How to Install Blacklistd on FreeBSD 11.1
Introduction
Any service that is connected to the internet is a potential target for brute-force attacks or unauthorized access. There are tools like fail2ban or sshguard, but these are limited because they work only by parsing log files. Blacklistd takes a different approach: modified daemons such as sshd connect directly to blacklistd, which then adds new firewall rules.
Step 1: PF (Firewall)
An anchor is a named collection of rules, and blacklistd needs one in our PF configuration. To create a minimal ruleset, edit /etc/pf.conf so it looks like this:
set skip on lo0
scrub in on vtnet0 all fragment reassemble
anchor "blacklistd/*" in on vtnet0
block in all
pass out all keep state
antispoof for vtnet0 inet
pass in quick on vtnet0 inet proto icmp all icmp-type echoreq
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22
Now enable PF so that it starts automatically by adding the following to /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
Before going further, test your rules to be sure everything is correct. For this, use the following command:
pfctl -vnf /etc/pf.conf
If this command reports errors, go back and fix those first!
It is a good idea to make sure everything is working as expected by rebooting the server now:
shutdown -r now
Step 2: Blacklistd
IPs are blocked for 24h. This is the default value and can be changed in /etc/blacklistd:
# Blacklist rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
Edit /etc/rc.conf to enable Blacklistd:
blacklistd_enable="YES"
blacklistd_flags="-r"
Start Blacklistd with the following command:
service blacklistd start
Step 3: SSH
One last thing we need to do is tell sshd to notify blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file, then restart SSH with service sshd restart.
Final step
Finally, try logging into your server with an invalid password.
To list all of the blocked IPs, use either of the following commands:
blacklistctl dump -bw
        address/ma:port id      nfail   last access
    150.x.x.x/32:22    OK      3/3     2017/x/x 04:43:03
    115.x.x.x/32:22    OK      3/3     2017/x/x 04:45:40
     91.x.x.x/32:22    OK      3/3     2017/x/x 07:51:16
     54.x.x.x/32:22    OK      3/3     2017/x/x 12:05:57
pfctl -a blacklistd/22 -t port22 -T show
   54.x.x.x
   91.x.x.x
   115.x.x.x
   150.x.x.x
To remove a blocked IP you must use the command pfctl. For example:
pfctl -a blacklistd/22 -t port22 -T delete <IP>
Note that blacklistctl will still show the IP as blocked! This is normal behavior and will hopefully be fixed in future releases.
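Because blacklistctl keeps reporting addresses that were deleted from the PF table, it is useful to compare the two views. The following POSIX sh script is an added example, not part of the original article: it parses the output formats shown above and lists addresses that blacklistd still considers blocked but that PF is no longer blocking. The sample outputs and addresses are constructed; on a real host you would pass the output of blacklistctl dump -bw and pfctl -a blacklistd/22 -t port22 -T show instead.

```shell
#!/bin/sh
# Constructed sample standing in for: blacklistctl dump -bw
BLACKLISTCTL_SAMPLE='        address/ma:port id      nfail   last access
    192.0.2.10/32:22    OK      3/3     2017/1/1 04:43:03
    198.51.100.11/32:22 OK      3/3     2017/1/1 04:45:40
    203.0.113.12/32:22  OK      3/3     2017/1/1 07:51:16
    192.0.2.13/32:22    OK      3/3     2017/1/1 12:05:57'

# Constructed sample standing in for: pfctl -a blacklistd/22 -t port22 -T show
# 203.0.113.12 is absent because it was removed with "pfctl ... -T delete".
PF_TABLE_SAMPLE='   192.0.2.13
   198.51.100.11
   192.0.2.10'

# blocked_in_db DUMP PORT: addresses blacklistd lists for PORT (header skipped)
blocked_in_db() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $1 ~ ("/[0-9]+:" port "$") {
            sub(/\/.*$/, "", $1)   # strip "/mask:port", keep the address
            print $1
        }' | sort
}

# stale_entries DUMP PORT PFTABLE: addresses in blacklistd's DB that are not
# in the live PF table, i.e. reported as blocked but no longer enforced
stale_entries() {
    db=$(blocked_in_db "$1" "$2")
    pf=$(printf '%s\n' "$3" | awk 'NF { print $1 }')
    for addr in $db; do
        # -F: fixed string (dots are not regex wildcards); -x: whole line
        printf '%s\n' "$pf" | grep -qxF "$addr" || printf '%s\n' "$addr"
    done
}

# Live usage (hypothetical invocation, requires the real tools on the host):
#   stale_entries "$(blacklistctl dump -bw)" 22 "$(pfctl -a blacklistd/22 -t port22 -T show)"
```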