NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: blocklistd: How to keep my dynamic IP from getting blocked

At Wed, 31 Mar 2021 11:13:51 -0000 (UTC), (Michael van Elst) wrote:
Subject: Re: blocklistd: How to keep my dynamic IP from getting blocked
> (Mayuresh) writes:
> >
> > Strangely autossh manages to fail auth irking blocklistd and that ends up
> > blocking access to all devices at home as they share the same external
> > dynamic IP. (Let's keep aside why autossh manages to fail auth for now.)

Well, that is the very root of the problem, is it not?  :-)

SSHd and blocklistd are doing exactly what you asked them to do and
they're reporting and blocking "abuse" where that's been defined as some
persistent attempt to authenticate a connection that's been explicitly
(or implicitly, or accidentally) denied.

Fix the authentication problems (and perhaps tune blocklistd's
sensitivity so as to allow as many fat-finger failed authentications as
you feel you might need), and your problem magically disappears
entirely and hopefully permanently.

And even more magically this solution is not affected in any way by
whether or not either or both the target and/or source IPs are
dynamically or statically assigned.  It Just Works.

> > Alternatively does it need to be done at npf's level?
> That's the more logical way. blocklistd works as designed and the login
> failures trigger an entry in the blocklist. If you don't want to block
> specific IPs, allow them by a specific rule, then it's also more clear
> what is allowed and what is not by looking at a single place.

Blocklistd also has the ability to be configured to not block any given
addresses or networks.

So depending on how the firewall rules are designed, it may actually
make more sense to keep blocklistd from injecting its own blocking rules
into the same firewall that is also trying to avoid blocking those same
addresses or networks.

Either way you'll need to update the new address in one or more files
and trigger one or more actions that probably have to be done as root.

That becomes more complicated if it's the remote (client) side that has
the changing address and you don't already have a pre-determined way to
do these updates and actions based on a remote trigger or some other
kind of locally initiated monitoring.

					Greg A. Woods <>

Kelowna, BC     +1 250 762-7675           RoboHack <>
Planix, Inc. <>     Avoncote Farms <>

Attachment: pgpieryDYCxhw.pgp
Description: OpenPGP Digital Signature

Home | Main Index | Thread Index | Old Index