blacklistd | fail2ban | sshguard
Much better IN THEORY than fail2ban and sshguard: instead of a separate process tailing log files and pattern-matching failed logins, the daemon itself (sshd, postfix, ...) reports each failed authentication to blacklistd over a local socket, and blacklistd installs the firewall rule and releases it again after the configured time.
Warning - do this BEFORE the server goes to production, as it requires two additional kernel modules (bpfjit and sljit) which cannot be loaded any more once the system runs at securelevel 1.
THIS IS A DRAFT
You need NPF up and running already, but with some specifics: NPF has to be tweaked for blacklistd as follows. wm0 is the interface name from the shipped example, use your own.
ls -lF /libexec/blacklistd-helper
cp -pi /usr/share/examples/blacklist/npf.conf /etc/npf.conf.bl.dist
vi /etc/npf.conf

set bpf.jit off;
#set bpf.jit on;
alg "icmp"
# static table backed by the file created further down (touch /etc/npf_blacklist);
# it is separate from the rules blacklistd adds dynamically into the ruleset
table <blacklist> type ipset file "/etc/npf_blacklist"
group "external" on wm0 {
	# empty ruleset into which /libexec/blacklistd-helper inserts the block rules
	ruleset "blacklistd"
	# a rule has to live inside a group, and before the final pass to have any effect
	block in final from <blacklist>
	pass final all
}
group default {
	pass final all
}
NPF logging also needs the npflog0 pseudo-interface, created now and again at boot:
ifconfig npflog0 create
cat /etc/ifconfig.npflog0
echo create > /etc/ifconfig.npflog0
See what is loaded so far:
modstat | egrep "npf|jit"
The npf modules are there, but bpfjit and sljit need to be added, now and at boot:
modload bpfjit
modload sljit
cat >> /etc/modules.conf << EOF
bpfjit
sljit
EOF
cat /etc/rc.conf
echo modules=yes >> /etc/rc.conf
Then enable the BPF JIT and raise the BPF buffer size to 4 MiB, persistently:
sysctl -a | grep net.bpf
echo $((1048576 * 4))
sysctl -w net.bpf.jit=1
sysctl -w net.bpf.maxbufsize=4194304
echo net.bpf.jit=1 >> /etc/sysctl.conf
echo net.bpf.maxbufsize=4194304 >> /etc/sysctl.conf
cat /etc/sysctl.conf
Now the blacklistd configuration. The address field may be an interface name, XXX is your sshd port, and the disable column is in seconds unless it carries a suffix (so 60 is one minute, 6h six hours):
cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf.dist
cp -pi /usr/share/examples/blacklist/blacklistd.conf /etc/blacklistd.conf
vi /etc/blacklistd.conf

# adr/mask:port	type	proto	owner	name	nfail	disable
[local]
wm0:XXX		*	*	*	*	3	6h
wm0:25		*	*	postfix	*	3	6h
wm0:465		*	*	postfix	*	3	6h
wm0:587		*	*	postfix	*	3	6h
wm0:53		*	*	_nsd	*	3	12h
wm0:*		*	*	*	*	3	60
[remote]

The table file referenced from npf.conf must exist, even if empty, and none of these files should be world readable:
ls -lF /etc/npf_blacklist
touch /etc/npf_blacklist
chmod 400 /etc/npf.conf /etc/npf_blacklist /etc/blacklistd.conf
ls -lF /dev/bpf /dev/npf
Enable everything at boot and (re)start the services. The -r flag makes blacklistd re-read its state database on startup and re-install the rules for addresses that were blocked before the restart:
echo npf=yes >> /etc/rc.conf
echo npfd=yes >> /etc/rc.conf
echo blacklistd=yes >> /etc/rc.conf
echo blacklistd_flags=-r >> /etc/rc.conf
#npfctl flush
#npfctl reload
service npfd restart
service npf reload
#service npf restart
service blacklistd restart
Not sure whether postfix needs to be restarted entirely:
postfix stop
postfix start
Status:
postfix status
npfctl show
ls -lF /var/db/blacklistd.db
ls -lF /var/run/blacklistd.sock
blacklistctl dump -a
blacklistctl dump -ab	# -r shows the remaining block time instead of the last access, -w widens the address column
cat /etc/npf_blacklist
which gives e.g.

        address/ma:port                         id      nfail   last access
202.120.39.141/32:2222                          4       3/3     2019/11/17 21:31:57
104.152.52.27/32:2222                                   1/3     2019/11/17 20:15:45

The first host reached the threshold (3 of 3 failures on port 2222) and is blocked, the id column holding the NPF rule id the helper got back; the second host has one failure so far and no rule yet.
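Added example, not part of this page, of NetBSD or of blacklistd: a small POSIX sh preflight script for the setup above. It checks the two things that bite after the fact (the extra kernel modules, and whether securelevel still allows loading them) and parses "blacklistctl dump -a" into blocked and not-yet-blocked hosts. The module names are the ones used on this page; the dump column layout is assumed from the sample output above (a blocked row carries a rule id, a pending row does not); SAMPLE_MODSTAT is a constructed modstat listing with made-up sizes. Every check takes the text it inspects as an argument, so it runs on saved output as well as live on the host.

```shell
#!/bin/sh
# blacklistd-preflight.sh
# Added example; not part of this page, of NetBSD or of blacklistd itself.
# Checks for the blacklistd + NPF setup above. Every check takes the text it
# inspects as its first argument, so it can be exercised on saved command
# output (the constructed samples below) and run live on the host with
#     sh blacklistd-preflight.sh live

# Constructed sample of "modstat | egrep 'npf|jit'" on a host where both
# extra modules are already loaded (sizes are made up).
SAMPLE_MODSTAT='NAME         CLASS   SOURCE  FLAG    REFS    SIZE    REQUIRES
npf          misc    builtin -       0       -       -
npf_alg_icmp misc    filesys -       0       2048    npf
bpfjit       misc    filesys -       1       62920   sljit
sljit        misc    filesys -       0       38944   -'

# The "blacklistctl dump -a" output shown on this page.
SAMPLE_DUMP='        address/ma:port                         id      nfail   last access
202.120.39.141/32:2222                          4       3/3     2019/11/17 21:31:57
104.152.52.27/32:2222                                   1/3     2019/11/17 20:15:45'

# modules_missing MODSTAT_OUTPUT
# Prints the modules the setup needs that modstat(8) does not list (the
# module name is the first column); returns 1 if any is missing.
modules_missing() {
    _rc=0
    for _m in npf sljit bpfjit; do
        if ! printf '%s\n' "$1" | grep -q "^$_m[[:space:]]"; then
            printf '%s\n' "$_m"
            _rc=1
        fi
    done
    return $_rc
}

# modload_allowed SECURELEVEL
# True while kern.securelevel is still below 1, i.e. while modload(8) works.
modload_allowed() {
    [ "$1" -lt 1 ]
}

# blocked_hosts DUMP_OUTPUT
# Hosts that currently have a firewall rule. Assumption taken from the sample
# above: a blocked row carries the rule id in its second column and therefore
# has five whitespace-separated fields; a row still counting failures has four.
blocked_hosts() {
    printf '%s\n' "$1" | while read -r _addr _f2 _f3 _f4 _f5; do
        case "$_addr" in ""|address/*) continue ;; esac
        if [ -n "$_f5" ]; then
            printf '%s\n' "${_addr%%/*}"
        fi
    done
}

# pending_hosts DUMP_OUTPUT
# Hosts that failed but are not blocked yet, with their "seen/threshold" count.
pending_hosts() {
    printf '%s\n' "$1" | while read -r _addr _f2 _f3 _f4 _f5; do
        case "$_addr" in ""|address/*) continue ;; esac
        if [ -z "$_f5" ]; then
            printf '%s %s\n' "${_addr%%/*}" "$_f2"
        fi
    done
}

# Live run on the host: gathers the real command output and reports.
main() {
    if modules_missing "$(modstat)"; then
        echo "modules: ok"
    else
        echo "modules: the names above are not loaded; modload them and list them in /etc/modules.conf"
    fi
    if modload_allowed "$(sysctl -n kern.securelevel)"; then
        echo "securelevel: modload still possible"
    else
        echo "securelevel: already >= 1, modules can now only be loaded at boot"
    fi
    _dump=$(blacklistctl dump -a)
    echo "blocked:";  blocked_hosts "$_dump"
    echo "pending:";  pending_hosts "$_dump"
}

case "${1-}" in live) main ;; esac
```

Sourcing the file without the "live" argument defines the functions only, which is how the checks can be pointed at output saved from another host.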
Blacklistd by Christos Zoulas https://www.youtube.com/watch?v=fuuf8G28mjs
blacklistd – block and release ports on demand to avoid DoS abuse https://netbsd.gw.com/cgi-bin/man-cgi?blacklistd
blacklistd.conf – configuration file format for blacklistd https://netbsd.gw.com/cgi-bin/man-cgi?blacklistd.conf
blacklistctl – display and change the state of blacklistd https://netbsd.gw.com/cgi-bin/man-cgi?blacklistctl+8
staffan / unblacklist https://git.shangtai.net/staffan/unblacklist
blacklistd support for dovecot https://dovecot.org/pipermail/dovecot/2018-September/112971.html
Loading NetBSD kernel modules https://unix.stackexchange.com/questions/348530/loading-netbsd-kernel-modules
How to use blacklistd(8) with NPF as a fail2ban replacement https://www.unitedbsd.com/d/63-how-to-use-blacklistd8-with-npf-as-a-fail2ban-replacement
Blacklistd: A new approach to blocking attackers https://gioarc.me/2017/05/29/blacklistd-a-new-approach-to-blocking-attackers/
FreeBSD and blacklistd https://www.cryptomonkeys.com/2018/05/freebsd-blacklistd/
Feature suggestion: hook support for specific events? http://postfix.1071664.n5.nabble.com/Feature-suggestion-hook-support-for-specific-events-td107291.html
new signature: postfix smtp auth https://bitbucket.org/sshguard/sshguard/issues/123/new-signature-postfix-smtp-auth
[SSHGuard-users] New Attack Signature https://sourceforge.net/p/sshguard/mailman/message/35360905/