Importing NetBSD's blacklist project into FreeBSD
Trond Endrestøl
Trond.Endrestol at fagskolen.gjovik.no
Thu Apr 14 08:15:37 UTC 2016
On Wed, 13 Apr 2016 20:47-0600, Warren Block wrote:
> On Wed, 13 Apr 2016, Kurt Lidl wrote:
>
> > Greetings all -
> >
> > This is just a quick note to alert the FreeBSD development community
> > that I've posted a review for the import of the NetBSD "blacklist"
> > project into FreeBSD.
> >
> > The reviews for the basic import and hookup of the blacklist system
> > into the build process are here:
> >
> > https://reviews.freebsd.org/D5912
> > https://reviews.freebsd.org/D5913
> >
> > The rationale behind the system is given in the first referenced
> > review, which is Christos Zoulas' presentation at vBSDcon 2015.
>
> The first review has a link to the video:
> https://youtu.be/fuuf8G28mjs
>
> > I think the system is a very reasonable framework to allow for
> > real-time notification of attacks, feeding to a single daemon
> > process, which maintains a persistent on-disk database. The daemon
> > can then invoke a helper script to effect packet filtering changes
> > as needed. It's driven from a text configuration file, and it is
> > pretty easy to add support to more programs in the future.
> >
> > Thanks for your interest, and I look forward to any discussion
> > about the merits of the system and the patches to implement it
> > in FreeBSD.
>
> After seeing that review yesterday and thinking it sounded interesting, I
> watched the video. After looking at today's maillog, I have gone from just
> being interested to really wanting it. And a patch for sendmail to use it.
>
> Thank you for working on this!
+1

security/denyhosts is a fairly good substitute for handling sshd
abuse, but denyhosts chokes on certain hostnames and adds the same
hostname over and over to /etc/hosts.deniedssh, leaving me with the
burden of cleaning up the mess.

I hope blacklistd is better than denyhosts as the former integrates
with the daemon internals.

Speaking of denyhosts, any chance blacklistd could distribute the
blacklisted IP addresses between multiple hosts? The blacklistd-helper
control program could be a candidate.
--
+-------------------------------+------------------------------------+
| Vennlig hilsen, | Best regards, |
| Trond Endrestøl, | Trond Endrestøl, |
| IT-ansvarlig, | System administrator, |
| Fagskolen Innlandet, | Gjøvik Technical College, Norway, |
| tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. |
+-------------------------------+------------------------------------+