Date:      Mon, 20 Apr 2020 12:43:43 +0100
From:      "Norman Gray" <>
To:        FreeBSD Questions Mailing List <>
Subject:   blacklistd: what does it detect?
Message-ID:  <>



I've enabled blacklistd on a 12.1 machine accessible to the open
internet, but it's not blocking as many failed ssh attempts as I expect.
Am I misunderstanding something?

My goal is to cut down noise in the 'daily security run' output (the 
machine doesn't accept passwords for authentication, so I'm not 
particularly worried about these as break-in attempts).

I'm seeing, in the logs, lots of attempts like

Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user service port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user admin port 40990 [preauth]
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from port 
Apr 19 12:47:13 nxg2 sshd[44488]: Connection closed by invalid user dvs port 42484 [preauth]

This is less than 24 hours ago, at the time of writing.  That IP address 
appears 13 times in this time period; another address 
appears 8 times, appears 36 times; a few others smaller 

I expect to see these addresses in both the blacklistctl dump -a output, 
and in the list of addresses in the port22 table in the blacklistd/22 pf 
anchor, but I'm not seeing either of these addresses in either location.

Comparing this log output with the blacklistctl output and the pf table, 
and looking at the IP addresses with fewer attempts, I can see overlaps 
-- addresses which appear in two or three of the locations, but it's 
only partial.  I'd have expected a fairly straightforward correlation 
between (i) failed-login log entries, (ii) entries in blacklistctl dump 
-a output, and (iii) entries in the pf table (modulo some complications 
to do with entries expiring, or not having reached their ban 
thresholds).  However I see things in (i) but not (ii) or (iii), and 
things in (iii) with nothing corresponding in the other two.

I'm fairly sure that blacklistd has been running continuously for at 
least the last 24 hours (though blacklistd isn't itself particularly 
chatty in the logs), so I don't _think_ there's a startup-cache issue.

Examining blacklistd.conf(5) and the handbook [1], there's not a lot to 
configure here (which is a Good Thing, and an attractive contrast with 
fail2ban), so there don't seem to be many opportunities for me to break 
this.  What am I missing?   What is it that blacklistd is 

Best wishes,



Norman Gray  :
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401

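The three-way comparison the post describes (sshd failed-login lines vs. blacklistctl dump -a vs. the pf table) can be done mechanically. The script below is an added example, not part of the original mail or of blacklistd; it runs on constructed sample data using RFC 5737 documentation addresses, and the blacklistctl dump column layout (address/mask:port, optional id, nfail/limit, last access) is an assumption to check against your own output.

```python
"""Correlate sshd failures, blacklistctl state and the pf table (constructed sample data)."""
import re
from collections import Counter

# Constructed sample input modelled on the lines quoted in the post (addresses are
# RFC 5737 documentation ranges). Only lines that record a failed login attempt are
# counted; the matching "Connection closed" lines are ignored so each attempt counts once.
SSHD_LOG = """\
Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 192.0.2.10 port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor 192.0.2.10 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 192.0.2.10 port 50668
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 192.0.2.10 port 40990
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 198.51.100.7 port 42484
"""
# Assumed `blacklistctl dump -a` layout: address/mask:port, optional id, nfail/limit, last access.
BLACKLISTCTL_DUMP = """\
        address/ma:port id      nfail   last access
192.0.2.10/32:22        OK      3/3     2020/04/19 12:46:38
203.0.113.9/32:22               1/3     2020/04/19 11:02:01
"""
# `pfctl -a blacklistd/22 -t port22 -T show` prints one address per line.
PF_TABLE = """\
   192.0.2.10
   203.0.113.50
"""
LOGIN_FAIL = re.compile(r"(?:Invalid user \S+|Failed \S+ for (?:invalid user )?\S+) from (\S+) port \d+")
DUMP_ENTRY = re.compile(r"^(\S+)/\d+:(\d+)\s+(?:[^\s/]+\s+)?(\d+)/(\d+)\s")

def failures_from_sshd(log):
    """Count failed-login log entries per source address: the post's (i)."""
    return Counter(m.group(1) for m in LOGIN_FAIL.finditer(log))

def entries_from_dump(dump, port=22):
    """Map address -> (nfail, limit) from blacklistctl dump -a: the post's (ii)."""
    out = {}
    for line in dump.splitlines():
        m = DUMP_ENTRY.match(line)
        if m and int(m.group(2)) == port:
            out[m.group(1)] = (int(m.group(3)), int(m.group(4)))
    return out

def addresses_from_pf(table):
    """Set of addresses currently in the pf table: the post's (iii)."""
    return {line.strip() for line in table.splitlines() if line.strip()}

def correlate(log, dump, table, port=22):
    """For every address seen in any source, report which of (i), (ii), (iii) hold."""
    seen, state, blocked = failures_from_sshd(log), entries_from_dump(dump, port), addresses_from_pf(table)
    return {ip: {"log_failures": seen.get(ip, 0), "blacklistd": state.get(ip), "pf_table": ip in blocked}
            for ip in sorted(set(seen) | set(state) | blocked)}

if __name__ == "__main__":
    for ip, r in correlate(SSHD_LOG, BLACKLISTCTL_DUMP, PF_TABLE).items():
        print(f"{ip:16} log={r['log_failures']:2d}  blacklistd={r['blacklistd']}  pf={r['pf_table']}")
```

Addresses reported with log failures but no blacklistd entry, or in the pf table with nothing in the other two, are exactly the mismatches the post asks about; run it against the real three outputs to list them.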