IPFW how to setup sshd+blacklistd+IPFW

I want to set up blacklistd(8) to build a database of all failed login attempts and IPFW to block them.

My FreeBSD version:

11.1-RELEASE-p1

The sshd_config:
Code:
MaxAuthTries 3
UseBlacklist yes
The blacklistd.conf

Code:
[local]
ssh             stream  *       *               *       2       *
The first question is about blacklistd(8):

After running it, no failed login attempt is blocked (blacklistctl dump -b returns nothing). blacklistctl dump returns something like this:
Code:
 address/ma: port id      nfail   last access
  11.11.11.11/32:22           1/2     2017/11/02 12:17:58
The nfail value never reaches the maximum; if I configure 3 in blacklistd.conf, then I get
Code:
11.11.11.11/32:22           2/3     2017/11/02 11:32:10

The second question is how to configure IPFW to use the blacklistd database? I cannot find such information in the IPFW man page.
 
Sorry, I just realized the post should be in the firewall sub-forum; could anybody delete this post?
 
Sorry, I just realized the post should be in the firewall sub-forum; could anybody delete this post?
Just ask a Mod or Admin to move it for you. Please don't create a new post with the same question.
 
The second question is how to configure IPFW to use the blacklistd database? I cannot find such information in the IPFW man page.
Documentation for blacklistd(8) needs some improving. Best is to read /usr/libexec/blacklistd-helper and look how addresses are added/removed. Then create a rule to allow this.
 
Here is a quick reminder to activate blacklistd(8) on your server with IPFW:

Add the following in file /etc/rc.conf
Code:
blacklistd_enable="YES"                # activates blacklistd
sshd_flags="-o UseBlackList=yes"  # instruct sshd to report to blacklistd

Now create an empty file /etc/ipfw-blacklist.rc so that blacklistd(8) knows you want IPFW as your firewall:
Code:
touch /etc/ipfw-blacklist.rc

Now "whitelist" the IP segments you do not want to blacklist by editing file /etc/blacklistd.conf
Code:
10.10.1.0/24     *       *       *       *       *       *

After a while, when needed by blacklistd(8), you will see a rule automatically created at IPFW line 2021 (which is line 2000 + PORT number).
You will also see an IPFW Table 22 created too.
Code:
# see your IPFW rules:
ipfw show

# see your IPFW table rules:
ipfw table all list

# monitor blacklistd internal IP list:
blacklistctl dump -a
 
Hello,
sorry for resurrecting this old thread, but my question fits perfectly here.

I'm running FreeBSD 11.2-RELEASE-p9 and have configured blacklistd with ssh and IPFW as described in this thread.
If I configure ssh to allow password authentication it works fine: After the configured amount of failed login attempts, the IP address gets blocked for the configured time.
But if I configure ssh to only allow pubkey authentication, it doesn't work. Seems to me that a rejected password login attempt to ssh in this case isn't counted as a failed login in regard to blacklist.

From time to time I can see these typical dictionary attacks in my logs using ssh and password authentication. Since I've disabled that, I'm not really afraid of this kind of attack. (I guess I should be pretty safe against brute force ssh attacks, since I only have one user-id allowed for ssh login + pubkey auth only.) Nevertheless I would feel better if such an attacker would simply be blocked for some time via a dynamic IPFW rule - for example it took almost half a day until the last attacker gave up...
Does someone know if it's possible to configure blacklistd to also work in my scenario? Or any other suggestions how to (firewall) block such ssh attacks? (Enabling password authentication in ssh just to have working blacklistd settings is not a good solution, I guess...)

Thanks & Kind Regards,
Fool
 
I created a script which runs from cron every 5 minutes to parse the auth.log file, add offending IPs to an ipfw table, and log them to a file which gets sucked into the table at startup (as I noticed many of the same IPs return again and again -- after 3 years there are 30,935 IPs listed now). I also have a whitelist file to stop the embarrassment of being locked out of my own systems :)
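The approach described in the post above, written out as an added example (this is not the poster's script, nor part of FreeBSD or blacklistd): tally failed sshd logins per source address from auth.log text, skip addresses inside whitelisted networks, and emit the ipfw(8) table commands instead of running them, so the result can be reviewed or appended to the persistence file that is loaded at boot. The log lines are constructed samples in FreeBSD auth.log style using documentation addresses; the threshold, table number (22, following the port-number convention shown earlier in the thread) and the second whitelist network are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's cron script: count failed sshd logins per
# source address, ignore whitelisted networks, and print the ipfw(8) table
# commands rather than executing them.

# Constructed sample log lines in FreeBSD auth.log style; hosts and addresses
# are documentation ranges, not data from the thread.
SAMPLE_LOG='Nov  2 12:17:58 host sshd[1234]: Failed password for root from 203.0.113.5 port 40012 ssh2
Nov  2 12:18:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40012 ssh2
Nov  2 12:18:04 host sshd[1234]: Failed password for root from 203.0.113.5 port 40012 ssh2
Nov  2 12:19:10 host sshd[1240]: Invalid user admin from 203.0.113.7 port 50123
Nov  2 12:19:12 host sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Nov  2 12:20:00 host sshd[1251]: Failed password for invalid user bob from 198.51.100.9 port 33001 ssh2
Nov  2 12:20:03 host sshd[1251]: Failed password for invalid user bob from 198.51.100.9 port 33001 ssh2
Nov  2 12:20:06 host sshd[1251]: Failed password for invalid user bob from 198.51.100.9 port 33001 ssh2
Nov  2 12:21:30 host sshd[1260]: Failed password for alice from 10.10.1.15 port 41000 ssh2
Nov  2 12:21:33 host sshd[1260]: Failed password for alice from 10.10.1.15 port 41000 ssh2
Nov  2 12:21:36 host sshd[1260]: Failed password for alice from 10.10.1.15 port 41000 ssh2
Nov  2 12:21:39 host sshd[1260]: Failed password for alice from 10.10.1.15 port 41000 ssh2
Nov  2 12:22:00 host sshd[1270]: Accepted publickey for alice from 10.10.1.15 port 41100 ssh2'

THRESHOLD=3   # failures before an address is listed (assumed value)
TABLE=22      # ipfw table number; 22 = ssh port, the convention shown in the thread
# 10.10.1.0/24 is the segment whitelisted earlier in the thread; 192.0.2.0/24 is constructed.
WHITELIST="10.10.1.0/24 192.0.2.0/24"

# offenders LOG THRESHOLD WHITELIST
# Prints "ip count" for every non-whitelisted address with >= THRESHOLD failures.
offenders() {
    printf '%s\n' "$1" | awk -v threshold="$2" -v whitelist="$3" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # CIDR membership via integer division, since POSIX awk has no bit operators.
    function in_whitelist(ip,    n, i, cidrs, parts, plen, div) {
        n = split(whitelist, cidrs, " ")
        for (i = 1; i <= n; i++) {
            split(cidrs[i], parts, "/")
            plen = (parts[2] == "") ? 32 : parts[2]
            div = 2 ^ (32 - plen)
            if (int(ip2int(ip) / div) == int(ip2int(parts[1]) / div)) return 1
        }
        return 0
    }
    # Only failure messages count; "Accepted ..." lines never match.
    /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !in_whitelist(ip)) fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' | sort
}

# ipfw_commands LOG THRESHOLD WHITELIST TABLE
# Emits one "ipfw table N add ADDR/32" line per offender, using ipfw(8) table syntax.
ipfw_commands() {
    offenders "$1" "$2" "$3" | while read -r ip count; do
        printf 'ipfw table %s add %s/32\n' "$4" "$ip"
    done
}

# Dry run over the constructed sample: review the commands before applying them.
ipfw_commands "$SAMPLE_LOG" "$THRESHOLD" "$WHITELIST" "$TABLE"
```

On a live system the sample text would be replaced by the recent part of /var/log/auth.log, the printed lines appended to the persistence file the poster mentions, and that file replayed with the same ipfw table commands at boot. Keep the whitelist check in place; it is what prevents locking yourself out from your own management network.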
 
Does someone know if it's possible to configure blacklistd to also work in my scenario?
There's nothing to configure in this respect. Applications need to send signals to blacklistd(8). If the application doesn't signal blacklistd(8) will be unaware of any issues. See libblacklist(3). FreeBSD's sshd(8) has this included.

Or any other suggestions how to (firewall) block such ssh attacks?
I'm still quite fond of security/sshguard. That's still a good alternative. There's also security/py-fail2ban, it has more dependencies but you can easily create new detection rules for it.
 
I'm still quite fond of security/sshguard. That's still a good alternative.
+1 for this.

Been using this for a long time and it always gets the job done. Only need 1 additional table and filter rule to handle the table :)
Code:
sshguard[9281]: Attack from "5.138.223.229" on service 100 with danger 10.
sshguard[9281]: Blocking "5.138.223.229/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
sshguard[9281]: Attack from "61.184.247.8" on service 100 with danger 10.
sshguard[9281]: Attack from "61.184.247.8" on service 100 with danger 10.
sshguard[9281]: Blocking "61.184.247.8/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 12697 secs.)
sshguard[9281]: Attack from "123.169.219.171" on service 100 with danger 10.
sshguard[9281]: Attack from "123.169.219.171" on service 100 with danger 10.
sshguard[9281]: Blocking "123.169.219.171/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
sshguard[9281]: Attack from "139.162.122.110" on service 100 with danger 10.
sshguard[9281]: Attack from "111.7.164.67" on service 100 with danger 10.
 
I guess I'll ask here instead of making a new topic.

How do you delete an entry from the list?

I found this command in a guide that uses pf:
pfctl -a blacklistd/${port} -t port${port} -T delete ${ip}

What's the equivalent command with ipfw?
 