How to Install Blacklistd on FreeBSD 11.1

August 31, 2019


Introduction

Any service that is connected to the internet is a potential target for brute-force attacks or unwarranted access. There are tools like fail2ban or sshguard, but these are functionally limited because they are only parsing log files. Blacklistd takes a different approach. Modified daemons like SSH are able to connect directly to blacklistd to add new firewall rules.

Step 1: PF (Firewall)

An anchor is a collection of rules and we need one in our PF configuration. To create a minimal ruleset, edit /etc/pf.conf so it looks like this:

set skip on lo0scrub in on vtnet0 all fragment reassembleanchor "blacklistd/*" in on vtnet0block in allpass out all keep stateantispoof for vtnet0 inetpass in quick on vtnet0 inet proto icmp all icmp-type echoreqpass in quick on vtnet0 proto tcp from any to vtnet0 port 22

Now enable PF to start automatically, edit /etc/rc.conf:

pf_enable="YES"pf_rules="/etc/pf.conf"pflog_enable="YES"pflog_logfile="/var/log/pflog"

However, there is one additional thing you might want to do first: test your rules to be sure everything is correct. For this, use the following command:

pfctl -vnf /etc/pf.conf

If this command reports errors, go back and fix those first!

It is a good idea to make sure everything is working as expected by rebooting the server now: shutdown -r now

Step 2: Blacklistd

IP’s are blocked for 24h. This is the default value and can be changed in /etc/blacklistd:

# Blacklist rule# adr/mask:port type    proto   owner           name    nfail   disable[local]ssh             stream  *       *               *       3       24h

Edit /etc/rc.conf to enable Blacklistd:

blacklistd_enable="YES"blacklistd_flags="-r"

Start Blacklistd with the following command: 

service blacklistd start

Step 3: SSH

One last thing we need to do is tell sshd to notify blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file. Now restart SSH with service sshd restart.

Final step

Finally, try logging into your server with an invalid password.

To get all of the blocked IPs use one of the following commands:

blacklistctl dump -bw        address/ma:port id      nfail   last access 150.x.x.x/32:22        OK      3/3     2017/x/x 04:43:03 115.x.x.x/32:22        OK      3/3     2017/x/x 04:45:40  91.x.x.x/32:22        OK      3/3     2017/x/x 07:51:16  54.x.x.x/32:22        OK      3/3     2017/x/x 12:05:57pfctl -a blacklistd/22 -t port22 -T show   54.x.x.x   91.x.x.x  115.x.x.x  150.x.x.x

To remove a blocked IP you must use the command pfctl. For example:

pfctl -a blacklistd/22 -t port22 -T delete <IP>

Note that blacklistctl will still show the IP as blocked! This is normal behavior and will hopefully be removed in future releases.

Want to contribute?

You could earn up to $300 by adding new articles

Submit your article
Suggest an update
Request an article

Leave a Comment

No comments

Subscribe to: Post Comments ( Atom )
Powered by Blogger.