Re: bl*cklist configuration, ssh only
On Thu, Jun 01, 2023 at 07:21:40PM +0200, Michael van Elst wrote:
> On Thu, Jun 01, 2023 at 05:05:16PM +0100, Patrick Welche wrote:
> >
> > What puzzles me is:
> >
> > # blocklistctl dump -a | wc
> > 53 218 2497
> >
> > BUT:
> >
> > # npfctl rule blocklistd list | wc
> > 3 45 254
> >
> > Only 3 hosts apparently being blocked by npf vs 53.
>
>
> blocklistctl dumps the policy database.
>
> npf doesn't implement that policy, but only specific
> blocking rules. blocklistd adds npf rules when the
> policy is violated (e.g. the 3rd login failure)
> and removes rules when a timeout is reached.
I agree that that is the way it is meant to work, but I am not
convinced that that is happening. e.g., from the logs:
# grep 62.122.184.124 /var/log/messages | tail -15
Jun 1 05:03:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 05:39:28 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 06:51:21 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 07:26:12 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 08:00:59 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 09:12:25 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 10:23:17 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 14:32:10 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 18:41:37 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 1 20:28:15 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 2 00:05:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 2 00:39:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 2 02:26:52 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 2 07:40:59 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun 2 08:36:43 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
172800 seconds is 48 hours as per
# grep ssh /etc/blocklistd.conf
ssh stream * * * 3 48h
The login attempts are well spaced out in time, so probably not "races".
# blocklistctl dump -a | grep 62.122.184.124
62.122.184.124/32:22 7 49/3 2023/06/02 08:36:43
BUT
# npfctl rule blocklistd list
block in final family inet4 proto tcp from 103.125.253.124/32 to any port 22 # id="1"
block in final family inet4 proto tcp from 107.172.103.170/32 to any port 22 # id="2"
block in final family inet4 proto tcp from 46.148.41.186/32 to any port 22 # id="3"
block in final family inet4 proto tcp from 45.9.74.101/32 to any port 22 # id="4"
block in final family inet4 proto tcp from 46.148.41.185/32 to any port 22 # id="5"
block in final family inet4 proto tcp from 159.223.177.128/32 to any port 22 # id="6"
no sign of 62.122.184.124, even though one might expect an id="7" rule to allude
to it, but it isn't in the npfctl list...
Cheers,
Patrick
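The mismatch above is between two views of the same state: the policy database that `blocklistctl dump -a` prints (address, id, failures/threshold, last seen) and the rules `npfctl rule blocklistd list` actually has installed. The following POSIX sh/awk script is an added example for checking that consistency; it is not from this thread or from the blocklistd/npf sources. It reconciles the two outputs and prints any address whose failure count has reached its threshold but which has no matching npf rule, which is exactly the 62.122.184.124 situation. The sample data is constructed from the formats shown in the thread, and the column layout of `blocklistctl dump` (address/mask:port, id, count/threshold, timestamp) is read off that output rather than taken from documentation.

```shell
#!/bin/sh
# Added example, not code from the thread: reconcile blocklistd's policy
# database with the npf rules blocklistd is supposed to have installed.

# Constructed sample of `blocklistctl dump -a` output.
# Columns (as seen in the thread): address/mask:port  id  count/threshold  last-seen
BLOCKLIST_DUMP='62.122.184.124/32:22 7 49/3 2023/06/02 08:36:43
103.125.253.124/32:22 1 3/3 2023/06/01 04:10:00
107.172.103.170/32:22 2 5/3 2023/06/01 09:00:00
198.51.100.7/32:22 8 1/3 2023/06/02 10:00:00'

# Constructed sample of `npfctl rule blocklistd list` output.
NPF_RULES='block in final family inet4 proto tcp from 103.125.253.124/32 to any port 22 # id="1"
block in final family inet4 proto tcp from 107.172.103.170/32 to any port 22 # id="2"'

# find_unblocked DUMP RULES
# Prints, one per line, each address/mask from DUMP whose failure count
# is at or over its threshold and which does not appear in RULES.
# Both inputs are fed to awk as one stream, separated by a marker line,
# so the function works on strings without temporary files.
find_unblocked() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
    /^---$/ { in_dump = 1; next }
    # Rules section: collect the "from <addr/mask>" of every npf rule.
    !in_dump {
        if (match($0, /from [^ ]+/))
            blocked[substr($0, RSTART + 5, RLENGTH - 5)] = 1
        next
    }
    # Dump section: skip blank or malformed lines rather than reporting them.
    NF < 3 { next }
    {
        split($1, a, ":"); addr = a[1]         # strip the ":port" suffix
        split($3, c, "/")                      # count/threshold
        if (c[1] + 0 >= c[2] + 0 && !(addr in blocked))
            print addr
    }'
}

# On a live system the same check is:
#   find_unblocked "$(blocklistctl dump -a)" "$(npfctl rule blocklistd list)"
find_unblocked "$BLOCKLIST_DUMP" "$NPF_RULES"
```

An empty result means every host that has crossed the threshold is covered by an npf rule; any address printed is one the policy database believes is blocked while the packet filter is not enforcing it, and is worth correlating with the `blocked ... for N seconds` log lines for that host.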