On Mon, 24 Nov 2025, Sad Clouds wrote:
> Get sshd PID:
> # ps aux | grep sshd
> root 2348 0.0 0.2 71728 3364 ? Ss 9:19AM 0:00.01 sshd:
> /usr/sbin/sshd [listener] 0 of 10-100 startups (ssh
>
> Looks like it is using fd 5 for blocklistd socket:
> # fstat -p 2348
> USER CMD PID FD MOUNT INUM MODE SZ|DV R/W
> root sshd 2348 wd / 2 drwxr-xr-x 512 r
> root sshd 2348 0 / 1489292 crw-rw-rw- null rw
> root sshd 2348 1 / 1489292 crw-rw-rw- null rw
> root sshd 2348 2 / 1489292 crw-rw-rw- null rw
> root sshd 2348 3* internet6 stream tcp *:ssh
> root sshd 2348 4* internet stream tcp *:ssh
> root sshd 2348 5* unix dgram <-> /var/run/blocklistd.sock [using]
>
> Now trace all syscalls while simulating ssh login failure:
> ktruss -d -t A -p 2348
> ... No read/write calls are made to fd 5 by sshd

You'll have to trace the forked child sshd instance...

Can you add a line like:
```
user.* /var/log/messages
```
to /etc/syslog.conf, reboot the system then check what messages `blocklistd'
logs now?
-RVP