Date: Wed, 15 Nov 2017 20:02:29 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Cos Chan <rosettas@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>, Michael Ross <gmx@ross.cx>, Kurt Lidl <lidl@freebsd.org>
Subject: Re: How to setup IPFW working with blacklistd
Message-ID: <20171115192830.R72828@sola.nimnet.asn.au>
In-Reply-To: <CAKV+xLD_KE938JnmjDE=CmfZ7bOJ1CaqvWuQ+0jDzQNWM+6yLg@mail.gmail.com>
References: <mailman.87.1509969603.28633.freebsd-questions@freebsd.org>
 <20171106235944.U9710@sola.nimnet.asn.au>
 <CAKV+xLCizjt5M+mJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY+4A@mail.gmail.com>
 <20171107033226.M9710@sola.nimnet.asn.au>
 <CAKV+xLBWgU6zmc7tQNA=0+=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com>
 <20171107162914.G9710@sola.nimnet.asn.au>
 <CAKV+xLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com>
 <20171108012948.A9710@sola.nimnet.asn.au>
 <CAKV+xLCQ9NE6+Eg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com>
 <CAKV+xLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N+TBjybMQ@mail.gmail.com>
 <20171111213759.I72828@sola.nimnet.asn.au>
 <CAKV+xLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi+x483=A@mail.gmail.com>
 <CAKV+xLAt4Ciqmg2w1iJK42jq6f+numASKMQ=UL6dT+CdGYujVQ@mail.gmail.com>
 <CAKV+xLD_KE938JnmjDE=CmfZ7bOJ1CaqvWuQ+0jDzQNWM+6yLg@mail.gmail.com>
On Tue, 14 Nov 2017 15:38:51 +0100, Cos Chan wrote:
> On Tue, Nov 14, 2017 at 9:31 AM, Cos Chan <rosettas@gmail.com> wrote:
> >
> > On Mon, Nov 13, 2017 at 3:17 PM, Cos Chan <rosettas@gmail.com> wrote:
> >> here is one strange record:
> >>
> >> $ sudo blacklistctl dump -b | grep 1662
> >> 193.201.224.218/32:22 OK 1662/1 2017/11/13 00:31:04
> >>
> >> This IP was blocked in ipfw from last week. When I checked it last week
> >> Friday it was 800+/1 in blacklist and until today it became 1662.
> >>
> >> To my knowledge the ipfw should block the connection, the times of banned
> >> IP should not be increased?

Have you added blacklistd_flags="-r" to /etc/rc.conf? And are you using
'service blacklistd start' to control it? If otherwise, are you always
starting blacklistd with the -r switch? Be explicit.

If not, a fresh run of blacklistd should NOT try to remove and re-add each
of its blocked addresses, and if ipfw has been restarted, that address will
NOT be in its table of addresses to block. Might that explain what you're
seeing? Whenever in doubt, just run 'ipfw table \(port22\) list'.

Also, when listing ipfw rules, it's helpful to use 'ipfw -t show' which
shows all rules with their packet and byte counters, plus the date last
used for each rule. Or even just 'ipfw -t show 4022' or whatever.
> >> I could see more entries with more than 3/1, for example:
> >>
> >> 89.160.221.132/32:22 OK 18/1 2017/11/13 00:01:21
> >> 60.125.42.119/32:22 OK 3/1 2017/11/12 16:13:53
> >> 166.62.35.180/32:22 OK 3/1 2017/11/10 06:36:25
> >> 202.162.221.51/32:22 OK 6/1 2017/11/10 00:42:14
> >> 168.0.114.130/32:22 OK 3/1 2017/11/10 23:40:30
> >> 95.145.71.165/32:22 OK 3/1 2017/11/11 07:07:07
> >> 123.161.206.210/32:22 OK 3/1 2017/11/12 18:14:00
> >> 203.146.208.208/32:22 OK 6/1 2017/11/10 10:16:21
> >> 149.56.223.241/32:22 OK 1/1 2017/11/12 06:09:16
> >> 121.169.217.98/32:22 OK 9/1 2017/11/12 21:59:57
> >> 211.251.237.162/32:22 OK 2/1 2017/11/13 12:08:07
> >> 103.99.0.116/32:22 OK 30/1 2017/11/10 14:56:07
> >>
> >> These records I am not sure if they were not increased after being added
> >> to the ipfw list, but the 1662 times one, I am sure it was increased after
> >> ipfw had the IP in the list.

But perhaps ipfw was restarted, and lost either the rule or the table?
Remember, ipfw does not keep its tables between runs, without scripting.
> > add the ipfw rules:
> >
> > $ sudo ipfw list
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from any to ::1
> > 00500 deny ip from ::1 to any
> > 00600 allow ipv6-icmp from :: to ff02::/16
> > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> > 02022 deny tcp from table(port22) to any dst-port 22
> > 65000 allow ip from any to any
> > 65535 deny ip from any to any
>
> more logs might be useful:
>
> $ sudo tail security
> Nov 14 15:09:07 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920
> 192.168.11.15:22 in via em0
> Nov 14 15:09:21 res kernel: ipfw: 2022 Deny TCP 123.125.203.196:6920
> 192.168.11.15:22 in via em0
> Nov 14 15:10:11 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920
> 192.168.11.15:22 in via em0
> Nov 14 15:10:33 res kernel: ipfw: 2022 Deny TCP 83.12.107.106:6920
> 192.168.11.15:22 in via em0
> Nov 14 15:11:08 res last message repeated 15 times
> Nov 14 15:12:32 res last message repeated 4 times
> Nov 14 15:21:10 res kernel: ipfw: 2022 Deny TCP 201.147.183.55:60299
> 192.168.11.15:22 in via em0
> Nov 14 15:21:17 res last message repeated 3 times
> Nov 14 15:25:38 res kernel: ipfw: 2022 Deny TCP 105.226.55.239:48315
> 192.168.11.15:22 in via em0
> Nov 14 15:26:18 res last message repeated 12 times

Well yes, that shows those addresses being blocked, on successive connection
attempts, at that time.

However ipfw only logs rules to /var/log/security that contain the 'log'
keyword, so you presumably MUST have added that, making the rule be:

02022 deny log tcp from table(port22) to any dst-port 22

---

If you didn't do that - in blacklistd-helper? or manually? - then ipfw in
11.1 is severely broken .. please do say when you change conditions.
> $ sudo tail auth.log
> Nov 14 15:07:24 res sshd[9029]: input_userauth_request: invalid user admin
> [preauth]
> Nov 14 15:10:33 res sshd[9052]: Invalid user omni from 83.12.107.106
> Nov 14 15:10:33 res sshd[9052]: input_userauth_request: invalid user omni
> [preauth]
> Nov 14 15:25:37 res sshd[9144]: reverse mapping checking getaddrinfo for
> 105-226-55-239.south.dsl.telkomsa.net [105.226.55.239] failed - POSSIBLE
> BREAK-IN ATTEMPT!
> Nov 14 15:25:37 res sshd[9144]: Invalid user admin from 105.226.55.239
> Nov 14 15:25:37 res sshd[9144]: input_userauth_request: invalid user admin
> [preauth]

That one is different .. and seems to have been added to ipfw table as
above .. but we can't see what blacklistctl reports for it. Confusing.
Might that have been reported as ABUSIVE? No matching blacklistd.log?

> Nov 14 15:26:08 res sshd[9152]: Received disconnect from 121.18.238.123
> port 42391:11: [preauth]
> Nov 14 15:26:08 res sshd[9152]: Disconnected from 121.18.238.123 port 42391
> [preauth]
>
> The IP 105.226.55.239 looks like it was banned by IPFW, but still connected
> to sshd?

No, it was first logged as denied from 15:25:38, after sshd reported it.

Hope that helps.

cheers, Ian
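A check in the spirit of Ian's "whenever in doubt, run 'ipfw table \(port22\) list'": the script below is added here, not from the thread or from blacklistd, and compares the output of 'blacklistctl dump -b' with the output of 'ipfw table port22 list', printing every address blacklistd believes is blocked but which ipfw's table no longer holds (the state a climbing 1662/1 counter points at after an ipfw restart). Both inputs are constructed samples in the formats shown in the thread; the table name port22 is taken from rule 02022.

```shell
#!/bin/sh
# Detect blacklistd/ipfw drift: addresses blacklistd has marked blocked
# ("OK" column of 'blacklistctl dump -b') that are missing from the ipfw
# table the deny rule references. Such drift means the deny rule is a
# no-op for those addresses, which is why their failure counts keep rising.

# Constructed sample of 'blacklistctl dump -b' output (not a live capture).
SAMPLE_BLACKLIST='193.201.224.218/32:22 OK 1662/1 2017/11/13 00:31:04
89.160.221.132/32:22 OK 18/1 2017/11/13 00:01:21
60.125.42.119/32:22 OK 3/1 2017/11/12 16:13:53'

# Constructed sample of 'ipfw table port22 list' output: one "addr/len value"
# per line. The first blacklisted address above is deliberately absent.
SAMPLE_TABLE='89.160.221.132/32 0
60.125.42.119/32 0'

# missing_from_ipfw DUMP_TEXT TABLE_TEXT
# Prints, one per line, every address/len that blacklistd reports as blocked
# ("OK") but that does not appear as the first field of any table line.
missing_from_ipfw() {
    dump=$1
    table=$2
    # Keep only "OK" records and strip the ":port" suffix from the address.
    printf '%s\n' "$dump" | awk '$2 == "OK" { sub(/:[0-9]+$/, "", $1); print $1 }' |
    while IFS= read -r addr; do
        # awk exits 0 when the address is found in the table, 1 otherwise.
        printf '%s\n' "$table" |
            awk -v a="$addr" '$1 == a { found = 1 } END { exit !found }' ||
            printf '%s\n' "$addr"
    done
}

# Stand-alone run on the constructed samples; on a real host replace the
# two arguments with "$(blacklistctl dump -b)" and "$(ipfw table port22 list)".
missing_from_ipfw "$SAMPLE_BLACKLIST" "$SAMPLE_TABLE"
```

Any address this prints is one blacklistd will keep counting against while ipfw lets it through, which is the symptom described above; re-adding it to the table (or starting blacklistd with -r) closes the gap.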
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20171115192830.R72828>