tech-userlevel archive


Re: bl*cklist configuration, ssh only

> 172800 seconds is 48 hours as per
> 
> # grep ssh /etc/blocklistd.conf 
> ssh             stream  *       *               *       3       48h
> 
> The login attempts are well spaced out in time, so probably not "races".
> 
> # blocklistctl dump -a | grep 62.122.184.124
>  62.122.184.124/32:22   7       49/3    2023/06/02 08:36:43
> 
> BUT
> 
> # npfctl rule blocklistd list
> block in final family inet4 proto tcp from 103.125.253.124/32 to any port 22 # id="1" 


The rule is only added once, but the log message is written every time.

So if adding a rule failed for some reason (or was dropped for some
other reason beyond blocklistd), it won't be added before blocklistd
has dropped the rule itself.

It doesn't look like errors from adding/removing rules were noticed or
logged somewhere, but you could augment the helper script.

Greetings,
-- 
                                Michael van Elst
Internet: mlelstv%serpens.de@localhost
                                "A potential Snark may lurk in every tree."
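The error logging suggested above for the helper script, as an added example that is not part of this thread and is not NetBSD's own blocklistd-helper. It assumes the helper calling convention `add|rem|flush ruleset proto addr mask port [id]`, that the helper prints the rule id on a successful add so blocklistd can hand it back on rem, and that npfctl prints that id as the last word of its output; the `npfctl rule ... add|rem-id|flush` invocations follow npfctl(8), but the wrapper, its log format and the addresses used in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not NetBSD's blocklistd-helper):
# log the outcome of every rule add/remove so that a failed insert is
# recorded instead of silently leaving the address unblocked until
# blocklistd expires the entry and tries again.
#
# Assumed calling convention (check your blocklistd-helper):
#   helper <add|rem|flush> <ruleset> <proto> <addr> <mask> <port> [id]
# On "add" the helper prints the new rule id, which blocklistd passes
# back on "rem".

# Where messages go; default is logger(1), overridable for testing.
: "${LOG_CMD:=logger -t blocklistd-helper}"

log_msg() {
    # shellcheck disable=SC2086  # word splitting of LOG_CMD is intended
    $LOG_CMD "$1"
}

# apply_rule ACTION RULESET PROTO ADDR MASK PORT [ID]
# Runs the npfctl operation, logs success or failure with npfctl's own
# message, and returns npfctl's exit status (2 for an unknown action).
apply_rule() {
    action=$1 ruleset=$2 proto=$3 addr=$4 mask=$5 port=$6 id=$7
    target="$addr/$mask port $port"

    case "$action" in
    add)
        out=$(npfctl rule "$ruleset" add block in final proto "$proto" \
              from "$addr/$mask" to any port "$port" 2>&1)
        rc=$?
        # Assumed: npfctl prints the rule id as the last word (e.g. "OK 17").
        id=${out##* }
        # Without an id blocklistd could never remove the rule later,
        # so treat that as a failure as well.
        if [ "$rc" -eq 0 ] && [ -z "$id" ]; then
            out="npfctl returned no rule id"
            rc=1
        fi
        ;;
    rem)
        out=$(npfctl rule "$ruleset" rem-id "$id" 2>&1)
        rc=$?
        ;;
    flush)
        target="all"
        out=$(npfctl rule "$ruleset" flush 2>&1)
        rc=$?
        ;;
    *)
        log_msg "unknown action '$action'"
        return 2
        ;;
    esac

    if [ "$rc" -ne 0 ]; then
        log_msg "$action $target FAILED (rc=$rc): $out"
        return "$rc"
    fi
    if [ "$action" = add ]; then
        log_msg "$action $target ok id=$id"
        printf '%s\n' "$id"   # blocklistd stores this id for the later "rem"
    else
        log_msg "$action $target ok"
    fi
    return 0
}

# When invoked by blocklistd, dispatch on the arguments it passes.
if [ $# -gt 0 ]; then
    apply_rule "$@"
fi
```

With this in place a failed insert shows up in syslog with npfctl's exit status and message, which is exactly the evidence that is missing when `blocklistctl dump -a` lists an address but `npfctl rule blocklistd list` does not.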

