Bug 256880

Summary: blacklistd entry vanishes after ~1m
Product: Base System
Reporter: Gian-Simon Purkert <gspurki>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed Works As Intended
Severity: Affects Only Me
CC: chris, zarychtam
Priority: ---
Version: 12.2-RELEASE
Hardware: amd64
OS: Any

Description Gian-Simon Purkert 2021-06-29 08:34:34 UTC
I have blacklistd running for ssh (from base) on a custom port. When I make an attack (over VPN) the entry is there with the correct custom port, but it vanishes after about 1 minute (it should stay for 24h) and without making an entry in pf.

SSH is configured for "cert-only access", but when making an attack (brute force with password) it's not recognized at all.

I have just these entries in debug.log (not from restarting blacklistd):

sshd_config:
UseBlacklist yes

blacklistd.conf:
# adr/mask:port	type	proto	owner		name	nfail	disable
[local]
ssh		stream	*	*		*	3	24h

pf.conf:
anchor "blacklistd/*" in on $EXT_IF

rc.conf:
blacklistd_enable="YES"
blacklistd_flags="-r"

/var/log/debug.log:
Jun 27 12:50:40  blacklistd[12301]: Connected to blacklist server
Jun 27 13:00:07  blacklistd[25807]: Connected to blacklist server
Jun 27 14:27:46  blacklistd[90565]: Connected to blacklist server
Jun 27 14:28:48  blacklistd[98434]: Connected to blacklist server
Jun 28 07:18:36  blacklistd[59502]: Connected to blacklist server
Jun 28 07:18:44  blacklistd[65168]: Connected to blacklist server
Jun 28 07:26:44  blacklistd[34127]: Connected to blacklist server
Jun 28 07:46:50  blacklistd[97330]: Connected to blacklist server
Jun 28 08:03:32  blacklistd[42533]: Connected to blacklist server
Jun 28 10:06:15  blacklistd[27244]: Connected to blacklist server
Jun 28 10:08:08  blacklistd[81582]: Connected to blacklist server
Jun 28 10:10:50  blacklistd[77628]: Connected to blacklist server
Comment 1 Marek Zarychta 2021-06-29 15:22:21 UTC
It's not a bug but a misconfiguration. Please try adding your custom port to blacklistd.conf and try to reproduce, otherwise the default rule will be applied:
*			*	*	*		*	4	60
If it helps, please consider closing this PR.
Comment 2 Gian-Simon Purkert 2021-06-29 23:35:59 UTC
(In reply to Marek Zarychta from comment #1)
the entry is there with the correct custom port, but vanishes

>If it helps, please consider closing this PR.

No, it does not help.
Comment 3 Marek Zarychta 2021-06-30 08:18:42 UTC
(In reply to Gian-Simon Purkert from comment #2)
Works for me as intended, including custom ports.
It must be a misconfiguration; does "anchor "blacklistd/*" in on $EXT_IF" apply to VPN traffic?
Comment 4 Gian-Simon Purkert 2021-06-30 08:55:05 UTC
(In reply to Marek Zarychta from comment #3)

I used the vpn to make the attack.

It's a bit like this bug:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247309
Comment 5 Marek Zarychta 2021-06-30 09:11:15 UTC
(In reply to Gian-Simon Purkert from comment #4)
Indeed, the documentation is not one of the strengths here. Could you please paste the output from the commands:
sockstat -lP tcp |grep sshd
cat /etc/blacklistd.conf
Comment 6 Gian-Simon Purkert 2021-06-30 10:42:31 UTC
(In reply to Marek Zarychta from comment #5)

It works now, I commented out the
*			*	*	*		*	4	60
rule.

It now blocks the right port and ip.

Thanks for the help!
Comment 7 Marek Zarychta 2021-06-30 10:44:45 UTC
(In reply to Gian-Simon Purkert from comment #6)

>It works now, I commented out the
>*			*	*	*		*	4	60

This one can be left, but it has to be the last one.
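The rule-ordering point from comments 6 and 7, as an added example that is not part of this PR or of blacklistd itself: a small sh script that walks a blacklistd.conf-style rule list the way blacklistd does (first matching rule wins), so a catch-all "*" rule placed above the ssh rule captures every failure and hands it the default 4 failures / 60 seconds instead of 3 failures / 24h, which is exactly an entry that "vanishes after about 1 minute". The custom port 2222, and the catch-all sitting above the ssh rule in the "misordered" file, are assumptions (the PR shows neither); the matcher is a deliberate simplification that looks only at the port field, ignores the adr/mask, proto, owner and name fields, and maps "ssh" to 22 as a stand-in for the service-name lookup blacklistd performs.

```sh
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: a first-match walk over
# blacklistd.conf-style rules, to show why the catch-all "*" rule must be last.
# Simplifications: only the port part of the first field is matched ("*", a
# number, or a service name); adr/mask, type, proto, owner and name are ignored.
# Port 2222 is an assumed custom sshd port; the PR does not name the real one.

# Misordered file (assumed reconstruction): the catch-all comes first, so it
# matches every failure and the 3/24h rules below it are never reached.
BAD_CONF='# adr/mask:port type proto owner name nfail disable
[local]
* * * * * 4 60
ssh stream * * * 3 24h
2222 stream * * * 3 24h'

# Corrected file: specific rules first, catch-all last (comment 7).
GOOD_CONF='# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
2222 stream * * * 3 24h
* * * * * 4 60'

# Service name -> port number; stand-in for the getservbyname(3) lookup.
port_of() {
    case "$1" in
        ssh) echo 22 ;;
        *)   echo "$1" ;;
    esac
}

# find_rule CONF PORT: print "nfail disable" of the first rule whose port
# field is "*" or resolves to PORT; print nothing when no rule matches.
# Comment lines, "[local]"/"[remote]" section headers and blank lines are skipped.
find_rule() {
    printf '%s\n' "$1" | while read -r port type proto owner name nfail disable; do
        case "$port" in ''|'#'*|'['*) continue ;; esac
        if [ "$port" = '*' ] || [ "$(port_of "$port")" = "$2" ]; then
            echo "$nfail $disable"
            break          # first match wins, exactly like blacklistd
        fi
    done
}

# Stand-alone demonstration of the difference the ordering makes.
printf 'misordered, port 2222: %s\n' "$(find_rule "$BAD_CONF" 2222)"
printf 'corrected,  port 2222: %s\n' "$(find_rule "$GOOD_CONF" 2222)"
printf 'corrected,  port 22:   %s\n' "$(find_rule "$GOOD_CONF" 22)"
printf 'corrected,  port 80:   %s\n' "$(find_rule "$GOOD_CONF" 80)"
```

On a live host the corresponding checks are `blacklistctl dump -a` (shows every tracked entry with its failure count and remaining block time, so a 60-second timeout on an entry for the sshd port points at the catch-all having matched), `sockstat -lP tcp | grep sshd` (confirms which port sshd really listens on, so the rule's port field can be made to match it), and `pfctl -a 'blacklistd/*' -sr` (shows whether anything was actually loaded into the anchor that pf.conf references).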