Date:      Wed, 15 Nov 2017 12:46:39 +0100
From:      Cos Chan <rosettas@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>, Michael Ross <gmx@ross.cx>, Kurt Lidl <lidl@freebsd.org>
Subject:   Re: How to setup IPFW working with blacklistd
Message-ID:  <CAKV%2BxLB99A8RxyWh5vCnGweOXrCjmPw5r34-tXj=hhJkKcz1=w@mail.gmail.com>
In-Reply-To: <20171115192830.R72828@sola.nimnet.asn.au>
References:  <mailman.87.1509969603.28633.freebsd-questions@freebsd.org> <20171106235944.U9710@sola.nimnet.asn.au> <CAKV%2BxLCizjt5M%2BmJmTZj-cr=D6rhXRwDjCkE=6Q-VQX73iY%2B4A@mail.gmail.com> <20171107033226.M9710@sola.nimnet.asn.au> <CAKV%2BxLBWgU6zmc7tQNA=0%2B=2aF23C1QfJ2i3q1gKYDttwsCTkg@mail.gmail.com> <20171107162914.G9710@sola.nimnet.asn.au> <CAKV%2BxLDQQcG3bvo1b2nUAu7oOVhdNzDDrPWTVp2qOmkWVV89BQ@mail.gmail.com> <20171108012948.A9710@sola.nimnet.asn.au> <CAKV%2BxLCQ9NE6%2BEg6NvHZuEED8Cf6ZX74unvk9ajfLyG-yA2rXA@mail.gmail.com> <CAKV%2BxLAkfiQCLXfgZOtQGUXOW8gYN7sjOD5uWezv-N%2BTBjybMQ@mail.gmail.com> <20171111213759.I72828@sola.nimnet.asn.au> <CAKV%2BxLDicLze3Dvd2i7HGWJUxCdSLjvhuWWZUJ65pMi%2Bx483=A@mail.gmail.com> <CAKV%2BxLAt4Ciqmg2w1iJK42jq6f%2BnumASKMQ=UL6dT%2BCdGYujVQ@mail.gmail.com> <CAKV%2BxLD_KE938JnmjDE=CmfZ7bOJ1CaqvWuQ%2B0jDzQNWM%2B6yLg@mail.gmail.com> <20171115192830.R72828@sola.nimnet.asn.au>

On Wed, Nov 15, 2017 at 10:02 AM, Ian Smith <smithi@nimnet.asn.au> wrote:

> On Tue, 14 Nov 2017 15:38:51 +0100, Cos Chan wrote:
>
>  > On Tue, Nov 14, 2017 at 9:31 AM, Cos Chan <rosettas@gmail.com> wrote:
>  > >
>  > > On Mon, Nov 13, 2017 at 3:17 PM, Cos Chan <rosettas@gmail.com> wrote:
>
>  > >> here is one strange record:
>  > >>
>  > >> $ sudo blacklistctl dump -b | grep 1662
>  > >> 193.201.224.218/32:22   OK      1662/1  2017/11/13 00:31:04
>  > >>
>  > >> This IP has been blocked in ipfw since last week. When I checked it
>  > >> last Friday it was 800+/1 in the blacklist, and as of today it has
>  > >> become 1662.
>  > >>
>  > >> To my knowledge ipfw should block the connection, so the count for a
>  > >> banned IP should not increase?
>
> Have you added blacklistd_flags="-r" to /etc/rc.conf?  And are you
> using 'service blacklistd start' to control it?  If otherwise, are
> you always starting blacklistd with the -r switch?  Be explicit.
>

Yes, blacklistd_flags="-r" is in /etc/rc.conf, and I use 'service blacklistd start'.


>
> If not, a fresh run of blacklistd should NOT try to remove and re-add
> each of its blocked addresses, and if ipfw has been restarted, that
> address will NOT be in its table of addresses to block.  Might that
> explain what you're seeing?
>
> Whenever in doubt, just run 'ipfw table \(port22\) list'.  Also, when
> listing ipfw rules, it's helpful to use 'ipfw -t show' which shows all
> rules with their packet and byte counters, plus the date last used for
> each rule.  Or even just 'ipfw -t show 4022' or whatever.
>

$ sudo ipfw -t show 02022
02022      204       19920 Wed Nov 15 12:41:36 2017 deny log tcp from table(port22) to any dst-port 22


>
>  > >> I could see more entries with more than 3/1, for example:
>  > >>
>  > >>  89.160.221.132/32:22   OK      18/1    2017/11/13 00:01:21
>  > >>   60.125.42.119/32:22   OK      3/1     2017/11/12 16:13:53
>  > >>   166.62.35.180/32:22   OK      3/1     2017/11/10 06:36:25
>  > >>  202.162.221.51/32:22   OK      6/1     2017/11/10 00:42:14
>  > >>   168.0.114.130/32:22   OK      3/1     2017/11/10 23:40:30
>  > >>   95.145.71.165/32:22   OK      3/1     2017/11/11 07:07:07
>  > >> 123.161.206.210/32:22   OK      3/1     2017/11/12 18:14:00
>  > >> 203.146.208.208/32:22   OK      6/1     2017/11/10 10:16:21
>  > >>  149.56.223.241/32:22   OK      1/1     2017/11/12 06:09:16
>  > >>  121.169.217.98/32:22   OK      9/1     2017/11/12 21:59:57
>  > >> 211.251.237.162/32:22   OK      2/1     2017/11/13 12:08:07
>  > >>    103.99.0.116/32:22   OK      30/1    2017/11/10 14:56:07
>  > >>
>  > >> For these records I am not sure whether they increased after being
>  > >> added to the ipfw list, but for the 1662 one I am sure it increased
>  > >> after ipfw had the IP in the list.
>
> But perhaps ipfw was restarted, and lost either the rule or the table?
> Remember, ipfw does not keep its tables between runs, without scripting.
>

To explain to Kurt: this concerns the issue of the failure count increasing
after the rule was already in the ipfw list.

I just caught a "fresh" log:

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
    94.23.73.97/32:22   OK      2/2     2017/11/15 11:58:11
  123.59.135.58/32:22   OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      2/2     2017/11/15 12:13:42

$ sudo blacklistctl dump -b
        address/ma:port id      nfail   last access
    94.23.73.97/32:22   OK      2/2     2017/11/15 11:58:11
  123.59.135.58/32:22   OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      3/2     2017/11/15 12:15:40

IPFW log:
Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times

Based on the log, I assume ipfw was not restarted (since no new rule was
added?) and that it banned the IP 132.148.128.234 properly. If I am right,
the question is why the number increased from 2/2 to 3/2.

blacklistd.log:
Nov 15 12:13:42 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds
Nov 15 12:15:40 res blacklistd[22100]: rule exists OK
Nov 15 12:15:40 res blacklistd[22100]: blocked 132.148.128.234/32:22 for -1 seconds

blacklistd-helper.log:
Wed Nov 15 12:13:42 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run rem blacklistd tcp 132.148.128.234 32 22 OK
Wed Nov 15 12:15:40 CET 2017 /usr/libexec/blacklistd-helper run add blacklistd tcp 132.148.128.234 32 22

ipfw list:
$ sudo ipfw table port22 list
--- table(port22), set(0) ---
...
132.148.128.234/32 0
...


>  > > add the ipfw rules:
>  > >
>  > > $ sudo ipfw list
>  > > 00100 allow ip from any to any via lo0
>  > > 00200 deny ip from any to 127.0.0.0/8
>  > > 00300 deny ip from 127.0.0.0/8 to any
>  > > 00400 deny ip from any to ::1
>  > > 00500 deny ip from ::1 to any
>  > > 00600 allow ipv6-icmp from :: to ff02::/16
>  > > 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
>  > > 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
>  > > 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
>  > > 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
>  > > 02022 deny tcp from table(port22) to any dst-port 22
>  > > 65000 allow ip from any to any
>  > > 65535 deny ip from any to any
>
>  > the more logs might be useful:
>  >
>  > $ sudo tail security
>  > Nov 14 15:09:07 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
>  > Nov 14 15:09:21 res kernel: ipfw: 2022 Deny TCP 123.125.203.196:6920 192.168.11.15:22 in via em0
>  > Nov 14 15:10:11 res kernel: ipfw: 2022 Deny TCP 182.93.152.171:6920 192.168.11.15:22 in via em0
>  > Nov 14 15:10:33 res kernel: ipfw: 2022 Deny TCP 83.12.107.106:6920 192.168.11.15:22 in via em0
>  > Nov 14 15:11:08 res last message repeated 15 times
>  > Nov 14 15:12:32 res last message repeated 4 times
>  > Nov 14 15:21:10 res kernel: ipfw: 2022 Deny TCP 201.147.183.55:60299 192.168.11.15:22 in via em0
>  > Nov 14 15:21:17 res last message repeated 3 times
>
>  > Nov 14 15:25:38 res kernel: ipfw: 2022 Deny TCP 105.226.55.239:48315 192.168.11.15:22 in via em0
>  > Nov 14 15:26:18 res last message repeated 12 times
>
> Well yes, that shows those addresses being blocked, on successive
> connection attempts, at that time.
>
> However ipfw only logs rules to /var/log/security that contain the 'log'
> keyword, so you presumably MUST have added that, making the rule be:
>
> 02022 deny log tcp from table(port22) to any dst-port 22
>            ---
>
> If you didn't do that - in blacklistd-helper? or manually? - then ipfw
> in 11.1 is severely broken .. please do say when you change conditions.
>

Yes, I added "02022 deny log tcp from table(port22) to any dst-port 22"
manually.


>
>  > $ sudo tail auth.log
>  > Nov 14 15:07:24 res sshd[9029]: input_userauth_request: invalid user admin [preauth]
>
>  > Nov 14 15:10:33 res sshd[9052]: Invalid user omni from 83.12.107.106
>  > Nov 14 15:10:33 res sshd[9052]: input_userauth_request: invalid user omni [preauth]
>
>  > Nov 14 15:25:37 res sshd[9144]: reverse mapping checking getaddrinfo for 105-226-55-239.south.dsl.telkomsa.net [105.226.55.239] failed - POSSIBLE BREAK-IN ATTEMPT!
>  > Nov 14 15:25:37 res sshd[9144]: Invalid user admin from 105.226.55.239
>  > Nov 14 15:25:37 res sshd[9144]: input_userauth_request: invalid user admin [preauth]
>
> That one is different .. and seems to have been added to ipfw table as
> above .. but we can't see what blacklistctl reports for it.  Confusing.
>
> Might that have been reported as ABUSIVE?  No matching blacklistd.log?
>
>  > Nov 14 15:26:08 res sshd[9152]: Received disconnect from 121.18.238.123 port 42391:11:  [preauth]
>  > Nov 14 15:26:08 res sshd[9152]: Disconnected from 121.18.238.123 port 42391 [preauth]
>  >
>  > The IP 105.226.55.239 looks like it was banned by IPFW, but still
>  > connected to sshd?
>
> No, it was first logged as denied from 15:25:38, after sshd reported it.
>
> Hope that helps.
>
> cheers, Ian
>

-- 
with kind regards

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAKV%2BxLB99A8RxyWh5vCnGweOXrCjmPw5r34-tXj=hhJkKcz1=w>
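The checks Ian suggests by hand in this thread ('ipfw table \(port22\) list', 'ipfw -t show', comparing successive 'blacklistctl dump -b' snapshots) can be scripted. The following is an added example, not code from the thread or from FreeBSD: it parses the three output formats quoted in the message (blacklistctl dump -b, ipfw table list, and ipfw deny lines from /var/log/security, including syslog's "last message repeated N times" compression) and reports (a) entries blacklistd treats as blocked (nfail >= threshold) that are absent from the ipfw table, which is what an ipfw restart that lost the table would look like, and (b) entries whose nfail rose between two snapshots although the address was already in the table, which is exactly the 2/2 -> 3/2 case above. The sample inputs are constructed from the lines quoted in the message; the table listing elides entries with "..." in the original, so the constructed table holds only the one address visible there plus one more taken from the dump (an assumption, marked in the code). Function and regex names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed from the first `blacklistctl dump -b` snapshot quoted in the message.
DUMP_BEFORE = """\
        address/ma:port id      nfail   last access
    94.23.73.97/32:22   OK      2/2     2017/11/15 11:58:11
  123.59.135.58/32:22   OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      2/2     2017/11/15 12:13:42
"""
# Constructed from the second snapshot, about two minutes later.
DUMP_AFTER = """\
        address/ma:port id      nfail   last access
    94.23.73.97/32:22   OK      2/2     2017/11/15 11:58:11
  123.59.135.58/32:22   OK      3/2     2017/11/15 12:10:12
132.148.128.234/32:22   OK      3/2     2017/11/15 12:15:40
"""
# Constructed `ipfw table port22 list`: the message elides entries with "...";
# assumption: 94.23.73.97 is present and 123.59.135.58 is not.
TABLE = """\
--- table(port22), set(0) ---
94.23.73.97/32 0
132.148.128.234/32 0
"""
# Constructed /var/log/security excerpt for rule 2022, as quoted in the message.
SECURITY_LOG = """\
Nov 15 12:13:42 res kernel: ipfw: 2022 Deny TCP 132.148.128.234:6920 192.168.11.15:22 in via em0
Nov 15 12:14:09 res last message repeated 14 times
Nov 15 12:15:41 res last message repeated 4 times
"""

DUMP_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+):(?P<port>\d+)\s+"
    r"(?P<id>\S+)\s+(?P<nfail>\d+)/(?P<thresh>\d+)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$")
TABLE_RE = re.compile(r"^(?P<addr>[0-9a-fA-F.:]+)/(?P<mask>\d+)\s+\S+\s*$")
DENY_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ kernel: ipfw: (?P<rule>\d+) Deny "
    r"(?P<proto>\S+) (?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) "
    r"(?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$")
REPEAT_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ last message repeated (?P<n>\d+) times$")


def parse_dump(text):
    """`blacklistctl dump -b` -> {(addr, mask, port): (nfail, threshold, last_access)}."""
    out = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if not m:          # header line
            continue
        key = (m["addr"], int(m["mask"]), int(m["port"]))
        out[key] = (int(m["nfail"]), int(m["thresh"]),
                    datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"))
    return out


def parse_table(text):
    """`ipfw table NAME list` -> set of (addr, mask); the '--- table(...) ---' banner is skipped."""
    return {(m["addr"], int(m["mask"]))
            for m in map(TABLE_RE.match, text.splitlines()) if m}


def count_denies(text):
    """Denied packets per source address, expanding syslog's 'last message repeated N times'."""
    counts, last_src = Counter(), None
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            last_src = m["src"]
            counts[last_src] += 1
            continue
        r = REPEAT_RE.match(line)
        if r and last_src is not None:
            counts[last_src] += int(r["n"])
    return counts


def missing_from_table(dump, table):
    """Addresses blacklistd counts as over threshold that ipfw's table does not hold."""
    return sorted(k for k, (nfail, thresh, _) in dump.items()
                  if nfail >= thresh and (k[0], k[1]) not in table)


def grew_while_blocked(before, after, table):
    """Entries already over threshold in `before` and present in the table whose nfail still rose."""
    hits = []
    for k, (n_before, thresh, _) in before.items():
        if k in after and (k[0], k[1]) in table:
            n_after = after[k][0]
            if n_before >= thresh and n_after > n_before:
                hits.append((k, n_before, n_after))
    return hits


if __name__ == "__main__":
    before, after, table = parse_dump(DUMP_BEFORE), parse_dump(DUMP_AFTER), parse_table(TABLE)
    print("over threshold but not in ipfw table:", missing_from_table(after, table))
    print("nfail rose while already in table:", grew_while_blocked(before, after, table))
    print("denied packets per source:", dict(count_denies(SECURITY_LOG)))
```

On a live host the three inputs come from 'blacklistctl dump -b', 'ipfw table port22 list' and /var/log/security (the deny lines only appear when the rule carries the 'log' keyword, as Ian points out). Run the dump twice a few minutes apart and feed both snapshots to grew_while_blocked; any hit means sshd reported a new failure for an address ipfw was already supposed to be dropping, which is the anomaly discussed above. missing_from_table catches the other failure mode Ian describes, a restarted ipfw that lost its table while blacklistd still believes the address is blocked.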