Introduction
Any service that is connected to the internet is a potential target for brute-force attacks or unwarranted access. There are tools like fail2ban or sshguard, but these are functionally limited because they only parse log files. Blacklistd takes a different approach: modified daemons such as sshd connect directly to blacklistd, which then adds new firewall rules for the offending addresses.
Step 1: PF (Firewall)
An anchor is a collection of rules, and blacklistd needs one in our PF configuration. To create a minimal ruleset, edit /etc/pf.conf so it looks like this:
set skip on lo0
scrub in on vtnet0 all fragment reassemble
anchor "blacklistd/*" in on vtnet0
block in all
pass out all keep state
antispoof for vtnet0 inet
pass in quick on vtnet0 inet proto icmp all icmp-type echoreq
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22
Now enable PF to start automatically by editing /etc/rc.conf:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
However, there is one thing you should do before rebooting: test your rules to be sure everything is correct. For this, use the following command:
pfctl -vnf /etc/pf.conf
If this command reports errors, go back and fix those first! Once the check passes, it is a good idea to make sure everything is working as expected by rebooting the server now:
shutdown -r now
Step 2: Blacklistd
IPs are blocked for 24h. This is the default value and can be changed in /etc/blacklistd.conf:
# Blacklist rule
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
Edit /etc/rc.conf to enable Blacklistd:
blacklistd_enable="YES"
blacklistd_flags="-r"
Start Blacklistd with the following command:
service blacklistd start
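As an added example (not part of the original article), the following POSIX sh script checks the three configuration files from Steps 1 and 2 before you reboot: that pf.conf carries the blacklistd anchor on the interface, that blacklistd.conf has a blocking rule for ssh in its [local] section, and that rc.conf enables both services. The anchor check matters most: without that line blacklistd still fills its PF tables, but nothing is ever matched against them, so nothing is blocked. The check_* function names, the scratch-directory demo and the sample file contents are constructed for this example; on a real host, point the functions at /etc/pf.conf, /etc/blacklistd.conf and /etc/rc.conf.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for
# the PF and blacklistd configuration from Steps 1 and 2. It only inspects
# configuration text, so it runs on any POSIX sh; the files it reads are
# arguments, and the sample files in demo() are constructed here.

# check_pf_anchor FILE IFACE
# Exit 0 when FILE carries the blacklistd anchor on IFACE. Without this
# line blacklistd still fills its PF tables, but no packet is ever matched
# against them, so nothing is actually blocked.
check_pf_anchor() {
    grep -Eq "^[[:space:]]*anchor[[:space:]]+\"blacklistd/\*\"[[:space:]]+in[[:space:]]+on[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# check_blacklistd_rule FILE PORT
# Exit 0 when the [local] section of FILE has a rule for PORT (a name such
# as "ssh", a number, or "*:PORT") whose nfail field is a positive number,
# i.e. a rule that will actually block after that many failures.
check_blacklistd_rule() {
    awk -v port="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
        /^[[:space:]]*\[local\]/ { in_local = 1; next }
        /^[[:space:]]*\[/        { in_local = 0; next }    # any other section
        in_local && ($1 == port || $1 ~ (":" port "$")) && $6 ~ /^[0-9]+$/ && $6 > 0 { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_rc_enabled FILE VAR
# Exit 0 when VAR is set to YES (any case, with or without quotes) in FILE.
check_rc_enabled() {
    grep -Eiq "^[[:space:]]*$2=\"?yes\"?[[:space:]]*\$" "$1"
}

# demo: build constructed copies of the three files in a scratch directory
# and run every check, reporting each failure; exit status 0 means all passed.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/pf.conf" <<'EOF'
set skip on lo0
anchor "blacklistd/*" in on vtnet0
block in all
pass out all keep state
pass in quick on vtnet0 proto tcp from any to vtnet0 port 22
EOF
    cat > "$dir/blacklistd.conf" <<'EOF'
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 3 24h
EOF
    cat > "$dir/rc.conf" <<'EOF'
pf_enable="YES"
pf_rules="/etc/pf.conf"
blacklistd_enable="YES"
blacklistd_flags="-r"
EOF
    status=0
    check_pf_anchor "$dir/pf.conf" vtnet0 \
        || { echo "pf.conf: blacklistd anchor for vtnet0 missing"; status=1; }
    check_blacklistd_rule "$dir/blacklistd.conf" ssh \
        || { echo "blacklistd.conf: no blocking rule for ssh in [local]"; status=1; }
    for var in pf_enable blacklistd_enable; do
        check_rc_enabled "$dir/rc.conf" "$var" \
            || { echo "rc.conf: $var is not YES"; status=1; }
    done
    rm -rf "$dir"
    [ "$status" -eq 0 ] && echo "all checks passed"
    return "$status"
}

demo
```

The checks are deliberately strict about the [local] section: a rule placed under [remote], or one whose nfail field is not a number, is reported as missing, because that is exactly the configuration that looks fine in the file but never blocks anyone.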
Step 3: SSH
One last thing we need to do is tell sshd to notify blacklistd. Add UseBlacklist yes to your /etc/ssh/sshd_config file, then restart SSH with service sshd restart.
Final step
Finally, try logging into your server with an invalid password. After three failed attempts (the nfail value configured in Step 2) the address is blocked.
To get all of the blocked IPs use one of the following commands:
blacklistctl dump -bw
address/ma:port id nfail last access
150.x.x.x/32:22 OK 3/3 2017/x/x 04:43:03
115.x.x.x/32:22 OK 3/3 2017/x/x 04:45:40
91.x.x.x/32:22 OK 3/3 2017/x/x 07:51:16
54.x.x.x/32:22 OK 3/3 2017/x/x 12:05:57
pfctl -a blacklistd/22 -t port22 -T show
54.x.x.x
91.x.x.x
115.x.x.x
150.x.x.x
To remove a blocked IP you must use the command pfctl. For example:
pfctl -a blacklistd/22 -t port22 -T delete <IP>
Note that blacklistctl will still show the IP as blocked! This is normal behavior and will hopefully be removed in future releases.
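Because blacklistctl and the PF table drift apart once you delete addresses with pfctl, it helps to have a way to list the difference. The following POSIX sh script is an added example, not part of the original article or of blacklistd itself: it parses saved `blacklistctl dump` output in the format shown above and saved `pfctl ... -T show` output, and reports addresses that blacklistd still counts as blocked but that are no longer in the table, as well as the reverse. The function names, the demo and its sample data (RFC 5737 documentation addresses) are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original article: reconcile what blacklistctl
# reports as blocked with what is actually in the PF table. Deleting an
# address with pfctl does not touch blacklistd's own database, so the two
# views drift apart; these functions list that drift. The inputs are saved
# command output (file arguments or stdin); demo() uses constructed samples
# with RFC 5737 documentation addresses.

# blocked_addrs: read `blacklistctl dump` output on stdin and print, sorted,
# the bare address of every entry whose failure count has reached its limit
# (the "3/3" column). The header and any unparsable line are skipped, so the
# filter is harmless when -b already restricted the dump to blocked entries.
blocked_addrs() {
    awk 'NR > 1 && $3 ~ /^[0-9]+\/[0-9]+$/ {
            split($3, n, "/")
            if (n[1] + 0 >= n[2] + 0) {
                sub(/\/[0-9]+:[0-9]+$/, "", $1)   # "192.0.2.10/32:22" -> "192.0.2.10"
                print $1
            }
        }' | sort
}

# LOAD_TABLE: awk BEGIN block shared by the two functions below. It reads the
# saved `pfctl ... -T show` output named in the awk variable tbl, one address
# per line, stripping the leading spaces pfctl prints in front of each entry.
LOAD_TABLE='
    BEGIN {
        while ((getline line < tbl) > 0) {
            sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
            if (line != "") in_pf[line] = 1
        }
    }'

# stale_entries DUMP_FILE TABLE_FILE: addresses blacklistd still counts as
# blocked but that are no longer in the PF table (for example after
# `pfctl -a blacklistd/22 -t port22 -T delete`).
stale_entries() {
    blocked_addrs < "$1" | awk -v tbl="$2" "$LOAD_TABLE"'
        !($1 in in_pf)'
}

# pf_only DUMP_FILE TABLE_FILE: the reverse drift, addresses in the PF table
# that blacklistd does not consider blocked (for example added by hand).
pf_only() {
    blocked_addrs < "$1" | awk -v tbl="$2" "$LOAD_TABLE"'
        { in_pf[$1] = 0 }
        END { for (a in in_pf) if (in_pf[a]) print a }' | sort
}

# demo: run both checks on constructed sample output and print the result.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/dump.txt" <<'EOF'
address/ma:port id nfail last access
192.0.2.10/32:22 OK 3/3 2017/01/01 04:43:03
198.51.100.7/32:22 OK 3/3 2017/01/01 04:45:40
203.0.113.5/32:22 OK 1/3 2017/01/01 07:51:16
EOF
    # 198.51.100.7 was removed from the table with pfctl, 203.0.113.9 was
    # added to it by hand; pfctl -T show indents every address.
    cat > "$dir/table.txt" <<'EOF'
   192.0.2.10
   203.0.113.9
EOF
    echo "blocked in blacklistd, missing from pf:"
    stale_entries "$dir/dump.txt" "$dir/table.txt"
    echo "in pf, not blocked in blacklistd:"
    pf_only "$dir/dump.txt" "$dir/table.txt"
    rm -rf "$dir"
}

demo
```

On a live host you would feed the functions the real command output, for instance `blacklistctl dump -w > dump.txt` and `pfctl -a blacklistd/22 -t port22 -T show > table.txt` followed by `stale_entries dump.txt table.txt`. Entries that are stale in blacklistd will simply be listed again on the next dump until they expire, which is the behavior the note above describes.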