blacklistd - never?

Hi all,

I recently started using blacklistd; I have it set up to listen on ports 22 and 25. Looking at its output, I see some entries marked "never". Does this mean they will never be blocked or never unblocked? I don't understand what's going on here. I have a few IP numbers whitelisted (i.e., home broadband point), but only single ones, nothing like a 5.188.206.* range. Any ideas?

Code:
$ sudo blacklistctl dump -a|grep never
   5.188.206.98/32:22        2/*    never
   5.188.206.99/32:22        2/*    never
   5.101.99.198/32:22        1/*    never
  5.188.206.100/32:22        2/*    never
  5.188.206.101/32:22        2/*    never
  5.188.206.102/32:22        2/*    never
   5.188.206.54/32:22        2/*    never
 
I recently started using blacklistd; I have it set up to listen on ports 22 and 25.
No, you don't.

Blacklist doesn't listen on ports. It only gets informed about login issues from those processes that do. When a threshold has been reached, it will take the corresponding action (as configured).

Also, the output from blacklistctl already tells you what each entry means:
Code:
peter@vps:/opt# blacklistctl dump -a
        address/ma:port id      nfail   last access

It seems to me as if you don't fully understand what the blacklist daemon actually does.
 
What's in /etc/blacklistd.conf?

Code:
$ less /etc/blacklistd.conf
# $FreeBSD: releng/12.2/usr.sbin/blacklistd/blacklistd.conf 336977 2018-07-31 16:39:38Z brd $
#
# Blacklist rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h
ftp             stream  *       *               *       3       24h
smtp            stream  *       *               *       3       24h
submission      stream  *       *               *       3       24h
#6161           stream  tcp6    christos        *       2       10m
*               *       *       *               *       3       60

# adr/mask:port type    proto   owner           name    nfail   disable
[remote]
#129.168.0.0/16 *       *       *               =       *       *
77.168.200.75   *       *       *               =       *       *
149.210.189.222 *       *       *               =       *       *
5.2.74.159      *       *       *               =       *       *
5.2.72.89       *       *       *               =       *       *
#6161           =       =       =               =/24    =       =
#*              stream  tcp     *               =       =       =
 
Ages ago, but this has been a consistent issue with blacklistd for me over the years, and I got caught by it again today.

As a punt, I added netmasks to all addresses, including single IP addresses (so, added /32 to those).

Problem gone. Every "1/*     never" entry I see in blacklistctl dump -na is indeed an exception I have under [remote].

There appears to be a weird mismatching problem when the IP addresses are not all 'anchored' by a netmask.
 
I really advise anyone using blacklistd to check their /etc/blacklistd.conf for netmasks and to restart the service after fixing them.

It is very likely that you're not blocking what you think you're blocking, and on a busy server this can actually happen on a pretty massive scale.

If you want to take it one step further: service blacklistd stop ; cp /dev/null /var/db/blacklistd.db; service blacklistd start - to start with a clean slate.
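A small checker for the two things this thread ends on, written as an added example (it is not from the thread, nor part of blacklistd): it flags [remote] addresses written without a netmask and proposes the anchored form, and it lists "never" entries from a blacklistctl dump that no [remote] exception covers. The config text and dump output are constructed samples in the layouts quoted above; the helper names are my own.

```python
import ipaddress

# Constructed sample blacklistd.conf (columns: adr/mask:port type proto owner name nfail disable)
SAMPLE_CONF = """\
[local]
ssh             stream  *       *               *       3       24h
[remote]
#129.168.0.0/16 *       *       *               =       *       *
77.168.200.75   *       *       *               =       *       *
10.0.0.0/8      *       *       *               =       *       *
"""

# Constructed sample `blacklistctl dump -a` output in the layout shown in the thread.
SAMPLE_DUMP = """\
        address/ma:port id      nfail   last access
    77.168.200.75/32:22        2/*    never
     5.188.206.98/32:22        2/*    never
      203.0.113.7/32:22        3/3    2021/06/01 10:00:00
"""

def strip_port(field):
    """Drop an optional ':port' suffix from an IPv4 'adr/mask:port' field."""
    return field.rsplit(":", 1)[0] if "." in field and ":" in field else field

def remote_addresses(conf_text):
    """Return the address field of every active rule in the [remote] section."""
    addrs, in_remote = [], False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blanks
        if line.startswith("["):
            in_remote = line == "[remote]"
        elif line and in_remote:
            addrs.append(strip_port(line.split()[0]))
    return addrs

def unanchored_rules(conf_text):
    """Return (as_written, anchored) for [remote] addresses that lack a /mask."""
    return [(a, str(ipaddress.ip_network(a))) for a in remote_addresses(conf_text)
            if "/" not in a and a != "*"]

def unexplained_never(dump_text, conf_text):
    """Return 'never' entries in the dump that no [remote] exception covers."""
    nets = [ipaddress.ip_network(a, strict=False)
            for a in remote_addresses(conf_text) if a != "*"]
    missing = []
    for line in dump_text.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) >= 3 and fields[-1] == "never":
            host = ipaddress.ip_network(strip_port(fields[0]), strict=False)
            if not any(host.version == n.version and host.subnet_of(n) for n in nets):
                missing.append(str(host))
    return missing
```

Run against the real files by reading /etc/blacklistd.conf into conf_text and the output of blacklistctl dump -a into dump_text; anything unexplained_never returns is a host that shows "never" without a matching exception.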
 