Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Apr 2020 12:43:43 +0100
From:      "Norman Gray" <norman.gray@glasgow.ac.uk>
To:        FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject:   blacklistd: what does it detect?
Message-ID:  <E8F1273A-A25F-44FF-9E22-21AC1DD71010@glasgow.ac.uk>

Next in thread | Raw E-Mail | Index | Archive | Help

Greetings.

I've enabled blacklistd on a 12.1 machine accessible to the open 
internet, but it's not blocking as many failed ssh attempts as I expect. 
  Am I misunderstanding something?

My goal is to cut down noise in the 'daily security run' output (the 
machine doesn't accept passwords for authentication, so I'm not 
particularly worried about these as break-in attempts).

I'm seeing, in the logs, lots of attempts like

Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83 
port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user 
monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83 
port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user 
service 27.78.14.83 port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83 
port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user 
admin 27.78.14.83 port 40990 [preauth]
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 27.78.14.83 port 
42484
Apr 19 12:47:13 nxg2 sshd[44488]: Connection closed by invalid user dvs 
27.78.14.83 port 42484 [preauth]

This is less than 24 hours ago, at the time of writing.  That IP address 
appears 13 times in this time period; another address 116.105.215.232 
appears 8 times, 61.78.107.61 appears 36 times; a few others smaller 
numbers.

I expect to see these addresses in both the blacklistctl dump -a output, 
and in the list of addresses in the port22 table in the blacklistd/22 pf 
anchor, but I'm not seeing either of these address in either location.

Comparing this log output with the blacklistctl output and the pf table, 
and looking at the IP addresses with fewer attempts, I can see overlaps 
-- addresses which appear in two or three of the locations, but it's 
only partial.  I'd have expected a fairly straightforward correlation 
between  (i) failed-login log entries, (ii) entries in blacklistctl dump 
-a output, and (iii) entries in the pf table (modulo some complications 
to do with entries expiring, or not having reached their ban 
thresholds).  However I see things in (i) but not (ii) or (iii), and 
things in (iii) with nothing corresponding in the other two.

I'm fairly sure that blacklistd has been running continuously for at 
least the last 24 hours (though blacklistd isn't itself particularly 
chatty in the logs), so I don't _think_ there's a startup-cache issue.

Examining blacklistd.conf(5) and the handbook [1], there's not a lot to 
configure here (which is a Good Thing, and an attractive contrast with 
fail2ban), so there don't seem to be many opportunities for me to break 
this.  What am I missing?   What is it that blacklistd is 
detecting/reporting?

Best wishes,

Norman


[1] https://www.freebsd.org/doc/handbook/firewalls-blacklistd.html


-- 
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?E8F1273A-A25F-44FF-9E22-21AC1DD71010>