[Bug 256880] blacklistd entry's vanishes after ~1m

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 29 Jun 2021 08:34:34 UTC 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256880

            Bug ID: 256880
           Summary: blacklistd entry's vanishes after ~1m
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: gspurki@gmail.com

I have blacklistd running for ssh (from base) on a custom port, when i make a
attack (over vpn) the entry is there with the correct custom port, but vanishes
after about 1 minute (but should stay for 24h) and without making a entry in
pf.

SSH is configured for "cert only access", but when making an attack
(brute-force with password) it's not recognized at all.

I have just those entry's in debug.log (not from restarting blacklistd)

sshd_config:
UseBlacklist yes

blacklistd.conf:
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h

pf.conf:
anchor "blacklistd/*" in on $EXT_IF

rc.conf:
blacklistd_enable="YES"
blacklistd_flags="-r"

/var/log/debug.log:
Jun 27 12:50:40  blacklistd[12301]: Connected to blacklist server
Jun 27 13:00:07  blacklistd[25807]: Connected to blacklist server
Jun 27 14:27:46  blacklistd[90565]: Connected to blacklist server
Jun 27 14:28:48  blacklistd[98434]: Connected to blacklist server
Jun 28 07:18:36  blacklistd[59502]: Connected to blacklist server
Jun 28 07:18:44  blacklistd[65168]: Connected to blacklist server
Jun 28 07:26:44  blacklistd[34127]: Connected to blacklist server
Jun 28 07:46:50  blacklistd[97330]: Connected to blacklist server
Jun 28 08:03:32  blacklistd[42533]: Connected to blacklist server
Jun 28 10:06:15  blacklistd[27244]: Connected to blacklist server
Jun 28 10:08:08  blacklistd[81582]: Connected to blacklist server
Jun 28 10:10:50  blacklistd[77628]: Connected to blacklist server

-- 
You are receiving this mail because:
You are the assignee for the bug.