Setting up NetBSD Blacklistd

draft

Much better than e.g. fail2ban or sshguard, as the daemons (sshd, postfix, ...) report failed attempts to blacklistd directly over its socket instead of it having to parse their logs

Warning - you need to do this BEFORE your server goes to production, as it requires two additional kernel modules which you cannot load once you are in securelevel 1

NPF

You need NPF to be up and running already, but there are specifics - NPF has to be tweaked for blacklistd as follows

ls -lF /libexec/blacklistd-helper
cp -pi /usr/share/examples/blacklist/npf.conf /etc/npf.conf.bl.dist
vi /etc/npf.conf

set bpf.jit off;
#set bpf.jit on;
alg "icmp"

# <blacklist> must also be declared as a table backed by /etc/npf_blacklist
# (the file touched further below); take the table line from the example
# npf.conf copied above, as the table syntax differs between NetBSD releases

group "external" on wm0 {
        ruleset "blacklistd"    # blacklistd-helper adds its block rules here
        pass final all
}

group default {
        pass final all
}

block in final from <blacklist>

Logging

Logging also needs to be enabled, apparently: create the npflog0 interface now and make it persistent across reboots

ifconfig npflog0 create
cat /etc/ifconfig.npflog0
echo create > /etc/ifconfig.npflog0

Modules

see which modules are loaded so far

modstat | egrep "npf|jit"

the npf modules are there already, but you need to add these two

modload bpfjit
modload sljit

cat >> /etc/modules.conf << EOF
bpfjit
sljit
EOF

cat /etc/rc.conf
echo modules=yes >> /etc/rc.conf

Other requirements

sysctl -a | grep net.bpf
echo $((1048576 * 4))
sysctl -w net.bpf.jit=1
sysctl -w net.bpf.maxbufsize=4194304
echo net.bpf.jit=1 >> /etc/sysctl.conf
echo net.bpf.maxbufsize=4194304 >> /etc/sysctl.conf
cat /etc/sysctl.conf
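Since the modules cannot be loaded any more once securelevel is raised, it pays to check the module and sysctl steps above before going to production. The script below is an added example, not part of these notes: the two check functions read `modstat` and `sysctl net.bpf` output on stdin, so they can be exercised offline against the constructed samples included here, and on the real box you feed them the live commands. The modstat and sysctl output layouts are assumptions (a NAME header then one module per line with the name in column 1; `net.bpf.jit = 1` style lines); adjust them if your release prints differently.

```shell
#!/bin/sh
# Added example (not part of these notes): pre-production check for the
# module and sysctl steps, to run before securelevel goes up.
# Assumed output formats:
#   modstat        -> a NAME header line, then one module per line, name in column 1
#   sysctl net.bpf -> "net.bpf.jit = 1" style lines

# Read modstat output on stdin; print the wanted module names that are not loaded.
bl_missing_modules() {
    awk -v wanted="npf bpfjit sljit" '
        NR > 1 { loaded[$1] = 1 }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in loaded)) print w[i]
        }'
}

# Read "sysctl net.bpf" output on stdin; print "name current wanted" for each
# value that does not match what the notes set (jit on, 4 MiB buffer).
bl_wrong_sysctls() {
    awk '
        $1 == "net.bpf.jit"        && $3 != 1      { print $1, $3, 1 }
        $1 == "net.bpf.maxbufsize" && $3 < 4194304 { print $1, $3, 4194304 }'
}

# Run both checks; $1 and $2 are the commands producing modstat and sysctl
# output, e.g. on the real box:  bl_preflight modstat "sysctl net.bpf"
# Returns 0 only when nothing needs fixing.
bl_preflight() {
    rc=0
    for m in $($1 | bl_missing_modules); do
        echo "module $m not loaded: modload $m, and list it in /etc/modules.conf"
        rc=1
    done
    $2 | bl_wrong_sysctls | while read -r name cur want; do
        echo "sysctl $name is $cur, want $want (sysctl -w $name=$want, and /etc/sysctl.conf)"
    done
    [ -z "$($2 | bl_wrong_sysctls)" ] || rc=1
    return $rc
}

# Constructed samples: npf present (built into the kernel), the two jit
# modules not yet loaded, sysctls still at their defaults.
bl_sample_modstat() {
    cat <<'EOF'
NAME            CLASS   SOURCE  FLAGS   REFS    SIZE    REQUIRES
npf             misc    builtin -       1       -       -
bpf             driver  builtin -       1       -       -
EOF
}

bl_sample_sysctl() {
    cat <<'EOF'
net.bpf.maxbufsize = 1048576
net.bpf.jit = 0
net.bpf.peers = 0
EOF
}

# Demo run against the samples: prints four findings and fails
bl_preflight bl_sample_modstat bl_sample_sysctl || echo "fix the above before raising securelevel"
```

On a live system call `bl_preflight modstat "sysctl net.bpf"` from rc.local or by hand; a zero exit status means the modules are loaded and both sysctls match the values set above.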

Overall Setup

cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf.dist
cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf
vi /etc/blacklistd.conf

# adr/mask:port type    proto   owner           name    nfail   disable

[local]
wm0:XXX         *       *       *               *       3       6h
wm0:25          *       *       postfix         *       3       6h
wm0:465         *       *       postfix         *       3       6h
wm0:587         *       *       postfix         *       3       6h
wm0:53          *       *       _nsd            *       3       12h
wm0:*           *       *       *               *       3       60

[remote]
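The disable field above mixes units (6h, 12h, and a bare 60, which is seconds), so it is easy to misread what a line does. The following script is an added example, not part of these notes: it reads a blacklistd.conf style file and prints each rule with its section, location, owner, nfail and the disable time normalised to seconds, flagging malformed lines. It assumes the layout used above (seven whitespace-separated fields per rule, `[local]`/`[remote]` section headers, `#` comments, disable suffixes s/m/h/d or `*` for the default); the sample config is constructed.

```shell
#!/bin/sh
# Added example (not part of these notes): normalise a blacklistd.conf style
# file so you can see what each line actually does, in particular the
# disable field converted to seconds (a bare number is seconds; 6h is 21600).
# Assumed: 7 whitespace-separated fields per rule, "[local]"/"[remote]"
# section headers, "#" comments, disable suffixes s/m/h/d or "*" for default.

# Convert one disable value to seconds; prints "*" unchanged, fails on junk.
bl_to_seconds() {
    v=$1
    case "$v" in
        '*') echo '*'; return 0 ;;
        *m)  n=${v%m}; mult=60 ;;
        *h)  n=${v%h}; mult=3600 ;;
        *d)  n=${v%d}; mult=86400 ;;
        *s)  n=${v%s}; mult=1 ;;
        *)   n=$v;     mult=1 ;;
    esac
    case "$n" in
        ''|*[!0-9]*) echo "bad:$v"; return 1 ;;
    esac
    echo $(( n * mult ))
}

# Read a config on stdin; print "section location owner nfail seconds" per
# rule, report malformed lines on stderr and return 1 if any were found.
bl_lint() {
    rc=0
    section=none
    set -f                      # fields like "*" must not glob-expand
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            '['*']') section=${line#\[}; section=${section%\]}; continue ;;
        esac
        set -- $line
        if [ $# -ne 7 ]; then
            echo "ERR: expected 7 fields, got $#: $line" >&2; rc=1; continue
        fi
        case "$6" in
            '*') ;;
            ''|*[!0-9]*) echo "ERR: bad nfail '$6': $line" >&2; rc=1; continue ;;
        esac
        if ! secs=$(bl_to_seconds "$7"); then
            echo "ERR: bad disable '$7': $line" >&2; rc=1; continue
        fi
        echo "$section $1 $4 $6 $secs"
    done
    set +f
    return $rc
}

# Constructed sample in the same layout as the config above.
bl_sample_conf() {
    cat <<'EOF'
# adr/mask:port type    proto   owner           name    nfail   disable
[local]
wm0:22          *       *       *               *       3       6h
wm0:25          *       *       postfix         *       3       6h
wm0:53          *       *       _nsd            *       3       12h
wm0:*           *       *       *               *       3       60
[remote]
EOF
}

bl_sample_conf | bl_lint
```

Run it against the real file with `bl_lint < /etc/blacklistd.conf`; the last sample line shows that a bare `60` blocks for only a minute, where the other lines block for hours.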

chmod 400 /etc/npf.conf /etc/npf_blacklist /etc/blacklistd.conf

ls -lF /dev/bpf /dev/npf

ls -lF /etc/npf_blacklist
touch /etc/npf_blacklist

Ready to go

echo npf=yes >> /etc/rc.conf
echo npfd=yes >> /etc/rc.conf
echo blacklistd=yes >> /etc/rc.conf
echo blacklistd_flags=-r >> /etc/rc.conf

#npfctl flush
#npfctl reload
service npfd restart
service npf reload
#service npf restart

service blacklistd restart

not sure postfix needs to be restarted entirely

postfix stop    
postfix start

Status

postfix status

npfctl show

ls -lF /var/db/blacklistd.db
ls -lF /var/run/blacklistd.sock
blacklistctl dump -a
blacklistctl dump -ab
#-r -w

cat /etc/npf_blacklist

gives e.g. (the id column stays empty until nfail is reached and the address is actually blocked)

        address/ma:port id      nfail   last access
 202.120.39.141/32:2222 4       3/3     2019/11/17 21:31:57
  104.152.52.27/32:2222         1/3     2019/11/17 20:15:45
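For monitoring it helps to turn that dump into a machine-readable list of who is blocked and who is still pending. The script below is an added example, not part of these notes: it parses the `blacklistctl dump -a` layout shown above (header line, then address/mask:port, an id column that is empty until the address is blocked, nfail as count/limit, and the last-access timestamp) and lists blocked addresses. The sample dump is constructed from the two entries above plus one documentation address (198.51.100.7).

```shell
#!/bin/sh
# Added example (not part of these notes): turn "blacklistctl dump -a" output
# into something a monitoring script can use. Layout assumed is the one shown
# above: header line, then address/mask:port, an id column that is empty until
# the address is actually blocked, nfail as "count/limit", last-access timestamp.

# Read dump output on stdin; print "state address/mask:port count/limit id timestamp",
# state being "blocked" (limit reached or a rule id present) or "pending".
bl_dump_parse() {
    awk '
        NR == 1 { next }                               # header
        NF == 5 { id = $2;  fails = $3; when = $4 " " $5 }
        NF == 4 { id = "-"; fails = $2; when = $3 " " $4 }
        NF != 4 && NF != 5 { next }
        {
            split(fails, f, "/")
            state = (id != "-" || f[1] + 0 >= f[2] + 0) ? "blocked" : "pending"
            print state, $1, fails, id, when
        }'
}

# Just the blocked addresses (port stripped), one per line, deduplicated.
bl_dump_blocked_addrs() {
    bl_dump_parse | awk '$1 == "blocked" { sub(/:[0-9]+$/, "", $2); print $2 }' | sort -u
}

bl_dump_blocked_count() {
    bl_dump_blocked_addrs | wc -l | tr -d ' '
}

# Constructed sample: the two entries from the dump above plus one more
# (198.51.100.7 is a documentation address).
bl_sample_dump() {
    cat <<'EOF'
        address/ma:port id      nfail   last access
 202.120.39.141/32:2222 4       3/3     2019/11/17 21:31:57
  104.152.52.27/32:2222         1/3     2019/11/17 20:15:45
   198.51.100.7/32:25   7       3/3     2019/11/17 19:02:10
EOF
}

bl_sample_dump | bl_dump_parse
echo "blocked: $(bl_sample_dump | bl_dump_blocked_count)"
```

On the live box pipe the real command through it, `blacklistctl dump -a | bl_dump_parse`, and compare the blocked list with `npfctl rule blacklistd list` to confirm the helper actually inserted the rules.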

Resources

Blacklistd by Christos Zoulas https://www.youtube.com/watch?v=fuuf8G28mjs

blacklistd – block and release ports on demand to avoid DoS abuse https://netbsd.gw.com/cgi-bin/man-cgi?blacklistd

blacklistd.conf – configuration file format for blacklistd https://netbsd.gw.com/cgi-bin/man-cgi?blacklistd.conf

blacklistctl – display and change the state of blacklistd https://netbsd.gw.com/cgi-bin/man-cgi?blacklistctl+8

Requirements

blacklistd support for dovecot https://dovecot.org/pipermail/dovecot/2018-September/112971.html

Loading NetBSD kernel modules https://unix.stackexchange.com/questions/348530/loading-netbsd-kernel-modules

Tutorials

How to use blacklistd(8) with NPF as a fail2ban replacement https://www.unitedbsd.com/d/63-how-to-use-blacklistd8-with-npf-as-a-fail2ban-replacement

Blacklistd: A new approach to blocking attackers https://gioarc.me/2017/05/29/blacklistd-a-new-approach-to-blocking-attackers/

FreeBSD and blacklistd https://www.cryptomonkeys.com/2018/05/freebsd-blacklistd/
