra_ip4addr));
	if (-1 == rc) {
		rc = inet_pton(AF_INET6, ip, &(addr.pfra_ip6addr));
		if (-1 == rc) {
			warn(NULL);
			return -1;
		}
		addr.pfra_af = AF_INET6;
		addr.pfra_net = 128;
	} else {
		addr.pfra_af = AF_INET;
		addr.pfra_net = 32;
	}

	bzero(&table, sizeof(struct pfr_table));
	strlcpy(table.pfrt_name, tablename, PF_TABLE_NAME_SIZE);

	bzero(&io, sizeof(struct pfioc_table));
	io.pfrio_flags = PFR_FLAG_FEEDBACK;
	io.pfrio_table = table;
	io.pfrio_buffer = &addr;
	io.pfrio_esize = sizeof(struct pfr_addr);
	io.pfrio_size = 1;
	if (ioctl(dev, DIOCRADDADDRS, &io) == -1) {
		log_warn("DIOCRADDADDRS");
		return -1;
	}

	return io.pfrio_nadd;
}


int
main(int argc, char **argv)
{
	int		 dev;
	int		 queue, nev;
	int		 ch, rc;
	struct kevent	 ev[2];
	int		 debug = 0, verbose = 0;
	FILE		*authlog = NULL;

	if (geteuid() != 0)
		errx(1, "Need root privileges to run.");

	while ((ch = getopt(argc, argv, "dv")) != -1) {
		switch (ch) {
		case 'd':
			debug = 2;
			break;
		case 'v':
			verbose++;
			break;
		default:
			usage();
			/* NOT REACHED */
		}
	}

	argc -= optind;
	argv += optind;

	if (argc != 0)
		usage();

	setprogname("ssh-sentry");

	log_init(debug ? debug : 0, LOG_DAEMON);
	log_setverbose(verbose);

	dev = open("/dev/pf", O_RDWR);
	if (-1 == dev)
		err(1, "open /dev/pf failed");

	rc = regcomp(&rx_failed_invalid_user, RX_FAILED_INVALID_USER,
	    REG_EXTENDED);
	if (rc != 0)
		errx(1, "%s", rx_error_string(rc, &rx_failed_invalid_user));

	log_init(debug, LOG_DAEMON);
	log_setverbose(verbose);

	if (!debug) {
		if (daemon(0, 0) == -1)
			fatal("daemon");
	}

	signal(SIGTERM, sighandler);
	signal(SIGINT, sighandler);

	if ((queue = kqueue()) == -1)
		fatal("kqueue");

	if (unveil(AUTHLOG_FILENAME, "r") == -1)
		fatal("unveil");
	if (unveil(NULL, NULL) == -1)
		fatal("unveil");
#if 0
	// XXX: pledge for pf does not contain DIOCRADDADDRS, so unless
	// that is added we can't pledge
	// The way to go would be to split the process into two, where
	// the child processes sole purpose would be to talk to /dev/pf
	if (pledge("stdio rpath pf") == -1)
		fatal("pledge");
#endif

	if ((authlog = fopen(AUTHLOG_FILENAME, "r")) == NULL)
		fatal("%s", AUTHLOG_FILENAME);
	if (fseek(authlog, 0L, SEEK_END) < 0)
		fatal("fseek");

add_events:
	EV_SET(&ev[0], fileno(authlog), EVFILT_READ,
	    EV_ENABLE | EV_ADD | EV_CLEAR, 0, 0, NULL);
	EV_SET(&ev[1], fileno(authlog), EVFILT_VNODE,
	    EV_ENABLE | EV_ADD | EV_CLEAR,
	    NOTE_DELETE | NOTE_RENAME, 0, NULL);
	if (kevent(queue, ev, 2, NULL, 0, NULL))
		fatal(NULL);

	log_info("Starting event loop...");
	struct kevent ke;
	while (run) {
		nev = kevent(queue, NULL, 0, &ke, 1, NULL);
		if (nev == -1) {
			if (errno != EINTR) {
				log_warn("kevent");
				break;
			}
		}

		if (nev > 0) {
			if (ke.filter == EVFILT_READ) {
				handle_authlog(dev, authlog);
			} else if (ke.filter == EVFILT_VNODE) {
				if (ke.fflags & NOTE_RENAME) {
					log_info("%s renamed...",
					    AUTHLOG_FILENAME);
					authlog = freopen(AUTHLOG_FILENAME,
					    "r", authlog);
					if (authlog == NULL)
						fatal("freopen");
					goto add_events;
				} else if (ke.fflags & NOTE_DELETE) {
					log_info("%s renamed...",
					    AUTHLOG_FILENAME);
					authlog = freopen(AUTHLOG_FILENAME,
					    "r", authlog);
					if (authlog == NULL)
						fatal("freopen");
					goto add_events;
				}
			}
		}
	}
	close(queue);
	close(dev);
	regfree(&rx_failed_invalid_user);

	return 0;
}