I can pull detailed logs if it would help, but the basic use case seems consistent with each of the ~half-dozen CL hosts I've deployed in the cloud:

1. SSH to a remote host using password auth for the normal installer-created user, then log out: ✅
2. Run ssh-copy-id to install the local client (ed25519) SSH public key into authorized_keys on the same host
3. ...watch the copy hang at INFO: 1 key(s) remain to be installed..., after which tallow has banned the client IP: 😢

I'm guessing there's a logfile parsing issue where the handshake used to query existing keys appears as a failed auth and results in the ban, but this exact workflow is part of how I bootstrap a new server or workstation so it's honestly a PITA that tallow locks me out 100% of the time when I do it, after which I have to log in via the actual server console and whitelist client IPs and flush firewall rules to unlock my access.

Usernames in SSH log entries can actually contain spaces. If someone tries to login as x x x 1.2.3.4, the log will contain:

Invalid user x x x 1.2.3.4 from <attacker ip>

This will cause "1.2.3.4" to be blocked instead of .

Today I finished systemd support on https://github.com/Lekensteyn/ssh-blocker. Note that it does not have regexes for the "Failed password for invalid user" since I use keys only and use messages from sshd, not PAM. It is trivial to add more matches though (regex.c)

Confirmed on one system - loads of login failures:

• v17 no blocks
• v16 blocks right away almost

Just feedback:

Butter fingered the password a few times on ssh to my Clear laptop from another machine at home and was surprised to find tallow was running after a fresh install and it blocked my other machine.

I didn't realize Clear Linux enables this by default
I didn't realize it operates on my local network

Sean

This is an RFE for adding IPv6 Link-Local Address (LLA) range and Unique local address (ULA) to the default whitelist.

So essentially add fd00::/8 and FE80::/10 prefixes.
Maybe even IPv6 localhost adrress

I have noticed on my server (Arch) that not a single malicious IP has been blocked.

I debugged the code and notices that the sd_journal_next call always returns 0. So the while loop is always skipped (and no journal message will ever get parsed). I found this discussion systemd/systemd#26577 which describes that a sd_journal_previous call directly after sd_journal_seek_tail is necessary to pull out journal messages with sd_journal_next.

So I applied this patch and tallow started working again.

diff --git a/src/tallow.c b/src/tallow.c
index 58e0fb4..2c9fc85 100644
--- a/src/tallow.c
+++ b/src/tallow.c
@@ -371,6 +371,7 @@ int main(void)
 
 	/* go to the tail and wait */
 	r = sd_journal_seek_tail(j);
+	sd_journal_previous(j);
 	sd_journal_wait(j, (uint64_t) 0);
 	dbg("sd_journal_seek_tail() returned %d\n", r);
 	while (sd_journal_next(j) != 0)
@@ -387,6 +388,7 @@ int main(void)
 		if (r == SD_JOURNAL_INVALIDATE) {
 			fprintf(stderr, "Journal was rotated, resetting\n");
 			sd_journal_seek_tail(j);
+			sd_journal_previous(j);
 		} else if (r == SD_JOURNAL_NOP) {
 			dbg("Timeout reached, waiting again\n");
 			continue;

Don't know if Clear Linux is also affected by this strange journal behavior.

I noticed in top that tallow was consuming 100% of a cpu thread.

A gdb attach shows its stack as:

(gdb) where
#0  0x00007fa3ae02fd4c in ?? () from /usr/lib64/libsystemd.so.0
#1  0x00007fa3ae0301be in ?? () from /usr/lib64/libsystemd.so.0
#2  0x00007fa3ae03e057 in sd_journal_get_data () from /usr/lib64/libsystemd.so.0
#3  0x0000555ba651b775 in ?? ()
#4  0x00007fa3ae1472c3 in __libc_start_main () from /usr/lib64/haswell/libc.so.6
#5  0x0000555ba651baee in ?? ()

A continue/stop then showed it as:

(gdb) where
#0  0x00007fa3ae0ca578 in ?? () from /usr/lib64/libpcre.so.1
#1  0x00007fa3ae0db08b in pcre_exec () from /usr/lib64/libpcre.so.1
#2  0x0000555ba651b801 in ?? ()
#3  0x00007fa3ae1472c3 in __libc_start_main () from /usr/lib64/haswell/libc.so.6
#4  0x0000555ba651baee in ?? ()

The tallow journal looks like:

