blacklistd: what does it detect?
norman.gray at glasgow.ac.uk
Thu Apr 23 10:24:12 UTC 2020
On 20 Apr 2020, at 12:43, Norman Gray wrote:
> I've enabled blacklistd on a 12.1 machine accessible to the open
> internet, but it's not blocking as many failed ssh attempts as I
> expect. Am I misunderstanding something?
Is there documentation anywhere (outside of the source) of how
blacklistd and sshd interact?
There seems to be very little correlation between what I find in
auth.log and what blacklistd is acting on, as reported by blacklistctl.
Addresses seem to be blocked which barely appear in the log, and not
blocked after making multiple appearances in one message or another.
I haven't gone through  and  line by line, but what I've seen
there makes broad sense, and leads me to expect something different from
what I'm seeing.
I'm worrying I've got something horribly misconfigured (though I've
barely fiddled with the relevant configurations).
My immediate goal is to cut down noise in the 'daily security run' log,
and if that's chattering about connection attempts that sshd/blacklistd
think aren't worth acting on, then I'm going to feel tempted to start
fiddling with /etc/periodic/security/800.loginfail (which would probably
be a bad idea).
Norman Gray : http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
More information about the freebsd-questions