From: Mij <mi...@bi...> - 2008-09-10 23:40:56
Hello Kacper,

if you see the blocking/releasing messages, then the problem to debug is restricted to how the blocking goes. You can always use the -d flag to inspect this in detail. In your case, do:

1) temporarily disable sshguard from the system: killall -STP sshguard
2) run a debugging sshguard instance: sshguard -d
3) paste a "suspicious" entry line in its standard input (+ enter) 4 times

sshguard shows a "Matched IP address 101.102.103.104" message after each paste, and concludes with something like:

  "Blocking 101.102.103.104: 4 failures over 5 seconds. Setting environment: SSHG_ADDR= 101.102.103.104;SSHG_ADDRKIND=4;SSHG_SERVICE=100. <MESSAGE> Blocking command failed. Exited: -1"

If you get a failure, <MESSAGE> should point out what's wrong. If you can't solve it on your own, or you think it is a bug, please report the whole blocking message so we can find out.

On 9 Sep 2008, at 05:59, Kacper Wysocki wrote:
> Hello all,
> I've set up sshguard-pf 1.1 to run through syslog as recommended:
>
> # pkg_info | grep sshguard
> sshguard-pf-1.1_1 Protect hosts from brute force attacks against
> ssh and othe
>
> # cat /etc/syslog.conf | grep sshguard
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard
>
> and it reports that it runs fine:
> # cat /var/log/auth.log | grep sshguard
> Sep 8 12:00:00 interzone sshguard[35281]: Started successfully
> [(a,p,s)=(4, 420, 1200)], now ready to scan.
> x
> Sep 8 12:20:36 interzone sshguard[35281]: Blocking XX.XX.XX.XX: 4
> failures over 6 seconds.
> Sep 8 12:38:36 interzone sshguard[35281]: Releasing XX.XX.XX.XX after
> 445 seconds.
> (..output cropped for brevity..)
>
> my pf.conf is set up to work with sshguard:
> # cat /etc/pf.conf | grep sshguard
> table <sshguard> persist
> block in quick on $ext_if proto tcp from <sshguard> to any port 22
> label "ssh bruteforce"
>
> yet when I look at what pf is doing, I see no addresses added to the
> sshguard table, nor do I see any incoming packets blocked through
> pflog:
> # pfctl -t sshguard -vTshow
> No ALTQ support in kernel
> ALTQ related functions disabled
> # tcpdump -n -e -ttt -i pflog0
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture
> size 96 bytes
> (nothing)
>
> Now, I'm sure I've fumbled something - why aren't sshguard blocked IPs
> being added to the pf table?
>
> TIA,
> Kacper Wysocki
> --
> http://kacper.doesntexist.org
> Employ no technique to gain supreme enlightenment.
> - Mar pa Chos kyi blos gros
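As an added example (not sshguard's code and not from either poster), a small Python helper that parses the transcript of the four-paste `sshguard -d` probe described in the reply and turns it into a one-line verdict: how many pastes matched, which address was to be blocked, the SSHG_* environment handed to the backend, and the <MESSAGE> plus exit code if the blocking command failed. The pfctl error text in the sample transcript is a constructed stand-in for <MESSAGE>.

```python
"""Classify the transcript of an `sshguard -d` probe (the reply's four-paste
procedure). Added example, not sshguard's own code nor either poster's."""
import re
from dataclasses import dataclass, field
from typing import Optional
# Message shapes quoted in the reply; <MESSAGE> is whatever the backend printed.
MATCHED = re.compile(r"Matched IP address (\S+)")
BLOCKING = re.compile(r"Blocking (\S+): (\d+) failures over \d+ seconds")
ENV_VAR = re.compile(r"(SSHG_\w+)=\s*([^;\s]+?)\.?(?=[;\s]|$)")
FAILED = re.compile(r"Blocking command failed\. Exited: (-?\d+)")

@dataclass
class ProbeResult:
    matched: list = field(default_factory=list)   # one entry per "Matched IP address"
    blocked: Optional[str] = None                  # address sshguard decided to block
    failures: Optional[int] = None                 # failure count in the Blocking line
    env: dict = field(default_factory=dict)        # SSHG_* handed to the backend
    backend_error: Optional[str] = None            # the <MESSAGE> text, if any
    exit_code: Optional[int] = None                # "Exited: N", if the backend failed

def parse_debug_output(text: str) -> ProbeResult:
    res = ProbeResult()
    for line in text.splitlines():
        res.matched += MATCHED.findall(line)
        if m := BLOCKING.search(line):
            res.blocked, res.failures = m.group(1), int(m.group(2))
        rest = line
        for m in ENV_VAR.finditer(line):
            res.env[m.group(1)] = m.group(2)
            rest = line[m.end():].lstrip(". ")  # <MESSAGE> may share the line
        if m := FAILED.search(rest):
            res.exit_code = int(m.group(1))
            res.backend_error = rest[:m.start()].strip() or "(no message)"
    return res

def diagnose(res: ProbeResult) -> str:
    """One-line verdict: what to paste into a bug report, or what to check next."""
    if res.blocked is None:
        return f"no blocking decision: entry matched {len(res.matched)} time(s)"
    if res.exit_code is not None:
        return f"backend failed (exit {res.exit_code}) blocking {res.blocked}: {res.backend_error}"
    return f"backend accepted block for {res.blocked}; confirm with: pfctl -t sshguard -Tshow"

# Constructed transcript in the shape quoted above; the pfctl error is a made-up <MESSAGE>.
SAMPLE_FAIL = ("Matched IP address 101.102.103.104\n" * 4
    + "Blocking 101.102.103.104: 4 failures over 5 seconds. Setting environment: "
    "SSHG_ADDR= 101.102.103.104;SSHG_ADDRKIND=4;SSHG_SERVICE=100. "
    "pfctl: /dev/pf: Permission denied Blocking command failed. Exited: -1\n")
```

Pipe the real probe's output into `parse_debug_output` (for instance by reading stdin) and print `diagnose(...)`; a result with `exit_code` set is exactly the "whole blocking message" the reply asks to see in a report.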