PF blacklistd not blocking addresses

I've enabled the PF(4) firewall and blacklistd(8). Although IP addresses are being added to the blacklist, I can still see multiple failed attempts from a single IP address. Yet when I test it myself, my IP address gets blacklisted properly: it's added to the blacklist and I can't initiate any more connections from it.

/etc/rc.conf:
Code:
blacklistd_enable="YES"
pf_enable="YES"

/etc/blacklistd.conf:
Code:
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       1       365d
# Extra lines removed

/etc/ssh/sshd_config:
Code:
...
UseBlacklist Yes
...

/etc/pf.conf:
Code:
intf="wlan0"
set skip on { lo0, em0 }

# Packet normalization
scrub in

# Integrate blacklistd to protect sshd
anchor "blacklistd/*" in on $intf

### FIREWALL RULES

# Default firewall rules
block in
pass out
# Allow inbound SSH on the default port (22)
pass in on $intf proto tcp to ($intf) port 22
# Allow basic ICMP functionality
pass in on $intf inet proto icmp to ($intf) icmp-type { unreach, redir, timex, echoreq }

Output of grep sshd /var/log/messages | tail -20:
Code:
Mar  2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar  2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar  2 00:21:51 [...] illegal user gotubego from 120.92.147.56
Mar  2 00:23:35 [...] illegal user tsbot from 120.92.147.56
Mar  2 00:23:40 [...] illegal user spravce from 120.92.147.56
Mar  2 00:25:34 [...] root from 120.92.147.56
Mar  2 00:25:57 [...] illegal user admin from 120.92.147.56
Mar  2 00:27:29 [...] illegal user admin from 120.92.147.56
Mar  2 00:29:13 [...] root from 120.92.147.56
Mar  2 00:30:06 [...] root from 120.92.147.56
Mar  2 00:33:09 [...] illegal user admin from 120.92.147.56
Mar  2 00:33:23 [...] illegal user admin from 120.92.147.56
Mar  2 00:34:15 [...] illegal user bogalfb from 120.92.147.56
Mar  2 00:35:34 [...] root from 120.92.147.56
Mar  2 00:35:59 [...] illegal user admin from 120.92.147.56
Mar  3 13:35:35 [...] illegal user user from 103.200.23.124
Mar  4 19:47:59 [...] root from 111.207.23.140
Mar  5 02:09:39 [...] illegal user user from host2.awolphoto.com
Mar  5 16:02:33 [...] illegal user user from 103.221.221.189
Mar  7 04:43:38 [...] illegal user user from server28.pixeled.net

I've truncated the lines for readability. The entire first line reads as: Mar 2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56. I've deleted the unuseful bits.

Output of sudo blacklistctl dump -br:
Code:
150.95.156.167/32:22   OK      2/1     1y3d22h45m57s
  27.79.178.252/32:22   OK      2/1     1y3d29h16m55s
  194.61.24.162/32:22   OK      40/1    20d2h19m32s
76.242.160.219/32:22   OK      2/1     22d42h8m58s
91.121.173.184/32:22   OK      2/1     2d12h1m40s
116.127.174.152/32:22   OK      2/1     7d34h39m45s
   88.214.26.49/32:22   OK      62/1    9d11h56m22s
...

The list contains 1069 entries but not the IP address 120.92.147.56.

Questions:
  1. Some IP addresses time out in (more than) a year (as they should) while others time out in only a couple of days (e.g. 2 days).
  2. Some IP addresses (e.g. 120.92.147.56) are not added to the list while they clearly should be.
  3. Some addresses could execute as many as 62 attempts before being blocked in the list.
What am I missing in my configuration to make it work as desired?
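As an added example (not from this thread or from blacklistd itself), the following script automates the check the post does by hand: it counts sshd authentication failures per source, parses `blacklistctl dump -br` output in the column layout shown above, and reports sources that reached the nfail threshold but never appeared in the list, plus listed entries whose failure count kept climbing past the threshold. The log and dump text are constructed samples in the shape of the quoted lines; the assumed full-line format is the one the post quotes (`... sshd[PID]: error: PAM: authentication error for ... from SOURCE`). Hostnames in the log are flagged rather than resolved, since this runs offline and blacklistd keys its database on the peer address, not the name syslog resolved.

```python
"""Cross-check sshd failures against blacklistd's list (added example)."""
import re
from collections import Counter

# Constructed sample: full sshd lines in the shape the post quotes.
SSHD_LOG = """\
Mar  2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56
Mar  2 00:25:34 phoenix sshd[94490]: error: PAM: authentication error for root from 120.92.147.56
Mar  3 13:35:35 phoenix sshd[95001]: error: PAM: authentication error for illegal user user from 103.200.23.124
Mar  5 02:09:39 phoenix sshd[95120]: error: PAM: authentication error for illegal user user from host2.awolphoto.com
"""

# Constructed sample in the column layout of `blacklistctl dump -br`:
# address/mask:port, id, failures/threshold, time remaining.
BLACKLIST_DUMP = """\
  103.200.23.124/32:22   OK      2/1     1y3d22h45m57s
   88.214.26.49/32:22   OK      62/1    9d11h56m22s
"""

FAIL_RE = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for .* from (\S+)$")
DUMP_RE = re.compile(r"^\s*(\S+?)/\d+:(\d+)\s+\S+\s+(\d+)/(\d+)\s+(\S+)")


def count_failures(log_text):
    """Count sshd authentication failures per source exactly as syslog wrote it."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_dump(dump_text):
    """Map each listed address to (port, failures_seen, threshold, time_remaining)."""
    entries = {}
    for line in dump_text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            addr, port, seen, nfail, remaining = m.groups()
            entries[addr] = (int(port), int(seen), int(nfail), remaining)
    return entries


def is_ipv4(s):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s) is not None


def missing_blocks(log_text, dump_text, nfail=1):
    """Return (missing, unresolved).

    missing:    [(source, failures)] for addresses at or over nfail that
                blacklistd never listed, i.e. the situation the post describes.
    unresolved: hostnames from the log; they need resolving to an address
                before they can be compared against the dump.
    """
    failures = count_failures(log_text)
    listed = parse_dump(dump_text)
    missing, unresolved = [], []
    for src, n in failures.items():
        if n < nfail:
            continue
        if not is_ipv4(src):
            unresolved.append(src)
        elif src not in listed:
            missing.append((src, n))
    return sorted(missing), sorted(unresolved)


def attempts_past_threshold(dump_text):
    """Listed entries whose recorded failure count exceeds their threshold,
    i.e. the source was still being counted after it should have been cut off."""
    return sorted((addr, e[1], e[2]) for addr, e in parse_dump(dump_text).items() if e[1] > e[2])


if __name__ == "__main__":
    print("never listed:", missing_blocks(SSHD_LOG, BLACKLIST_DUMP))
    print("counted past threshold:", attempts_past_threshold(BLACKLIST_DUMP))
```

On a real host the two samples would be replaced by the output of `grep sshd /var/log/messages` and `blacklistctl dump -br`; a non-empty "never listed" result means blacklistd heard about the failures but did not act, while a large count past the threshold means the entry exists but the firewall rule it relies on is not actually dropping the traffic.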
 
Are the connections coming in on em0? You have a set skip on em0 in your ruleset. So your em0 interface is completely ignored by PF.
 
That is not the case. It's a laptop only connected via the wireless network to my router. The em0 interface is not connected and will in the future be used to connect my home lab.
 
Alright, just verifying. What does pfctl -a 'blacklistd/22' -t port22 -T show output?
 
It shows 1231 lines of IP addresses. So it is working. It also blocks my own IP addresses (public VPS) when I try it.
 
What rules does blacklistd generate? I see that your 'pass' rule for ssh comes after your blacklistd anchors, so unless they're 'quick' your ruleset will allow all connections to the ssh port.
 
Can you help me out here? How do I check this? Which config file or command do you want to see?

'pfctl -a "blacklistd/*" -sr' should show the rules blacklistd has created.

Do you mean I should put the "pass" rule before my blacklistd anchor?
That depends on the rules blacklistd created. I don't use it myself so I don't know what they are. Once we know that we can establish if your anchor rule belongs before or after your other rules.
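The ordering point being discussed, as an added example that is not part of the thread: PF evaluates the main ruleset top to bottom, an anchor is evaluated in place, and unless a matching rule carries `quick` the last matching rule decides. The toy evaluator below models only action, direction-agnostic interface, protocol, destination port, source-table membership and `quick` (no addresses, states or pf.conf parsing). The block rule it places inside the anchor is a hypothetical stand-in, since the thread never shows what blacklistd actually installed (the `-sr` output was empty); the table name `port22` and the listed address come from the post.

```python
"""Toy model of PF rule ordering: last match wins unless `quick` (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False               # stop evaluating on match
    iface: Optional[str] = None       # None matches any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    src_table: Optional[str] = None   # source must be a member of this table


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dport: int


def matches(rule, pkt, tables):
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.src_table is not None and pkt.src not in tables.get(rule.src_table, set()):
        return False
    return True


def evaluate(ruleset, pkt, tables, default="pass"):
    """Verdict PF reaches: walk every rule, remember the last match, stop on quick.
    PF's default when nothing matches is pass, hence the default argument."""
    verdict = default
    for rule in ruleset:
        if matches(rule, pkt, tables):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed table contents: the address the post says was never blocked.
TABLES = {"port22": {"120.92.147.56"}}

# Hypothetical rule inside the anchor; blacklistd's real rule is not shown in the thread.
def anchor_rule(quick):
    return Rule("block", quick=quick, iface="wlan0", proto="tcp", dport=22, src_table="port22")


def posts_ruleset(anchor_block_quick):
    """The post's pf.conf order: anchor, then `block in`, then `pass in ... port 22`."""
    return [
        anchor_rule(anchor_block_quick),
        Rule("block"),
        Rule("pass", iface="wlan0", proto="tcp", dport=22),
    ]


def verdicts(anchor_block_quick):
    """(verdict for a listed source, verdict for an unlisted source)."""
    listed = Packet("wlan0", "tcp", "120.92.147.56", 22)
    other = Packet("wlan0", "tcp", "203.0.113.7", 22)     # constructed, unlisted
    rs = posts_ruleset(anchor_block_quick)
    return evaluate(rs, listed, TABLES), evaluate(rs, other, TABLES)


def verdict_anchor_after_pass():
    """Same non-quick block, but the anchor placed after the pass rule."""
    rs = [Rule("block"), Rule("pass", iface="wlan0", proto="tcp", dport=22), anchor_rule(False)]
    return evaluate(rs, Packet("wlan0", "tcp", "120.92.147.56", 22), TABLES)


if __name__ == "__main__":
    print("anchor first, block not quick:", verdicts(False))    # listed source passes
    print("anchor first, block quick:    ", verdicts(True))     # listed source blocked
    print("anchor after pass, not quick: ", verdict_anchor_after_pass())
```

The model reproduces the reply's point: with a non-quick block in the anchor and the anchor ahead of the pass rule, the later `pass in ... port 22` is the last match and the listed address still gets through, which is consistent with an address collecting dozens of failures while listed. A `quick` block in the anchor wins regardless of position; without `quick`, the anchor has to come after the pass rule. Which of the two applies depends on the rules blacklistd really installs, which is exactly what `pfctl -a "blacklistd/*" -sr` is meant to reveal.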
 
It seems blacklistd works correctly because I've tested from several sources and after the first failed attempt, my IP address gets blocked and I can't establish a new SSH connection from the same source IP address until I remove it from the list (`blacklistctl dump -br`).

But pfctl -a "blacklistd/*" -sr returns empty:

Code:
root@phoenix:~ # pfctl -a "blacklistd/*" -sr
root@phoenix:~ #

I don't use it myself
Do you use sshguard instead? I believe SirDice also uses sshguard instead of blacklistd thus perhaps I should migrate from blacklistd to sshguard. I'm new to both so it does not really matter to me. I only picked sshguard because it was mentioned in Lucas' book Absolute FreeBSD but apparently his steps resulted in this not-really-working configuration.
 