Disable/tune sshlockout

Started by arnog, July 04, 2022, 06:10:51 PM

Hi all,

I am teaching networking technologies for media networks at a university of applied sciences in Germany, where I heavily rely on OPNsense as the main router distribution for teaching and for our internal media networks.

Students can use OPNsense in our lab networks for their practical exercises. Now, it sometimes happens that students repeatedly enter the wrong user credentials for the Web GUI and the sshlockout kicks in. The only way to circumvent the 60-minute lockout is to restart the router, which seems to clear the sshlockout table (or to connect from a different IP address and carry on with their tasks from this other machine).

Is there a way to either disable the lockout functionality for the lab routers or to tune the number of failed login attempts to a much higher value?

Any hint is much appreciated!

Thanks
Arno

July 05, 2022, 10:14:49 AM #1 Last Edit: July 05, 2022, 10:20:50 AM by Vilhonator
Yes there is one way.

Go to Firewall ---> Rules ---> LAN ---> next to "Automatically generated rules" click the downward-pointing arrow icon, and next to "anti-lockout rule" click the magnifying glass icon. You will be directed to the advanced firewall rule section, where you can disable it.

Keep in mind that you first need to create an allow rule for https, http and ssh for each network you want to allow access to firewall management from, or you will lock yourself and others completely out of remote management (other than the console).

Filesize of both pictures was too large, but here is the second one

Another option is to figure out which config file specifies how many login attempts are allowed and how long IPs are banned, and edit the config file via ssh or console.

Thanks, will take a look at it. :-)

Hi Arno,

Anti-lockout is something else ;)

So the script to cover the lockout actually is:

https://github.com/opnsense/core/blob/master/src/opnsense/scripts/syslog/lockout_handler

And the place for it to be configured is:

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf

If you edit this and restart syslog it'll adhere to what you configure as command line args, but it will be overwritten by the next update.

It might make more sense mid-term to add GUI-based settings for lockout and an on/off switch? If so, I'd appreciate a GitHub ticket.


Cheers,
Franco

July 05, 2022, 05:33:15 PM #6 Last Edit: July 05, 2022, 06:05:47 PM by arnog
Hi Franco,

Yeah, I just figured that anti-lockout is different from sshlockout. :-)

Just for the record: I tried Vilhonator's suggestions and OPNsense would still add the machine to the sshlockout table. Since this table is used in a floating rule, which cannot be disabled from the GUI, the lockout is still enforced.

I will try to edit the syslog-ng-lockout.conf and report back.

Thanks
Arno


July 05, 2022, 06:37:16 PM #7 Last Edit: July 05, 2022, 06:43:37 PM by arnog
Hi Franco,

I edited /usr/local/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf like this:

filter f_local_lockout_auth {
    facility(auth);
};

destination d_local_lockout_auth {
    program("/usr/local/opnsense/scripts/syslog/lockout_handler --attempts 12 --grace_period 60");
};

log {
    source(s_all);
    filter(f_local_lockout_auth);
    destination(d_local_lockout_auth);
};


After reloading syslog-ng from the Dashboard this change is reflected in /usr/local/etc/syslog-ng.conf.d/syslog-ng-lockout.conf.

If I understand the code in /usr/local/opnsense/scripts/syslog/lockout_handler correctly, my changes result in the following behaviour:

  • After 12 consecutive failed login attempts from a specific host during a period of 60 seconds, this host is added to the sshlockout table.
  • The host will stay in this table until the router is rebooted or the entry is removed from the table manually, e.g. by issuing pfctl -t sshlockout -T delete a.b.c.d.
  • When the host doesn't try to log in for 60 seconds, it is removed from the internal dicts and the counter is reset, although it is not removed from the table.

A few tests show that this works for me. I just wanted to clarify that I got this right. One thing to notice: there is a fixed value of two seconds set in lockout_handler, for which log entries are considered to belong to the same login attempt. Therefore, a lot of login attempts in quick succession might fall through the gap (if I understand the code correctly).

Is this on purpose to keep the entry in the list forever?

I will submit a ticket to make this configurable from the GUI for a future release. :-)

Thanks
Arno

Basically this is correct.

There is also expiretable binary which will remove entries from the table according to the configuration:

https://github.com/opnsense/core/blob/312faa175dad46e857590965f2bacc05453edf4f/src/etc/inc/plugins.inc.d/core.inc#L201

> Is this on purpose to keep the entry in the list forever?

The two-second window is there to deduplicate spurious attempts which could end up in the log. It's not an exact science, but it wants to normalize the event down to "human" behaviour in order to properly count each failed attempt, like you would enter your password and hit login a few times in a row.

It allows a lot more machine-based login attempts in practice, but it's still being locked out after 2 * (failed attempts) seconds like a human.


Cheers,
Franco