From: Yves G. <yve...@ya...> - 2008-07-08 12:46:59
Hello,

I use FreeBSD and ipfw, are we able to do the same thing with ipfw? I read the
following articles as mentioned in the last e-mail
(http://osdir.com/ml/os.freebsd.devel.net/2003-05/msg00225.html), or maybe just
develop a custom bash script to do the same thing via the syslogd facilities
(maybe I will try this way, stay tuned)?

Regards,
Yves

--- On Tue 17.6.08, Mij <mi...@bi...> wrote:

From: Mij <mi...@bi...>
Subject: Re: [Sshguard-users] How do I use a custom backend .h, and other newbie Qs
To: ssh...@li...
Date: Tuesday 17 June 2008, 1:46

Hello Mike
thanks for your post, please find the comments throughout your text

On Jun 12, 2008, at 7:32 AM, Mike Brown wrote:

> On my FreeBSD system, I've been using route(4) to manually manipulate my
> routing tables, setting up blackhole routes for IPs from which attacks
> originate. This works much more efficiently than ipfw, and very thoroughly
> blocks all communication with the compromised hosts.

thanks, in general I appreciate contributions and customization so I look fwd
to including this into the trunk as soon as it becomes a convenient solution.
In which circumstances does this work more efficiently than ipfw or another
firewall? I consider quite negligible the load of rejecting connections: what
is the load at which you see this improvement?
A benefit that I see is that there is no dependency on specific firewalls
anymore. A drawback is that routing tables are not meant for this, so it might
be tricky to manage sshguard rules and avoid messing up with "manual" ones.
If you're interested in contributing this, please have a look at the question
of the portability across systems different from linux.

> Rather than using my own custom, buggy script, I thought I'd try sshguard
> with a custom backend. I used sshguard_backendgen.sh to generate a .h file.
> I used the commands below for the block, release, and flush, and left the
> init and finalize commands empty:
>
>   /sbin/route -q add $SSHG_ADDR 127.0.0.1 -blackhole
>   /sbin/route -q delete $SSHG_ADDR 127.0.0.1
>   netstat -r -n -W | tr -s ' ' '\t' | cut -f 3,1 | rev | grep '^B' | cut -f 2 | rev | xargs -n 1 -J % /sbin/route -q delete % 127.0.0.1
>
> The flush command is a bit kludgy, obviously, and I haven't tested it, but
> the idea is to avoid using 'route flush', which is generally a bad idea, and
> rather just flush the blackholed routes. Unfortunately, the way I have it, it
> will flush _all_ blackholed routes, not just the ones sshguard blocked. Is
> there a way to get just the ones sshguard did? It'd be nice if it could write
> a single log somewhere, other than what shows up in my auth.log (which gets
> rotated).

you're perfectly able to do it, just compose the "add" script with a further
logging piece, eg (just guessing)

  /sbin/route -q add $SSHG_ADDR 127.0.0.1 -blackhole && echo $SSHG_ADDR >> /var/db/sshguard-blocked.log

then flush with

  cat /var/db/sshguard-blocked.log | while read blocked ; do /sbin/route -q delete $blocked 127.0.0.1 ; done

> Anyway, my main problem is that I don't know what to do with that .h file
> now. How do I tell sshguard to use it? Sorry if this is a dumb question. I
> couldn't find the answer in the docs.

This is not a dumb question :)
the thing was meant to provide 90% of the work with 10% of the effort, so it
works like this:
1) you generate your .h file
2) you ./configure --with-firewall=pf
   the script copies src/fwalls/command_pf.h to src/fwalls/command.h
   command.h is the file containing the commands of the backend
3) you just replace src/fwalls/command.h with your generated .h file
4) you proceed to compiling & installing

> Also, a third question: do I put the -w option (for whitelisting) in my
> syslog.conf? That part wasn't clear either.
-w and the other options of whitelisting
( http://sshguard.sourceforge.net/doc/usage/whitelisting.html ) are command
line options that can be passed to the sshguard process no matter where it is
started from. Syslog is also fine, eg this line is fine:

  auth.info;authpriv.info |/usr/local/sbin/sshguard -w 1.2.3.4 -w 5.6.7.0/24

bye

> Thanks,
> Mike
>
> -------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It's the best place to buy or sell services for
> just about anything Open Source.
> http://sourceforge.net/services/buy/index.php
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
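The record-and-flush approach sketched in the thread (record each address as it is blocked, flush only from that record) as a complete backend helper script. This is an added example, not code from the thread or from the sshguard project. The script name, and the variables SSHG_ROUTE (the route command, overridable so the functions can be exercised without touching a real routing table) and SSHG_STATE (the record file, defaulting to the path Mij suggested), are my own assumptions; SSHG_ADDR is the variable the generated command.h passes in. It answers Mike's concern directly: flush removes exactly the routes this backend added, never blackhole routes added by hand, and never calls 'route flush'. The same record-keeping would apply with ipfw as the enforcement tool, but the two route invocations would have to be rewritten for it; ipfw syntax is not shown here.

```shell
#!/bin/sh
# sshg_blackhole.sh (hypothetical name): block / release / flush for an
# sshguard backend that uses blackhole routes and keeps its own record of
# what it blocked. Added example, not code from the thread or from sshguard.
# Assumed names: SSHG_ROUTE and SSHG_STATE (mine); SSHG_ADDR comes from the
# generated command.h.
SSHG_ROUTE="${SSHG_ROUTE:-/sbin/route}"
SSHG_STATE="${SSHG_STATE:-/var/db/sshguard-blocked.log}"

# block: add the blackhole route, then record the address. The record is
# written only if the route command succeeded, and only once per address, so
# the file stays an exact list of the routes this backend owns.
sshg_block() {
    addr="$1"
    if [ -f "$SSHG_STATE" ] && grep -qxF -- "$addr" "$SSHG_STATE"; then
        return 0   # already blocked by us; nothing to do
    fi
    "$SSHG_ROUTE" -q add "$addr" 127.0.0.1 -blackhole && echo "$addr" >> "$SSHG_STATE"
}

# release: delete the route and drop the address from the record.
sshg_release() {
    addr="$1"
    "$SSHG_ROUTE" -q delete "$addr" 127.0.0.1 || return 1
    if [ -f "$SSHG_STATE" ]; then
        # grep -v exits 1 when no lines are left, which is not an error here
        grep -vxF -- "$addr" "$SSHG_STATE" > "$SSHG_STATE.tmp" || :
        mv "$SSHG_STATE.tmp" "$SSHG_STATE"
    fi
}

# flush: remove exactly the routes we recorded. Blackhole routes added by
# hand are never touched. The loop variable is named without '$' in read.
sshg_flush() {
    [ -f "$SSHG_STATE" ] || return 0
    while IFS= read -r blocked; do
        [ -n "$blocked" ] || continue
        # a route already removed by hand is reported, not fatal
        "$SSHG_ROUTE" -q delete "$blocked" 127.0.0.1 ||
            echo "sshg_flush: could not delete route for $blocked" >&2
    done < "$SSHG_STATE"
    : > "$SSHG_STATE"   # truncate the record once the routes are gone
}

# count: number of addresses currently recorded (useful for monitoring).
sshg_count() {
    if [ -f "$SSHG_STATE" ]; then
        grep -c . "$SSHG_STATE" || :   # prints 0 (and exits 1) on an empty file
    else
        echo 0
    fi
}

# Dispatch when run as a script, e.g. from the generated command.h:
#   block:   /usr/local/sbin/sshg_blackhole.sh block "$SSHG_ADDR"
#   release: /usr/local/sbin/sshg_blackhole.sh release "$SSHG_ADDR"
#   flush:   /usr/local/sbin/sshg_blackhole.sh flush
case "${1:-}" in
    block)   sshg_block "$2" ;;
    release) sshg_release "$2" ;;
    flush)   sshg_flush ;;
esac
```

The record file doubles as the persistent log Mike asked for, separate from the rotated auth.log; it should be writable only by the user sshguard runs as, since anything that can append to it can later make flush delete arbitrary routes. Recording the address only after the route command succeeds keeps the file and the routing table in step, which a plain 'echo' before the route call would not.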