Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 15 Nov 2017 23:13:39 +0100
From:      Cos Chan <rosettas@gmail.com>
To:        Kurt Lidl <lidl@freebsd.org>
Cc:        Ian Smith <smithi@nimnet.asn.au>, freebsd-questions <freebsd-questions@freebsd.org>,  Michael Ross <gmx@ross.cx>
Subject:   Re: How to setup IPFW working with blacklistd
Message-ID:  <CAKV%2BxLDRSY6Gc3fJXvO0mY_K=kT3rmsykVCjcne-RMa8%2B1VPCA@mail.gmail.com>
In-Reply-To: <7961d19a-bc0c-6dc4-771e-f702ce741144@FreeBSD.org>
References:  <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com> <20171107033226.M9710@sola.nimnet.asn.au> <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com> <20171107162914.G9710@sola.nimnet.asn.au> <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com> <20171108012948.A9710@sola.nimnet.asn.au> <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com> <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com> <20171111213759.I72828@sola.nimnet.asn.au> <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com> <7961d19a-bc0c-6dc4-771e-f702ce741144@FreeBSD.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Nov 13, 2017 at 6:37 PM, Kurt Lidl <lidl@freebsd.org> wrote:

> Greetings all!
>
> Sorry for not being response to your request for help sooner.
>
> I had a bit of a hardware crisis here last week, where
> what I thought was merely a blown power supply turned
> out to be a failed motherboard.  Getting the 2.5" SAS
> drives back up and running in a different machine took
> far longer than I would have guessed.  That, along with
> a secondary MX host that was offline for the first 36
> hours after the main mail server went down was a cause
> for additional excitement.
>
> Anyway.
>
> I've read through the mail exchange, although its a bit
> hard to follow all of it.
>
> I'll offer a couple of observations about blacklistd
> and how it operates, and maybe that will shed some light
> on the problem at hand.  If not, well, I'd like to start
> fresh with the current configuration, and what you're
> seeing on your host.
>

Sorry I didn't get this email before, thanks Ian forward me this mail.


>
> Observations that might help:
>
> 1) The blacklistd support in 11.0 was broken in a couple
> of significant ways.  The blacklistd support in 11.1 is
> thought to be fully functional.  If you're not running 11.1,
> you will need to update to 11.1.
>

The FreeBSD is: 11.1-RELEASE-p1 FreeBSD 11.1-RELEASE-p1 #0: Wed Aug  9
11:17:49 UTC 2017
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
i386


>
> 2) I only use blacklistd with 'pf' in my day-to-day usage.
> I extended the support in blacklistd-helper to hopefully
> handle both ipfw and ipf, and it seemed to work OK for my
> test setup.  HOWEVER, it is entirely possible that the way
> I did the ipf/ipfw support has a flaw (or more) in it.
>
> 3) The changes to the various daemons to support the
> blacklist just enable sending messages (and a copy of the
> fd of socket) to the blacklist daemon.  The blacklist daemon
> will extract information from the kernel about the socket's
> other end (ie, the information about the remote system),
> and stores that information in a database.
>
> 4) After the information is stored in the database, the
> blacklist daemon calls the blacklistd-helper script and
> that script is responsible for modifying the firewall
> rules that are in effect.  If the script has a bug, it's
> entirely possible that the information in the database
> will be out of sync with the current firewall rules in
> effect.
>
> 5) If you're experiencing a situation where the number
> of login attempts is greater than the cutoff for the
> service (e.g., the "1662/1" noted in the email thread),
> that means that whatever firewall rule that is supposed
> to be blocking the service isn't blocking the traffic.
> (See next item for a case where the right rules are in
> the filter, but you still get a "modest" overage of
> attempts vs the cutoff.)
>
> 6) On a slow-ish single-CPU host (like the sparc64 that I use
> as my gateway), it's possible to get more attempts than
> the cutoff for a persist, high-speed attacker.
>
> Basically, it takes so long before the system context switches
> to the blacklist daemon, and the entry gets added to the pf table.
> Where "so long" is still less than a second, but the machine has
> already seen 10 or 12 attempts!
>
> For example, here's a partial list of what my gateway is reporting
> right now:
>
> root@gatekeeper-130: blacklistctl dump -a
>         address/ma:port id      nfail   last access
> [...]
>  61.126.187.219/32:22   OK      3/3     2017/11/12 17:31:40
>   156.212.51.78/32:22   OK      23/3    2017/11/12 19:09:38
>  179.53.156.109/32:22   OK      3/3     2017/11/12 19:58:57
> 220.174.236.220/32:22           2/3     2017/11/12 23:39:58
>  198.245.63.120/32:22   OK      3/3     2017/11/13 10:36:15
>
> You can see a couple of "normally blocked" attempts (3/3),
> a single IP address that has 2 of 3 attempts, and a very,
> very persistent/fast host that got in 23 attempts before
> it got blocked.
>

I understand. but you may see my problem is the number increased after
blocked.


>
> 7) There was a note about different usernames from the same
> remote host.  The blacklist support currently does not
> differentiate between usernames.  It is just counting the
> number of attempts from a remote IP address.
>
> There's unfinished support for having a "known bad" set of usernames,
> where a single login attempt for that username will block
> the remote address.  This will allow (when finished), easy
> blocking of the twenty or so most common usernames that are
> probed.


That is great. My problem is one connection one fail from sshd was not
registered into blacklistd as one fail.


> Hopefully this will help.
>
> -Kurt
>
>
>>


-- 
with kind regards



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAKV%2BxLDRSY6Gc3fJXvO0mY_K=kT3rmsykVCjcne-RMa8%2B1VPCA>