{"id":3174,"date":"2026-05-02T11:52:44","date_gmt":"2026-05-02T02:52:44","guid":{"rendered":"https:\/\/www.next-hop.net\/blog\/hiraga\/?p=3174"},"modified":"2026-05-05T01:18:59","modified_gmt":"2026-05-04T16:18:59","slug":"sshd-with-blacklistd","status":"publish","type":"post","link":"https:\/\/www.next-hop.net\/blog\/hiraga\/freebsd\/sshd-with-blacklistd\/","title":{"rendered":"blacklistd\u3067sshd\u3078\u306e\u653b\u6483\u3092\u30d6\u30ed\u30c3\u30af\u3059\u308b"},"content":{"rendered":"<p>sshd\u3078\u306e\u7dcf\u5f53\u305f\u308a\u653b\u6483\u3092\u81ea\u52d5\u7684\u306b\u30d6\u30ed\u30c3\u30af\u3059\u308b\u305f\u3081\u306bblacklistd\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<h2>\u524d\u63d0<\/h2>\n<ul>\n<li>ipfw<\/li>\n<\/ul>\n<h2>blacklistd\u306e\u6709\u52b9\u5316<\/h2>\n<h3>Ansible Playbook<\/h3>\n<h4>freebsd.yaml<\/h4>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n---\r\n- hosts: all\r\n  gather_facts: false\r\n  become: true\r\n  roles:\r\n    - freebsd\r\n<\/pre>\n<h4>roles\/freebsd\/tasks\/main.yml<\/h4>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n- name: blacklistd\r\n  import_tasks: blacklistd.yaml\r\n\r\n- name: sshd\r\n  import_tasks: sshd.yaml\r\n<\/pre>\n<h4>roles\/freebsd\/tasks\/blacklistd.yaml<\/h4>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n- name: Activate blacklistd\r\n  community.general.sysrc:\r\n    name: blacklistd_enable\r\n    value: &quot;YES&quot;\r\n  notify:\r\n    - restart_blacklistd\r\n\r\n- name: Update blacklistd flags\r\n  community.general.sysrc:\r\n    name: blacklistd_flags\r\n    value: &quot;-r&quot;\r\n  notify:\r\n    - restart_blacklistd\r\n\r\n- name: Create \/etc\/ipfw-blacklist.rc\r\n  copy:\r\n    dest: \/etc\/ipfw-blacklist.rc\r\n    owner: root\r\n    group: wheel\r\n    mode: &quot;0644&quot;\r\n    content: |\r\n      ipfw_offset=2000\r\n  notify:\r\n    - restart_blacklistd\r\n<\/pre>\n<h4>roles\/freebsd\/tasks\/sshd.yaml<\/h4>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n- name: Append Include\r\n  lineinfile:\r\n    path: \/etc\/ssh\/sshd_config\r\n    regexp: &#039;^Include \/etc\/ssh\/sshd_config.d\/*.conf$&#039;\r\n    line: Include \/etc\/ssh\/sshd_config.d\/*.conf\r\n  notify:\r\n    - reload_sshd\r\n\r\n- name: Ensure \/etc\/ssh\/sshd_config.d exists\r\n  file:\r\n    path: \/etc\/ssh\/sshd_config.d\r\n    owner: root\r\n    group: wheel\r\n    mode: &quot;0700&quot;\r\n    state: directory\r\n\r\n- name: Add UseBlacklist to auth.conf\r\n  lineinfile:\r\n    path: \/etc\/ssh\/sshd_config.d\/auth.conf\r\n    create: true\r\n    owner: root\r\n    group: wheel\r\n    mode: &quot;0600&quot;\r\n    regexp: &#039;^UseBlacklist&#039;\r\n    line: UseBlacklist yes\r\n  notify:\r\n    - reload_sshd\r\n<\/pre>\n<h4>roles\/freebsd\/handlers\/main.yml<\/h4>\n<pre class=\"brush: yaml; title: ; notranslate\" title=\"\">\r\n- name: Reload sshd service\r\n  service:\r\n    name: sshd\r\n    state: reloaded\r\n  listen:\r\n    - reload_sshd\r\n\r\n- name: Restart blacklistd service\r\n  service:\r\n    name: blacklistd\r\n    state: restarted\r\n  listen:\r\n    - restart_blacklistd\r\n<\/pre>\n<h2>Ansible Playbook\u306e\u5b9f\u884c<\/h2>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nansible-playbook -i hosts freebsd.yaml\r\n<\/pre>\n<h2>\u7d50\u679c<\/h2>\n<p>\u30eb\u30fc\u30eb\u306fblacklistd\u306b\u3088\u3063\u3066\u81ea\u52d5\u7684\u306b\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# ipfw list | grep port22\r\n02022 deny tcp from table(port22) to any 22\r\n<\/pre>\n<p>blacklistd\u304c\u653b\u6483\u7684\u306a\u3075\u308b\u307e\u3044\u3092\u691c\u77e5\u3059\u308b\u3068\u81ea\u52d5\u7684\u306bIP\u30a2\u30c9\u30ec\u30b9\u3092\u30ea\u30b9\u30c8\u5316\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# blacklistctl dump -a\r\n        address\/ma:port id      nfail   last access\r\n   XX.79.45.243\/32:22   OK      20\/3    XXXX\/XX\/XX XX:XX:XX\r\n   XX.248.35.30\/32:22   OK      345\/3   XXXX\/XX\/XX XX:XX:XX\r\n   XX.94.92.168\/32:22   OK      4\/3     XXXX\/XX\/XX XX:XX:XX\r\n...\r\n<\/pre>\n<p>\u30ea\u30b9\u30c8\u5316\u3055\u308c\u305fIP\u30a2\u30c9\u30ec\u30b9\u306fblacklistd\u306b\u3088\u3063\u3066\u81ea\u52d5\u7684\u306btable(port22)\u306b\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# ipfw table port22 list\r\nXX.79.45.243\/32 0\r\nXX.248.35.30\/32 0\r\nXX.94.92.168\/32 0\r\n...\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>sshd\u3078\u306e\u7dcf\u5f53\u305f\u308a\u653b\u6483\u3092\u81ea\u52d5\u7684\u306b\u30d6\u30ed\u30c3\u30af\u3059\u308b\u305f\u3081\u306bblacklistd\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002 \u524d\u63d0 ipfw blacklistd\u306e\u6709\u52b9\u5316 Ansible Playbook freebsd.yaml &#8212; &#8211; hosts: \u2026 <span class=\"read-more\"><a href=\"https:\/\/www.next-hop.net\/blog\/hiraga\/freebsd\/sshd-with-blacklistd\/\">\u7d9a\u304d\u3092\u8aad\u3080 &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3174","post","type-post","status-publish","format-standard","hentry","category-freebsd"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/posts\/3174"}],"collection":[{"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/comments?post=3174"}],"version-history":[{"count":21,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/posts\/3174\/revisions"}],"predecessor-version":[{"id":3213,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/posts\/3174\/revisions\/3213"}],"wp:attachment":[{"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/media?parent=3174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/categories?post=3174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.next-hop.net\/blog\/hiraga\/wp-json\/wp\/v2\/tags?post=3174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}