Many of us know and use Fail2ban, a very powerful log parser able to block anything you want, provided you write the right rules for your services.
But when it comes to just securing our SSHd, it can be a little... overkill!
So, a daemon named blacklistd(8) showed up a few months ago in the FreeBSD 11 release; it is dedicated to blocking specific ports (ssh, smtp, ftp, etc.) on demand to avoid DoS or brute-force abuse.
In this paper, we'll see:
- How we can configure blacklistd(8) with PacketFilter to block SSHd attackers.
- How we can whitelist specific hosts on specific ports.
- How we can check the blocked hosts list.
- Need help?
Time to log in and start working!
First of all, we want blacklistd(8) to be able to:
- Work with SSHd
- Use PacketFilter
- Keep the blocked hosts' state across reboots
Configure blacklistd(8) with SSHd:
# vi /etc/rc.conf
sshd_flags="-o UseBlacklist=yes"
# service sshd restart
Use PacketFilter:
# vi /etc/rc.conf
pf_enable="YES"
pflog_enable="YES"
# vi /etc/pf.conf
ext_if="re0"
anchor "blacklistd/*" in on $ext_if
# service pf start
# service pflog start
Keep the blocked hosts' state across reboots:
The -r option makes blacklistd re-apply the hosts recorded in its database when it starts, so the blocks survive a reboot.
# vi /etc/rc.conf
blacklistd_enable="YES"
blacklistd_flags="-r"
We can now configure blacklistd(8):
# vi /etc/blacklistd.conf
You can see that there are two kinds of configuration lines:
- [local] - Which service will I protect?
- [remote] - How will I treat specific networks/hosts?
Associated with them you have multiple fields:
- adr/mask:port - The address/port of the local machine, useful if you bind your service to a specific address or port
- type - The socket type:
  - stream - TCP
  - dgram - UDP
  - a numeric socket type
- proto - The protocol we'll use
- owner - The username or user id running the service process
- name - Useful if you want to use a specific PacketFilter rule name
- nfail - The allowed number of authentication failures before we blacklist the host
- disable - The time we keep the host in our blacklist table:
  - m - minutes
  - h - hours
  - d - days
[local] configuration:
# vi /etc/blacklistd.conf
[local]
ssh stream * * * 1 30d
In this case, we check every TCP (IPv4/IPv6) connection on port 22; if a host produces more than one authentication failure, we block it for 30 days.
Now I can start the service :
# service blacklistd start
[remote] configuration:
I'll allow my local IPv4 and IPv6 networks to connect with as many authentication failures as I want.
# vi /etc/
[remote]
192.168.1.0/24:ssh * * * = * *
[2a01:cb06:3e0:eb00::/56]:ssh * * * = * *
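To see how the [local] and [remote] entries above combine, here is a small evaluator, added as an example (it is not code from this post or from FreeBSD's blacklistd). It parses the seven-column rule lines, resolves `=` in a [remote] entry to the matching [local] value and `*` in nfail to "never block", and answers whether a client would be blocked after a given number of failures. The `SERVICE_PORTS` table standing in for /etc/services and the assumption that a host counts as blocked once its failures reach nfail are mine.

```python
import ipaddress

# Subset of /etc/services used to resolve service names in the port field
# (constructed for this example).
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "smtp": 25}
UNITS = {"m": 60, "h": 3600, "d": 86400}

# Constructed configuration reproducing the [local] and [remote] entries
# shown on this page; the column order is the one from blacklistd.conf(5).
CONFIG = """
# adr/mask:port  type  proto  owner  name  nfail  disable
[local]
ssh  stream  *  *  *  1  30d

[remote]
192.168.1.0/24:ssh  *  *  *  =  *  *
[2a01:cb06:3e0:eb00::/56]:ssh  *  *  *  =  *  *
"""


def parse_port(text):
    """Port field: service name, number, or '*' (any port -> None)."""
    if text == "*":
        return None
    return SERVICE_PORTS.get(text) or int(text)


def parse_disable(text):
    """Disable field: '30d', '1h', '10m' or bare seconds -> seconds; '*' -> None (no limit)."""
    if text == "*":
        return None
    if text[-1] in UNITS:
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def parse_entry(line):
    """Split one seven-column rule line into a dict."""
    addr, typ, proto, owner, name, nfail, disable = line.split()
    if addr.startswith("["):                 # [v6addr/mask]:port
        net, _, port = addr[1:].partition("]:")
    elif ":" in addr:                        # v4addr/mask:port
        net, _, port = addr.rpartition(":")
    else:                                    # bare port or service name
        net, port = "*", addr
    return {
        "net": None if net == "*" else ipaddress.ip_network(net, strict=False),
        "port": parse_port(port),
        "type": typ, "proto": proto, "owner": owner, "name": name,
        "nfail": nfail if nfail in ("*", "=") else int(nfail),
        "disable": disable if disable == "=" else parse_disable(disable),
    }


def parse_config(text):
    """Return {'local': [...], 'remote': [...]} from blacklistd.conf-style text."""
    sections = {"local": [], "remote": []}
    current = "local"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line in ("[local]", "[remote]"):
            current = line[1:-1]
            continue
        sections[current].append(parse_entry(line))
    return sections


def matching_entry(entries, ip, port):
    """First entry whose network (if any) contains ip and whose port matches."""
    for e in entries:
        if e["port"] not in (None, port):
            continue
        if e["net"] is not None and ip not in e["net"]:
            continue
        return e
    return None


def decide(sections, client, port, failures):
    """Return (blocked, disable_seconds) for a client after `failures` auth failures on `port`.

    A [remote] entry overrides the [local] one: '=' keeps the local value and
    '*' in nfail means the host is never blocked.  A host is treated as blocked
    once its failure count reaches nfail (assumed threshold semantics).
    """
    ip = ipaddress.ip_address(client)
    local = matching_entry(sections["local"], ip, port)
    if local is None:
        return (False, None)                 # service not protected at all
    remote = matching_entry(sections["remote"], ip, port)
    nfail, disable = local["nfail"], local["disable"]
    if remote is not None:
        if remote["nfail"] != "=":
            nfail = remote["nfail"]
        if remote["disable"] != "=":
            disable = remote["disable"]
    if nfail == "*" or failures < nfail:
        return (False, None)
    return (True, disable)


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for client, fails in [("203.0.113.7", 1), ("192.168.1.42", 50), ("2a01:cb06:3e0:eb00::1", 50)]:
        print(client, fails, decide(cfg, client, 22, fails))
```

Running it shows the effect of the [remote] lines: an outside host is blocked for 30 days after a single failure, while anything inside 192.168.1.0/24 or 2a01:cb06:3e0:eb00::/56 is never blocked, however many failures it produces.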
# blacklistctl dump -bw
        address/ma:port id      nfail   last access
  220.127.116.11/32:22  OK      2/1     2017/09/08 13:31:33
   18.104.22.168/32:22  OK      2/1     2017/09/08 08:50:00
  22.214.171.124/32:22  OK      2/1     2017/09/08 13:22:51
   126.96.36.199/32:22  OK      3/1     2017/09/08 11:08:59
    188.8.131.52/32:22  OK      2/1     2017/09/08 11:12:28
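Reading that table by eye is fine for five hosts, but once you want to alert on it or ship it to a SIEM it helps to parse it. The following is an added example, not part of this post or of blacklistd: it turns `blacklistctl dump -bw` output into records, lists the entries whose failure count has reached the threshold, and finds the ones whose disable period has elapsed. The sample text is constructed from the rows shown above; that the id column reads "OK" when the pf helper accepted the block, and that IPv6 rows may appear in brackets, are assumptions of mine.

```python
import ipaddress
from datetime import datetime, timedelta

TIME_FMT = "%Y/%m/%d %H:%M:%S"

# Constructed sample of `blacklistctl dump -bw` output, using the rows shown on this page.
DUMP = """\
        address/ma:port id      nfail   last access
  220.127.116.11/32:22  OK      2/1     2017/09/08 13:31:33
   18.104.22.168/32:22  OK      2/1     2017/09/08 08:50:00
  22.214.171.124/32:22  OK      2/1     2017/09/08 13:22:51
   126.96.36.199/32:22  OK      3/1     2017/09/08 11:08:59
    188.8.131.52/32:22  OK      2/1     2017/09/08 11:12:28
"""


def parse_dump(text):
    """Parse the dump table into a list of dicts; the header row is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have five columns: addr/mask:port, id, count/nfail, date, time.
        # The header also splits into five words, but its third word has no '/'.
        if len(parts) != 5 or "/" not in parts[2]:
            continue
        addr, rule_id, nfail, date, clock = parts
        netpart, _, port = addr.rpartition(":")
        netpart = netpart.replace("[", "").replace("]", "")  # tolerate bracketed IPv6 (assumption)
        count, threshold = (int(x) for x in nfail.split("/"))
        records.append({
            "network": ipaddress.ip_network(netpart, strict=False),
            "port": int(port),
            "id": rule_id,          # helper result; "OK" for the pf helper (assumption)
            "count": count,         # failures seen so far
            "threshold": threshold, # nfail from blacklistd.conf
            "last": datetime.strptime(f"{date} {clock}", TIME_FMT),
        })
    return records


def blocked(records):
    """Entries whose failure count has reached the threshold, i.e. currently blocked."""
    return [r for r in records if r["count"] >= r["threshold"]]


def expired(records, now_text, disable_seconds):
    """Entries whose disable period (from blacklistd.conf) has elapsed since last access.

    now_text uses the dump's own timestamp format so callers need no datetime objects.
    """
    now = datetime.strptime(now_text, TIME_FMT)
    window = timedelta(seconds=disable_seconds)
    return [r for r in records if r["last"] + window <= now]


def worst_offender(records):
    """Record with the highest failure count."""
    return max(records, key=lambda r: r["count"])


if __name__ == "__main__":
    recs = parse_dump(DUMP)
    for r in blocked(recs):
        print(f"{r['network']} port {r['port']} blocked {r['count']}/{r['threshold']}, last seen {r['last']}")
    w = worst_offender(recs)
    print("most failures:", w["network"], w["count"])
```

With the page's 30-day disable value, `expired(recs, "2017/10/10 00:00:00", 30 * 86400)` returns every row, which is what you would expect blacklistd to have dropped by then; with an earlier "now" it returns nothing.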