tech-userlevel archive
Re: bl*cklist configuration, ssh only
On Tue, May 30, 2023 at 03:54:52PM -0000, Michael van Elst wrote:
> ignatios%cs.uni-bonn.de@localhost writes:
>
> >Hello,
>
> >is there a minimal example how to configure bl*cklistd and npf to
> >block attacks on sshd?
>
> /etc/bl*cklistd.conf:
> # Bl*cklist rule
> # adr/mask:port type proto owner name nfail disable
> [local]
> ssh stream tcp * * 5 3h
> ssh stream tcp6 * * 5 3h
>
> /etc/npf.conf:
> $primary_if = "wm0"
> group "external" on $primary_if {
> ruleset "bl*cklistd"
> }
>
> # bl*cklistctl dump -a | wc
> 13 53 609
>
>
What puzzles me is:
# blocklistctl dump -a | wc
53 218 2497
BUT:
# npfctl rule blocklistd list | wc
3 45 254
Only 3 hosts apparently being blocked by npf vs 53.
Cheers,
Patrick