How to setup IPFW working with blacklistd
Cos Chan
rosettas at gmail.com
Wed Nov 15 11:46:42 UTC 2017
On Wed, Nov 15, 2017 at 10:02 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
> On Tue, 14 Nov 2017 15:38:51 +0100, Cos Chan wrote:
>
> > On Tue, Nov 14, 2017 at 9:31 AM, Cos Chan <rosettas at gmail.com> wrote:
> > >
> > > On Mon, Nov 13, 2017 at 3:17 PM, Cos Chan <rosettas at gmail.com> wrote:
>
> > >> here is one strange record:
> > >>
> > >> $ sudo blacklistctl dump -b | grep 1662
> > >> 193.201.224.218/32:22 OK 1662/1 2017/11/13 00:31:04
> > >>
> > >> This IP has been blocked in ipfw since last week. When I checked it last
> > >> week, on Friday, it was 800+/1 in the blacklist, and by today it has become 1662.
> > >>
> > >> To my knowledge ipfw should block the connection, so the count for a banned
> > >> IP should not increase?
>
> Have you added blacklistd_flags="-r" to /etc/rc.conf? And are you
> using 'service blacklistd start' to control it? If otherwise, are
> you always starting blacklistd with the -r switch? Be explicit.
>
Yes, blacklistd_flags="-r" is in /etc/rc.conf and I use 'service blacklistd start'.
>
> If not, a fresh run of blacklistd should NOT try to remove and re-add
> each of its blocked addresses, and if ipfw has been restarted, that
> address will NOT be in its table of addresses to block. Might that
> explain what you're seeing?
>
> Whenever in doubt, just run 'ipfw table \(port22\) list'. Also, when
> listing ipfw rules, it's helpful to use 'ipfw -t show' which shows all
> rules with their packet and byte counters, plus the date last used for
> each rule. Or even just 'ipfw -t show 4022' or whatever.
>
$ sudo ipfw -t show 02022
02022 204 19920 Wed Nov 15 12:41:36 2017 deny log tcp from table(port22) to any dst-port 22
>
> > >> I could see more entries with more than 3/1, for example:
> > >>
> > >> 89.160.221.132/32:22 OK 18/1 2017/11/13 00:01:21
> > >> 60.125.42.119/32:22 OK 3/1 2017/11/12 16:13:53
> > >> 166.62.35.180/32:22 OK 3/1 2017/11/10 06:36:25
> > >> 202.162.221.51/32:22 OK 6/1 2017/11/10 00:42:14
> > >> 168.0.114.130/32:22 OK 3/1 2017/11/10 23:40:30
> > >> 95.145.71.165/32:22 OK 3/1 2017/11/11 07:07:07
> > >> 123.161.206.210/32:22 OK 3/1 2017/11/12 18:14:00
> > >> 203.146.208.208/32:22 OK 6/1 2017/11/10 10:16:21
> > >> 149.56.223.241/32:22 OK 1/1 2017/11/12 06:09:16
> > >> 121.169.217.98/32:22 OK 9/1 2017/11/12 21:59:57
> > >> 211.251.237.162/32:22 OK 2/1 2017/11/13 12:08:07
> > >> 103.99.0.116/32:22 OK 30/1 2017/11/10 14:56:07
> > >>
> > >> For these records I am not sure whether they increased after being added
> > >> to the ipfw list, but for the 1662 one, I am sure it increased after ipfw
> > >> had the IP in the list.
>
> But perhaps ipfw was restarted, and lost either the rule or the table?
> Remember, ipfw does not keep its tables between runs, without scripting.
>
To explain to Kurt, this concerns the issue that the failure count increased
after the rule was in the ipfw list.
I just caught a "fresh" log:
$ sudo blacklistctl dump -b
address/ma:port id nfail last access
94.23.73.97/32:22 OK 2/2 2017/11/15 11:58:11
123.59.135.58/32:22 OK 3/2 2017/11/15 12:10:12
132.148.128.234/32:22 OK 2/2 2017/11/15 12:13:42
$ sudo blacklistctl dump -b
address/ma:port id nfail last access
94.23.73.97/32:22 OK 2/2 2017/11/15 11:58:11
123.59.135.58/32:22 OK 3/2 2017/11/15 12:10:12
132.148.128.234/32:22 OK 3/2 2017/11/15 12:15:40
IPFW log:
Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times
Based on the log, I assume ipfw was not restarted (since no new rule was added?)
and that it banned the IP 132.148.128.234 properly?
In case I am right, the question is why the number increased from 2/2 to
3/2?
blacklistd.log:
Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
blacklistd-helper.log:
Wed Nov 15 12:13:42 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run rem blacklistd tcp 132.148.128.234 32 22 OK
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
ipfw list:
$ sudo ipfw table port22 list
--- table(port22), set(0) ---
...
132.148.128.234/32 0
...
> > > add the ipfw rules:
> > >
> > > $ sudo ipfw list
> > > 00100 allow ip from any to any via lo0
> > > 00200 deny ip from any to 127.0.0.0/8
> > > 00300 deny ip from 127.0.0.0/8 to any
> > > 00400 deny ip from any to ::1
> > > 00500 deny ip from ::1 to any
> > > 00600 allow ipv6-icmp from :: to ff02::/16
> > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> > > 02022 deny tcp from table(port22) to any dst-port 22
> > > 65000 allow ip from any to any
> > > 65535 deny ip from any to any
>
> > the more logs might be useful:
> >
> > $ sudo tail security
> > Nov 14 15:09:07 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
> > Nov 14 15:09:21 res kernel: ipfw: 2022 Deny TCP 123.125.203.196:6920 192.168.11.15:22 in via em0
> > Nov 14 15:10:11 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
> > Nov 14 15:10:33 res kernel: ipfw: 2022 Deny TCP 83.12.107.106:6920 192.168.11.15:22 in via em0
> > Nov 14 15:11:08 res last message repeated 15 times
> > Nov 14 15:12:32 res last message repeated 4 times
> > Nov 14 15:21:10 res kernel: ipfw: 2022 Deny TCP 201.147.183.55:60299 192.168.11.15:22 in via em0
> > Nov 14 15:21:17 res last message repeated 3 times
>
> > Nov 14 15:25:38 res kernel: ipfw: 2022 Deny TCP 105.226.55.239:48315 192.168.11.15:22 in via em0
> > Nov 14 15:26:18 res last message repeated 12 times
>
> Well yes, that shows those addresses being blocked, on successive
> connection attempts, at that time.
>
> However ipfw only logs rules to /var/log/security that contain the 'log'
> keyword, so you presumably MUST have added that, making the rule be:
>
> 02022 deny log tcp from table(port22) to any dst-port 22
> ---
>
> If you didn't do that - in blacklistd-helper? or manually? - then ipfw
> in 11.1 is severely broken .. please do say when you change conditions.
>
Yes, I added "02022 deny log tcp from table(port22) to any dst-port 22"
manually.
>
> > $ sudo tail auth.log
> > Nov 14 15:07:24 res sshd[9029]: input_userauth_request: invalid user admin [preauth]
>
> > Nov 14 15:10:33 res sshd[9052]: Invalid user omni from 83.12.107.106
> > Nov 14 15:10:33 res sshd[9052]: input_userauth_request: invalid user omni [preauth]
>
> > Nov 14 15:25:37 res sshd[9144]: reverse mapping checking getaddrinfo for 105-226-55-239.south.dsl.telkomsa.net [105.226.55.239] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Nov 14 15:25:37 res sshd[9144]: Invalid user admin from 105.226.55.239
> > Nov 14 15:25:37 res sshd[9144]: input_userauth_request: invalid user admin [preauth]
>
> That one is different .. and seems to have been added to ipfw table as
> above .. but we can't see what blacklistctl reports for it. Confusing.
>
> Might that have been reported as ABUSIVE? No matching blacklistd.log?
>
> > Nov 14 15:26:08 res sshd[9152]: Received disconnect from 121.18.238.123 port 42391:11: [preauth]
> > Nov 14 15:26:08 res sshd[9152]: Disconnected from 121.18.238.123 port 42391 [preauth]
> >
> > The IP 105.226.55.239 looks like it was banned by IPFW, but it still connected
> > to sshd?
>
> No, it was first logged as denied from 15:25:38, after sshd reported it.
>
> Hope that helps.
>
> cheers, Ian
>
--
with kind regards
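The message above compares two `blacklistctl dump -b` snapshots, the `ipfw table port22 list` output and the ipfw deny log by eye. As an added example (not code from this thread, its participants, or FreeBSD), here is a script that does that correlation mechanically: it parses the three outputs in the formats shown in the thread and reports any address whose nfail rose between snapshots while ipfw already had it in the table, together with how many attempts ipfw logged as denied in the meantime. The dumps and ipfw log lines are the ones quoted in the message; the full table listing is constructed, since the message shows only one row of it.

```python
"""Added example, not code from this thread or from FreeBSD: correlate two
`blacklistctl dump -b` snapshots, an `ipfw table <name> list` dump and ipfw
deny log lines, and report addresses whose failure count rose while ipfw was
already blocking them.  The table listing below is constructed."""
import re

# `blacklistctl dump -b` row:  addr/mask:port  id  nfail/limit  last-access
DUMP_RE = re.compile(
    r"^(?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+):(?P<port>\d+)\s+\S+\s+"
    r"(?P<nfail>\d+)/(?P<limit>\d+)\s+(?P<last>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)$")
# `ipfw table <name> list` row:  addr/mask  value
TABLE_RE = re.compile(r"^(?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+)\s+\d+$")
# 'deny log' line in /var/log/security; syslogd folds repeats into REPEAT_RE
DENY_RE = re.compile(
    r"ipfw: \d+ Deny \w+ (?P<src>[0-9a-fA-F.:]+):\d+ [0-9a-fA-F.:]+:\d+ in via")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_dump(text):
    """Map (addr/mask, port) -> (nfail, limit, last access); header is skipped."""
    entries = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            key = (f"{m['addr']}/{m['mask']}", int(m["port"]))
            entries[key] = (int(m["nfail"]), int(m["limit"]), m["last"])
    return entries


def parse_table(text):
    """Set of addr/mask strings present in the table listing."""
    rows = (TABLE_RE.match(line.strip()) for line in text.splitlines())
    return {f"{m['addr']}/{m['mask']}" for m in rows if m}


def count_denies(text):
    """Denied attempts per source address; a 'last message repeated N times'
    line is credited to the address of the preceding deny line."""
    counts, last_src = {}, None
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            last_src = m["src"]
            counts[last_src] = counts.get(last_src, 0) + 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_src is not None:
            counts[last_src] += int(r["n"])
    return counts


def blocked_but_still_counting(before, after, table, denies):
    """Entries whose nfail rose between snapshots although the address was in
    the table.  With a deny rule in front of sshd nothing new should reach
    sshd, so blacklistd should have nothing new to count."""
    findings = []
    for (addr_mask, port), (nfail_after, limit, last) in after.items():
        nfail_before = before.get((addr_mask, port), (0, limit, None))[0]
        if nfail_after > nfail_before and addr_mask in table:
            findings.append({"address": addr_mask, "port": port,
                             "nfail": (nfail_before, nfail_after),
                             "limit": limit, "last": last,
                             "ipfw_denies": denies.get(addr_mask.split("/")[0], 0)})
    return findings


# Sample input: the two dumps and the ipfw log lines quoted in the message
# above; the table listing is constructed to hold all three addresses.
DUMP_BEFORE = """address/ma:port id nfail last access
94.23.73.97/32:22 OK 2/2 2017/11/15 11:58:11
123.59.135.58/32:22 OK 3/2 2017/11/15 12:10:12
132.148.128.234/32:22 OK 2/2 2017/11/15 12:13:42
"""
DUMP_AFTER = """address/ma:port id nfail last access
94.23.73.97/32:22 OK 2/2 2017/11/15 11:58:11
123.59.135.58/32:22 OK 3/2 2017/11/15 12:10:12
132.148.128.234/32:22 OK 3/2 2017/11/15 12:15:40
"""
TABLE_PORT22 = """--- table(port22), set(0) ---
94.23.73.97/32 0
123.59.135.58/32 0
132.148.128.234/32 0
"""
IPFW_LOG = """Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times
"""


def analyze(before=DUMP_BEFORE, after=DUMP_AFTER, table=TABLE_PORT22, log=IPFW_LOG):
    return blocked_but_still_counting(parse_dump(before), parse_dump(after),
                                      parse_table(table), count_denies(log))


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['address']}:{f['port']} nfail {f['nfail'][0]}->{f['nfail'][1]} "
              f"while in table, ipfw denied {f['ipfw_denies']} attempts, last {f['last']}")
```

On the data quoted in the message the script flags exactly the case under discussion: 132.148.128.234/32 went from 2/2 to 3/2 while it was in table(port22), and the deny log shows 19 rejected attempts (1 + 14 + 4 after folding the "last message repeated" lines) over the same interval. To use it on a live box, save the two `blacklistctl dump -b` runs, the `ipfw table port22 list` output and the relevant lines of /var/log/security to files and pass their contents to `analyze()`; an address whose count rises without appearing in the table is deliberately not reported, since that is the expected case when the table was lost to an ipfw restart.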