Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 23 Apr 2020 11:24:06 +0100
From:      "Norman Gray" <>
To:        FreeBSD Questions Mailing List <>
Subject:   Re: blacklistd: what does it detect?
Message-ID:  <>
In-Reply-To: <>
References:  <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help


On 20 Apr 2020, at 12:43, Norman Gray wrote:

> I've enabled blacklistd on a 12.1 machine accessible to the open 
> internet, but it's not blocking as many failed ssh attempts as I 
> expect.  Am I misunderstanding something?

Is there documentation anywhere (outside of the source) of how 
blacklistd and sshd interact?

There seems to be very little correlation between what I find in 
auth.log and what blacklistd is acting on, as reported by blacklistctl.  
Addresses seem to be blocked which barely appear in the log, and not 
blocked after making multiple appearances in one message or another.

I haven't gone through [1] and [2] line by line, but what I've seen 
there makes broad sense, and leads me to expect something different from 
what I'm seeing.

I'm worrying I've got something horribly misconfigured (though I've 
barely fiddled with the relevant configurations).

My immediate goal is to cut down noise in the 'daily security run' log, 
and if that's chattering about connection attempts that sshd/blacklistd 
think aren't worth acting on, then I'm going to feel tempted to start 
fiddling with /etc/periodic/security/800.loginfail (which would probably 
be a bad idea).

Best wishes,



Norman Gray  :
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401

Want to link to this message? Use this URL: <>