From: Mij <mi...@bi...> - 2008-07-09 17:22:39
Mike's idea to use route may also be combined with the discard interface. This case is different in that connections are not reset back to the attacker (anything else?), although it is only available in FreeBSD I guess. Again, portability is a huge benefit as it abstracts away all the problems of dealing with different distributions for different operating systems. This doesn't forbid creating a repository on the website for collecting all the scripts contributed by the users and permitting them to be flagged by operating system.

On Jul 8, 2008, at 14:46, Yves Guérin wrote:

> Hello,
>
> I use freebsd and ipfw, are we able to do the same thing with ipfw?
> I read the following articles as mentioned in the last e-mail (http://osdir.com/ml/os.freebsd.devel.net/2003-05/msg00225.html)
>
> or maybe just develop a custom bash script to do the same thing via the syslogd facilities (maybe I will try this way, stay tuned)?
>
> Regards,
>
> Yves
>
> --- On Tue 17.6.08, Mij <mi...@bi...> wrote:
> From: Mij <mi...@bi...>
> Subject: Re: [Sshguard-users] How do I use a custom backend .h, and other newbie Qs
> To: ssh...@li...
> Date: Tuesday 17 June 2008, 1:46
>
> Hello Mike
>
> thanks for your post, please find the comments throughout your text
>
> On Jun 12, 2008, at 7:32 AM, Mike Brown wrote:
>
> > On my FreeBSD system, I've been using route(4) to manually manipulate my routing tables, setting up blackhole routes for IPs from which attacks originate. This works much more efficiently than ipfw, and very thoroughly blocks all communication with the compromised hosts.
>
> thanks, in general I appreciate contributions and customization so I look fwd to including this into the trunk as soon as it becomes a convenient solution.
>
> In which circumstances does this work more efficiently than ipfw or another firewall? I consider the load of rejecting connections quite negligible: what is the load at which you see this improvement?
> A benefit that I see is that there is no dependency on specific firewalls anymore. A drawback is that routing tables are not meant for this, so it might be tricky to manage sshguard rules and avoid messing up "manual" ones. If you're interested in contributing this, please have a look at the question of portability across systems different from linux.
>
> > Rather than using my own custom, buggy script, I thought I'd try sshguard with a custom backend. I used sshguard_backendgen.sh to generate a .h file. I used the commands below for the block, release, and flush, and left the init and finalize commands empty:
> >
> > /sbin/route -q add $SSHG_ADDR 127.0.0.1 -blackhole
> > /sbin/route -q delete $SSHG_ADDR 127.0.0.1
> > netstat -r -n -W | tr -s ' ' '\t' | cut -f 3,1 | rev | grep '^B' | cut -f 2 | rev | xargs -n 1 -J % /sbin/route -q delete % 127.0.0.1
> >
> > The flush command is a bit kludgy, obviously, and I haven't tested it, but the idea is to avoid using 'route flush', which is generally a bad idea, and rather just flush the blackholed routes. Unfortunately, the way I have it, it will flush _all_ blackholed routes, not just the ones sshguard blocked. Is there a way to get just the ones sshguard did? It'd be nice if it could write a single log somewhere, other than what shows up in my auth.log (which gets rotated).
>
> you're perfectly able to do it, just compose the "add" script with a further logging piece, eg (just guessing)
>
> /sbin/route -q add $SSHG_ADDR 127.0.0.1 -blackhole && echo $SSHG_ADDR >> /var/db/sshguard-blocked.log
>
> then flush with
>
> cat /var/db/sshguard-blocked.log | while read blocked ; do /sbin/route -q delete $blocked 127.0.0.1 ; done
>
> > Anyway, my main problem is that I don't know what to do with that .h file now. How do I tell sshguard to use it? Sorry if this is a dumb question. I couldn't find the answer in the docs.
>
> This is not a dumb question :)
> the thing was meant to provide 90% of the work with 10% of the effort, so it works like this:
>
> 1) you generate your .h file
> 2) you ./configure --with-firewall=pf
>    the script copies src/fwalls/command_pf.h to src/fwalls/command.h
>    command.h is the file containing the commands of the backend
> 3) you just replace src/fwalls/command.h with your generated .h file
> 4) you proceed to compiling & installing
>
> > Also, a third question: do I put the -w option (for whitelisting) in my syslog.conf? That part wasn't clear either.
>
> -w and the other options of whitelisting ( http://sshguard.sourceforge.net/doc/usage/whitelisting.html ) are command line options that can be passed to the sshguard process no matter where it is started from. Syslog is also fine, eg this line is fine:
>
> auth.info;authpriv.info |/usr/local/sbin/sshguard -w 1.2.3.4 -w 5.6.7.0/24
>
> bye
>
> > Thanks,
> > Mike
> >
> > _______________________________________________
> > Sshguard-users mailing list
> > Ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
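A fuller version of the logging-and-flush idea discussed in the thread, as an added example that is neither sshguard's own code nor anything the posters wrote: a route(8) blackhole backend script that records each address it blocks in its own list, so that flush removes only sshguard's routes and leaves manually added blackholes alone, and that refuses anything that is not a plain IPv4 address before it reaches a command line. The script name, the list file path and the way command.h would call it are assumptions.

```shell
#!/bin/sh
# Added example (not sshguard's code): route(8) blackhole backend that keeps
# its own list of blocked addresses, so "flush" touches only sshguard's routes.
# Assumed (hypothetical) hook-up in command.h:
#   sshg-route.sh block $SSHG_ADDR / sshg-route.sh release $SSHG_ADDR / sshg-route.sh flush
ROUTE="${ROUTE:-/sbin/route}"                      # overridable for testing
BLOCKLIST="${BLOCKLIST:-/var/db/sshguard-blocked.list}"   # assumed path

# Accept only a dotted quad: the value comes from parsed log lines and ends up
# on a command line, so reject anything else before calling route(8).
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

sshg_block() {
    valid_ipv4 "$1" || return 1
    grep -qxF "$1" "$BLOCKLIST" 2>/dev/null && return 0    # already blocked
    "$ROUTE" -q add "$1" 127.0.0.1 -blackhole && echo "$1" >> "$BLOCKLIST"
}

sshg_release() {
    valid_ipv4 "$1" || return 1
    "$ROUTE" -q delete "$1" 127.0.0.1 || return 1
    # drop the entry from our list; grep exits 1 when nothing is left, that is fine
    grep -vxF "$1" "$BLOCKLIST" > "$BLOCKLIST.tmp" 2>/dev/null || :
    mv "$BLOCKLIST.tmp" "$BLOCKLIST"
}

sshg_flush() {
    [ -f "$BLOCKLIST" ] || return 0
    while read -r addr; do                         # 'read addr', not 'read $addr'
        "$ROUTE" -q delete "$addr" 127.0.0.1 || echo "flush: $addr not deleted" >&2
    done < "$BLOCKLIST"
    : > "$BLOCKLIST"                               # list is empty once all routes are gone
}

case ${1-} in
    block)   sshg_block "$2" ;;
    release) sshg_release "$2" ;;
    flush)   sshg_flush ;;
esac
```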