From: Peter B. <be...@an...> - 2009-07-22 02:03:12

On Tue, 21 Jul 2009, Mij wrote:

> On Jul 21, 2009, at 21:17 , Peter Beckman wrote:
>
>> On Tue, 21 Jul 2009, Mij wrote:
>>
>>> Naturally the same machinery is used for blocking with or without -d, so
>>> if in the latter case it works, is sshguard run as root from the syslog
>>> instance?
>>
>> syslogd is running as root, and since I've tested it in the past and it
>> has worked, and I haven't updated anything, I was surprised to see the
>> failure.
>
> 2 things:
> 1) you show that with -d the address is visible in the PF table after
> blocking.
> What about the normal run?

Wasn't around at the time of the attack, I only get notified at the end of
the day when I get emailed the log. I upgraded to 1.4rc5 and tested
manually, and it blocked successfully. Hopefully the bot-net tries again
soon, and I'll see if the issue was resolved by upgrading.

PS -- If you were bored, you could always create a few new FreeBSD Ports:

    sshguard-devel
    sshguard-devel-pf (or modify the sshguard-pf port to have a flag to use sshguard-devel)

I built a pseudo-hack port, but didn't spend enough time to figure out how
to install it as sshguard-devel-1.4rc5 without figuring out how to tell it
to download sshguard-1.4rc5.tar.gz from SourceForge. Probably could with
some time and effort, the former of which I have none of!

> 2) sshguard always logs debug messages (filtering/dispatching left up to
> syslogd). Have a look at your debug.log or all.log for debug messages.
> There you find whether/why the actual blocking command fails.

Unfortunately FreeBSD sets the logging and rotation of debug.log extremely
short, and the logs that would have given some insight into the issue are
now rotated. I've set my debug.log to rotate weekly instead of hourly,
which should give some insight if things go wrong.

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
be...@an...                                          http://www.angryox.com/
---------------------------------------------------------------------------