Date:      Mon, 20 Apr 2020 12:43:43 +0100
From:      "Norman Gray" <norman.gray@glasgow.ac.uk>
To:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   blacklistd: what does it detect?
Message-ID:  <E8F1273A-A25F-44FF-9E22-21AC1DD71010@glasgow.ac.uk>


Greetings.

I've enabled blacklistd on a 12.1 machine accessible to the open 
internet, but it's not blocking as many failed ssh attempts as I expect. 
Am I misunderstanding something?

My goal is to cut down noise in the 'daily security run' output (the 
machine doesn't accept passwords for authentication, so I'm not 
particularly worried about these as break-in attempts).

I'm seeing, in the logs, lots of attempts like

Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83 port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83 port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user service 27.78.14.83 port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83 port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user admin 27.78.14.83 port 40990 [preauth]
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 27.78.14.83 port 42484
Apr 19 12:47:13 nxg2 sshd[44488]: Connection closed by invalid user dvs 27.78.14.83 port 42484 [preauth]

This is less than 24 hours ago, at the time of writing.  That IP address 
appears 13 times in this time period; another address 116.105.215.232 
appears 8 times, 61.78.107.61 appears 36 times; a few others with smaller 
numbers.

I expect to see these addresses in both the blacklistctl dump -a output, 
and in the list of addresses in the port22 table in the blacklistd/22 pf 
anchor, but I'm not seeing either of these addresses in either location.

Comparing this log output with the blacklistctl output and the pf table, 
and looking at the IP addresses with fewer attempts, I can see overlaps 
-- addresses which appear in two or three of the locations, but it's 
only partial.  I'd have expected a fairly straightforward correlation 
between (i) failed-login log entries, (ii) entries in blacklistctl dump 
-a output, and (iii) entries in the pf table (modulo some complications 
to do with entries expiring, or not having reached their ban 
thresholds).  However I see things in (i) but not (ii) or (iii), and 
things in (iii) with nothing corresponding in the other two.

I'm fairly sure that blacklistd has been running continuously for at 
least the last 24 hours (though blacklistd isn't itself particularly 
chatty in the logs), so I don't _think_ there's a startup-cache issue.

Examining blacklistd.conf(5) and the handbook [1], there's not a lot to 
configure here (which is a Good Thing, and an attractive contrast with 
fail2ban), so there don't seem to be many opportunities for me to break 
this.  What am I missing?   What is it that blacklistd is 
detecting/reporting?

Best wishes,

Norman


[1] https://www.freebsd.org/doc/handbook/firewalls-blacklistd.html


-- 
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
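As an added example (not part of the original post or of FreeBSD's blacklistd), the following Python tallies the "Invalid user" sshd log lines per source address, the item (i) in the three-way correlation described above, and splits those at or above a failure threshold into the ones present in and absent from a supplied list of addresses taken from `blacklistctl dump -a`. The threshold `nfail=3` and the second address 198.51.100.7 in the sample log are assumptions; the sample lines are constructed after the ones quoted in the post.

```python
import re
from collections import Counter

# Constructed sample log modelled on the sshd lines quoted in the post.
# 198.51.100.7 is a made-up address from documentation space.
SAMPLE_LOG = """\
Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83 port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83 port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user service 27.78.14.83 port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83 port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user admin 27.78.14.83 port 40990 [preauth]
Apr 19 12:50:02 nxg2 sshd[44501]: Invalid user test from 198.51.100.7 port 40123
Apr 19 12:50:02 nxg2 sshd[44501]: Connection closed by invalid user test 198.51.100.7 port 40123 [preauth]
"""

# Matches only the "Invalid user ... from ... port ..." line. The paired
# "Connection closed by invalid user" line for the same pid is deliberately
# ignored so each attempt is counted once.
INVALID_USER = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Invalid user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)$"
)

def count_invalid_users(log_text):
    """Return {source_ip: number of 'Invalid user' events} for the given sshd log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def candidates_for_block(counts, nfail=3):
    """Addresses whose log count is at or above the assumed nfail threshold (sorted)."""
    return sorted(ip for ip, n in counts.items() if n >= nfail)

def compare_with_blacklistctl(counts, dumped_ips, nfail=3):
    """Compare log-derived candidates with the addresses listed by
    `blacklistctl dump -a` (supplied here as a plain list of IP strings)."""
    expected = set(candidates_for_block(counts, nfail))
    dumped = set(dumped_ips)
    return {
        "in_both": sorted(expected & dumped),           # correlation as expected
        "log_only": sorted(expected - dumped),          # seen in (i) but not in (ii)
        "blacklistctl_only": sorted(dumped - expected), # in (ii) with nothing in (i)
    }

if __name__ == "__main__":
    tally = count_invalid_users(SAMPLE_LOG)
    print(tally)
    print(compare_with_blacklistctl(tally, ["198.51.100.7"]))
```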


