initial commit

Author: shaohme

.gitignore

@@ -0,0 +1,128 @@
+# Created by https://www.toptal.com/developers/gitignore/api/c,linux,emacs
+# Edit at https://www.toptal.com/developers/gitignore?templates=c,linux,emacs
+
+### C ###
+# Prerequisites
+*.d
+
+# Object files
+*.o
+*.ko
+*.obj
+*.elf
+
+# Linker output
+*.ilk
+*.map
+*.exp
+
+# Precompiled Headers
+*.gch
+*.pch
+
+# Libraries
+*.lib
+*.a
+*.la
+*.lo
+
+# Shared objects (inc. Windows DLLs)
+*.dll
+*.so
+*.so.*
+*.dylib
+
+# Executables
+*.exe
+*.out
+*.app
+*.i*86
+*.x86_64
+*.hex
+
+# Debug files
+*.dSYM/
+*.su
+*.idb
+*.pdb
+
+# Kernel Module Compile Results
+*.mod*
+*.cmd
+.tmp_versions/
+modules.order
+Module.symvers
+Mkfile.old
+dkms.conf
+
+### Emacs ###
+# -*- mode: gitignore; -*-
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+*.elc
+auto-save-list
+tramp
+.\#*
+
+# Org-mode
+.org-id-locations
+*_archive
+
+# flymake-mode
+*_flymake.*
+
+# eshell files
+/eshell/history
+/eshell/lastdir
+
+# elpa packages
+/elpa/
+
+# reftex files
+*.rel
+
+# AUCTeX auto folder
+/auto/
+
+# cask packages
+.cask/
+dist/
+
+# Flycheck
+flycheck_*.el
+
+# server auth directory
+/server/
+
+# projectiles files
+.projectile
+
+# directory configuration
+.dir-locals.el
+
+# network security
+/network-security.data
+
+
+### Linux ###
+
+# temporary files which can be created if a process still has a handle open of a deleted file
+.fuse_hidden*
+
+# KDE directory preferences
+.directory
+
+# Linux trash folder which might appear on any partition or disk
+.Trash-*
+
+# .nfs files are created when an open file is removed but is still being accessed
+.nfs*
+
+# End of https://www.toptal.com/developers/gitignore/api/c,linux,emacs
+
+build/
+.cache/
+.markdown-preview.html
+compile_commands.json

LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2022 Martin Kjær Jørgensen <[email protected]>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

Makefile

@@ -0,0 +1,23 @@
+LOCALBASE?= /usr/local/
+
+PROG=	filter-sshglogger
+MAN=	filter-sshglogger.8
+BINDIR=	${LOCALBASE}/libexec/smtpd/
+MANDIR=	${LOCALBASE}/man/man
+
+SRCS+=	main.c
+
+CFLAGS+=-I${LOCALBASE}/include
+CFLAGS+=-Wall -I${.CURDIR}
+CFLAGS+=-Wstrict-prototypes -Wmissing-prototypes
+CFLAGS+=-Wmissing-declarations
+CFLAGS+=-Wshadow -Wpointer-arith -Wcast-qual
+CFLAGS+=-Wsign-compare
+LDFLAGS+=-L${LOCALBASE}/lib
+LDADD+= -levent -lopensmtpd
+DPADD=	${LIBEVENT}
+
+bindir:
+	${INSTALL} -d ${DESTDIR}${BINDIR}
+
+.include <bsd.prog.mk>

