# Please help with blacklistd.conf



## amnixed (Jan 30, 2017)

Hello,

I have enabled blacklistd(8) but the output of `blacklistctl dump -ad` is empty, even though there are plenty of ssh login attempts in the logs.

```
# ps aux | grep blacklistd
root       1251   0.0  0.0  14740    624  -  Ss   12Jan17     0:13.99 /usr/sbin/blacklistd
```


```
# cat /etc/blacklistd.conf
# $FreeBSD: stable/11/etc/blacklistd.conf 301226 2016-06-02 19:06:04Z lidl $
#
# Blacklist rule
# adr/mask:port   type   proto   owner       name   nfail   disable
[local]
xn0:ssh       stream   *   *       *   3   24h
ftp       stream   *   *       *   3   24h
smtp       stream   *   *       *   3   24h
xn0:submission   stream   *   *       *   3   24h
#6161       stream   tcp6   christos   *   2   10m
*       *   *   *       *   3   60

# adr/mask:port   type   proto   owner       name   nfail   disable
[remote]
#129.168.0.0/16   *   *   *       =   *   *
#6161       =   =   =       =/24   =   =
#*       stream   tcp   *       =   =   =
```

```
# blacklistctl dump -ad
        address/ma:port   id   nfail   last access
```

I expected that blacklistctl(8) should return a number of IP addresses which appear in /var/log/messages as sources of login attempts.

Would you please point out what I am missing?
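The rule format above (adr/mask:port, type, proto, owner, name, nfail, disable) is easy to get subtly wrong, and a malformed line is one reason a rule never fires. As an added example that is not part of the thread or of blacklistd(8), here is a small POSIX sh checker for the `[local]` section: it splits each rule into its seven fields, validates type, proto and nfail, converts the `disable` value (plain seconds or an s/m/h/d suffix, as blacklistd.conf(5) describes) to seconds, and reports anything it cannot parse. The two config writers embed the thread's own `[local]` section and a constructed config with deliberately broken rules; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from blacklistd(8) or from the thread: a sanity
# checker for the [local] section of blacklistd.conf. Field order follows the
# header line in the config: adr/mask:port type proto owner name nfail disable.

# Turn a "disable" value into seconds. blacklistd.conf(5) takes a plain number
# of seconds or a number with an s/m/h/d suffix ("60", "10m", "24h").
# Prints the seconds and returns 0; returns 1 for anything else.
duration_to_seconds() {
    d=$1
    case "$d" in
        ''|*[!0-9smhd]*) return 1 ;;     # empty, or contains a foreign character
    esac
    num=${d%[smhd]}                      # strip one trailing unit letter, if any
    suffix=${d#"$num"}
    case "$num" in
        ''|*[!0-9]*) return 1 ;;         # "h", "2h4", "2hh" and friends
    esac
    case "$suffix" in
        ''|s) echo "$num" ;;
        m)    echo $((num * 60)) ;;
        h)    echo $((num * 3600)) ;;
        d)    echo $((num * 86400)) ;;
    esac
}

# Check one rule line from [local]. Prints "ok on=<iface|*> port=<port>
# nfail=<n> disable=<secs>s" and returns 0, or prints the problem and returns 1.
check_local_rule() {
    set -f                    # no globbing: the "*" wildcard fields stay literal
    set -- $1                 # split the rule into its whitespace-separated fields
    set +f
    if [ $# -ne 7 ]; then
        echo "bad: expected 7 fields, got $# in '$*'"; return 1
    fi
    addr=$1 type=$2 proto=$3 nfail=$6 disable=$7   # owner ($4) and name ($5) are not checked
    case "$type" in
        stream|dgram|'*') ;;
        *) echo "bad: type '$type' in '$*'"; return 1 ;;
    esac
    case "$proto" in
        tcp|tcp6|udp|udp6|'*') ;;
        *) echo "bad: proto '$proto' in '$*'"; return 1 ;;
    esac
    case "$nfail" in
        '*') ;;
        ''|*[!0-9]*) echo "bad: nfail '$nfail' in '$*'"; return 1 ;;
    esac
    case "$disable" in
        '*') secs='*' ;;      # wildcard is reported as-is, not converted
        *) secs=$(duration_to_seconds "$disable") ||
               { echo "bad: disable '$disable' in '$*'"; return 1; } ;;
    esac
    [ "$secs" = '*' ] || secs="${secs}s"
    port=${addr##*:}          # part after the last colon ("xn0:ssh" -> "ssh")
    case "$addr" in
        *:*) where=${addr%:*} ;;   # interface or address/mask prefix
        *)   where='*' ;;
    esac
    echo "ok on=$where port=$port nfail=$nfail disable=$secs"
}

# Run every rule in the [local] section of a file through check_local_rule.
# Returns 1 if any rule is rejected.
check_local_section() {
    status=0 in_local=0
    while IFS= read -r line; do
        case "$line" in
            '#'*)           continue ;;             # comment
            '[local]')      in_local=1; continue ;;
            '['*']')        in_local=0; continue ;; # any other section ends [local]
            *[![:space:]]*) ;;                      # has content
            *)              continue ;;             # blank
        esac
        [ "$in_local" -eq 1 ] || continue
        check_local_rule "$line" || status=1
    done < "$1"
    return "$status"
}

# The [local] section posted in the thread, written to the path given.
write_thread_conf() {
    cat > "$1" <<'EOF'
# adr/mask:port   type   proto   owner       name   nfail   disable
[local]
xn0:ssh       stream   *   *       *   3   24h
ftp       stream   *   *       *   3   24h
smtp       stream   *   *       *   3   24h
xn0:submission   stream   *   *       *   3   24h
#6161       stream   tcp6   christos   *   2   10m
*       *   *   *       *   3   60

[remote]
#129.168.0.0/16   *   *   *       =   *   *
EOF
}

# A constructed config with three deliberately broken rules.
write_broken_conf() {
    cat > "$1" <<'EOF'
[local]
ftp       stream   *   *       *   3
smtp      socket   *   *       *   3   24h
xn0:ssh   stream   *   *       *   3   24x
EOF
}

# Stand-alone demo: the thread's config passes, the broken one is rejected.
conf=$(mktemp -t blcheck.XXXXXX)
write_thread_conf "$conf"
check_local_section "$conf" && echo "thread config: all [local] rules parse"
write_broken_conf "$conf"
check_local_section "$conf" || echo "broken config: rejected as expected"
rm -f "$conf"
```

Run it against the real file with `check_local_section /etc/blacklistd.conf`; a clean parse does not prove a daemon is sending failures to blacklistd, which is the other half of the problem, but it rules out the config as the cause.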


----------



## suntzu00 (Jan 30, 2017)

I don't think ssh has been patched to work with blacklistd. You can find the patches and apply them yourself.


----------



## amnixed (Jan 31, 2017)

Thanks.

What protocol could I try to see if my rules work in blacklistd(8)?


----------



## suntzu00 (Jan 31, 2017)

In 11-Release you can try ftpd and rlogind. In 11-Stable sshd and sendmail have been patched from what I can see. 

https://github.com/freebsd/freebsd/tree/master/contrib/blacklist/diff these are the patches that you need.


----------



## amnixed (Feb 2, 2017)

Well, looks like my /usr/src/secure/usr.sbin/sshd/Makefile is newer:


```
# less /usr/src/secure/usr.sbin/sshd/Makefile
# $FreeBSD: stable/11/secure/usr.sbin/sshd/Makefile 305476 2016-09-06 14:52:14Z lidl $

[...]

.if ${MK_BLACKLIST_SUPPORT} != "no"
CFLAGS+= -DUSE_BLACKLIST -I${SRCTOP}/contrib/blacklist/include
SRCS+=  blacklist.c
LIBADD+= blacklist
LDFLAGS+=-L${LIBBLACKLISTDIR}
.endif
```

Does anyone have blacklistd(8) working?


----------



## DutchDaemon (Oct 13, 2017)

https://blog.cagedmonster.net/configure-blacklistd-under-freebsd/ (sshd)


----------



## SirDice (Oct 17, 2017)

I did have some issues with the anchor on pf.conf, something's not working as it should.


```
anchor "blacklistd/*" in on $ext_if
```
Produces errors:

```
# pfctl -a '*' -sr

anchor "*" in on re0 all {
pfctl: DIOCGETRULES: Invalid argument
}
```


```
anchor "blacklistd" in on $ext_if
```
Doesn't produce errors but stays empty:

```
# pfctl -a '*' -sr
anchor "blacklistd" in on re0 all {
}
```


```
anchor "blacklistd" all {
  anchor "22" all
}
```
This is the only variation that actually seems to work:

```
anchor "blacklistd" all {
  anchor "22" all {
    block drop in quick proto tcp from <port22> to any port = ssh
  }
}
```

I'm sure I'm doing something wrong. Or PF isn't doing what it's supposed to do.


----------



## DutchDaemon (Oct 23, 2017)

```
anchor "blacklistd/*" in on $ext_if
```
`pfctl -a blacklistd/21 -sr`
`pfctl -a blacklistd/22 -sr`

etc


----------



## SirDice (Oct 23, 2017)

Yes, but:

```
To print the main ruleset recursively, specify only `*' as the
             anchor name:

                   # pfctl -a '*' -sr
```

So, in my mind this would imply you always get a full ruleset and all the anchors are printed recursively. Which doesn't seem to work.


----------



## DutchDaemon (Oct 23, 2017)

That has never worked for me, anywhere. Maybe an OpenBSD relic or a regression.

By the way, `pfctl -a 'blacklistd/*' -sr` doesn't work either.


----------



## SirDice (Oct 24, 2017)

DutchDaemon said:


> By the way,  pfctl -a 'blacklistd/*' -sr doesn't work either.


Indeed. But the funny thing is, if you do it like this:

```
anchor "blacklistd" all {
  anchor "22" all
}
```
Then both `pfctl -a '*' -sr` and `pfctl -a 'blacklistd/*' -sr` work as expected.


----------



## DutchDaemon (Oct 25, 2017)

But some of my blacklistd configurations block 21, 22, 25, 465, and 587 in one go. That's going to be a lot of improv


----------



## SirDice (Oct 25, 2017)

Yeah, but I'm really only using the sshd(8) one. So for me it's not that bad. But I'm wondering if this is a bug in PF though, maybe some of the rules don't link up properly or there's some other inconsistency in the way anchors are linked into the ruleset.


----------

