Date:      Tue, 29 Jun 2021 08:34:34 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 256880] blacklistd entry's vanishes after ~1m
Message-ID:  <bug-256880-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=256880

            Bug ID: 256880
           Summary: blacklistd entry's vanishes after ~1m
           Product: Base System
           Version: 12.2-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: gspurki@gmail.com

I have blacklistd running for ssh (from base) on a custom port. When I make an
attack (over VPN), the entry is there with the correct custom port, but vanishes
after about 1 minute (but should stay for 24h) and without making an entry in
pf.

SSH is configured for "cert only access", but when making an attack
(brute-force with password) it's not recognized at all.

I have just those entries in debug.log (not from restarting blacklistd):

sshd_config:
UseBlacklist yes

blacklistd.conf:
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h

pf.conf:
anchor "blacklistd/*" in on $EXT_IF

rc.conf:
blacklistd_enable="YES"
blacklistd_flags="-r"

/var/log/debug.log:
Jun 27 12:50:40  blacklistd[12301]: Connected to blacklist server
Jun 27 13:00:07  blacklistd[25807]: Connected to blacklist server
Jun 27 14:27:46  blacklistd[90565]: Connected to blacklist server
Jun 27 14:28:48  blacklistd[98434]: Connected to blacklist server
Jun 28 07:18:36  blacklistd[59502]: Connected to blacklist server
Jun 28 07:18:44  blacklistd[65168]: Connected to blacklist server
Jun 28 07:26:44  blacklistd[34127]: Connected to blacklist server
Jun 28 07:46:50  blacklistd[97330]: Connected to blacklist server
Jun 28 08:03:32  blacklistd[42533]: Connected to blacklist server
Jun 28 10:06:15  blacklistd[27244]: Connected to blacklist server
Jun 28 10:08:08  blacklistd[81582]: Connected to blacklist server
Jun 28 10:10:50  blacklistd[77628]: Connected to blacklist server
