Re: blocklistd configuration

Mon, 24 Nov 2025 14:42:20 -0800 

On Mon, 24 Nov 2025, Sad Clouds wrote:


RVP <[email protected]> wrote:


You'll have to trace the forked child sshd instance...



I think that is what "ktruss -d" option does.



You'll have to add `-i' to "inherit"; and the FD may have changed in the child,
which is the one logging to blocklistd. What I mean is that the FDs'll have to
be tracked carefully.


Can you add a line like:

```
user.*                                          /var/log/messages
```

to /etc/syslog.conf, reboot the system then check what messages `blocklistd'
logs now?

-RVP


I have already checked this a few days ago on evbarm running
10.1_STABLE for which I did cvs update last week. There is nothing
useful reported in any of the logs.



Not even:

```
Nov 24 22:16:21 qemu blocklistd: Connected to blocklist server
```

?


Is this a bug, or login failures for valid users are for some reason
deliberately not passed by sshd to blocklistd?



Just checked and it works as expected in:

```
qemu# uname -a
NetBSD qemu.local 10.1_STABLE NetBSD 10.1_STABLE (GENERIC) #0: Sun Oct 26 
13:13:49 UTC 2025  
[email protected]:/usr/src/sys/arch/i386/compile/GENERIC i386
qemu#
```

Both valid users with an empty password and invalid users increment the fail
counter; and a successful login deletes the failed entry (for testing, I only
enabled blocklistd--not npf too). But, it takes time for the updated data to
be reflected in a `blocklistctl dump -a' (not instantaneous).

```
qemu# blocklistctl dump -a
        address/ma:port id      nfail   last access
       10.0.2.2/32:22           1/3     2025/11/24 22:29:23
qemu# blocklistctl dump -a
        address/ma:port id      nfail   last access
       10.0.2.2/32:22           1/3     2025/11/24 22:29:23
qemu# blocklistctl dump -a
        address/ma:port id      nfail   last access
       10.0.2.2/32:22           1/3     2025/11/24 22:29:23
qemu# blocklistctl dump -a
        address/ma:port id      nfail   last access

qemu# fgrep blocklistd /var/log/messages
[...]
Nov 24 22:23:58 qemu blocklistd[1190]: released 10.0.2.2/32:22 after 21600 
seconds
Nov 24 22:25:16 qemu blocklistd[1190]: blocked 10.0.2.2/32:22 for 21600 seconds
Nov 24 22:25:18 qemu blocklistd[1190]: released 10.0.2.2/32:22 after 21600 
seconds
Nov 24 22:28:13 qemu blocklistd: Connected to blocklist server
qemu#
```

There's something wrong in your setup, I think.

-RVP

Reply via email to