Unfortunately, there were a few bugs in the binaries and scripts related to blacklistd in FreeBSD 11.0-RELEASE. All known problems in 11.0-RELEASE have been addressed in 11.1-RELEASE.
A tarball of the fixed binaries for the 11.0-RELEASE (for amd64 machines) is available here: http://people.freebsd.org/~lidl/fbsd11_blacklist_updates.tar.xz
tar tf fbsd11_blacklist_updates.tar.xz
etc/periodic/security/520.pfdenied
usr/include/blacklist.h
usr/lib/libblacklist.a
usr/lib/libblacklist_p.a
usr/lib/libblacklist.so.0
usr/lib/libblacklist.so
usr/lib/debug/usr/lib/libblacklist.so.0.debug
usr/lib/debug/usr/libexec/ftpd.debug
usr/lib/debug/usr/sbin/blacklistctl.debug
usr/lib/debug/usr/sbin/blacklistd.debug
usr/lib/debug/usr/sbin/sshd.debug
usr/libexec/blacklistd-helper
usr/libexec/ftpd
usr/sbin/blacklistctl
usr/sbin/blacklistd
usr/sbin/sshd
usr/share/man/man3/libblacklist.3.gz
usr/share/man/man3/blacklist_open.3.gz
usr/share/man/man3/blacklist_close.3.gz
usr/share/man/man3/blacklist.3.gz
usr/share/man/man3/blacklist_r.3.gz
usr/share/man/man3/blacklist_sa.3.gz
usr/share/man/man3/blacklist_sa_r.3.gz
usr/share/man/man5/ftpchroot.5.gz
usr/share/man/man5/sshd_config.5.gz
usr/share/man/man8/blacklistctl.8.gz
usr/share/man/man8/blacklistd.8.gz
usr/share/man/man8/ftpd.8.gz
usr/share/man/man8/sshd.8.gz
blacklistctl dump -b
address/ma:port id nfail last access
blacklistctl dump
address/ma:port id nfail last access
blacklistd_enable="YES"
blacklistd_flags="-r"
sshd_flags="-o UseBlacklist=yes"
pf_enable="YES"
ext_if=gem0
anchor "blacklistd/*" in on $ext_if
for p in 22 25 587
do
    pfctl -a blacklistd/$p -sr -v 2> /dev/null
done
block drop in quick proto tcp from <port22> to any port = ssh
  [ Evaluations: 4135 Packets: 47 Bytes: 2756 States: 0 ]
  [ Inserted: uid 0 pid 81869 State Creations: 0 ]
block drop in quick proto tcp from <port25> to any port = smtp
  [ Evaluations: 4088 Packets: 130 Bytes: 6540 States: 0 ]
  [ Inserted: uid 0 pid 2835 State Creations: 0 ]
block drop in quick proto tcp from <port587> to any port = submission
  [ Evaluations: 3958 Packets: 6 Bytes: 296 States: 0 ]
  [ Inserted: uid 0 pid 4301 State Creations: 0 ]
firewall_enable="YES"
firewall_quiet="YES"
firewall_type="workstation"
firewall_allowservices="any"
firewall_myservices="ssh smtp http https"
echo "ipfw_offset=4000" > /etc/ipfw-blacklist.rc
The ipfw system needs to have rule numbers, and the blacklistd-helper script defaults to 2000+port_number for each of the rules that it inserts.
It creates a named table (e.g., port22), inserts the bad actors into that table, and creates a rule like the following for ssh:
ipfw -q add 2022 drop tcp from table(port22) to any dst-port 22
The filtering rules get added as needed, and IP addresses are inserted into and deleted from the tables as needed. The rules are never deleted, but it should be low-cost to check an empty table.
If you have followed the general rules of having the ultimate deny/pass rules near the end of the 64K range of rules, you'll be OK by just touching the /etc/ipfw-blacklist.rc file to turn it on. The file is sourced by the invoking shell, so if you need a different offset than 2000 for the rules, you can do something like:
echo 'ipfw_offset=4000' > /etc/ipfw-blacklist.rc
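The numbering described above can be checked before the ipfw backend is turned on: the sh functions below are an added example, not part of blacklistd-helper, and report the offset a sourced rc file actually yields, whether offset+port stays inside ipfw's rule range, and whether an earlier allow rule would match before the drop rule. The function names and the sample ruleset are constructed, and the example assumes ipfw_offset is the only setting read from the rc file.

```shell
#!/bin/sh
# Added example: function names and the sample ruleset are constructed.

# Offset a shell sees after sourcing the rc file: 2000 when ipfw_offset is
# left unset (empty file, misspelled name); fails when the file is absent.
effective_offset() {
    [ -f "$1" ] || return 1
    ( unset ipfw_offset; . "$1" >/dev/null 2>&1; echo "${ipfw_offset:-2000}" )
}

# offset+port as a rule number; fails outside ipfw's usable 1..65534
# (65535 is the built-in default rule).
rule_number() {
    n=$(( $1 + $2 ))
    [ "$n" -ge 1 ] && [ "$n" -le 65534 ] || return 1
    echo "$n"
}

# Reads `ipfw list` output on stdin; prints numbers of allow rules naming
# dst-port $2 that sort before rule $1 (first match wins, so they would
# accept the traffic before the drop rule is reached). Port ranges such as
# 20-25 are not expanded.
shadowing_rules() {
    awk -v n="$1" -v p="$2" '
        ($2 == "allow" || $2 == "pass") && $1 + 0 < n + 0 {
            for (i = 3; i < NF; i++)
                if ($i == "dst-port" && ("," $(i + 1) ",") ~ ("," p ","))
                    print $1 + 0
        }'
}

# usage: check_port rcfile port < ipfw-list-output
check_port() {
    off=$(effective_offset "$1") || { echo "$1 is absent"; return 1; }
    num=$(rule_number "$off" "$2") ||
        { echo "port $2: offset $off gives a rule number outside 1..65534"; return 1; }
    shadow=$(shadowing_rules "$num" "$2")
    [ -z "$shadow" ] ||
        { echo "port $2: rule $num is shadowed by rule $shadow"; return 1; }
    echo "ipfw -q add $num drop tcp from table(port$2) to any dst-port $2"
}

sample_rules() {    # constructed `ipfw list` output
    cat <<'EOF'
00100 allow ip from any to any via lo0
05000 allow tcp from any to me dst-port 22,25,80,443 setup
65535 deny ip from any to any
EOF
}
```

Against a live ruleset the same check is `ipfw list | check_port /etc/ipfw-blacklist.rc 22`; pass the rc file by absolute path, since the shell's `.` searches PATH for names without a slash.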