Any service that is connected to the internet is a potential target for brute-force attacks or unwarranted access. There are tools like
sshguard, but these are functionally limited because they are only parsing log files. Blacklistd takes a different approach. Modified daemons like SSH are able to connect directly to blacklistd to add new firewall rules.
An anchor is a collection of rules and we need one in our PF configuration. To create a minimal ruleset, edit
/etc/pf.conf so it looks like this:
set skip on lo0 scrub in on vtnet0 all fragment reassemble anchor "blacklistd/*" in on vtnet0 block in all pass out all keep state antispoof for vtnet0 inet pass in quick on vtnet0 inet proto icmp all icmp-type echoreq pass in quick on vtnet0 proto tcp from any to vtnet0 port 22
PF to start automatically, edit /etc/rc.conf:
pf_enable="YES" pf_rules="/etc/pf.conf" pflog_enable="YES" pflog_logfile="/var/log/pflog"
However, there is one additional thing you might want to do first: test your rules to be sure everything is correct. For this, use the following command:
pfctl -vnf /etc/pf.conf
If this command reports errors, go back and fix those first!
It is a good idea to make sure everything is working as expected by rebooting the server now:
shutdown -r now
IP's are blocked for 24h. This is the default value and can be changed in
# Block list rule # adr/mask:port type proto owner name nfail disable [local] ssh stream * * * 3 24h
/etc/rc.conf to enable Blacklistd:
Start Blacklistd with the following command:
service blacklistd start
One last thing we need to do is tell
sshd to notify
UseBlacklist yes to your
/etc/ssh/sshd_config file. Now restart SSH with
service sshd restart.
Finally, try logging into your server with an invalid password.
To get all of the blocked IPs use one of the following commands:
blacklistctl dump -bw address/ma:port id nfail last access 150.x.x.x/32:22 OK 3/3 2017/x/x 04:43:03 115.x.x.x/32:22 OK 3/3 2017/x/x 04:45:40 91.x.x.x/32:22 OK 3/3 2017/x/x 07:51:16 54.x.x.x/32:22 OK 3/3 2017/x/x 12:05:57 pfctl -a blacklistd/22 -t port22 -T show 54.x.x.x 91.x.x.x 115.x.x.x 150.x.x.x
To remove a blocked IP you must use the command
pfctl. For example:
pfctl -a blacklistd/22 -t port22 -T delete <IP>
blacklistctl will still show the IP as blocked! This is normal behavior and will hopefully be removed in future releases.