How to Install Blacklistd on FreeBSD 11.1

Last Updated: Fri, Aug 25, 2017
BSD Security Server Apps
Archived content

This article is outdated and may not work correctly for current operating systems or software.

Introduction

Any service that is reachable from the internet is a potential target for brute-force login attempts. Tools such as fail2ban or sshguard address this, but they work by parsing log files, so they react after the fact and depend on the log format of each service. Blacklistd takes a different approach: daemons that support it, such as FreeBSD's sshd, report each failed login directly to blacklistd over a local socket, and once a configurable number of failures is reached blacklistd adds a firewall rule (through its helper script, which drives PF in this setup) to block the offending address.

Step 1: PF (Firewall)

Blacklistd installs its block rules into PF anchors named blacklistd/<port>, so the main ruleset needs an anchor that pulls them in. Create a minimal ruleset by editing /etc/pf.conf so it looks like this (vtnet0 is the network interface on Vultr instances; substitute yours):

set skip on lo0
scrub in on vtnet0 all fragment reassemble

anchor "blacklistd/*" in on vtnet0

block in all
pass out all keep state
antispoof for vtnet0 inet

pass in quick on vtnet0 inet proto icmp all icmp-type echoreq
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22

Keep the anchor line above the pass in quick rules. A quick rule ends evaluation as soon as it matches, so if the pass rule for port 22 came first, the block rules blacklistd adds inside the anchor would never be consulted and nothing would be blocked.

Now enable PF at boot by adding the following to /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

Before rebooting, test the ruleset. The following command parses /etc/pf.conf and prints the rules it would load, without activating them:

pfctl -vnf /etc/pf.conf

If it reports errors, go back and fix those first. Also double-check that the pass rule matches the port sshd actually listens on: with block in all in place, a wrong port locks you out and you will need the console to recover.

Then reboot to make sure everything comes up as expected: shutdown -r now

Step 2: Blacklistd

Blacklistd's rules live in /etc/blacklistd.conf. The default entry for ssh blocks an address for 24 hours once three login attempts have failed; adjust the nfail and disable columns to change the threshold and the block duration:

# Block list rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h

Enable blacklistd in /etc/rc.conf. The -r flag makes blacklistd re-read its database and re-install the firewall rules on startup, so existing blocks survive a reboot (PF otherwise comes up with only the rules from /etc/pf.conf):

blacklistd_enable="YES"
blacklistd_flags="-r"

Start blacklistd now with the following command:

service blacklistd start

Step 3: SSH

The last thing to do is tell sshd to report failed logins to blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file (UseBlacklist is a FreeBSD addition to sshd, not an upstream OpenSSH option), then restart sshd with service sshd restart.
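The three steps above as one script, added here as an example; it is not from the original article and not part of FreeBSD's blacklistd tooling. It renders the pf.conf and blacklistd.conf fragments shown above, checks the anchor-before-pass ordering that blacklistd depends on, and only when invoked with the argument apply writes the files, enables the services with sysrc, and validates sshd_config with sshd -t before restarting sshd. Assumptions: the interface is vtnet0 unless IFACE is set, sshd listens on port 22, and the ruleset is otherwise exactly the one in the article.

```shell
#!/bin/sh
# Added example (not from the article or from FreeBSD): render, check and
# optionally apply the pf / blacklistd / sshd configuration described above.
# Assumptions: interface vtnet0 unless $IFACE is set; sshd on port 22.
set -u

# Minimal ruleset from the article with the interface parameterised.
render_pf_conf() {
    iface="$1"
    cat <<EOF
set skip on lo0
scrub in on $iface all fragment reassemble

# blacklistd-helper loads its block rules into anchors under blacklistd/;
# this line must stay above the "pass in quick" rules further down.
anchor "blacklistd/*" in on $iface

block in all
pass out all keep state
antispoof for $iface inet

pass in quick on $iface inet proto icmp all icmp-type echoreq
pass in quick on $iface proto tcp from any to $iface port 22
EOF
}

# Rule-order check, reads a ruleset on stdin. If "pass in quick ... port 22"
# is evaluated before the anchor, the quick pass rule matches first and the
# block rules blacklistd adds inside the anchor are never reached: blacklistctl
# would still list the address, but nothing is actually blocked.
check_anchor_order() {
    awk '
        /^[[:space:]]*anchor[[:space:]]+"blacklistd\/\*"/ && !a { a = NR }
        /^[[:space:]]*pass[[:space:]]+in[[:space:]]+quick.*port[[:space:]]+22([[:space:]]|$)/ && !p { p = NR }
        END {
            if (!a) { print "no blacklistd anchor in ruleset"; exit 1 }
            if (p && p < a) { print "anchor (line " a ") is below the port 22 pass rule (line " p ")"; exit 1 }
            print "anchor order ok"
        }'
}

# /etc/blacklistd.conf entry from the article: block after $1 failures for $2.
render_blacklistd_conf() {
    nfail="${1:-3}"
    disable="${2:-24h}"
    cat <<EOF
# Block list rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       $nfail       $disable
EOF
}

# Step 1: write and validate the ruleset, enable pf at boot. The article
# reboots after this so pf comes up cleanly; do the same before step 2.
apply_pf() {
    iface="${IFACE:-vtnet0}"
    render_pf_conf "$iface" | check_anchor_order
    render_pf_conf "$iface" > /etc/pf.conf
    pfctl -vnf /etc/pf.conf      # parse only; a broken ruleset stops here
    sysrc pf_enable=YES pf_rules=/etc/pf.conf pflog_enable=YES pflog_logfile=/var/log/pflog
    echo "pf configured; reboot (shutdown -r now) before running: $0 apply-blacklistd"
}

# Steps 2 and 3: blacklistd with -r (re-install rules from its db at start),
# then make sshd report failures. sshd -t validates the config before the
# restart so a typo cannot lock you out.
apply_blacklistd() {
    render_blacklistd_conf 3 24h > /etc/blacklistd.conf
    sysrc blacklistd_enable=YES blacklistd_flags=-r
    service blacklistd start
    grep -q '^UseBlacklist' /etc/ssh/sshd_config || echo 'UseBlacklist yes' >> /etc/ssh/sshd_config
    sshd -t && service sshd restart
}

case "${1:-}" in
    apply)            apply_pf ;;
    apply-blacklistd) apply_blacklistd ;;
    *)                render_pf_conf "${IFACE:-vtnet0}" | check_anchor_order ;;
esac
```

Run without arguments it only renders the ruleset and reports whether the anchor ordering is correct; the apply and apply-blacklistd modes touch the system and need root.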

Final step

Finally, test it: from a different host (so you do not lock out the one you are working from), try logging in with a wrong password until the nfail threshold is reached.

To list the blocked addresses, use either of the following commands. The first queries blacklistd's own database, the second shows the PF table the helper maintains for port 22:

blacklistctl dump -bw
        address/ma:port id      nfail   last access
 150.x.x.x/32:22        OK      3/3     2017/x/x 04:43:03
 115.x.x.x/32:22        OK      3/3     2017/x/x 04:45:40
  91.x.x.x/32:22        OK      3/3     2017/x/x 07:51:16
  54.x.x.x/32:22        OK      3/3     2017/x/x 12:05:57

pfctl -a blacklistd/22 -t port22 -T show
   54.x.x.x
   91.x.x.x
  115.x.x.x
  150.x.x.x

To unblock an address before its timeout expires, remove it from the PF table with pfctl. For example:

pfctl -a blacklistd/22 -t port22 -T delete <IP>

Note that blacklistctl will still list the address as blocked: blacklistd keeps its own record of the block and does not notice the manual removal, so the two views disagree until the entry expires. This is normal behaviour in this release and will hopefully change in future releases.
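Because blacklistd's database and the PF table can drift apart as described above, it is worth comparing the two views. The following script is an added example, not from the article and not part of blacklistd: it parses blacklistctl dump -b output and the pf table, prints addresses that only one side knows about, and generates the pfctl delete command for a given address. The sample outputs embedded in it are constructed for the example (documentation address ranges) in the column layout blacklistctl uses; on a live host replace them with the real command output.

```shell
#!/bin/sh
# Added example (not from the article or from blacklistd): reconcile the
# addresses blacklistd believes are blocked with the pf table that actually
# enforces the block. Sample data below is constructed, not from a real host.
set -u
LC_ALL=C; export LC_ALL      # sort and comm must use the same collation

# Addresses from "blacklistctl dump -b" on stdin, one per line, sorted.
# Only IPv4 entries of the form a.b.c.d/mask:port are picked out; the header
# line and anything else is ignored.
blacklistd_addrs() {
    awk '$1 ~ /^[0-9.]+\/[0-9]+:[0-9]+$/ { split($1, f, "/"); print f[1] }' | sort -u
}

# Addresses from "pfctl -a blacklistd/22 -t port22 -T show" on stdin, sorted.
pf_addrs() {
    awk 'NF { print $1 }' | sort -u
}

# $1: file holding blacklistctl output, $2: file holding the pf table.
# Prints "db-only ADDR" for entries blacklistd lists but pf no longer blocks
# (stale after a manual pfctl delete) and "pf-only ADDR" for table entries
# blacklistd does not know about (added by hand or left from an old database).
reconcile_blocks() {
    db=$(mktemp); tbl=$(mktemp)
    blacklistd_addrs < "$1" > "$db"
    pf_addrs < "$2" > "$tbl"
    comm -23 "$db" "$tbl" | sed 's/^/db-only /'
    comm -13 "$db" "$tbl" | sed 's/^/pf-only /'
    rm -f "$db" "$tbl"
}

# The pfctl invocation from the article that removes one address from the
# blacklistd anchor for port $2 (default 22); printed, not run, for review.
unblock_cmd() {
    port="${2:-22}"
    printf 'pfctl -a blacklistd/%s -t port%s -T delete %s\n' "$port" "$port" "$1"
}

# Constructed sample data in the layout of "blacklistctl dump -b" and of the
# pf table listing; 203.0.113.5 was deleted from pf by hand, 203.0.113.99 was
# added to the table by hand.
DUMP_SAMPLE='        address/ma:port id      nfail   last access
 192.0.2.10/32:22       OK      3/3     2017/08/25 04:43:03
 198.51.100.7/32:22     OK      3/3     2017/08/25 04:45:40
 203.0.113.5/32:22      OK      3/3     2017/08/25 07:51:16'
PF_TABLE_SAMPLE='   192.0.2.10
   198.51.100.7
   203.0.113.99'

# Runs the reconciliation over the samples. On a live host, feed the real
# output of blacklistctl dump -b and pfctl ... -T show into the two files.
demo_reconcile() {
    d=$(mktemp); p=$(mktemp)
    printf '%s\n' "$DUMP_SAMPLE" > "$d"
    printf '%s\n' "$PF_TABLE_SAMPLE" > "$p"
    reconcile_blocks "$d" "$p"
    rm -f "$d" "$p"
}

demo_reconcile
```

With the sample data the script reports 203.0.113.5 as db-only (blacklistd still lists it, pf no longer blocks it) and 203.0.113.99 as pf-only; a db-only entry is exactly the state the article describes after a manual pfctl delete.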
