blacklistd: what does it detect?

Norman Gray norman.gray at glasgow.ac.uk
Thu Apr 23 10:24:12 UTC 2020


Greetings.

On 20 Apr 2020, at 12:43, Norman Gray wrote:

> I've enabled blacklistd on a 12.1 machine accessible to the open 
> internet, but it's not blocking as many failed ssh attempts as I 
> expect.  Am I misunderstanding something?

Is there documentation anywhere (outside of the source) of how 
blacklistd and sshd interact?

There seems to be very little correlation between what I find in 
auth.log and what blacklistd is acting on, as reported by blacklistctl.  
Addresses seem to be blocked which barely appear in the log, and not 
blocked after making multiple appearances in one message or another.

I haven't gone through [1] and [2] line by line, but what I've seen 
there makes broad sense, and leads me to expect something different from 
what I'm seeing.

I'm worrying I've got something horribly misconfigured (though I've 
barely fiddled with the relevant configurations).

My immediate goal is to cut down noise in the 'daily security run' log, 
and if that's chattering about connection attempts that sshd/blacklistd 
think aren't worth acting on, then I'm going to feel tempted to start 
fiddling with /etc/periodic/security/800.loginfail (which would probably 
be a bad idea).

Best wishes,

Norman


[1] https://reviews.freebsd.org/rS305065#change-w4DoRPrDuJ51
[2] https://github.com/freebsd/freebsd/tree/master/crypto/openssh

-- 
Norman Gray  :  http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
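As an added illustration of the log-side half of the comparison above (example code, not from the original message or from FreeBSD): this Python script tallies sshd entries in auth.log per source address and separates completed authentication failures ("Failed password ..." and friends) from the surrounding connection noise ("Invalid user ...", "Did not receive identification string ...", "Connection closed ... [preauth]"). The log lines are constructed samples in the stock FreeBSD syslog layout; the threshold of 3 is an assumption taken from the nfail column of the default ssh entry in blacklistd.conf, and which of these lines sshd actually reports to blacklistd is exactly the question the message asks, so the count here is only the auth.log side of the ledger.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines for this example (not from the original post).
SAMPLE_AUTH_LOG = """\
Apr 23 09:01:02 host sshd[1001]: Invalid user admin from 203.0.113.5 port 51234
Apr 23 09:01:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 23 09:01:05 host sshd[1001]: Connection closed by invalid user admin 203.0.113.5 port 51234 [preauth]
Apr 23 09:02:10 host sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 23 09:02:12 host sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 23 09:03:00 host sshd[1003]: Did not receive identification string from 198.51.100.9 port 40000
Apr 23 09:04:00 host sshd[1004]: Failed password for norman from 192.0.2.44 port 55000 ssh2
Apr 23 09:04:05 host sshd[1004]: Accepted publickey for norman from 192.0.2.44 port 55000 ssh2: ED25519 SHA256:...
"""

_IP = r"(?P<ip>[0-9a-fA-F.:]+)"

# Message shapes sshd writes, most specific first. Only "auth_failure" is a
# completed authentication attempt; the rest are connection noise around it.
_PATTERNS = [
    ("auth_failure", re.compile(
        r"Failed (?:password|publickey|keyboard-interactive/pam|none) for "
        r"(?:invalid user )?(?P<user>\S+) from " + _IP + r" port \d+")),
    ("invalid_user", re.compile(r"Invalid user (?P<user>\S*) from " + _IP + r" port \d+")),
    ("no_ident", re.compile(r"Did not receive identification string from " + _IP)),
    ("closed_preauth", re.compile(
        r"Connection closed by (?:invalid user |authenticating user )?(?:\S+ )?"
        + _IP + r" port \d+ \[preauth\]")),
    ("accepted", re.compile(r"Accepted \S+ for (?P<user>\S+) from " + _IP + r" port \d+")),
]


def classify(line):
    """Return (category, source_ip, user_or_None) for a recognised sshd line, else None."""
    if "sshd[" not in line:
        return None
    for category, pattern in _PATTERNS:
        m = pattern.search(line)
        if m:
            return category, m.group("ip"), m.groupdict().get("user")
    return None


def summarize(text):
    """Per-source-address Counter of categories over a block of auth.log text."""
    per_ip = defaultdict(Counter)
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            category, ip, _ = hit
            per_ip[ip][category] += 1
    return per_ip


def over_threshold(per_ip, nfail=3):
    """Addresses whose completed auth failures reach nfail.

    nfail=3 is assumed from the stock blacklistd.conf ssh entry; pass your own value.
    """
    return sorted(ip for ip, counts in per_ip.items() if counts["auth_failure"] >= nfail)


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py < /var/log/auth.log   (reads the sample when no stdin is piped)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTH_LOG
    tallies = summarize(text)
    for ip in sorted(tallies, key=lambda a: -tallies[a]["auth_failure"]):
        print(f"{ip:>40}  " + "  ".join(f"{k}={v}" for k, v in sorted(tallies[ip].items())))
    print("at or above threshold:", over_threshold(tallies))
```

Running this over the real /var/log/auth.log and lining the auth_failure column up against the nfail column of `blacklistctl dump -a` makes the mismatch concrete: an address that only ever produced "Did not receive identification string" or "Invalid user" lines never completed an authentication attempt, so it shows up in the daily security report without contributing a failure that blacklistd could count.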

