blacklistd: what does it detect?
Norman Gray
norman.gray at glasgow.ac.uk
Mon Apr 20 11:43:49 UTC 2020
Greetings.
I've enabled blacklistd on a 12.1 machine accessible to the open
internet, but it's not blocking as many failed ssh attempts as I expect.
Am I misunderstanding something?
My goal is to cut down noise in the 'daily security run' output (the
machine doesn't accept passwords for authentication, so I'm not
particularly worried about these as break-in attempts).
I'm seeing, in the logs, lots of attempts like
Apr 19 12:45:34 nxg2 sshd[44480]: Invalid user monitor from 27.78.14.83
port 35510
Apr 19 12:45:34 nxg2 sshd[44480]: Connection closed by invalid user
monitor 27.78.14.83 port 35510 [preauth]
Apr 19 12:45:46 nxg2 sshd[44482]: Invalid user service from 27.78.14.83
port 50668
Apr 19 12:45:47 nxg2 sshd[44482]: Connection closed by invalid user
service 27.78.14.83 port 50668 [preauth]
Apr 19 12:46:38 nxg2 sshd[44486]: Invalid user admin from 27.78.14.83
port 40990
Apr 19 12:46:41 nxg2 sshd[44486]: Connection closed by invalid user
admin 27.78.14.83 port 40990 [preauth]
Apr 19 12:47:13 nxg2 sshd[44488]: Invalid user dvs from 27.78.14.83 port
42484
Apr 19 12:47:13 nxg2 sshd[44488]: Connection closed by invalid user dvs
27.78.14.83 port 42484 [preauth]
This is less than 24 hours ago, at the time of writing. That IP address
appears 13 times in this time period; another address 116.105.215.232
appears 8 times, 61.78.107.61 appears 36 times; a few others smaller
numbers.
I expect to see these addresses in both the blacklistctl dump -a output,
and in the list of addresses in the port22 table in the blacklistd/22 pf
anchor, but I'm not seeing either of these address in either location.
Comparing this log output with the blacklistctl output and the pf table,
and looking at the IP addresses with fewer attempts, I can see overlaps
-- addresses which appear in two or three of the locations, but it's
only partial. I'd have expected a fairly straightforward correlation
between (i) failed-login log entries, (ii) entries in blacklistctl dump
-a output, and (iii) entries in the pf table (modulo some complications
to do with entries expiring, or not having reached their ban
thresholds). However I see things in (i) but not (ii) or (iii), and
things in (iii) with nothing corresponding in the other two.
I'm fairly sure that blacklistd has been running continuously for at
least the last 24 hours (though blacklistd isn't itself particularly
chatty in the logs), so I don't _think_ there's a startup-cache issue.
Examining blacklistd.conf(5) and the handbook [1], there's not a lot to
configure here (which is a Good Thing, and an attractive contrast with
fail2ban), so there don't seem to be many opportunities for me to break
this. What am I missing? What is it that blacklistd is
detecting/reporting?
Best wishes,
Norman
[1] https://www.freebsd.org/doc/handbook/firewalls-blacklistd.html
--
Norman Gray : http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
More information about the freebsd-questions
mailing list