Blacklistd and pf on FreeBSD

FreeBSD 11.0 shipped a new daemon in base, blacklistd, that blocks IPs after unsuccessful logins. Its advantages over fail2ban: it works with IPv6 and it is part of base. Its disadvantage is that, as far as I understand it, applications have to be linked against blacklistd so that they can work with it.

With the recently released FreeBSD 11.1, sshd is linked against blacklistd. Therefore there is a new option in sshd_config: UseBlacklist. By default it is set to no. Uncomment it, set it to yes and then reload sshd.

The config is in /etc/blacklistd.conf. Usually you define blocking rules in the [local] section and whitelisting in [remote]. The sample file and the man page are good enough to explain that part.

In addition you need to start the blacklistd service and enable it in rc.conf, or better in a file in /etc/rc.conf.d.

In /etc/pf.conf you need to add the following line:

 anchor "blacklistd/*" in on $ext_if

Then you need to reload pf with the new rule:

 pfctl -f /etc/pf.conf
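The configuration steps above (UseBlacklist in sshd_config, enabling the service, the anchor line in pf.conf) can be applied idempotently with a couple of small shell functions. The script below is an added example, not from the original post; it takes the file paths as arguments so it can be exercised on copies of the files, and the live commands at the end (service, sysrc, pfctl) are only listed in a comment because they need a FreeBSD host with the real /etc/ssh/sshd_config and /etc/pf.conf.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the edits
# described above. They take file paths as arguments so they can be run
# against copies; the live files are /etc/ssh/sshd_config and /etc/pf.conf.
set -eu

# Set "UseBlacklist yes" in an sshd_config. A commented-out or differently
# set directive is replaced in place; if none exists the line is appended.
# Running it twice on the same file leaves exactly one directive.
enable_use_blacklist() {
    f="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*UseBlacklist[[:space:]]' "$f"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*UseBlacklist[[:space:]].*/UseBlacklist yes/' "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    else
        printf 'UseBlacklist yes\n' >> "$f"
    fi
}

# sshd uses the first uncommented occurrence of a directive, so report that one.
use_blacklist_value() {
    awk '/^[[:space:]]*UseBlacklist[[:space:]]/ { print $2; exit }' "$1"
}

# Append the blacklistd anchor to a pf.conf unless the exact line is present.
ensure_pf_anchor() {
    f="$1"
    anchor='anchor "blacklistd/*" in on $ext_if'
    grep -Fqx "$anchor" "$f" || printf '%s\n' "$anchor" >> "$f"
}

# Number of anchor lines in a pf.conf (exactly 1 after ensure_pf_anchor).
pf_anchor_count() {
    grep -Fcx 'anchor "blacklistd/*" in on $ext_if' "$1" || true
}

# On the live system, after editing the real files, the remaining steps are
# (not executed here; run them on the FreeBSD host):
#   service sshd reload
#   sysrc -f /etc/rc.conf.d/blacklistd blacklistd_enable=YES
#   service blacklistd start
#   pfctl -f /etc/pf.conf

# Demo on constructed sample files in a scratch directory.
demo_dir=$(mktemp -d)
printf '#UseBlacklist no\nPort 22\n' > "$demo_dir/sshd_config"
printf 'ext_if="em0"\nblock in all\n' > "$demo_dir/pf.conf"
enable_use_blacklist "$demo_dir/sshd_config"
ensure_pf_anchor "$demo_dir/pf.conf"
echo "UseBlacklist is now: $(use_blacklist_value "$demo_dir/sshd_config")"
echo "anchor lines in pf.conf: $(pf_anchor_count "$demo_dir/pf.conf")"
rm -r "$demo_dir"
```

Both helpers are safe to re-run: the sed replacement matches the directive whether it is commented out or already set, and the anchor is only appended when grep finds no exact match, so a configuration management run that calls them repeatedly does not pile up duplicate lines.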

Now blocking should already work. To list the blocked IPs use the following command (blacklistctl needs the dump subcommand):

 blacklistctl dump -b

If IPv6 addresses are blocked, you need to add -w as well so the address column is wide enough; the command then becomes

 blacklistctl dump -bw

If you want to unblock an IP you can look into the pf tables with pfctl. To see, for example, the table for sshd (port 22), the command is:

 pfctl -a blacklistd/22 -t port22 -T show

Now let's say you want to unblock one of the IPs shown in that table; then you issue (with <ip-address> replaced by the address from the table):

 pfctl -a blacklistd/22 -t port22 -T delete <ip-address>

This removes the IP from the table, so it is now unblocked. blacklistctl will still show the IP as blocked though, since only the pf table was changed. And if the IP tries again to log in and fails often enough, it will be blocked again.
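A small wrapper makes the show/delete commands above less error-prone: blacklistd keeps one anchor per service port ("blacklistd/22") containing a table named after the port ("port22"), so both names can be derived from the port number, and the port and address are sanity-checked before anything reaches pfctl. This is an added example, not from the original post; the PFCTL variable is an assumption of this script (set PFCTL=echo to dry-run on a machine without pf).

```shell
#!/bin/sh
# Added example, not from the original post: wrapper around the pfctl table
# commands for blacklistd's per-port anchors. PFCTL can be overridden
# (e.g. PFCTL=echo) to print the command instead of running it.
set -eu
PFCTL="${PFCTL:-pfctl}"

# Accept a decimal port 1-65535, reject anything else.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Loose check: dotted IPv4 or colon-separated hex (IPv6). pfctl does the real
# parsing; this only keeps empty strings and shell metacharacters out.
valid_addr() {
    case "$1" in
        '') return 1 ;;
        *[!0-9A-Fa-f:.]*) return 1 ;;
        *.*.*.*) return 0 ;;
        *:*) return 0 ;;
    esac
    return 1
}

# Print, without running, the pfctl command for ACTION on a port's table.
pf_table_cmd() {   # action port [addr]
    action="$1"; port="$2"; addr="${3:-}"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf '%s -a blacklistd/%s -t port%s -T %s' "$PFCTL" "$port" "$port" "$action"
    [ -n "$addr" ] && printf ' %s' "$addr"
    printf '\n'
}

# Show the table for a service port (what blacklistd currently blocks in pf).
blacklistd_show() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    "$PFCTL" -a "blacklistd/$1" -t "port$1" -T show
}

# Remove one address from a port's table. blacklistctl dump will still list
# the address afterwards: only pf forgets it, blacklistd's own state does not.
blacklistd_unblock() {
    port="$1"; addr="$2"
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    valid_addr "$addr" || { echo "bad address: $addr" >&2; return 1; }
    "$PFCTL" -a "blacklistd/$port" -t "port$port" -T delete "$addr"
}

# Usage on a FreeBSD host (as root):
#   blacklistd_show 22
#   blacklistd_unblock 22 192.0.2.10        # 192.0.2.10 is a constructed example address
# Dry run anywhere:
#   PFCTL=echo sh -c '. ./this_script.sh; pf_table_cmd delete 22 2001:db8::1'
```

The validation is deliberately permissive about address syntax and strict about what it lets through to the shell: an address is passed to pfctl as a single quoted argument, and pfctl itself reports a malformed one, while port numbers outside 1-65535 are rejected before any anchor name is built.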
