From: "Norman Gray" <Norman.Gray@glasgow.ac.uk>
To: FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: blacklistd: what does it detect?
Date: Thu, 23 Apr 2020 11:24:06 +0100
Message-ID: <701E0B01-CD41-4A95-9FAC-44D3ED711FCD@glasgow.ac.uk>
Greetings.

On 20 Apr 2020, at 12:43, Norman Gray wrote:

> I've enabled blacklistd on a 12.1 machine accessible to the open
> internet, but it's not blocking as many failed ssh attempts as I
> expect. Am I misunderstanding something?

Is there documentation anywhere (outside of the source) of how blacklistd and sshd interact?

There seems to be very little correlation between what I find in auth.log and what blacklistd is acting on, as reported by blacklistctl. Addresses seem to be blocked which barely appear in the log, and not blocked after making multiple appearances in one message or another.

I haven't gone through [1] and [2] line by line, but what I've seen there makes broad sense, and leads me to expect something different from what I'm seeing. I'm worrying I've got something horribly misconfigured (though I've barely fiddled with the relevant configurations).

My immediate goal is to cut down noise in the 'daily security run' log, and if that's chattering about connection attempts that sshd/blacklistd think aren't worth acting on, then I'm going to feel tempted to start fiddling with /etc/periodic/security/800.loginfail (which would probably be a bad idea).

Best wishes,

Norman

[1] https://reviews.freebsd.org/rS305065#change-w4DoRPrDuJ51
[2] https://github.com/freebsd/freebsd/tree/master/crypto/openssh

-- 
Norman Gray : http://www.astro.gla.ac.uk/users/norman/it/
Research IT Coordinator
SUPA School of Physics and Astronomy, University of Glasgow, UK
Charity number SC004401
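Added example, not part of the thread and not FreeBSD's own code: a small Python script that performs the correlation the message describes, counting sshd failure lines in auth.log per source address and joining them against a `blacklistctl dump -a` listing, so that addresses which appear in one view but not the other stand out. The sample log lines and the dump listing are constructed. Two things are assumptions to check against blacklistctl(8) and the sources cited above: the column shape assumed for the dump (`address/mask:port  [id]  nfail/limit  last access`), and the mapping of log lines to what sshd actually reports to blacklistd (here, only completed authentication failures are counted as reportable; "Invalid user" and pre-authentication disconnects are counted separately).

```python
"""Correlate sshd failures in auth.log with what blacklistd has recorded.

Added example (not from the mailing-list thread). Assumptions:
  * auth.log lines are in the stock FreeBSD syslog/sshd format;
  * `blacklistctl dump -a` prints lines shaped like
        address/mask:port  [id]  nfail/limit  last access
    (check the real layout against blacklistctl(8) before relying on it).
"""
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the original message).
AUTH_LOG = """\
Apr 23 10:01:02 host sshd[1201]: Invalid user admin from 192.0.2.10 port 40100
Apr 23 10:01:03 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40100 ssh2
Apr 23 10:01:05 host sshd[1203]: Failed password for root from 192.0.2.10 port 40102 ssh2
Apr 23 10:01:06 host sshd[1203]: Failed password for root from 192.0.2.10 port 40102 ssh2
Apr 23 10:02:00 host sshd[1210]: Connection closed by 198.51.100.7 port 51000 [preauth]
Apr 23 10:02:01 host sshd[1211]: Did not receive identification string from 198.51.100.7 port 51002
Apr 23 10:02:02 host sshd[1212]: Connection closed by 198.51.100.7 port 51004 [preauth]
Apr 23 10:03:00 host sshd[1220]: Failed password for norman from 203.0.113.5 port 33000 ssh2
"""

# Constructed sample in the assumed shape of `blacklistctl dump -a` output.
BLACKLISTCTL_DUMP = """\
        address/ma:port id      nfail   last access
192.0.2.10/32:22        OK      3/3     2020/04/23 10:01:06
203.0.113.5/32:22               1/3     2020/04/23 10:03:00
"""

SSHD_LINE = re.compile(r"sshd\[\d+\]: (?P<msg>.*)$")
FROM_ADDR = re.compile(r"(?:from|by) (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
NFAIL = re.compile(r"^(\d+)/(\d+)$")  # the "a/n" counter column
EMPTY = {"auth_fail": 0, "bad_user": 0, "preauth": 0}


def classify(msg):
    """Map an sshd log message to the event class used for counting (assumed mapping)."""
    if msg.startswith("Failed "):  # "Failed password for ...", "Failed publickey for ..."
        return "auth_fail"
    if msg.startswith("Invalid user "):
        return "bad_user"
    if "[preauth]" in msg or msg.startswith("Did not receive identification"):
        return "preauth"
    return None  # successful logins, session open/close etc. are not counted


def parse_auth_log(text):
    """Count sshd events per source IPv4 address, keyed by event class."""
    counts = defaultdict(lambda: dict(EMPTY))
    for line in text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        kind = classify(m.group("msg"))
        addr = FROM_ADDR.search(m.group("msg"))
        if kind and addr:
            counts[addr.group("ip")][kind] += 1
    return counts


def parse_blacklistctl_dump(text):
    """Extract nfail/limit per address; an entry counts as blocked once nfail >= limit."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or ":" not in parts[0] or "/" not in parts[0]:
            continue
        addr = parts[0].rsplit(":", 1)[0].split("/", 1)[0]  # strip :port and /mask
        counter = next((NFAIL.match(p) for p in parts[1:] if NFAIL.match(p)), None)
        if counter is None:
            continue  # header line ("address/ma:port id nfail ...") has no a/n token
        fails, limit = int(counter.group(1)), int(counter.group(2))
        entries[addr] = {"nfail": fails, "limit": limit, "blocked": fails >= limit}
    return entries


def correlate(auth_text, dump_text):
    """Join both views; addresses missing from one side get zero counts / None."""
    log, bl = parse_auth_log(auth_text), parse_blacklistctl_dump(dump_text)
    report = {}
    for ip in sorted(set(log) | set(bl)):
        l, b = log.get(ip, EMPTY), bl.get(ip)
        report[ip] = {
            "log_auth_fail": l["auth_fail"],
            "log_bad_user": l["bad_user"],
            "log_preauth": l["preauth"],
            "bl_nfail": b["nfail"] if b else None,
            "bl_limit": b["limit"] if b else None,
            "blocked": bool(b and b["blocked"]),
        }
    return report


def discrepancies(report):
    """Addresses seen in auth.log but unknown to blacklistd, or whose counters disagree."""
    out = {}
    for ip, r in report.items():
        seen_in_log = r["log_auth_fail"] + r["log_bad_user"] + r["log_preauth"] > 0
        if r["bl_nfail"] is None and seen_in_log:
            out[ip] = "in auth.log but unknown to blacklistd"
        elif r["bl_nfail"] is not None and r["bl_nfail"] != r["log_auth_fail"]:
            out[ip] = "count mismatch"
    return out


if __name__ == "__main__":
    rep = correlate(AUTH_LOG, BLACKLISTCTL_DUMP)
    for ip, row in rep.items():
        print(ip, row)
    print("discrepancies:", discrepancies(rep))
```

On a real host the two inputs would be `/var/log/auth.log` and the output of `blacklistctl dump -a`. In the constructed sample the address that only ever produces `[preauth]` disconnects shows up as "in auth.log but unknown to blacklistd", which is the pattern to look for when the security run's login-failure report and blacklistd's view seem to disagree: if such addresses dominate, the noise is coming from connections that never reach a counted authentication failure, and the fix belongs in how the report is filtered rather than in blacklistd's thresholds.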