Re: Blacklistd Issues

From: Doug Hardie <bc979_at_lafn.org>
Date: Mon, 17 Apr 2023 22:32:52 UTC
> On Apr 17, 2023, at 13:38, Doug Hardie <bc979@lafn.org> wrote:
> 
> I have been implementing blacklistd.  It works fine with postfix and my web server.  However, sshd is not working.  I have enabled the UseBlacklistd configuration line.  However, no amount of invalid id/passwords generate an entry in either blacklistd or pf.  Running ktrace with invalid web requests on blacklistd shows that it obtains the endpoints properly and calls the helper to do the work.  However, when sending invalid id/passwords via ssh, blacklistd does receive the proper packets from sshd and it obtains the endpoints, but just ends.  It never calls the helper.  I have the entry in blacklistd.conf for that port, and blacklistd has been restarted many times.  Any ideas what I need to do to get blacklistd to record the calls?  There is no table in pf for that port.  However, it appears there needs to be at least one call to make the table appear.

Additional information.  I set debug mode in blacklistd and sent an invalid ssh login:

processing type=4 fd=6 remote=10.0.1.6:52462 msg=,.lklkj uid=0 gid=0
listening socket: 10.0.1.235:xx
look:	target:10.0.1.235:xx, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
check:	target:8001, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
check:	target:8000, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
check:	target:587, proto:6, family:*, uid:*, name:*, nfail:3, duration:300
check:	target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
found:	target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
conf_apply: merge:	target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
conf_apply: to:	target:10.0.1.235:xx, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
conf_apply: result:	target:10.0.1.235:xx, proto:6, family:2, uid:*, name:*, nfail:2, duration:300
Applied address 10.0.1.6:xx
Applied address 10.0.1.6:xx
process: initial db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
process: final db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00

Blacklistd finds the proper ssh entry (port xx - it's not 22).  It does not change the state of that entry though.  Running with debug for an invalid web URL yields basically the same information except that the initial state shows a count and last time.  The final state shows the count incremented.  When the invalid web URL count exceeds the threshold, I do see an entry for "add returns OK".  I don't see that for SSH regardless of the number of attempts.
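A small triage script for debug output of this shape, added here as an example and not part of the thread or of blacklistd itself. It pairs each "processing type=N" line with the initial/final db state that follows it and names the type using the bl_type_t values from blacklist.h (BL_ADD=1, BL_DELETE=2, BL_ABUSE=3, BL_BADUSER=4); the sample input is the sshd event from the post plus a constructed BL_ADD event for comparison.

```python
import re

# bl_type_t values from blacklist.h (BL_INVALID=0 omitted)
BL_TYPES = {1: "BL_ADD", 2: "BL_DELETE", 3: "BL_ABUSE", 4: "BL_BADUSER"}

PROC_RE = re.compile(r"^processing type=(\d+) fd=\d+ remote=(\S+) msg=")
STATE_RE = re.compile(r"^process: (initial|final) db state for (\S+): count=(\d+)/(\d+)")

def parse_events(debug_text):
    """Group blacklistd -d output into one record per notification."""
    events, cur = [], None
    for line in debug_text.splitlines():
        m = PROC_RE.match(line)
        if m:
            cur = {"type": int(m.group(1)), "remote": m.group(2),
                   "initial": None, "final": None, "limit": None}
            events.append(cur)
            continue
        m = STATE_RE.match(line)
        if m and cur is not None and m.group(2) == cur["remote"]:
            cur[m.group(1)] = int(m.group(3))
            cur["limit"] = int(m.group(4))
    return events

def explain(event):
    """Return a one-line verdict on whether a notification advanced the counter."""
    name = BL_TYPES.get(event["type"], "unknown")
    if event["initial"] is None or event["final"] is None:
        return f"{event['remote']}: {name}, no matching rule (no db state logged)"
    delta = event["final"] - event["initial"]
    if name == "BL_ADD":
        verdict = "counted" if delta == 1 else "NOT counted (unexpected)"
    elif name == "BL_BADUSER":
        # blacklistd's process() has no counting action for BL_BADUSER
        verdict = "ignored: BL_BADUSER does not increment the counter"
    else:
        verdict = f"count {event['initial']}->{event['final']}"
    return f"{event['remote']}: {name}, {verdict}, {event['final']}/{event['limit']}"

# Constructed sample: the sshd event from the post, then a made-up postfix BL_ADD event.
SAMPLE = """\
processing type=4 fd=6 remote=10.0.1.6:52462 msg=,.lklkj uid=0 gid=0
listening socket: 10.0.1.235:xx
process: initial db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
process: final db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
processing type=1 fd=7 remote=10.0.1.9:41000 msg=postfix uid=0 gid=0
process: initial db state for 10.0.1.9:41000: count=1/3 last=2023/04/17 15:01:00 now=2023/04/17 15:05:00
process: final db state for 10.0.1.9:41000: count=2/3 last=2023/04/17 15:05:00 now=2023/04/17 15:05:00
"""

if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(explain(ev))
```

Run it against a captured `blacklistd -d` log to see, per notification, which message type sshd actually sent and whether that type is one blacklistd counts.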