From: Cos Chan
Date: Wed, 15 Nov 2017 12:46:39 +0100
Subject: Re: How to setup IPFW working with blacklistd
To: Ian Smith
Cc: freebsd-questions, Michael Ross, Kurt Lidl
In-Reply-To: <20171115192830.R72828@sola.nimnet.asn.au>
List-Id: freebsd-questions@freebsd.org

On Wed, Nov 15, 2017 at 10:02 AM, Ian Smith wrote:

> On Tue, 14 Nov 2017 15:38:51 +0100, Cos Chan wrote:
>
> > On Tue, Nov 14, 2017 at 9:31 AM, Cos Chan wrote:
> >
> > > On Mon, Nov 13, 2017 at 3:17 PM, Cos Chan wrote:
> > >
> > >> here is one strange record:
> > >>
> > >> $ sudo blacklistctl dump -b | grep 1662
> > >> 193.201.224.218/32:22 OK 1662/1 2017/11/13 00:31:04
> > >>
> > >> This IP has been blocked in ipfw since last week. When I checked it
> > >> last Friday it was 800+/1 in the blacklist, and today it has become 1662.
> > >>
> > >> To my knowledge ipfw should block the connection, so the count for a
> > >> banned IP should not increase?
>
> Have you added blacklistd_flags="-r" to /etc/rc.conf? And are you
> using 'service blacklistd start' to control it? If otherwise, are
> you always starting blacklistd with the -r switch? Be explicit.

Yes: blacklistd_flags="-r" in /etc/rc.conf, and 'service blacklistd start'.

> If not, a fresh run of blacklistd should NOT try to remove and re-add
> each of its blocked addresses, and if ipfw has been restarted, that
> address will NOT be in its table of addresses to block. Might that
> explain what you're seeing?
>
> Whenever in doubt, just run 'ipfw table \(port22\) list'. Also, when
> listing ipfw rules, it's helpful to use 'ipfw -t show' which shows all
> rules with their packet and byte counters, plus the date last used for
> each rule. Or even just 'ipfw -t show 4022' or whatever.

$ sudo ipfw -t show 02022
02022 204 19920 Wed Nov 15 12:41:36 2017 deny log tcp from table(port22) to any dst-port 22

> > >> I could see more entries with more than 3/1, for example:
> > >>
> > >> 89.160.221.132/32:22 OK 18/1 2017/11/13 00:01:21
> > >> 60.125.42.119/32:22 OK 3/1 2017/11/12 16:13:53
> > >> 166.62.35.180/32:22 OK 3/1 2017/11/10 06:36:25
> > >> 202.162.221.51/32:22 OK 6/1 2017/11/10 00:42:14
> > >> 168.0.114.130/32:22 OK 3/1 2017/11/10 23:40:30
> > >> 95.145.71.165/32:22 OK 3/1 2017/11/11 07:07:07
> > >> 123.161.206.210/32:22 OK 3/1 2017/11/12 18:14:00
> > >> 203.146.208.208/32:22 OK 6/1 2017/11/10 10:16:21
> > >> 149.56.223.241/32:22 OK 1/1 2017/11/12 06:09:16
> > >> 121.169.217.98/32:22 OK 9/1 2017/11/12 21:59:57
> > >> 211.251.237.162/32:22 OK 2/1 2017/11/13 12:08:07
> > >> 103.99.0.116/32:22 OK 30/1 2017/11/10 14:56:07
> > >>
> > >> For these records I am not sure whether they increased after being
> > >> added to the ipfw list, but for the 1662 one I am sure it increased
> > >> after ipfw had the IP in the list.
>
> But perhaps ipfw was restarted, and lost either the rule or the table?
> Remember, ipfw does not keep its tables between runs, without scripting.

To explain to Kurt: this concerns the issue of the failure count increasing after the rule was in the ipfw list.

Just caught a "fresh" log:

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
94.23.73.97/32:22       OK      2/2     2017/11/15 11:58:11
123.59.135.58/32:22     OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      2/2     2017/11/15 12:13:42

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
94.23.73.97/32:22       OK      2/2     2017/11/15 11:58:11
123.59.135.58/32:22     OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      3/2     2017/11/15 12:15:40

IPFW log:

Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times

Based on the log, I assume ipfw was not restarted (since no new rule was added?) and banned the IP 132.148.128.234 properly? In case I am right, the question is why the number increased from 2/2 to 3/2.

blacklistd.log:

Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds

blacklistd-helper.log:

Wed Nov 15 12:13:42 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run rem blacklistd tcp 132.148.128.234 32 22 OK
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22

ipfw list:

$ sudo ipfw table port22 list
--- table(port22), set(0) ---
...
132.148.128.234/32 0
...

> > > add the ipfw rules:
> > >
> > > $ sudo ipfw list
> > > 00100 allow ip from any to any via lo0
> > > 00200 deny ip from any to 127.0.0.0/8
> > > 00300 deny ip from 127.0.0.0/8 to any
> > > 00400 deny ip from any to ::1
> > > 00500 deny ip from ::1 to any
> > > 00600 allow ipv6-icmp from :: to ff02::/16
> > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> > > 02022 deny tcp from table(port22) to any dst-port 22
> > > 65000 allow ip from any to any
> > > 65535 deny ip from any to any
>
> > the more logs might be useful:
> >
> > $ sudo tail security
> > Nov 14 15:09:07 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
> > Nov 14 15:09:21 res kernel: ipfw: 2022 Deny TCP 123.125.203.196:6920 192.168.11.15:22 in via em0
> > Nov 14 15:10:11 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
> > Nov 14 15:10:33 res kernel: ipfw: 2022 Deny TCP 83.12.107.106:6920 192.168.11.15:22 in via em0
> > Nov 14 15:11:08 res last message repeated 15 times
> > Nov 14 15:12:32 res last message repeated 4 times
> > Nov 14 15:21:10 res kernel: ipfw: 2022 Deny TCP 201.147.183.55:60299 192.168.11.15:22 in via em0
> > Nov 14 15:21:17 res last message repeated 3 times
>
> > Nov 14 15:25:38 res kernel: ipfw: 2022 Deny TCP 105.226.55.239:48315 192.168.11.15:22 in via em0
> > Nov 14 15:26:18 res last message repeated 12 times
>
> Well yes, that shows those addresses being blocked, on successive
> connection attempts, at that time.
>
> However ipfw only logs rules to /var/log/security that contain the 'log'
> keyword, so you presumably MUST have added that, making the rule be:
>
> 02022 deny log tcp from table(port22) to any dst-port 22
> ---
>
> If you didn't do that - in blacklistd-helper? or manually? - then ipfw
> in 11.1 is severely broken .. please do say when you change conditions.

Yes, I added "02022 deny log tcp from table(port22) to any dst-port 22" manually.

> > $ sudo tail auth.log
> > Nov 14 15:07:24 res sshd[9029]: input_userauth_request: invalid user admin [preauth]
>
> > Nov 14 15:10:33 res sshd[9052]: Invalid user omni from 83.12.107.106
> > Nov 14 15:10:33 res sshd[9052]: input_userauth_request: invalid user omni [preauth]
>
> > Nov 14 15:25:37 res sshd[9144]: reverse mapping checking getaddrinfo for 105-226-55-239.south.dsl.telkomsa.net [105.226.55.239] failed - POSSIBLE BREAK-IN ATTEMPT!
> > Nov 14 15:25:37 res sshd[9144]: Invalid user admin from 105.226.55.239
> > Nov 14 15:25:37 res sshd[9144]: input_userauth_request: invalid user admin [preauth]
>
> That one is different .. and seems to have been added to ipfw table as
> above .. but we can't see what blacklistctl reports for it. Confusing.
>
> Might that have been reported as ABUSIVE? No matching blacklistd.log?
>
> > Nov 14 15:26:08 res sshd[9152]: Received disconnect from 121.18.238.123 port 42391:11: [preauth]
> > Nov 14 15:26:08 res sshd[9152]: Disconnected from 121.18.238.123 port 42391 [preauth]
> >
> > The IP 105.226.55.239 looks like it was banned by IPFW, but still connected to sshd?
>
> No, it was first logged as denied from 15:25:38, after sshd reported it.
>
> Hope that helps.
>
> cheers, Ian

--
with kind regards
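Added here as an example, not code from the thread, from FreeBSD or from blacklistd: a Python script that does the correlation Cos does by hand in the message above. It parses the four text formats shown there (`blacklistctl dump -b` taken twice, `ipfw table port22 list`, the ipfw kernel lines in /var/log/security including syslog's "last message repeated N times" folding, and the blacklistd-helper log) and flags any address whose nfail count rose between the two dumps while it was already in the ipfw table and ipfw was logging denies for it. The sample input is copied from the message; the table listing is reduced to the single row the message shows, and the regex and function names are the example's own.

```python
"""Cross-check blacklistd state against ipfw and blacklistd-helper logs.

Added example, not code from the thread or from FreeBSD. It parses the text
formats visible in the thread (`blacklistctl dump -b`, `ipfw table <name> list`,
ipfw kernel lines from /var/log/security, a blacklistd-helper log) and reports,
per address, whether nfail rose while ipfw was already denying that address.
"""
import re
from collections import namedtuple

IP = r"[0-9a-fA-F.:]+"
DUMP_RE = re.compile(rf"^(?P<addr>{IP})/(?P<mask>\d+):(?P<port>\d+)\s+(?P<id>\S+)\s+"
                     r"(?P<nfail>\d+)/(?P<thresh>\d+)\s+(?P<last>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)$")
IPFW_RE = re.compile(rf"ipfw: (?P<rule>\d+) (?P<action>Deny|Accept) (?P<proto>\w+) "
                     rf"(?P<src>{IP}):(?P<sport>\d+) (?P<dst>{IP}):(?P<dport>\d+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
HELPER_RE = re.compile(rf"blacklistd-helper run (?P<op>add|rem) \S+ (?P<proto>\w+) "
                       rf"(?P<addr>{IP}) (?P<mask>\d+) (?P<port>\d+)")
TABLE_RE = re.compile(rf"^(?P<addr>{IP})/(?P<mask>\d+)\b")
Entry = namedtuple("Entry", "port nfail thresh last")

def parse_dump(text):
    """`blacklistctl dump -b` output -> {addr: Entry}; the header line is skipped."""
    out = {}
    for m in filter(None, (DUMP_RE.match(ln.strip()) for ln in text.splitlines())):
        out[m["addr"]] = Entry(int(m["port"]), int(m["nfail"]), int(m["thresh"]), m["last"])
    return out

def parse_table(text):
    """`ipfw table <name> list` output -> set of addresses (value column ignored)."""
    return {m["addr"] for m in (TABLE_RE.match(ln.strip()) for ln in text.splitlines()) if m}

def parse_ipfw_log(text):
    """Deny count per source address; syslog's 'last message repeated N times'
    is credited to the address of the preceding ipfw line."""
    counts, prev = {}, None
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if m and m["action"] == "Deny":
            prev = m["src"]
            counts[prev] = counts.get(prev, 0) + 1
        elif (r := REPEAT_RE.search(line)) and prev is not None:
            counts[prev] += int(r["n"])
    return counts

def parse_helper_log(text):
    """blacklistd-helper log -> {addr: ['add', 'rem', ...]} in log order."""
    ops = {}
    for m in filter(None, map(HELPER_RE.search, text.splitlines())):
        ops.setdefault(m["addr"], []).append(m["op"])
    return ops

def analyze(dump_before, dump_after, table, ipfw_log, helper_log):
    """Per address in the later dump: nfail delta, table membership, ipfw deny
    count, helper actions, and the flag for the case raised in the thread."""
    before, after = parse_dump(dump_before), parse_dump(dump_after)
    in_table, denies = parse_table(table), parse_ipfw_log(ipfw_log)
    ops, report = parse_helper_log(helper_log), {}
    for addr, new in after.items():
        delta = new.nfail - (before[addr].nfail if addr in before else 0)
        report[addr] = {
            "nfail_delta": delta,
            "in_table": addr in in_table,
            "ipfw_denies": denies.get(addr, 0),
            "helper_actions": ops.get(addr, []),
            "rose_while_blocked": delta > 0 and addr in in_table and denies.get(addr, 0) > 0,
        }
    return report

# Sample input copied from the message above: two successive dumps, the ipfw
# kernel log, the blacklistd-helper log, and the one table row the message shows.
DUMP_BEFORE = """address/ma:port id nfail last access
94.23.73.97/32:22 OK 2/2 2017/11/15 11:58:11
123.59.135.58/32:22 OK 3/2 2017/11/15 12:10:12
132.148.128.234/32:22 OK 2/2 2017/11/15 12:13:42
"""
DUMP_AFTER = DUMP_BEFORE.replace("OK 2/2 2017/11/15 12:13:42", "OK 3/2 2017/11/15 12:15:40")
TABLE = "--- table(port22), set(0) ---\n132.148.128.234/32 0\n"
IPFW_LOG = """Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times
"""
HELPER_LOG = """Wed Nov 15 12:13:42 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run rem blacklistd tcp 132.148.128.234 32 22 OK
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
"""

def sample_report():
    return analyze(DUMP_BEFORE, DUMP_AFTER, TABLE, IPFW_LOG, HELPER_LOG)

if __name__ == "__main__":
    for addr, r in sample_report().items():
        flag = "  <-- nfail rose while ipfw was already denying it" if r["rose_while_blocked"] else ""
        print(f"{addr:17} delta={r['nfail_delta']} table={r['in_table']} "
              f"denies={r['ipfw_denies']} helper={r['helper_actions']}{flag}")
```

On the message's own data the script flags 132.148.128.234 (nfail 2 to 3, present in table(port22), 19 denies logged by rule 2022, helper sequence add/rem/add) and nothing else. To run it against a live box, feed it the saved output of two `blacklistctl dump -b` runs, `ipfw table port22 list`, and the relevant slices of /var/log/security and the helper log.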