blacklistd - never?

cbrace · Mar 27, 2021

Hi all,

I recently started using blacklistd; I have it set up to listen on ports 22 and 25. Looking at its output, I see some entries marked "never". Does this mean they will never be blocked or never unblocked? I don't understand what's going on here. I have a few IP numbers whitelisted (ie, home broadband point), but only single ones, nothing like a 5.188.206.* range. Any ideas?

Code:

$ sudo blacklistctl dump -a|grep never
   5.188.206.98/32:22        2/*    never
   5.188.206.99/32:22        2/*    never
   5.101.99.198/32:22        1/*    never
  5.188.206.100/32:22        2/*    never
  5.188.206.101/32:22        2/*    never
  5.188.206.102/32:22        2/*    never
   5.188.206.54/32:22        2/*    never

SirDice · Mar 27, 2021

What's in /etc/blacklistd.conf?

ShelLuser · Mar 27, 2021

cbrace said:
I recently started using blacklistd; I have it set up to listen on ports 22 and 25.

No you don't.

Blacklist doesn't listen on ports. It only gets informed about login issues from those processes that do. When a threshold has been reached then it will take according action (as configured).

Also, the output from blacklistctl already tells you what each entry means:

Code:

peter@vps:/opt# blacklistctl dump -a
        address/ma:port id      nfail   last access

It seems to me as if you don't fully understand what the blacklist daemon actually does.

cbrace · Mar 27, 2021

SirDice said:
What's in /etc/blacklistd.conf?

Code:

$ less /etc/blacklistd.conf
# $FreeBSD: releng/12.2/usr.sbin/blacklistd/blacklistd.conf 336977 2018-07-31 16:39:38Z brd $
#
# Blacklist rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h
ftp             stream  *       *               *       3       24h
smtp            stream  *       *               *       3       24h
submission      stream  *       *               *       3       24h
#6161           stream  tcp6    christos        *       2       10m
*               *       *       *               *       3       60

# adr/mask:port type    proto   owner           name    nfail   disable
[remote]
#129.168.0.0/16 *       *       *               =       *       *
77.168.200.75   *       *       *               =       *       *
149.210.189.222 *       *       *               =       *       *
5.2.74.159              *       *       *               =       *       *
5.2.72.89               *       *       *               =       *       *
#6161           =       =       =               =/24    =       =
#*              stream  tcp     *               =       =       =

cbrace · Mar 27, 2021

ShelLuser said:
Blacklist doesn't listen on ports.

Right, sorry, figure of speech.

blacklistd - never?

cbrace

SirDice

Administrator

ShelLuser

cbrace

cbrace