February 28, 2017

Blacklistd Porting Project Completion

Internet-connected servers regularly face brute-force attacks on services that they provide, such as SSH or authenticated SMTP. We’d like to limit the number of brute-force attempts that may be made, both to prevent unwarranted access to the resources and to limit the impact of noisy log files.

There are a number of existing tools to mitigate brute force attacks, including fail2ban and sshguard. These operate by monitoring log files for entries corresponding to failed access attempts, and then automatically installing a firewall rule to temporarily disallow further access from the same source.  These tools are functional but can be somewhat fragile and require ongoing maintenance to track any changes in log message formats.

NetBSD’s Christos Zoulas developed the blacklistd daemon, which takes a different approach. It consists of the blacklistd daemon itself, and minor modifications to other daemons which accept external connections, like sshd. These modified daemons connect to blacklistd and upon each connection attempt notify it with a tuple of the action, port, protocol, address, and owner. Blacklistd automatically installs and removes firewall rules based on these notifications and its configuration.

The Foundation awarded Kurt Lidl a grant to port blacklistd to FreeBSD and integrate it into a set of base system and ports daemons. This project is now complete and blacklistd is available in FreeBSD. The FreeBSD-CURRENT development branch has the most up-to-date version.

Blacklistd is included in FreeBSD 11.0, although a few bugs remain that were not resolved before the release. They are fixed in the stable/11 branch and will be fixed in the upcoming 11.1 release. Kurt has more information on configuring blacklistd, and replacement binaries (addressing the known bugs) for FreeBSD 11.0 at https://people.freebsd.org/~lidl/blacklistd.html

To enable blacklistd, add to /etc/rc.conf:


Blacklistd uses a configuration file /etc/blacklistd.conf to control its behavior. A default blacklistd configuration may look like:

# Blacklist rule
# adr/mask:port type    proto   owner     name   nfail  disable
ssh             stream  *       *         *      3      24h
ftp             stream  *       *         *      3      24h
smtp            stream  *       *         *      3      24h
submission      stream  *       *         *      3      24h
*               *       *       *         *      3      60

This specifies that ssh, ftp, smtp and the mail submission ports should firewall the source address for 24 hours after 3 failed attempts, while any other blacklistd-using services should install a firewall rule for 60 seconds.

Individual daemons may need to be configured to communicate with the blacklistd daemon. For sshd Kurt added the UseBlacklist configuration option; in order to enable blacklistd with sshd add the following to /etc/ssh/sshd_config:

UseBlacklist Yes

Blacklistd includes a companion blacklistdctl utility which can be used to examine the current state of the blacklist database. Blacklistd works with the pf and ipfw firewalls, using the presence of a special configuration file in order to enable ipfw and configure the starting rule number:

echo "ipfw_offset=4000" > /etc/ipfw-blacklist.rc

As part of the porting effort Kurt implemented several bug fixes and improvements in blacklistd, which have been committed to the upstream NetBSD repository. These include changes to make the source code more portable, support for the firewalls available in FreeBSD (ipfw, pf, and ipfilter) in addition to NetBSD’s npf, and improved logging.

— Contributed by Ed Maste