Makefile.gnu

@@ -0,0 +1,66 @@
+LOCALBASE?=	/usr/
+
+PROG=		filter-sshglogger
+MAN=		filter-sshglogger.8
+BINDIR=		${LOCALBASE}/libexec/opensmtpd/
+MANDIR=		${LOCALBASE}/share/man/man8
+
+SRCS+=		main.c
+
+CFLAGS+=	-I${LOCALBASE}/include
+CFLAGS+=	-DPROG=${PROG}
+CFLAGS+=	-Wall -I${.CURDIR}
+CFLAGS+=	-Wstrict-prototypes -Wmissing-prototypes
+CFLAGS+=	-Wmissing-declarations
+CFLAGS+=	-Wshadow -Wpointer-arith -Wcast-qual
+CFLAGS+=	-Wsign-compare
+CFLAGS+=	${CRYPT_CFLAGS}
+CFLAGS+=	-I${CURDIR}
+
+LDFLAGS+=	-L${LOCALBASE}/lib
+LDFLAGS+=	${CRYPT_LDFLAGS}
+LDADD+=		${CRYPT_LDADD} -lopensmtpd
+
+INSTALL?=	install
+
+MANFORMAT?=		mangz
+
+BINOWN?=	root
+BINGRP?=	root
+BINPERM?=	755
+MANOWN?=	root
+MANGRP?=	root
+MANPERM?=	644
+
+ifeq (${MANFORMAT}, mangz)
+TARGET_MAN=		${MAN}.gz
+CLEANFILES+=		${TARGET_MAN}
+${TARGET_MAN}: ${MAN}
+	mandoc -Tman ${MAN} | gzip > $@
+else
+TARGET_MAN=		${MAN}
+endif
+
+${SRCS:.c=.d}:%.d:%.c
+	 ${CC} ${CFLAGS} -MM $< >$@
+CLEANFILES+=	${SRCS:.c=.d}
+
+OBJS=		${notdir ${SRCS:.c=.o}}
+CLEANFILES+=	${OBJS}
+
+${PROG}: ${OBJS}
+	${CC} ${LDFLAGS} -o $@ ${OBJS} ${LDADD}
+
+.DEFAULT_GOAL=		all
+.PHONY: all
+all: ${PROG} ${TARGET_MAN}
+CLEANFILES+=	${PROG}
+
+.PHONY: clean
+clean:
+	rm -f ${CLEANFILES}
+
+.PHONY: install
+install: ${PROG}
+	${INSTALL} -D -o ${BINOWN} -g ${BINGRP} -m ${BINPERM} ${PROG} ${DESTDIR}${BINDIR}/${PROG}
+	${INSTALL} -D -o ${MANOWN} -g ${MANGRP} -m ${MANPERM} ${TARGET_MAN} ${DESTDIR}${MANDIR}/${TARGET_MAN}

README.md

@@ -0,0 +1,85 @@
+# filter-sshglogger
+
+One day I noticed something brute forcing authentication attempts on
+my `opensmtpd` server which already runs `sshguard` protecting sshd, so
+I wondered if I could protect `opensmtpd` the same way ...
+
+## Description
+This filter listens on `opensmtpd` authentication attempts and checks
+if they fail because of incorrect username or password combination. If
+so, it logs the attempt to `syslog` in a format `sshguard` parses
+correctly, and let it and `pf` decide what to do.
+
+## Dependencies
+It requires OpenSMTPD 6.6.0 or higher and needs an extended version of
+`libopensmtpd` not yet merged. See changes here
+[libopensmtpd](<https://github.com/shaohme/libopensmtpd>)
+
+## How to install
+Install the modified `libopensmtpd` library metioned in dependencies by
+cloning it at running:
+
+```
+$ doas make install
+```
+
+This should install or overwrite existing `libopensmtpd` library with a
+modified version allowing filters to subscribe to authentication
+events.
+
+Afterwards close this repository and run the usual install command:
+
+```
+$ doas make install
+```
+
+The filter should now be installed in default `opensmtpd` filters
+directory `/usr/local/libexec/smtpd`
+
+## How to configure
+The filter itself requires no configuration.
+
+It must be declared in smtpd.conf and attached to a listener for sessions to go through filter-sshglogger:
+```
+# smtpd.conf
+...
+filter sshguard proc-exec "filter-sshglogger"
+
+...
+listen on all port smtp tls pki "default" filter { "rdns", "sshguard" }
+```
+
+`filter-sshglogger` will open a syslog interface and log failed
+authentication attempts using its own application name. This should
+probably be written to its own logfile, like so:
+
+```
+# /etc/syslog.conf
+...
+!!filter-sshglogger
+*.*                                                     /var/log/smtpd-sshg
+```
+
+`sshguard` should be configured to pickup these events and act
+accordingly, like so:
+
+```
+# /etc/sshguard.conf
+
+BACKEND="/usr/local/libexec/sshg-fw-pf"
+...
+FILES="/var/log/authlog /var/log/maillog /var/log/smtpd-sshg"
+```
+
+`syslog` omits repeated entries in logs. `sshguard` might need these
+repeated entires to form a judgement. To make `syslog` stop omitting
+these entries, simply add:
+
+```
+# /etc/rc.conf.local
+...
+syslogd_flags=-rr
+```
+
+From now on `sshguard` should recognize failed authentication attempts
+and block the peer temporarily using the same rules as with SSH, etc.

filter-sshglogger.8

@@ -0,0 +1,30 @@
+.\"	$OpenBSD$
+.\"
+.\" Copyright (c) 2022 Martin Kjær Jørgensen <[email protected]>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate$
+.Dt FILTER-SSHGLOGGER 8
+.Os
+.Sh NAME
+.Nm filter-sshglogger
+.Nd writes failed auth attempts to syslog
+.Sh DESCRIPTION
+.Nm
+Checks if authentication attempt was failed. If so, write the incident
+to syslog in a format sshguard can parse and act accordingly to its
+configuration.
+.Sh SEE ALSO
+.Xr smtpd 8
+.Xr sshguard 8