 # journalctl -u tallow
-- Logs begin at Thu 2019-10-31 10:18:08 GMT, end at Fri 2019-11-01 17:28:18 GMT. --
Oct 31 13:57:04 skull tallow[216312]: Journal was rotated, resetting
Oct 31 18:00:40 skull systemd[1]: Stopping Tallow Service...
Oct 31 18:00:40 skull systemd[1]: tallow.service: Succeeded.
Oct 31 18:00:40 skull systemd[1]: Stopped Tallow Service.
-- Reboot --
Nov 01 09:53:49 skull systemd[1]: Started Tallow Service.
Nov 01 09:53:49 skull tallow[397]: /usr/share/tallow/sshd.json: 10 patterns
Nov 01 09:53:49 skull tallow[397]: Skipped reading /etc/tallow: No such file or directory
Nov 01 09:53:49 skull tallow[397]: Loaded 10 patterns total
Nov 01 09:53:49 skull tallow[397]: tallow 18 Started
Nov 01 10:06:34 skull tallow[397]: Journal was rotated, resetting
Nov 01 10:46:00 skull systemd[1]: Stopping Tallow Service...
Nov 01 10:46:00 skull systemd[1]: tallow.service: Succeeded.
Nov 01 10:46:00 skull systemd[1]: Stopped Tallow Service.
Nov 01 10:46:00 skull systemd[1]: Started Tallow Service.
Nov 01 10:46:00 skull tallow[134447]: /usr/share/tallow/sshd.json: 10 patterns
Nov 01 10:46:00 skull tallow[134447]: Skipped reading /etc/tallow: No such file or directory
Nov 01 10:46:00 skull tallow[134447]: Loaded 10 patterns total
Nov 01 10:46:00 skull tallow[134447]: tallow 18 Started
Nov 01 14:44:35 skull tallow[134447]: Journal was rotated, resetting

The only 'interesting' thing on this machine is that it is running a single node k8s cluster.

The machine is:

# cat /etc/os-release
NAME="Clear Linux OS"
VERSION=1
ID=clear-linux-os
ID_LIKE=clear-linux-os
VERSION_ID=31460
PRETTY_NAME="Clear Linux OS"
ANSI_COLOR="1;35"
HOME_URL="https://clearlinux.org"
SUPPORT_URL="https://clearlinux.org"
BUG_REPORT_URL="mailto:[email protected]"
PRIVACY_POLICY_URL="http://www.intel.com/privacy"

iptables -t filter -A INPUT -m set --match-set tallow src -j DROP

Does not apply when rules already exists as it insert at bottom.

iptables -I INPUT 1 -m set --match-set tallow src -j DROP

Fix the issue.

Thanks

In course of debugging an issue with the clr_debug_daemon today, tallow suddenly blocked my IP address. From the evidence in the journal, I see these two log messages (IP address and hostname masked):

May 25 20:20:05 HOSTNAME tallow[8811]: Journal was rotated, resetting
May 25 20:20:05 HOSTNAME tallow[8811]: Blocked xx.xx.xx.xx

The previous ~50 journal log messages were all from clr_debug_daemon, and all have the same timestamp as above (May 25 20:20:05).

I was locked out of my ssh session a couple of days ago as well, and from the evidence in the journal, I suspect a similar sequence of events: clr_debug_daemon was spamming the journal, and then tallow blocked my IP. Except there were two "journal rotated" log messages that time...

May 23 22:42:11 HOSTNAME tallow[302]: Journal was rotated, resetting
May 23 22:42:11 HOSTNAME tallow[302]: Blocked xx.xx.xx.xx
May 23 22:42:11 HOSTNAME tallow[302]: Journal was rotated, resetting

Since we have multiple vectors being handled by the same function, it can be re-entered multiple times at an attackers discretion since they may have control over various signals that can be sent by terminal sequences, packet flags and so forth. As the signal handler here is managing heap data, it can be groomed and exploited to facilitate remote command execution, for instance as the various free() calls are made with pointers that have already been free'd by another signal that jumped in while processing.

• Do not have multiple vectors calling the same handler.

	memset(&s, 0, sizeof(struct sigaction));
	s.sa_handler = sig;
	sigaction(SIGHUP, &s, NULL);
	sigaction(SIGTERM, &s, NULL);
	sigaction(SIGINT, &s, NULL);

• Be very careful with state, there's no locking here and lots of heap interactions that are remotely controllable by attackers.

OWASP has an excerpt, pretty much see every UNIX daemon from 2006 (ssh, sendmail, etc...).

https://www.owasp.org/index.php/Race_condition_in_signal_handler

A feature request to add firewalld as an option for the ipt_tool and use it to configure ipsets when it is in use.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-setting_and_controlling_ip_sets_using_firewalld

https://firewalld.org/documentation/man-pages/firewalld.ipset.html