How to Install Blacklistd on FreeBSD 11.1

Introduction #

Any service that is connected to the internet is a potential target for brute-force attacks or unwarranted access. Tools like fail2ban or sshguard exist, but they are functionally limited because they only parse log files. Blacklistd takes a different approach: daemons modified to support it, such as sshd, connect directly to blacklistd, which then adds new firewall rules.

Step 1: PF (Firewall) #

An anchor is a collection of rules and we need one in our PF configuration. To create a minimal ruleset, edit /etc/pf.conf so it looks like this:

set skip on lo0
scrub in on vtnet0 all fragment reassemble

anchor "blacklistd/*" in on vtnet0

block in all
pass out all keep state
antispoof for vtnet0 inet

pass in quick on vtnet0 inet proto icmp all icmp-type echoreq
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22

Now enable PF so that it starts automatically by editing /etc/rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

However, before going further you should test your rules to be sure everything is correct. For this, use the following command:

pfctl -vnf /etc/pf.conf

If this command reports errors, go back and fix those first!

It is a good idea to make sure everything is working as expected by rebooting the server now:

shutdown -r now

Step 2: Blacklistd #

Blocked IPs stay blocked for 24h. This is the default value and can be changed in /etc/blacklistd:

# Block list rule
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       3       24h

Edit /etc/rc.conf to enable Blacklistd:

blacklistd_enable="YES"
blacklistd_flags="-r"

Start Blacklistd with the following command:

service blacklistd start

Step 3: SSH #

One last thing we need to do is tell sshd to notify blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file. Now restart SSH with service sshd restart.

Final step #

Finally, test the setup by trying to log into your server with an invalid password.

To get all of the blocked IPs, use one of the following commands:

blacklistctl dump -bw
        address/ma:port id      nfail   last access
 150.x.x.x/32:22        OK      3/3     2017/x/x 04:43:03
 115.x.x.x/32:22        OK      3/3     2017/x/x 04:45:40
  91.x.x.x/32:22        OK      3/3     2017/x/x 07:51:16
  54.x.x.x/32:22        OK      3/3     2017/x/x 12:05:57

pfctl -a blacklistd/22 -t port22 -T show
   54.x.x.x
   91.x.x.x
  115.x.x.x
  150.x.x.x

To remove a blocked IP, you must use the pfctl command. For example:

pfctl -a blacklistd/22 -t port22 -T delete <IP>

Note that blacklistctl will still show the IP as blocked. This is normal behavior and will hopefully be fixed in future releases.
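Because the two views drift apart after a manual pfctl delete, it is worth checking them against each other. The following shell script is an added example, not part of the original article; it assumes the output of the two commands above has been saved to files in the format shown, and the sample addresses it embeds are constructed from documentation ranges.

```sh
#!/bin/sh
# Added example (not from the original article): cross-check the block list as
# reported by blacklistctl against the live pf table. Usage:
#   stale_entries BLACKLISTCTL_DUMP_FILE PF_TABLE_SHOW_FILE

# Print addresses that blacklistctl still lists but that are gone from the pf
# table (one per line, sorted). An empty result means the two views agree.
stale_entries() {
    awk '
        # First file: "blacklistctl dump -bw". Data lines start with addr/mask:port;
        # the header line does not match and is skipped.
        NR == FNR {
            if ($1 ~ /^[0-9.]+\//) { sub(/\/.*/, "", $1); bl[$1] = 1 }
            next
        }
        # Second file: "pfctl -a blacklistd/22 -t port22 -T show", one address per line.
        $1 ~ /^[0-9.]+$/ { pf[$1] = 1 }
        END { for (a in bl) if (!(a in pf)) print a }
    ' "$1" "$2" | sort
}

# Constructed sample output (documentation address ranges, not real hosts).
bl_sample=$(mktemp); pf_sample=$(mktemp)
cat > "$bl_sample" <<'EOF'
        address/ma:port id      nfail   last access
 198.51.100.7/32:22     OK      3/3     2017/01/01 04:43:03
 203.0.113.9/32:22      OK      3/3     2017/01/01 04:45:40
 203.0.113.40/32:22     OK      3/3     2017/01/01 07:51:16
EOF
cat > "$pf_sample" <<'EOF'
   198.51.100.7
   203.0.113.40
EOF

# 203.0.113.9 was removed with pfctl but is still in the blacklistd database,
# so it is the only address reported here.
stale_entries "$bl_sample" "$pf_sample"
rm -f "$bl_sample" "$pf_sample"
```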
