On Thu, Jun 01, 2023 at 07:21:40PM +0200, Michael van Elst wrote:
> On Thu, Jun 01, 2023 at 05:05:16PM +0100, Patrick Welche wrote:
> >
> > What puzzles me is:
> >
> > # blocklistctl dump -a | wc
> >       53     218    2497
> >
> > BUT:
> >
> > # npfctl rule blocklistd list | wc
> >        3      45     254
> >
> > Only 3 hosts apparently being blocked by npf vs 53.
>
> blocklistctl dumps the policy database.
>
> npf doesn't implement that policy, but only specific
> blocking rules. blocklistd adds npf rules when the
> policy is violated (e.g. the 3rd login failure)
> and removes rules when a timeout is reached.
I agree that that is the way it is meant to work, but I am not convinced
that that is happening. E.g., from the logs:

# grep 62.122.184.124 /var/log/messages | tail -15
Jun  1 05:03:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 05:39:28 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 06:51:21 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 07:26:12 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 08:00:59 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 09:12:25 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 10:23:17 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 14:32:10 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 18:41:37 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  1 20:28:15 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  2 00:05:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  2 00:39:22 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  2 02:26:52 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  2 07:40:59 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds
Jun  2 08:36:43 mail blocklistd[596]: blocked 62.122.184.124/32:22 for 172800 seconds

172800 seconds is 48 hours as per

# grep ssh /etc/blocklistd.conf
ssh             stream  *       *               *       3       48h

The login attempts are well spaced out in time, so probably not "races".
# blocklistctl dump -a | grep 62.122.184.124
62.122.184.124/32:22    7       49/3    2023/06/02 08:36:43

BUT

# npfctl rule blocklistd list
block in final family inet4 proto tcp from 103.125.253.124/32 to any port 22 # id="1"
block in final family inet4 proto tcp from 107.172.103.170/32 to any port 22 # id="2"
block in final family inet4 proto tcp from 46.148.41.186/32 to any port 22 # id="3"
block in final family inet4 proto tcp from 45.9.74.101/32 to any port 22 # id="4"
block in final family inet4 proto tcp from 46.148.41.185/32 to any port 22 # id="5"
block in final family inet4 proto tcp from 159.223.177.128/32 to any port 22 # id="6"

No sign of 62.122.184.124, even though one might expect an id="7" rule to
allude to it, but it isn't in the npfctl list...

Cheers,

Patrick
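The comparison Patrick does by eye above (policy database vs. installed npf rules) can be scripted as a reconciliation check. This is an added example, not code from the thread or from blocklistd; it assumes the `blocklistctl dump -a` columns are address/mask:port, rule id, failures/threshold and last-seen time, as the line quoted above suggests, and the sample inputs are constructed from the formats shown in the mail.

```shell
#!/bin/sh
# Reconcile blocklistd's policy DB with the npf rules actually installed.
# Added example; not part of the mail thread or of blocklistd itself.

# Constructed sample of `blocklistctl dump -a` output.
# Assumed columns: addr/mask:port  rule-id  nfail/threshold  last-seen
DUMP_SAMPLE='62.122.184.124/32:22 7 49/3 2023/06/02 08:36:43
103.125.253.124/32:22 1 3/3 2023/06/01 12:00:00
10.0.0.5/32:22 8 1/3 2023/06/02 09:00:00'

# Constructed sample of `npfctl rule blocklistd list` output.
NPF_SAMPLE='block in final family inet4 proto tcp from 103.125.253.124/32 to any port 22 # id="1"'

# find_unenforced DUMP NPF
# Print every policy-DB entry whose failure count has reached its threshold
# (so blocklistd should have installed a rule) but whose address/mask has no
# matching "from <prefix>" clause in the npf rule list.
find_unenforced() {
    dump=$1
    npf=$2
    printf '%s\n' "$dump" | while read -r entry id fails rest; do
        [ -n "$entry" ] || continue            # skip blank lines
        prefix=${entry%:*}                      # 62.122.184.124/32:22 -> 62.122.184.124/32
        nfail=${fails%/*}                       # 49/3 -> 49
        threshold=${fails#*/}                   # 49/3 -> 3
        [ "$nfail" -ge "$threshold" ] || continue   # policy not yet violated
        # Trailing space keeps /32 from matching a longer prefix string.
        if ! printf '%s\n' "$npf" | grep -q -F "from $prefix "; then
            printf '%s nfail=%s/%s id=%s\n' "$entry" "$nfail" "$threshold" "$id"
        fi
    done
}

# On a live host replace the samples with the real command output:
#   find_unenforced "$(blocklistctl dump -a)" "$(npfctl rule blocklistd list)"
find_unenforced "$DUMP_SAMPLE" "$NPF_SAMPLE"
```

Any line printed is an entry blocklistd believes is blocked but npf is not enforcing, which is exactly the discrepancy reported in the thread.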