Question

I have enabled the pf(4) firewall with blacklistd(8). Although IP addresses do get added to the blacklist, I still see many failed attempts coming from a single IP address. When I test it myself, however, my own IP address is blacklisted correctly: it is added to the blacklist and I cannot initiate any further connections from it.

/etc/rc.conf:

blacklistd_enable="YES"
pf_enable="YES"

/etc/blacklistd.conf:

# adr/mask:port type    proto   owner           name    nfail   disable
[local]
ssh             stream  *       *               *       1       365d
# Extra lines removed

/etc/ssh/sshd_config:

...
UseBlacklist Yes
...

/etc/pf.conf:

intf="wlan0"
set skip on { lo0, em0 }

# Packet normalization
scrub in

# Integrate blacklistd to protect sshd
anchor "blacklistd/*" in on $intf

### FIREWALL RULES

# Default firewall rules
block in
pass out
# Allow inbound SSH on the default port (22)
pass in on $intf proto tcp to ($intf) port 22
# Allow basic ICMP functionality
pass in on $intf inet proto icmp to ($intf) icmp-type { unreach, redir, timex, echoreq }

grep sshd /var/log/messages | tail -20

Mar  2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar  2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar  2 00:21:51 [...] illegal user gotubego from 120.92.147.56
Mar  2 00:23:35 [...] illegal user tsbot from 120.92.147.56
Mar  2 00:23:40 [...] illegal user spravce from 120.92.147.56
Mar  2 00:25:34 [...] root from 120.92.147.56
Mar  2 00:25:57 [...] illegal user admin from 120.92.147.56
Mar  2 00:27:29 [...] illegal user admin from 120.92.147.56
Mar  2 00:29:13 [...] root from 120.92.147.56
Mar  2 00:30:06 [...] root from 120.92.147.56
Mar  2 00:33:09 [...] illegal user admin from 120.92.147.56
Mar  2 00:33:23 [...] illegal user admin from 120.92.147.56
Mar  2 00:34:15 [...] illegal user bogalfb from 120.92.147.56
Mar  2 00:35:34 [...] root from 120.92.147.56
Mar  2 00:35:59 [...] illegal user admin from 120.92.147.56
Mar  3 13:35:35 [...] illegal user user from 103.200.23.124
Mar  4 19:47:59 [...] root from 111.207.23.140
Mar  5 02:09:39 [...] illegal user user from host2.awolphoto.com
Mar  5 16:02:33 [...] illegal user user from 103.221.221.189
Mar  7 04:43:38 [...] illegal user user from server28.pixeled.net

I truncated the lines for readability. The full first line reads as follows:

Mar  2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56

I have removed the uninteresting parts.

sudo blacklistctl dump -br

 150.95.156.167/32:22   OK      2/1     1y3d22h45m57s
  27.79.178.252/32:22   OK      2/1     1y3d29h16m55s
  194.61.24.162/32:22   OK      40/1    20d2h19m32s
 76.242.160.219/32:22   OK      2/1     22d42h8m58s
 91.121.173.184/32:22   OK      2/1     2d12h1m40s
116.127.174.152/32:22   OK      2/1     7d34h39m45s
   88.214.26.49/32:22   OK      62/1    9d11h56m22s
...

The list contains 1069 entries, but it does not include the IP address 120.92.147.56.

Questions

  1. Some IP addresses time out after (more than) a year (as they should), while others time out after only a few days (e.g. 2 days).
  2. Some IP addresses (e.g. 120.92.147.56) are apparently never added to the list at all.
  3. Some addresses manage up to 62 attempts before they are blocked by the list.

What is missing from my configuration to make this work as expected?
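Added example (not code from the question or the answer): a small Python diagnostic that cross-checks the sshd PAM failure lines from /var/log/messages against the `blacklistctl dump -br` output, so the three observations above can be checked mechanically instead of by eye. It reports sources that failed at least `nfail` times yet are absent from the dump, entries whose failure counter kept growing past `nfail` (which means packets were still reaching sshd after the block should have been active), and log sources that are hostnames rather than addresses (sshd logs names when `UseDNS` is on, and those can never match the address-keyed dump). Note that blacklistd itself does not parse the log; sshd reports failures over the blacklistd socket, so this only compares what the two tools report. The log and dump text are constructed samples in the formats shown on this page, the regexes assume those formats, and the `y` unit in the dump is assumed to mean 365 days.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample of sshd lines as they appear in /var/log/messages.
SSHD_LOG = """\
Mar  2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56
Mar  2 00:21:30 phoenix sshd[94480]: error: PAM: authentication error for illegal user alix from 120.92.147.56
Mar  2 00:25:34 phoenix sshd[94502]: error: PAM: authentication error for root from 120.92.147.56
Mar  3 13:35:35 phoenix sshd[95011]: error: PAM: authentication error for illegal user user from 103.200.23.124
Mar  5 02:09:39 phoenix sshd[95310]: error: PAM: authentication error for illegal user user from host2.awolphoto.com
"""

# Constructed sample of `blacklistctl dump -br` output (address/mask:port, state, fails/nfail, remaining).
DUMP = """\
 150.95.156.167/32:22   OK      2/1     1y3d22h45m57s
  194.61.24.162/32:22   OK      40/1    20d2h19m32s
 103.200.23.124/32:22   OK      1/1     364d23h58m1s
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: error: PAM: authentication error for (?:illegal user )?\S+ from (\S+)$"
)
DUMP_RE = re.compile(r"^\s*(\S+?)/\d+:(\d+)\s+\S+\s+(\d+)/(\d+)\s+(\S+)\s*$")
# Assumption: blacklistctl's "y" is 365 days, the same scale as a "365d" disable setting.
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert a remaining-time string such as '1y3d22h45m57s' into seconds."""
    return sum(int(value) * UNIT_SECONDS[unit]
               for value, unit in re.findall(r"(\d+)([ydhms])", text))


def parse_sshd_failures(text):
    """Count PAM authentication failures per source as logged by sshd."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_dump(text):
    """Parse `blacklistctl dump -br` into {addr: (port, fails, nfail, remaining_seconds)}."""
    entries = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            addr, port, fails, nfail, remaining = m.groups()
            entries[addr] = (int(port), int(fails), int(nfail), parse_duration(remaining))
    return entries


def audit(log_text, dump_text, nfail=1):
    """Compare sshd failures with the blacklistd database and report inconsistencies."""
    failures = parse_sshd_failures(log_text)
    blocked = parse_dump(dump_text)
    report = {"missing": [], "unresolved": [], "still_failing": [], "ok": []}
    for src, n in sorted(failures.items()):
        try:
            ip_address(src)
        except ValueError:
            # A hostname (sshd UseDNS): cannot be matched against the address-keyed dump.
            report["unresolved"].append(src)
            continue
        if src in blocked:
            report["ok"].append(src)
        elif n >= nfail:
            # Reached the configured threshold but blacklistd never recorded it.
            report["missing"].append((src, n))
    for addr, (_port, fails, limit, _remaining) in sorted(blocked.items()):
        if fails > limit:
            # Failures kept arriving after the block should already have been in place.
            report["still_failing"].append((addr, fails, limit))
    return report


if __name__ == "__main__":
    for key, value in audit(SSHD_LOG, DUMP).items():
        print(f"{key}: {value}")
```

Run it against real data with `grep sshd /var/log/messages` and `blacklistctl dump -br` saved to files and passed in as the two texts; any address in `missing` or `still_failing` is one where the pf anchor is not actually filtering the traffic the blacklistd database says it should.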

Answer 1

My configuration is almost identical, and I do not see any sshd "...illegal user..." lines in /var/log/messages.

The only difference is in my rc.conf

blacklistd_flags="-r"

and in pf.conf. Instead of

pass in on $intf proto tcp to ($intf) port 22

you could consider this

pass in on $intf proto tcp from any to any port ssh flags S/SA synproxy state

FWIW, to keep the configuration reproducible I use my Ansible role.

Notes

  • The entry "88.214.26.49/32:22 OK 62/1 9d11h56m22s" looks suspicious. It should have been blacklisted after the first failure. How did it get to 62 failures?

  • The entry "194.61.24.162/32:22 OK 40/1 20d2h19m32s", ditto.

  • You configured the disable time as "365d", but the entries above show a remaining time of only a few days. Have these entries really been blacklisted for more than 11 months?
