blacklistd not blocking addresses

I've enabled the PF(4) firewall and blacklistd(8). Although IP addresses are being added to the blacklist, I can still see multiple failed attempts from a single IP address. Yet when I test it myself, my IP address gets blacklisted properly: it's added to the blacklist and I can't initiate any more connections from it.

/etc/rc.conf:

```
blacklistd_enable="YES"
pf_enable="YES"
```

/etc/blacklistd.conf:

```
# adr/mask:port type proto owner name nfail disable
[local]
ssh stream * * * 1 365d
# Extra lines removed
```

/etc/ssh/sshd_config:

```
...
UseBlacklist Yes
...
```

/etc/pf.conf:

```
intf="wlan0"
set skip on lo0, em0
# Packet normalization
scrub in
# Integrate blacklistd to protect sshd
anchor "blacklistd/*" in on $intf
### FIREWALL RULES
# Default firewall rules
block in
pass out
# Allow inbound SSH on the default port (22)
pass in on $intf proto tcp to ($intf) port 22
# Allow basic ICMP functionality
pass in on $intf inet proto icmp to ($intf) icmp-type unreach, redir, timex, echoreq
```

```
grep sshd /var/log/messages | tail -20
```

```
Mar 2 00:21:11 [...] illegal user admin from 120.92.147.56
Mar 2 00:21:30 [...] illegal user alix from 120.92.147.56
Mar 2 00:21:51 [...] illegal user gotubego from 120.92.147.56
Mar 2 00:23:35 [...] illegal user tsbot from 120.92.147.56
Mar 2 00:23:40 [...] illegal user spravce from 120.92.147.56
Mar 2 00:25:34 [...] root from 120.92.147.56
Mar 2 00:25:57 [...] illegal user admin from 120.92.147.56
Mar 2 00:27:29 [...] illegal user admin from 120.92.147.56
Mar 2 00:29:13 [...] root from 120.92.147.56
Mar 2 00:30:06 [...] root from 120.92.147.56
Mar 2 00:33:09 [...] illegal user admin from 120.92.147.56
Mar 2 00:33:23 [...] illegal user admin from 120.92.147.56
Mar 2 00:34:15 [...] illegal user bogalfb from 120.92.147.56
Mar 2 00:35:34 [...] root from 120.92.147.56
Mar 2 00:35:59 [...] illegal user admin from 120.92.147.56
Mar 3 13:35:35 [...] illegal user user from 103.200.23.124
Mar 4 19:47:59 [...] root from 111.207.23.140
Mar 5 02:09:39 [...] illegal user user from host2.awolphoto.com
Mar 5 16:02:33 [...] illegal user user from 103.221.221.189
Mar 7 04:43:38 [...] illegal user user from server28.pixeled.net
```

I've truncated the lines for readability. The entire first line reads as:

```
Mar 2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 120.92.147.56
```

I've deleted the unuseful bits.

```
sudo blacklistctl dump -br
```

```
150.95.156.167/32:22 OK 2/1 1y3d22h45m57s
27.79.178.252/32:22 OK 2/1 1y3d29h16m55s
194.61.24.162/32:22 OK 40/1 20d2h19m32s
76.242.160.219/32:22 OK 2/1 22d42h8m58s
91.121.173.184/32:22 OK 2/1 2d12h1m40s
116.127.174.152/32:22 OK 2/1 7d34h39m45s
88.214.26.49/32:22 OK 62/1 9d11h56m22s
...
```

The list contains 1069 entries but not the IP address 120.92.147.56.

Questions

- Some IP addresses time out in (more than) a year (as they should) while others time out in only a couple of days (e.g. 2 days).
- Some IP addresses (e.g. 120.92.147.56) are not added to the list while they clearly should be.
- Some addresses could execute as many as 62 attempts before being blocked in the list.

What am I missing in my configuration to make it work as desired?
freebsd bsd pf
asked Mar 8 at 10:00, edited Mar 8 at 10:13
Tommiie

From reading blacklistd.conf(5), it looks like the first field on the line in the blacklistd.conf file should be prefixed by `:` if it's to be taken as a port. I'm not on FreeBSD so I can't test this though. You may want to test with `:ssh` or `wlan0:ssh`.
– Kusalananda♦
Mar 8 at 10:32

I could give that a try. I copied it from Absolute FreeBSD, 3rd edition without the colon and it appears to work most of the time. It's adding IP addresses to the blocked list and when I test it, it blocks me correctly.
– Tommiie
Mar 8 at 11:07

Yeah, it's the only thing that stood out for me. I can't say anything more really.
– Kusalananda♦
Mar 8 at 11:20

1 Answer

My configuration is pretty much the same and I can't see any sshd "... illegal user ..." in /var/log/messages.

The only differences are in my rc.conf

```
blacklistd_flags="-r"
```

and in pf.conf. Instead of

```
pass in on $intf proto tcp to ($intf) port 22
```

you might consider this one

```
pass in on $intf proto tcp from any to any port ssh flags S/SA synproxy state
```

FWIW. To make the configuration reproducible I use my Ansible role.

Notes

- Entry "88.214.26.49/32:22 OK 62/1 9d11h56m22s" looks suspicious. Should have been blacklisted after 1st failure. How did it manage to fail 62 times?
- Entry "194.61.24.162/32:22 OK 40/1 20d2h19m32s" ditto.
- You configured to disable for "365d", but the entries above show remaining times in a couple of days. Have these entries really been blacklisted over 11 months?

answered Mar 8 at 15:06, edited Mar 8 at 15:33
Vladimir Botka
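
The cross-check that the question and the answer's notes carry out by eye (failed sources missing from the dump, rows with far more failures than `nfail`, remaining times that do not fit the configured `disable`), as an added example that is not part of the original posts. It assumes the column layout of the `blacklistctl dump -br` rows quoted in the question and 1y = 365d; the function names, the `tolerance` parameter and the sample data (documentation addresses) are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed samples (documentation addresses) shaped like the question's output.
SAMPLE_LOG = """\
Mar  2 00:21:11 phoenix sshd[94473]: error: PAM: authentication error for illegal user admin from 192.0.2.56
Mar  2 00:25:34 phoenix sshd[94502]: error: PAM: authentication error for root from 192.0.2.56
Mar  4 19:47:59 phoenix sshd[95110]: error: PAM: authentication error for root from 198.51.100.7
Mar  5 02:09:39 phoenix sshd[95321]: error: PAM: authentication error for illegal user user from host2.example.net
"""
SAMPLE_DUMP = """\
198.51.100.7/32:22 OK 2/1 1y3d22h45m57s
203.0.113.49/32:22 OK 62/1 9d11h56m22s
203.0.113.184/32:22 OK 2/1 2d12h1m40s
"""

FAIL_RE = re.compile(r"sshd\[\d+\]: error: PAM: authentication error for "
                     r"(?:illegal user )?\S+ from (\S+)")
DUMP_RE = re.compile(r"^(\S+)/\d+:\d+\s+\S+\s+(\d+)/(\d+)\s+(\S+)$")
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Sum a compact duration such as '2d12h1m40s' (assumes 1y = 365d)."""
    parts = re.findall(r"(\d+)([ydhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_dump(text):
    """Map address -> (failures, nfail, remaining seconds) for each dump row."""
    entries = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if m:  # headers, blank lines and '...' do not match and are skipped
            addr, fails, nfail, remaining = m.groups()
            entries[addr] = (int(fails), int(nfail), parse_duration(remaining))
    return entries


def failed_sources(log_text):
    """Count sshd PAM authentication errors per logged source."""
    hits = (FAIL_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in hits if m)


def is_ip(source):
    try:
        ipaddress.ip_address(source)
    except ValueError:
        return False
    return True


def audit(log_text, dump_text, disable="365d", tolerance=1):
    """Cross-check logged failures against the dump rows."""
    entries, failures = parse_dump(dump_text), failed_sources(log_text)
    limit = parse_duration(disable)
    return {
        # Sources with logged failures but no row in the dump.
        "failed_not_listed": sorted(s for s in failures if is_ip(s) and s not in entries),
        # Logged by name: cannot be matched to address rows without resolving.
        "hostname_sources": sorted(s for s in failures if not is_ip(s)),
        # Rows that counted more than nfail + tolerance failures (tolerance: assumption).
        "over_nfail": sorted(a for a, (f, n, _) in entries.items() if f > n + tolerance),
        # Rows whose remaining time is longer than the configured disable value.
        "remaining_over_disable": sorted(a for a, (_, _, r) in entries.items() if r > limit),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_DUMP))
```

On the host itself, pass it the sshd lines from `/var/log/messages` and the text printed by `blacklistctl dump -br`, with `disable` set to the value from blacklistd.conf.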