Solved How to unban an IP with blacklistd and pf?

I am playing around with blacklistd, pf and ssh. Besides having some trouble getting it to work, because either the man pages are not useful enough or I cannot read, I just cannot figure out how to remove an IP that blacklistd blocks.

For getting blacklistd working together with pf, I found by chance via googling that I have to use an anchor in pf:

Code:
anchor "blacklistd/*" in on $ext_if
Tbh I do not 100% understand anchors, but from what I've read something like

Code:
pfctl -a "blacklistd/*" -sr
should show me some rule when something is blocked. But -sa or pfctl -sa also do not show me anything useful, even though
Code:
blacklistctl -b
shows me blocked IPs.
blacklistctl apparently doesn't help with removal, even though the ctl seems to be a program to control blacklistd. But apparently it only shows stuff…
So I tried to remove the banned IP with the following

Code:
/usr/libexec/blacklistd-helper rem ssh $banned-ipv6-address 128 22
(It also does not work with IPv4)

But the output is only "pfctl: Table does not exist."

I also cannot find any new tables which blacklistd-helper seems to rely on. But the blocking works.

When I do not put in the port at the end I get an "invalid netmask '/'".

What am I doing wrong? How do I unban an IP if it is necessary?


P.s.: is there already a way to combine exim with blacklistd?
 
I had some problems with the anchor too, the documentation is somewhat fuzzy. I managed to get it working using this:
Code:
anchor "blacklistd" all {
        anchor "22" all {
        }
}
Now you actually get to see the rules:
Code:
root@maelcum:~ # pfctl -sr -a blacklistd
anchor "22" all {
  block drop in quick proto tcp from <port22> to any port = ssh
}

Any variation of
Code:
anchor "blacklistd/*"
just never shows me any rules. Only by explicitly building the anchors does it seem to work. But I'm not sure if this is an issue with blacklistd(8) or PF. It appears to be PF that's not cooperating.
 
That shows me the rules but the blocking does not work any more. blacklistctl shows me the failed IPs but pf doesn't block anymore.
I can tell because I have a test host from which I try to log in. With
Code:
anchor "blacklistd/*"
I didn't get any login prompt anymore. As expected.

With

Code:
anchor "blacklistd" all {
       anchor "22" all {
        }
}

I can see rules but the blocking does not happen anymore (yep, I reloaded my rules)
 
Ha, I have now found the table.

I am using
Code:
anchor "blacklistd/*"

and I am blocking ssh.
Then
Code:
pfctl -a blacklistd/22 -t port22 -T show
shows the table with the blocked IPs.

Thus:
Code:
pfctl -a blacklistd/22 -t port22 -T delete $IP-address
will remove $IP-address from the table and therefore it is unbanned. blacklistctl will still list it but when it fails again, it will also be blocked again.

\o/
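A small script that wraps the two pfctl commands above and also checks whether an address blacklistctl lists as "OK" is really in pf's table (added here as an example, not code from the thread or from blacklistd). It assumes the anchor layout found above: anchor "blacklistd/*", so the port 22 entries live in anchor blacklistd/22, table port22; the sample dump is constructed from the format blacklistctl prints.

```sh
#!/bin/sh
# Added example (not from the thread). Reconciles what blacklistctl believes is blocked
# with what pf actually has in its tables, and unbans one address.
# Assumes the layout the thread found: anchor "blacklistd/*", so port 22 blocks live in
# anchor blacklistd/22, table port22. Set PFCTL=echo to dry-run the pfctl calls.
PFCTL="${PFCTL:-pfctl}"

# Constructed sample of `blacklistctl dump -b` output (IPv6 entry added to exercise the parser).
SAMPLE_DUMP='        address/ma:port   id   nfail   last access
 31.162.236.249/32:22   OK   3/3   2017/10/06 13:23:49
   2001:db8::1/128:22   OK   3/3   2017/10/06 12:48:53
      10.0.0.5/32:22        1/3   2017/10/06 15:03:25'

# Read dump output on stdin; print "address port" for each entry tagged OK,
# i.e. the ones blacklistd thinks are blocked. Works for IPv4 and IPv6 entries.
dump_blocked() {
    while read -r entry status _; do
        [ "$status" = OK ] || continue
        port=${entry##*:}      # text after the last ':' is the port
        addr=${entry%:*}       # drop ':port'
        addr=${addr%/*}        # drop '/mask'
        printf '%s %s\n' "$addr" "$port"
    done
}

# True if pf's table for that port really contains the address.
pf_blocks() {  # pf_blocks <address> <port>
    "$PFCTL" -a "blacklistd/$2" -t "port$2" -T show 2>/dev/null \
        | sed 's/^[[:space:]]*//' | grep -qxF "$1"
}

# Being listed by blacklistctl does not mean pf blocks it: report each OK entry either way.
check() {
    blacklistctl dump -b | dump_blocked | while read -r addr port; do
        if pf_blocks "$addr" "$port"; then echo "blocked in pf:     $addr (port $port)"
        else echo "NOT blocked in pf: $addr (port $port)"; fi
    done
}

# Remove one address from the pf table; blacklistctl will still list it.
unban() {  # unban <address> [port]
    "$PFCTL" -a "blacklistd/${2:-22}" -t "port${2:-22}" -T delete "$1"
}

case "${1:-}" in
    check) check ;;
    unban) unban "$2" "$3" ;;
    sample) printf '%s\n' "$SAMPLE_DUMP" | dump_blocked ;;
esac
```

Run `sh script.sh check` as root to see which listed addresses pf really blocks, and `sh script.sh unban <address> [port]` to drop one from the table.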
 
Thanks for the feedback, I'm going to have another go with blacklistd(8). Your remarks made me wonder if my set up is actually blocking anything. I get quite a lot of brute-force attempts and it looked like it was blocking them. But now I'm not so sure any more. Definitely need to review things.
 
Just because it is listed with blacklistctl doesn't mean that the IPs are blocked. It is confusing to say the least.
 
One thing to consider is that if you restart blacklistd using

Code:
# blacklistctl dump -b
        address/ma:port   id   nfail   last access
 31.162.236.249/32:22   OK   3/3   2017/10/06 13:23:49
  117.146.60.13/32:22   OK   3/3   2017/10/06 12:48:53
   47.92.90.195/32:22   OK   3/3   2017/10/06 15:03:25
   196.27.84.21/32:22   OK   3/3   2017/10/06 15:45:55
188.247.101.124/32:22   OK   3/3   2017/10/06 11:31:08
# service blacklistd restart

Any IP listed with the blacklistd "OK" tag will be blocked again.
 