I've enabled the PF(4) firewall and blacklistd(8). Although IP addresses are being added to to blacklist, I can still see multiple failed attempts from a single IP address. Yet when I test it myself, my IP address gets blacklisted properly: it's added to the blacklist and I can't initiate any more connections from it.
/etc/rc.conf:
Code:
blacklistd_enable="YES"
pf_enable="YES"
/etc/blacklistd.conf:
Code:
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 1 365d
# Extra lines removed
/etc/ssh/sshd_config:
Code:
...
UseBlacklist Yes
...
/etc/pf.conf:
Code:
intf="wlan0"
set skip on { lo0, em0 }
# Packet normalization
scrub in
# Integrate blacklistd to protect sshd
anchor "blacklistd/*" in on $intf
### FIREWALL RULES
# Default firewall rules
block in
pass out
# Allow inbound SSH on the default port (22)
pass in on $intf proto tcp to ($intf) port 22
# Allow basic ICMP functionality
pass in on $intf inet proto icmp to ($intf) icmp-type { unreach, redir, timex, echoreq }
Output of grep sshd /var/log/messages | tail -20:
Code:
Mar 2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar 2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar 2 00:21:51 [...] illegal user gotubego from 120.92.147.56
Mar 2 00:23:35 [...] illegal user tsbot from 120.92.147.56
Mar 2 00:23:40 [...] illegal user spravce from 120.92.147.56
Mar 2 00:25:34 [...] root from 120.92.147.56
Mar 2 00:25:57 [...] illegal user admin from 120.92.147.56
Mar 2 00:27:29 [...] illegal user admin from 120.92.147.56
Mar 2 00:29:13 [...] root from 120.92.147.56
Mar 2 00:30:06 [...] root from 120.92.147.56
Mar 2 00:33:09 [...] illegal user admin from 120.92.147.56
Mar 2 00:33:23 [...] illegal user admin from 120.92.147.56
Mar 2 00:34:15 [...] illegal user bogalfb from 120.92.147.56
Mar 2 00:35:34 [...] root from 120.92.147.56
Mar 2 00:35:59 [...] illegal user admin from 120.92.147.56
Mar 3 13:35:35 [...] illegal user user from 103.200.23.124
Mar 4 19:47:59 [...] root from 111.207.23.140
Mar 5 02:09:39 [...] illegal user user from host2.awolphoto.com
Mar 5 16:02:33 [...] illegal user user from 103.221.221.189
Mar 7 04:43:38 [...] illegal user user from server28.pixeled.net
I've truncated the lines for readability. The entire first line reads as:
Mar 2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56
I've deleted the useless bits.
Output of sudo blacklistctl dump -br:
Code:
150.95.156.167/32:22 OK 2/1 1y3d22h45m57s
27.79.178.252/32:22 OK 2/1 1y3d29h16m55s
194.61.24.162/32:22 OK 40/1 20d2h19m32s
76.242.160.219/32:22 OK 2/1 22d42h8m58s
91.121.173.184/32:22 OK 2/1 2d12h1m40s
116.127.174.152/32:22 OK 2/1 7d34h39m45s
88.214.26.49/32:22 OK 62/1 9d11h56m22s
...
The list contains 1069 entries but not the IP address 120.92.147.56.
Questions:
- Some IP addresses time out in (more than) a year (as they should) while others time out in only a couple of days (e.g. 2 days).
- Some IP addresses (e.g. 120.92.147.56) are not added to the list while they clearly should be.
- Some addresses could make as many as 62 attempts before being blocked in the list.
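A small audit script that cross-checks the two outputs shown in the post, added here as an example and not part of the original post or of blacklistd itself. It parses the `from <source>` field of the sshd log lines and the `address/mask:port state count/nfail remaining` columns of `blacklistctl dump -br` (the column meaning is assumed from the output above), then reports the three symptoms the questions describe: sources with failures that never appear in the list, entries whose failure count is well above the `nfail` threshold, and entries whose remaining time is far below the configured 365d. The sample log and dump lines are constructed from the post; the threshold and fraction parameters are my own choices. One caveat the script makes explicit: when sshd logs a hostname instead of an address (the host2.awolphoto.com and server28.pixeled.net lines), it cannot be matched against the address-keyed blacklist at all, so those sources are listed separately.

```python
import re
from collections import Counter

# Constructed sample input, copied in truncated form from the post above.
SSHD_LOG = """\
Mar 2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar 2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar 2 00:25:34 [...] root from 120.92.147.56
Mar 3 13:35:35 [...] illegal user user from 103.200.23.124
Mar 5 02:09:39 [...] illegal user user from host2.awolphoto.com
"""

# Constructed sample of 'blacklistctl dump -br' output, also taken from the post.
BLACKLIST_DUMP = """\
150.95.156.167/32:22 OK 2/1 1y3d22h45m57s
194.61.24.162/32:22 OK 40/1 20d2h19m32s
91.121.173.184/32:22 OK 2/1 2d12h1m40s
...
"""

FROM_RE = re.compile(r"\bfrom (\S+)\s*$")
# address/mask:port  state  count/nfail  remaining   (column meaning assumed)
DUMP_RE = re.compile(r"^(\S+?)/(\d+):(\d+)\s+(\S+)\s+(\d+)/(\d+)\s+(\S+)$")
DUR_RE = re.compile(r"(\d+)([ydhms])")
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_duration(text):
    """Convert a blacklistctl remaining-time string such as 2d12h1m40s to seconds."""
    return sum(int(n) * UNIT_SECONDS[u] for n, u in DUR_RE.findall(text))


def failures_per_source(log_text):
    """Count sshd failure lines per source (address or hostname, as logged)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_dump(dump_text):
    """Map each blacklisted address to its port, state, count, nfail and remaining seconds."""
    entries = {}
    for line in dump_text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:  # skips the '...' line and anything malformed
            continue
        addr, _mask, port, state, count, nfail, remaining = m.groups()
        entries[addr] = {
            "port": int(port),
            "state": state,
            "count": int(count),
            "nfail": int(nfail),
            "remaining": parse_duration(remaining),
        }
    return entries


def audit(log_text, dump_text, nfail=1, disable_seconds=365 * 86400,
          slack=1, fraction=0.5):
    """Compare sshd failures against the blacklist and flag the three symptoms.

    unblocked:      sources with >= nfail failures that are not in the list
    unresolvable:   sources logged as hostnames, which cannot be matched by address
    over_threshold: entries whose count exceeds nfail by more than `slack`
    short_timeout:  entries with less than `fraction` of the configured block time left
    """
    failures = failures_per_source(log_text)
    entries = parse_dump(dump_text)
    unblocked, unresolvable = [], []
    for src, n in failures.items():
        if not IPV4_RE.match(src):
            unresolvable.append(src)
        elif n >= nfail and src not in entries:
            unblocked.append(src)
    over = [a for a, e in entries.items() if e["count"] > e["nfail"] + slack]
    short = [a for a, e in entries.items()
             if e["remaining"] < disable_seconds * fraction]
    return {
        "unblocked": sorted(unblocked),
        "unresolvable": sorted(unresolvable),
        "over_threshold": sorted(over),
        "short_timeout": sorted(short),
    }


if __name__ == "__main__":
    for key, value in audit(SSHD_LOG, BLACKLIST_DUMP).items():
        print(f"{key:15s} {value}")
```

Run against the real files with `audit(open("/var/log/messages").read(), subprocess.check_output(["blacklistctl", "dump", "-br"], text=True))` after `import subprocess`. The remaining-time check is only a heuristic, since that column counts down from the moment the entry was added; it is meant to separate the 1y entries from the 2d ones for closer inspection, not to prove a misconfiguration.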