PF blacklisted (not blocking)

Hello,
I have decided to switch from sshguard to blacklistd(8) and my initial set-up was:
1. enable blacklistd in rc.conf by adding
Code:
blacklistd_enable="YES"
blacklistd_flags="-r -t 900" #to increase observer time period for slow log-ins
2. add anchor to pf.conf
Code:
anchor "blacklistd/*" in on $ext_if
3. changed the SSH rule in blacklistd.conf to match the external interface
Code:
vtnet0:ssh      stream  *       *               *       3       24h

After reloading all the daemons I expected that this kind of activity (from auth.log) would be blocked:

Nov 20 09:04:52 ant sshd[2434]: Connection closed by 1.2.3.6 port 18304 [preauth]
Nov 20 09:05:31 ant sshd[2443]: Connection closed by 1.2.3.6 port 34965 [preauth]
Nov 20 09:06:10 ant sshd[2445]: Connection closed by 1.2.3.6 port 51638 [preauth]
Nov 20 09:06:49 ant sshd[2457]: Connection closed by 1.2.3.6 port 3902 [preauth]

.. but it is not. blacklistctl dump -a gives empty output. What am I missing?
 
You don't give us enough information to draw conclusions yet.

For starters: under which header does the line you copied from /etc/blacklistd.conf reside (local or remote)? Also: which SSH daemon are you using (base or ports)?

It shouldn't make a difference but for what it's worth I wouldn't mess with any parameters. There's no need for -r because pf can easily retain its own rules, and I also can't help wondering if 15 minutes for polling isn't a bit too long (but that's merely a guess on my end). Even so, I would stick with the defaults for now.
 
Thank you for the fast reply, ShelLuser!
I have a vanilla installation of FreeBSD 11.2 with the base SSH daemon. The only thing I made changes to is the kernel -- removed drivers/options I don't use. I have tried to make as few modifications as possible. At the moment I have:
sshd_config:
Code:
UseBlacklist yes

pf.conf:
Code:
# configuration set-up
ext_if = "vtnet0"
set loginterface $ext_if
set skip on lo
scrub in on $ext_if all fragment reassemble

# tables

# pass list
tcp_pass = "{ ssh, smtp, http, https, pop3s }"
udp_pass = "{ domain }"
icmp_pass = "{ echoreq, unreach }"

# rules
anchor "blacklistd/*" on $ext_if
block all
antispoof log for $ext_if
pass on $ext_if proto tcp to any port $tcp_pass keep state

# only UDP traffic to DNS
pass out on $ext_if proto udp to any port $udp_pass keep state

# only ICMP Echo
pass inet proto icmp all icmp-type $icmp_pass keep state

blacklistd.conf : default (no modifications)

Diagnostics:

$ pfctl -nvf /etc/pf.conf
ext_if = "vtnet0"
set loginterface vtnet0
set skip on { lo }
tcp_pass = "{ ssh, smtp, http, https, pop3s }"
udp_pass = "{ domain }"
icmp_pass = "{ echoreq, unreach }"
scrub in on vtnet0 all fragment reassemble
anchor "/*" on vtnet0 all
block drop all
block drop in log on ! vtnet0 inet from 95.216.190.211 to any
block drop in log inet from 95.216.190.211 to any
block drop in log on vtnet0 inet6 from fe80::9400:ff:fe14:3b82 to any
pass on vtnet0 proto tcp from any to any port = ssh flags S/SA keep state
pass on vtnet0 proto tcp from any to any port = smtp flags S/SA keep state
pass on vtnet0 proto tcp from any to any port = http flags S/SA keep state
pass on vtnet0 proto tcp from any to any port = https flags S/SA keep state
pass on vtnet0 proto tcp from any to any port = pop3s flags S/SA keep state
pass out on vtnet0 proto udp from any to any port = domain keep state
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state


$ pfctl -a blacklistd -s Anchors
is empty

One strange thing I have noticed -- the name of the anchor is missing from the pfctl(8) output. But maybe this is how it should be, I don't know.
 
Your pf.conf is a bit messy, heed the specific sequence which you need to use (see pf.conf(5)): Macros, Tables, Options ... Packet Filtering.

In your example you have a macro on top, then some options, then traffic control (the scrub entry), after which you're back to macros again. That explains why you don't get to see the table anchor when using pfctl, and it's most likely also the reason why nothing got blocked.

If there's no anchor for blacklistd to use then it obviously can't block entries.
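pfctl(8) does enforce an order when it loads a ruleset, but only on rule types: options, normalization (scrub), queueing, translation and filtering must not go backwards, while macro and table definitions sit outside that sequence. The following shell script is an added example (not from this thread or from the pf sources) that approximates pfctl's check with awk, and includes two constructed pf.conf fragments: one in the conventional pf.conf(5) order with the blacklistd anchor among the filter rules, and one with a scrub line ahead of a set line, which pfctl rejects with "Rules must be in order: options, normalization, queueing, translation, filtering". The ruleset posted above passes this check, since only its macros are out of place.

```shell
#!/bin/sh
# Added example (not from the thread): a rough re-implementation of the rule
# order that pfctl(8) enforces when loading pf.conf. Macro definitions
# (name = "value") and table definitions are not ranked, so they may appear
# between option and rule lines without an error.

# Print "line N: <text>" for the first rule that goes backwards in the
# sequence, or print nothing when the order is acceptable. Reads stdin.
pf_order_check() {
    awk '
        function rank(w) {
            if (w == "set") return 1                              # options
            if (w == "scrub") return 2                            # normalization
            if (w == "altq" || w == "queue") return 3             # queueing
            if (w == "nat" || w == "rdr" || w == "binat" ||
                w ~ /^(nat|rdr|binat)-anchor$/) return 4          # translation
            if (w == "pass" || w == "block" || w == "match" ||
                w == "anchor" || w == "antispoof") return 5       # filtering
            return 0                                              # macro, table, comment, blank
        }
        {
            sub(/#.*/, "")            # strip comments, re-split fields
            if ($1 == "") next
            r = rank($1)
            if (r == 0) next
            if (r < last) { printf "line %d: %s\n", NR, $0; exit }
            last = r
        }
    '
}

# Constructed fragment in the conventional order: macros, options,
# normalization, then filter rules including the blacklistd anchor.
# Interface name and port list are placeholders.
PF_GOOD=$(cat <<'EOF'
ext_if = "vtnet0"
tcp_pass = "{ ssh, smtp, http, https, pop3s }"
set loginterface $ext_if
set skip on lo
scrub in on $ext_if all fragment reassemble
anchor "blacklistd/*" in on $ext_if
block all
antispoof log for $ext_if
pass on $ext_if proto tcp to any port $tcp_pass keep state
EOF
)

# Constructed fragment with a normalization rule before an option line;
# this is the kind of file pfctl refuses to load.
PF_BAD=$(cat <<'EOF'
ext_if = "vtnet0"
scrub in on $ext_if all fragment reassemble
set skip on lo
anchor "blacklistd/*" in on $ext_if
block all
pass on $ext_if proto tcp to any port ssh keep state
EOF
)

# Usage: run the check over both fragments (or over a real file with
# `pf_order_check < /etc/pf.conf`).
echo "good fragment: $(printf '%s\n' "$PF_GOOD" | pf_order_check)"
echo "bad fragment:  $(printf '%s\n' "$PF_BAD" | pf_order_check)"
```

The check is deliberately simpler than pfctl's grammar (it ignores anchor blocks written with braces and `load anchor` lines), so treat a clean result as a hint and `pfctl -nvf /etc/pf.conf` as the authority.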
 
I agree, ShelLuser, that the conf is a bit messy, but pfctl -nvf /etc/pf.conf does not report any errors and in fact it works. It just does not work as I expected. Here is what I have found during tests:
  1. pfctl -nvf /etc/pf.conf does not show anchor names if the name contains "/*". I think it is a bug, because pfctl -sr prints them correctly.
  2. pfctl -a blacklistd -s Anchors does not print anything because there are no IPs blocked.
  3. blacklistctl dump shows some IPs in "blocking progress". That is how I guessed that blacklistd works ;)
  4. blacklistd(8) doesn't react to "incomplete login" attempts like the ones I posted in the beginning, at least with the default configuration. If a malicious user does not actually log in with an error, it will not get into the ban list. I have hundreds of such attempts and sshguard was able to detect them out of the box. Probably I will let them work in parallel if there is no conflict.
Anyway, my pf.conf is structured better now and probably I can find a way to filter those unwanted authentication attempts with blacklistd.
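Point 4 above is the crux of the thread: blacklistd does not read auth.log at all. It only learns about an address when sshd, with UseBlacklist enabled, reports a failed authentication through libblacklist, and a client that disconnects before attempting to authenticate never triggers that report. The following shell script is an added example, not from this thread or from the blacklistd project, that splits sshd log lines into the two classes so a defender can see how much of the noise never reaches blacklistd. The sample log is constructed: it reuses the four [preauth] lines from the first post and adds failed-password lines from a made-up address, 198.51.100.7.

```shell
#!/bin/sh
# Added example (not from the thread): classify sshd auth.log lines by whether
# sshd would report them to blacklistd.
#   - "Failed ... for ... from <ip>"        -> reported (counts toward the
#     failure threshold in blacklistd.conf, 3 by default for ssh)
#   - "Connection closed by <ip> ... [preauth]" -> not reported (no auth attempt)

# Constructed sample log: the thread's four pre-auth disconnects from 1.2.3.6
# plus three failed password attempts from a made-up address.
SAMPLE_LOG=$(cat <<'EOF'
Nov 20 09:04:52 ant sshd[2434]: Connection closed by 1.2.3.6 port 18304 [preauth]
Nov 20 09:05:31 ant sshd[2443]: Connection closed by 1.2.3.6 port 34965 [preauth]
Nov 20 09:06:10 ant sshd[2445]: Connection closed by 1.2.3.6 port 51638 [preauth]
Nov 20 09:06:49 ant sshd[2457]: Connection closed by 1.2.3.6 port 3902 [preauth]
Nov 20 09:07:02 ant sshd[2460]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Nov 20 09:07:09 ant sshd[2460]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Nov 20 09:07:15 ant sshd[2460]: Failed password for invalid user admin from 198.51.100.7 port 40100 ssh2
Nov 20 09:07:40 ant sshd[2462]: Accepted publickey for ops from 203.0.113.5 port 50022 ssh2
EOF
)

# Print "<ip> <count>" for clients that closed the connection before
# authenticating. sshd never calls into libblacklist for these, so they are
# invisible to blacklistctl dump. Reads stdin.
preauth_closes() {
    awk '/sshd\[[0-9]+\]: Connection closed by .* \[preauth\]$/ {
             for (i = 1; i <= NF; i++) if ($i == "by") c[$(i + 1)]++
         }
         END { for (ip in c) print ip, c[ip] }'
}

# Print "<ip> <count>" for failed authentication attempts, one per
# "Failed <method> for ... from <ip>" line. These are the events sshd reports
# to blacklistd. Reads stdin.
auth_failures() {
    awk '/sshd\[[0-9]+\]: Failed [a-z-]+ for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (ip in c) print ip, c[ip] }'
}

# Filter "<ip> <count>" lines down to addresses at or above a threshold,
# mirroring the failure count column of blacklistd.conf. Usage: over_threshold 3
over_threshold() {
    awk -v t="$1" '$2 >= t { print $1 }'
}

# Usage: show what blacklistd would ban versus what it never sees.
echo "would be banned at threshold 3:"
printf '%s\n' "$SAMPLE_LOG" | auth_failures | over_threshold 3
echo "pre-auth disconnects (never reported to blacklistd):"
printf '%s\n' "$SAMPLE_LOG" | preauth_closes
```

On the sample input 198.51.100.7 crosses the threshold after its third failure and would appear in blacklistctl dump, while 1.2.3.6, with four disconnects, never does. That matches the observation above that a log-scraping tool such as sshguard catches these attempts and blacklistd, by design, does not.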
 