From: Mike B. <mi...@sk...> - 2008-06-12 05:32:29
On my FreeBSD system, I've been using route(4) to manually manipulate my routing tables, setting up blackhole routes for IPs from which attacks originate. This works much more efficiently than ipfw, and very thoroughly blocks all communication with the compromised hosts. Rather than using my own custom, buggy script, I thought I'd try sshguard with a custom backend. I used sshguard_backendgen.sh to generate a .h file. I used the commands below for the block, release, and flush, and left the init and finalize commands empty:

    # block: blackhole the attacker's address via loopback
    /sbin/route -q add $SSHG_ADDR 127.0.0.1 -blackhole

    # release: remove that blackhole route again
    /sbin/route -q delete $SSHG_ADDR 127.0.0.1

    # flush: scan the whole routing table, keep Destination (field 1) and
    # Flags (field 3), select the routes whose flags carry the blackhole
    # flag 'B', and delete each one
    netstat -r -n -W | tr -s ' ' '\t' | cut -f 1,3 | rev | grep '^B' \
        | cut -f 2 | rev | xargs -n 1 -J % /sbin/route -q delete % 127.0.0.1

The flush command is a bit kludgy, obviously, and I haven't tested it, but the idea is to avoid using 'route flush', which is generally a bad idea, and rather just flush the blackholed routes. Unfortunately, the way I have it, it will flush _all_ blackholed routes, not just the ones sshguard blocked. Is there a way to get just the ones sshguard did? It'd be nice if it could write a single log somewhere, other than what shows up in my auth.log (which gets rotated).

Anyway, my main problem is that I don't know what to do with that .h file now. How do I tell sshguard to use it? Sorry if this is a dumb question. I couldn't find the answer in the docs.

Also, a third question: do I put the -w option (for whitelisting) in my syslog.conf? That part wasn't clear either.

Thanks,
Mike
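One way to keep the flush limited to the routes sshguard itself added, as an added example that is neither part of Mike's post nor sshguard's own code: a small sh script that records every address it blackholes in a state file and, on flush, deletes only those. The state file path, the function names and the script name in the dispatcher comment are hypothetical; the route syntax is FreeBSD's route(8) as used in the post. The ROUTE variable exists so the script can be exercised against a stub instead of the real /sbin/route, which needs root and a FreeBSD kernel. For comparison with the tr/cut/rev chain, it also includes an awk selection of blackhole routes from netstat -rnW output.

```shell
#!/bin/sh
# Added example (not from the post or from sshguard): a FreeBSD blackhole
# backend helper that remembers which addresses it blocked, so "flush"
# removes only those routes rather than every blackhole route on the host.
#
# Hypothetical names: the state file SSHG_STATE, the sshg_* functions and
# the script name in the dispatcher comment. ROUTE defaults to FreeBSD's
# /sbin/route but can be pointed at a stub for offline testing.

ROUTE=${ROUTE:-/sbin/route}
SSHG_STATE=${SSHG_STATE:-/var/db/sshguard-blackholes}

# block: add a blackhole route via loopback and record the address.
# Idempotent: blocking an address twice adds neither a second route
# nor a duplicate state entry.
sshg_block() {
    addr=$1
    if [ -f "$SSHG_STATE" ] && grep -qxF "$addr" "$SSHG_STATE"; then
        return 0
    fi
    "$ROUTE" -q add "$addr" 127.0.0.1 -blackhole || return 1
    printf '%s\n' "$addr" >> "$SSHG_STATE"
}

# release: delete the route and drop the address from the state file.
sshg_release() {
    addr=$1
    "$ROUTE" -q delete "$addr" 127.0.0.1
    if [ -f "$SSHG_STATE" ]; then
        grep -vxF "$addr" "$SSHG_STATE" > "$SSHG_STATE.tmp" || true
        mv "$SSHG_STATE.tmp" "$SSHG_STATE"
    fi
}

# flush: delete only the routes recorded in the state file, then empty it.
# Blackhole routes added by hand or by other tools are left alone.
sshg_flush() {
    [ -f "$SSHG_STATE" ] || return 0
    while IFS= read -r addr; do
        if [ -n "$addr" ]; then
            "$ROUTE" -q delete "$addr" 127.0.0.1
        fi
    done < "$SSHG_STATE"
    : > "$SSHG_STATE"
}

# For comparison with the tr/cut/rev pipeline: print the destination of
# every route in "netstat -rnW" output (read from stdin) whose Flags column
# (field 3) carries the blackhole flag 'B'. The "Routing tables",
# "Internet:" and column-header lines have no 'B' in field 3.
blackhole_dests() {
    awk 'NR > 1 && $3 ~ /B/ { print $1 }'
}

# Dispatcher so the generated backend commands can call the script, e.g.
#   sshg-blackhole.sh block $SSHG_ADDR     (script name is hypothetical)
case "${1:-}" in
    block)   sshg_block "$2" ;;
    release) sshg_release "$2" ;;
    flush)   sshg_flush ;;
esac
```

With this in place the block, release and flush commands in the generated backend would each invoke the script with the matching verb, and the state file doubles as the single, unrotated record of blocked addresses that the post asks for.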