From: "Norman Gray" <Norman.Gray@glasgow.ac.uk>
To: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: blacklistd: what does it detect?
Date: Mon, 20 Apr 2020 12:43:43 +0100
Greetings.

I've enabled blacklistd on a 12.1 machine accessible to the open internet, but it's not blocking as many failed ssh attempts as I expect. Am I misunderstanding something?

My goal is to cut down noise in the 'daily security run' output (the machine doesn't accept passwords for authentication, so I'm not particularly worried about these as break-in attempts).

I'm seeing, in the logs, lots of attempts like

Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83 port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83 port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user service 27.78.14.83 port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83 port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user admin 27.78.14.83 port 40990 [preauth]
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 27.78.14.83 port 42484
Apr 19 12:47:13 nxg2 sshd[44488]: Connection closed by invalid user dvs 27.78.14.83 port 42484 [preauth]

This is less than 24 hours ago, at the time of writing. That IP address appears 13 times in this time period; another address 116.105.215.232 appears 8 times, 61.78.107.61 appears 36 times; a few others with smaller numbers.

I expect to see these addresses in both the blacklistctl dump -a output, and in the list of addresses in the port22 table in the blacklistd/22 pf anchor, but I'm not seeing either of these addresses in either location. Comparing this log output with the blacklistctl output and the pf table, and looking at the IP addresses with fewer attempts, I can see overlaps -- addresses which appear in two or three of the locations, but it's only partial.
I'd have expected a fairly straightforward correlation between (i) failed-login log entries, (ii) entries in blacklistctl dump -a output, and (iii) entries in the pf table (modulo some complications to do with entries expiring, or not having reached their ban thresholds). However I see things in (i) but not (ii) or (iii), and things in (iii) with nothing corresponding in the other two.

I'm fairly sure that blacklistd has been running continuously for at least the last 24 hours (though blacklistd isn't itself particularly chatty in the logs), so I don't _think_ there's a startup-cache issue.

Examining blacklistd.conf(5) and the handbook [1], there's not a lot to configure here (which is a Good Thing, and an attractive contrast with fail2ban), so there don't seem to be many opportunities for me to break this.

What am I missing? What is it that blacklistd is detecting/reporting?

Best wishes,

Norman

[1] https://www.freebsd.org/doc/handbook/firewalls-blacklistd.html

-- 
Norman Gray : http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
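As an added example that is not part of the original post, the following POSIX sh script performs the three-way comparison described above: it counts sshd "Invalid user" entries per source address and lists the addresses that reach a failure threshold yet are absent from the pf table or the blacklistctl listing. The live inputs are replaced by constructed samples (the log lines are the ones quoted in the post plus one made-up line); the column layout assumed for blacklistctl dump -a is an assumption, and the threshold of 3 assumes the nfail value of the stock blacklistd.conf ssh line.

```shell
#!/bin/sh
# Added example, not from the original post: correlate sshd "Invalid user"
# log lines with the address lists blacklistd and pf actually hold.
# LOG reuses the lines quoted in the post plus one constructed line;
# PF_TABLE and BL_DUMP are constructed stand-ins for live command output.
LOG='Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83 port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83 port 50668
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83 port 40990
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 27.78.14.83 port 42484
Apr 19 13:01:02 nxg2 sshd[44501]: Invalid user test from 116.105.215.232 port 41000'
# Stand-in for: pfctl -t port22 -T show   (one address per line, indented)
PF_TABLE='   61.78.107.61
   116.105.215.232'
# Stand-in for: blacklistctl dump -a | awk 'NR > 1 { print $1 }'
# (assumes the first column looks like address/mask:port)
BL_DUMP='61.78.107.61/32:22'

# Count "Invalid user" events per source address: prints "count ip", most
# frequent first.  The "Connection closed ... [preauth]" lines are ignored
# on purpose so that each attempt is counted once.
count_invalid() {
    printf '%s\n' "$1" |
        awk '/sshd\[[0-9]+\]: Invalid user .* from / {
                 for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
             }
             END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Reduce a blocklist to bare IPv4 addresses: strip indentation and any
# /mask:port suffix (IPv6 entries, which contain ':', are not handled).
addrs() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's#[/:].*$##' |
        grep -v '^$' | sort -u
}

# Print "count ip" for every address with at least $2 failures in log $1
# that is missing from address list $3.  $2 should match the nfail column
# of the ssh line in blacklistd.conf (3 in the stock file).
missing_from() {
    count_invalid "$1" | while read -r n ip; do
        [ "$n" -ge "$2" ] || continue
        printf '%s\n' "$3" | grep -qxF "$ip" || echo "$n $ip"
    done
}

main() {
    echo '== in sshd log but not in pf table port22 =='
    missing_from "$LOG" 3 "$(addrs "$PF_TABLE")"
    echo '== in sshd log but not in blacklistctl dump -a =='
    missing_from "$LOG" 3 "$(addrs "$BL_DUMP")"
}
main
```

On the live machine, set LOG from /var/log/auth.log and replace PF_TABLE and BL_DUMP with the output of pfctl -t port22 -T show and blacklistctl dump -a; any address the script prints is one that reached the threshold in the log without ever being recorded by that component.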