我已经启用了PF(4) 防火墙和黑名单(8)。尽管 IP 地址已被添加到黑名单中,但我仍然可以看到来自单个 IP 地址的多次失败尝试。然而,当我自己测试时,我的 IP 地址被正确列入黑名单:它被添加到黑名单中,我无法从中发起任何更多连接。
/etc/rc.conf:
blacklistd_enable="YES"
pf_enable="YES"
/etc/blacklistd.conf:
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 1 365d
# Extra lines removed
/etc/ssh/sshd_config:
...
UseBlacklist Yes
...
/etc/pf.conf:
intf="wlan0"
set skip on { lo0, em0 }
# Packet normalization
scrub in
# Integrate blacklistd to protect sshd
anchor "blacklistd/*" in on $intf
### FIREWALL RULES
# Default firewall rules
block in
pass out
# Allow inbound SSH on the default port (22)
pass in on $intf proto tcp to ($intf) port 22
# Allow basic ICMP functionality
pass in on $intf inet proto icmp to ($intf) icmp-type { unreach, redir, timex, echoreq }
grep sshd /var/log/messages | grep sshd /var/log/messages | grep sshd /var/log/messages尾-20
Mar 2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar 2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar 2 00:21:51 [...] illegal user gotubego from 120.92.147.56
Mar 2 00:23:35 [...] illegal user tsbot from 120.92.147.56
Mar 2 00:23:40 [...] illegal user spravce from 120.92.147.56
Mar 2 00:25:34 [...] root from 120.92.147.56
Mar 2 00:25:57 [...] illegal user admin from 120.92.147.56
Mar 2 00:27:29 [...] illegal user admin from 120.92.147.56
Mar 2 00:29:13 [...] root from 120.92.147.56
Mar 2 00:30:06 [...] root from 120.92.147.56
Mar 2 00:33:09 [...] illegal user admin from 120.92.147.56
Mar 2 00:33:23 [...] illegal user admin from 120.92.147.56
Mar 2 00:34:15 [...] illegal user bogalfb from 120.92.147.56
Mar 2 00:35:34 [...] root from 120.92.147.56
Mar 2 00:35:59 [...] illegal user admin from 120.92.147.56
Mar 3 13:35:35 [...] illegal user user from 103.200.23.124
Mar 4 19:47:59 [...] root from 111.207.23.140
Mar 5 02:09:39 [...] illegal user user from host2.awolphoto.com
Mar 5 16:02:33 [...] illegal user user from 103.221.221.189
Mar 7 04:43:38 [...] illegal user user from server28.pixeled.net
为了便于阅读,我截断了行。整个第一行内容如下:
Mar 2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56
我已经删除了无用的部分。
须藤 blacklistctl 转储 -br
150.95.156.167/32:22 OK 2/1 1y3d22h45m57s
27.79.178.252/32:22 OK 2/1 1y3d29h16m55s
194.61.24.162/32:22 OK 40/1 20d2h19m32s
76.242.160.219/32:22 OK 2/1 22d42h8m58s
91.121.173.184/32:22 OK 2/1 2d12h1m40s
116.127.174.152/32:22 OK 2/1 7d34h39m45s
88.214.26.49/32:22 OK 62/1 9d11h56m22s
...
该列表包含 1069 个条目,但不包含 IP 地址120.92.147.56。
问题
- 某些 IP 地址会在(更多)一年内超时(理应如此),而其他 IP 地址则仅在几天内超时(例如 2 天)。
- 某些 IP 地址(例如
120.92.147.56)是不是显然应该添加到列表中。 - 某些地址在被列表阻止之前可以执行多达 62 次尝试。
我的配置中缺少什么才能使其按预期工作?
答案1
我的配置几乎相同,我在 /var/log/messages 中看不到任何 sshd“...非法用户...”
唯一的区别在于我的 rc.conf
blacklistd_flags="-r"
并在 pf.conf 中。代替
pass in on $intf proto tcp to ($intf) port 22
你可以考虑这个
pass in on $intf proto tcp from any to any port ssh flags S/SA synproxy state
FWIW。为了使配置可重现,我使用我的Ansible 的角色
笔记
条目“88.214.26.49/32:22 OK 62/1 9d11h56m22s”看起来很可疑。第一次失败后应该被列入黑名单。 62次失败是怎么做到的?
条目“194.61.24.162/32:22 OK 40/1 20d2h19m32s”dtto
您配置为禁用“365d”,但上面的条目显示几天后的剩余时间。这些条目真的被列入黑名单超过 11 个月了吗?