NetBSD-Users archive
Re: Blacklistd configuration
Hi Joel,
> I have in -10 blAcklistd and blOcklistd. Is blacklistd now unsupported?
> Man pages seem to be very similar.
It's just a renaming, and blocklistd gets continuing support. On
a "true" netbsd-10-release (not available yet), there should be
just blocklistd. Maybe you have old blAcklistd remnants from
upgrading into your release candidate? I'd just use blOcklistd
on anything 10-ish.
Make sure you match the proper daemon with the proper config file:
without an explicit "-c configfile" option, blocklistd will use
blocklistd.conf -- not blacklistd.conf.
> I have checked /libexec/blacklistd-helper. But as blacklistctl dump
> doesn't return anything, I suppose something is broken before call of
> /libexec/blacklistd-helper.
Things which got me when I did the ssh filter setup:
- "blacklistctl dump" without options only shows "embryonic"
clients -- clients which have been reported but not yet
reached the limit to get blocked. "-a"/"-b" is required to
see currently blocked clients (according to bl[ao]cklistd).
These should then also show up in npf:
npfctl rule blacklistd list
- There are certain forms of ssh connects which the client
doesn't complete and where sshd never notifies blacklistd.
For example, if you only accept key-based logins and the
client never gets to the stage where it guesses passwords,
this will not make it to blacklistd -- even when the client
keeps hammering on with new connects. IIRC, one sees lots
of "pre-authorized client disconnects" in the auth.log
Martin Neitzel
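The second point above (pre-auth disconnects never reach blocklistd, so a client can keep hammering sshd without ever showing up in "blacklistctl dump") means such clients have to be spotted in the log instead. The script below is an added example, not part of Martin's mail or of the NetBSD blocklistd tooling: it tallies sshd "[preauth]" disconnects per client address from auth.log-style lines and reports the addresses over a threshold. The log excerpt is constructed (RFC 5737 documentation addresses, OpenSSH message shapes as commonly seen), and the function names preauth_counts and hammering_clients are this example's own.

```shell
#!/bin/sh
# Added example: find ssh clients that disconnect before authentication
# often enough to look like hammering. Not from the original mail.

# Constructed sample auth.log excerpt (addresses and timestamps invented).
SAMPLE_LOG='Jan 10 12:00:01 host sshd[1234]: Connection closed by 192.0.2.10 port 50001 [preauth]
Jan 10 12:00:02 host sshd[1235]: Connection closed by 192.0.2.10 port 50002 [preauth]
Jan 10 12:00:03 host sshd[1236]: Disconnected from authenticating user root 192.0.2.10 port 50003 [preauth]
Jan 10 12:00:04 host sshd[1237]: Received disconnect from 198.51.100.7 port 40000:11: Bye Bye [preauth]
Jan 10 12:00:05 host sshd[1238]: Accepted publickey for alice from 203.0.113.5 port 33333 ssh2
Jan 10 12:00:06 host sshd[1239]: Connection closed by 192.0.2.10 port 50004 [preauth]'

# preauth_counts: read log lines on stdin, print "COUNT ADDRESS" for every
# client address that dropped the connection before authenticating,
# most frequent first. Only sshd lines ending in "[preauth]" are counted;
# successful logins and other daemons are ignored.
preauth_counts() {
    awk '
        /sshd\[[0-9]+\]:/ && /\[preauth\]$/ {
            # In every OpenSSH pre-auth disconnect message the client
            # address is the field immediately before the word "port".
            for (i = 2; i < NF; i++)
                if ($i == "port") { n[$(i - 1)]++; break }
        }
        END { for (a in n) print n[a], a }
    ' | sort -rn
}

# hammering_clients THRESHOLD: addresses with at least THRESHOLD pre-auth
# disconnects, one per line.
hammering_clients() {
    preauth_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Stand-alone demo: with a threshold of 3 only 192.0.2.10 (4 hits) is listed.
printf '%s\n' "$SAMPLE_LOG" | hammering_clients 3
```

On a live system you would feed it the real log (e.g. `hammering_clients 10 < /var/log/authlog`) and then decide separately how to block the addresses it prints; since blocklistd never hears about these connections, they will not appear in `blacklistctl dump -a` or in `npfctl rule blacklistd list`, whatever the threshold.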