Hello,
I have decided to switch from sshguard to blacklistd(8) and my initial set-up was:
1. enable blacklistd in rc.conf by adding
Code:
blacklistd_enable="YES"
blacklistd_flags="-r -t 900" #to increase observer time period for slow log-ins
2. add anchor to pf.conf
Code:
anchor "blacklistd/*" in on $ext_if
3. changed SSH rule to match with external interface in blacklistd.conf
Code:
vtnet0:ssh stream * * * 3 24h
After reloading all the daemons I expected this kind of activity (from auth.log) to be blocked:
Nov 20 09:04:52 ant sshd[2434]: Connection closed by 1.2.3.6 port 18304 [preauth]
Nov 20 09:05:31 ant sshd[2443]: Connection closed by 1.2.3.6 port 34965 [preauth]
Nov 20 09:06:10 ant sshd[2445]: Connection closed by 1.2.3.6 port 51638 [preauth]
Nov 20 09:06:49 ant sshd[2457]: Connection closed by 1.2.3.6 port 3902 [preauth]
.. but it is not.
blacklistctl dump -a
gives an empty output. What am I missing?