
Secure your SSH server with blacklistd and PacketFilter under FreeBSD

Many of us know and use Fail2ban, a very powerful log parser able to block anything you want, provided you write the right rules for your services.
But when it comes to just securing our SSHd, it can be a little... overkill!
So a daemon named blacklistd(8) showed up a few months ago in the FreeBSD 11 release; it is dedicated to blocking specific ports (ssh, smtp, ftp, etc.) on demand to limit DoS or brute-force abuse.


In this paper, we'll see:

  1. How we can configure blacklistd(8) with PacketFilter to block SSHd attackers.
  2. How we can whitelist specific hosts on specific ports.
  3. How we can check the blocked hosts list.
  4. Need help?

Time to log in and start working!

1. Blacklistd setup:

First of all, we want blacklistd(8) to be able to:

  • Work with SSHd
  • Use PacketFilter
  • Keep blocked hosts state at reboot

Configure blacklistd(8) with SSHd:

# vi /etc/rc.conf

sshd_flags="-o UseBlacklist=yes"

# service sshd restart

Use PacketFilter:

# vi /etc/rc.conf

pf_enable="YES"
pflog_enable="YES"

# vi /etc/pf.conf

ext_if="re0"
anchor "blacklistd/*" in on $ext_if

# service pf start
# service pflog start

Keep the blocked hosts state across reboots:

The -r option makes blacklistd(8) reload the previously blocked hosts from its database when it starts, so a reboot does not clear the blacklist.

# vi /etc/rc.conf
blacklistd_enable="YES"
blacklistd_flags="-r"

We can now configure blacklistd(8):

# vi /etc/blacklistd.conf

You can see that there are two kinds of configuration lines:

  • [local] - What service will I protect?
  • [remote] - How will I treat specific networks/hosts?

Each of these lines carries several fields:

  • adr/mask:port - The address/port of the local machine, useful if you bind your service to a specific address or port
  • type - The socket type:
    • stream - TCP
    • dgram - UDP
    • numeric socket address
  • proto - The protocol we'll use:
    • tcp
    • udp
    • tcp6
    • udp6
    • numeric
  • owner - The username or userid running the service process
  • name - Useful if you want to use a specific PacketFilter rule name
  • nfail - The allowed number of authentication failures before we blacklist the host
  • disable - The time we keep the host in our blacklist table:
    • m - minutes
    • h - hours
    • d - days

[local] configuration:

# vi /etc/blacklistd.conf

[local]
ssh             stream  *       *               *       1       30d

In this case, we watch every TCP (IPv4 and IPv6) connection to port 22; once a host exceeds the allowed number of authentication failures (here nfail is 1), we block it for 30 days.

Now I can start the service :

# service blacklistd start

2. Whitelist specific hosts on specific ports:

[remote] configuration:

I'll allow my local IPv4 and IPv6 networks to connect with as many authentication failures as they want (nfail set to "*" means no limit, and "=" in the name field reuses the name of the matching [local] entry).

# vi /etc/

[remote]
192.168.1.0/24:ssh      *       *       *               =       *       *
[2a01:cb06:3e0:eb00::/56]:ssh   *       *       *       =       *       *
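To check how the [local] and [remote] entries above combine for a given client, here is a small added Python checker (example code written for this post, not part of blacklistd or FreeBSD). It parses the seven-field lines described in section 1, matches a client address and port against the [remote] networks first and falls back to [local], and reports the effective nfail/disable policy; the sample configuration is the one from this page, and the simplified "first matching [remote] entry wins" rule and the tiny SERVICES map are assumptions of the example.

```python
import ipaddress

# Constructed sample: the [local] and [remote] entries from this page.
SAMPLE_CONF = """[local]
ssh             stream  *       *               *       1       30d
[remote]
192.168.1.0/24:ssh      *       *       *               =       *       *
[2a01:cb06:3e0:eb00::/56]:ssh   *       *       *       =       *       *
"""
FIELDS = ("location", "type", "proto", "owner", "name", "nfail", "disable")
UNITS = {"m": 60, "h": 3600, "d": 86400}   # disable suffixes listed on the page
SERVICES = {"ssh": 22}                      # stand-in for /etc/services lookups

def parse_conf(text):
    """Split blacklistd.conf into {'local': [...], 'remote': [...]} field dicts."""
    sections, current = {"local": [], "remote": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line in ("[local]", "[remote]"):
            current = line[1:-1]
        elif line:
            parts = line.split()
            if current is None or len(parts) != len(FIELDS):
                raise ValueError("unparseable line: %r" % raw)
            sections[current].append(dict(zip(FIELDS, parts)))
    return sections

def split_location(loc):
    """'[v6net]:port', 'v4net:port' or a bare port -> (network or None, port or None)."""
    net, _, port = loc[1:].partition("]:") if loc.startswith("[") else loc.rpartition(":")
    network = None if net in ("", "*") else ipaddress.ip_network(net, strict=False)
    return network, None if port == "*" else SERVICES.get(port) or int(port)

def disable_seconds(value):
    """'30d' -> 2592000, '90' -> 90 seconds, '*' -> None (no fixed expiry)."""
    if value == "*":
        return None
    return int(value) if value.isdigit() else int(value[:-1]) * UNITS[value[-1]]

def effective_policy(conf, client_ip, port):
    """Simplified model: the first matching [remote] entry overrides [local]."""
    ip = ipaddress.ip_address(client_ip)
    for section in ("remote", "local"):
        for entry in conf[section]:
            network, eport = split_location(entry["location"])
            if (network is None or ip in network) and eport in (None, port):
                nfail = None if entry["nfail"] == "*" else int(entry["nfail"])
                return {"source": section, "nfail": nfail, "blocks": nfail is not None,
                        "disable": disable_seconds(entry["disable"])}
    return {"source": None, "nfail": None, "blocks": False, "disable": None}
```

Running effective_policy(parse_conf(SAMPLE_CONF), "192.168.1.42", 22) reports the [remote] whitelist entry with no limit, while an address outside both networks falls back to the [local] rule (one failure, 30 days).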

3. Check the blocked hosts list:

You can use the command blacklistctl dump to see which hosts are blocked. I use two options to show everything for IPv4 and IPv6:

# blacklistctl dump -bw
                    address/ma:port id      nfail   last access
             117.82.185.224/32:22   OK      2/1     2017/09/08 13:31:33
             181.196.46.243/32:22   OK      2/1     2017/09/08 08:50:00
              178.47.101.60/32:22   OK      2/1     2017/09/08 13:22:51
               70.25.48.199/32:22   OK      3/1     2017/09/08 11:08:59
             178.48.146.234/32:22   OK      2/1     2017/09/08 11:12:28

4. Need help?
