This article is outdated and may not work correctly for current operating systems or software.
Any service that is connected to the internet is a potential target for brute-force attacks or unwarranted access. There are tools like fail2ban or sshguard, but these are functionally limited because they are only parsing log files. Blacklistd takes a different approach. Modified daemons like SSH are able to connect directly to blacklistd to add new firewall rules.
An anchor is a collection of rules and we need one in our PF configuration. To create a minimal ruleset, edit /etc/pf.conf so it looks like this:
set skip on lo0
scrub in on vtnet0 all fragment reassemble
anchor "blacklistd/*" in on vtnet0
block in all
pass out all keep state
antispoof for vtnet0 inet
pass in quick on vtnet0 inet proto icmp all icmp-type echoreq
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22
Now enable PF to start automatically, edit /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
However, there is one additional thing you might want to do first: test your rules to be sure everything is correct. For this, use the following command:
pfctl -vnf /etc/pf.conf
If this command reports errors, go back and fix those first!
It is a good idea to make sure everything is working as expected by rebooting the server now: shutdown -r now
IP's are blocked for 24h. This is the default value and can be changed in /etc/blacklistd:
# Block list rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
Edit /etc/rc.conf to enable Blacklistd:
blacklistd_enable="YES"
blacklistd_flags="-r"
Start Blacklistd with the following command:
service blacklistd start
One last thing we need to do is tell sshd to notify blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file. Now restart SSH with service sshd restart.
Finally, try logging into your server with an invalid password.
To get all of the blocked IPs use one of the following commands:
blacklistctl dump -bw
address/ma:port id nfail last access
150.x.x.x/32:22 OK 3/3 2017/x/x 04:43:03
115.x.x.x/32:22 OK 3/3 2017/x/x 04:45:40
91.x.x.x/32:22 OK 3/3 2017/x/x 07:51:16
54.x.x.x/32:22 OK 3/3 2017/x/x 12:05:57
pfctl -a blacklistd/22 -t port22 -T show
54.x.x.x
91.x.x.x
115.x.x.x
150.x.x.x
To remove a blocked IP you must use the command pfctl. For example:
pfctl -a blacklistd/22 -t port22 -T delete <IP>
Note that blacklistctl will still show the IP as blocked! This is normal behavior and will hopefully be removed in future releases.