From nobody Mon Apr 17 22:32:52 2023
From: Doug Hardie
To: questions@freebsd.org
Subject: Re: Blacklistd Issues
Date: Mon, 17 Apr 2023 15:32:52 -0700
Message-Id: <8B1C1DCE-75CA-4CE9-A589-329519FB792E@sermon-archive.info>
In-Reply-To:
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
> On Apr 17, 2023, at 13:38, Doug Hardie wrote:
>
> I have been implementing blacklistd. It works fine with postfix and my web server. However, sshd is not working. I have enabled the UseBlacklistd configuration line. However, no amount of invalid id/passwords generates an entry in either blacklistd or pf. Running ktrace with invalid web requests on blacklistd shows that it obtains the endpoints properly and calls the helper to do the work. However, when sending invalid id/passwords via ssh, blacklistd does receive the proper packets from sshd and it obtains the endpoints, but just ends. It never calls the helper. I have the entry in blacklistd.conf for that port, and blacklistd has been restarted many times. Any ideas what I need to do to get blacklistd to record the calls? There is no table in pf for that port. However, it appears there needs to be at least one call to make the table appear.

Additional information.
I set debug mode in blacklistd and send an invalid ssh login:

processing type=4 fd=6 remote=10.0.1.6:52462 msg=,.lklkj uid=0 gid=0
listening socket: 10.0.1.235:xx
look: target:10.0.1.235:xx, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
check: target:8001, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
check: target:8000, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
check: target:587, proto:6, family:*, uid:*, name:*, nfail:3, duration:300
check: target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
found: target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
conf_apply: merge: target:xx, proto:6, family:*, uid:*, name:*, nfail:2, duration:300
conf_apply: to: target:10.0.1.235:xx, proto:6, family:2, uid:0, name:=, nfail:*, duration:*
conf_apply: result: target:10.0.1.235:xx, proto:6, family:2, uid:*, name:*, nfail:2, duration:300
Applied address 10.0.1.6:xx
Applied address 10.0.1.6:xx
process: initial db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
process: final db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00

Blacklistd finds the proper ssh entry (port xx - it's not 22). It does not change the state of that entry though. Running with debug for an invalid web URL yields basically the same information except that the initial state shows a count and last time. The final state shows the count incremented. When the web invalid URL count exceeds the threshold, I do see an entry for "add returns OK". I don't see that for SSH regardless of the number of attempts.
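As an added diagnostic aid (not part of this thread or of blacklistd itself), the script below walks blacklistd debug output like the trace above and reports, per notification, its type number, whether the failure counter moved between the "initial" and "final" db state lines, and whether an "add returns OK" appeared. The type names are assumed from blacklist.h's bl_type_t (BL_ADD = 1, BL_BADUSER = 4); the sshd block in the sample is the trace quoted above, and the web-server block is constructed to mimic the case described in the post.

```python
import re

# Notification type numbers as assumed from blacklist.h's bl_type_t; used
# here only to label the debug lines, not to model the daemon's handling.
BL_TYPES = {0: "BL_INVALID", 1: "BL_ADD", 2: "BL_DELETE", 3: "BL_ABUSE", 4: "BL_BADUSER"}

PROCESSING_RE = re.compile(r"^processing type=(\d+) fd=\d+ remote=(\S+) ")
STATE_RE = re.compile(r"^process: (initial|final) db state for \S+: count=(\d+)/(\d+)")

# Constructed sample: first block is the sshd trace from the thread (quoted-
# printable decoded); second block mimics a web-server BL_ADD crossing nfail=2.
SAMPLE_DEBUG = """\
processing type=4 fd=6 remote=10.0.1.6:52462 msg=,.lklkj uid=0 gid=0
process: initial db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
process: final db state for 10.0.1.6:52462: count=0/2 last=1969/12/31 16:00:00 now=2023/04/17 15:04:00
processing type=1 fd=7 remote=10.0.1.6:52470 msg= uid=0 gid=0
process: initial db state for 10.0.1.6:52470: count=1/2 last=2023/04/17 15:03:10 now=2023/04/17 15:04:30
add returns OK
process: final db state for 10.0.1.6:52470: count=2/2 last=2023/04/17 15:04:30 now=2023/04/17 15:04:30
"""

def analyze(debug_text):
    """Group debug output by 'processing' line; record per notification whether the counter advanced."""
    reports, cur = [], None
    for line in debug_text.splitlines():
        m = PROCESSING_RE.match(line)
        if m:
            t = int(m.group(1))
            cur = {"type": t, "type_name": BL_TYPES.get(t, "unknown"),
                   "remote": m.group(2), "initial": None, "final": None,
                   "limit": None, "blocked": False}
            reports.append(cur)
        elif cur is not None:
            m = STATE_RE.match(line)
            if m:
                cur[m.group(1)] = int(m.group(2))   # initial or final count
                cur["limit"] = int(m.group(3))      # configured nfail
            elif "add returns OK" in line:
                cur["blocked"] = True               # block rule was installed
    for r in reports:
        r["counted"] = (r["initial"] is not None and r["final"] is not None
                        and r["final"] > r["initial"])
    return reports

def summarize(report):
    verdict = "counted" if report["counted"] else "NOT counted"
    if report["blocked"]:
        verdict += ", block rule added"
    return f"{report['remote']} type={report['type']} ({report['type_name']}): {verdict}"
```

Calling analyze(SAMPLE_DEBUG) and printing summarize() for each report gives one line per notification: the sshd entry shows as NOT counted, the web one as counted with a block rule added.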