From: David H. <dho...@gm...> - 2009-09-23 15:18:01
On Wed, Sep 23, 2009 at 9:10 AM, Emmanuel Alves <man...@gm...> wrote:
> Hi Mij,
>
> Here is my -list output
>
> 00010 allow ip from any to any via lo0
> 00020 deny ip from any to 127.0.0.0/8
> 00030 deny ip from 127.0.0.0/8 to any
> 00040 deny tcp from any to any frag
> 00050 check-state
> 00060 allow tcp from any to any established
> 00070 allow ip from any to any out keep-state
> 00080 allow icmp from any to any
> 00110 allow tcp from any to any dst-port 21 in
> 00120 allow tcp from any to any dst-port 21 out
> 00130 allow tcp from any to any dst-port 22 in

There is a rule ordering issue here. sshguard with ipfw by default uses rules 55000-55050, so any allow rules for ports sshguard is protecting need to be AFTER 55050.

This line (130) will allow anyone in to your ssh port regardless of what sshguard detects, as ipfw only matches the first allow/deny line, then stops processing. You need to change this line as follows:

    ipfw delete 130
    ipfw add 56000 allow tcp from any to any dst-port 22 in

man ipfw for all the gory details.

You can also change the port range that sshguard uses by using a ./configure script parameter:

    --with-ipfw-rules-range=MIN-MAX
        Specify the IDs range in which sshguard can put its block rules (Default: "55000-55050")

> 00140 allow tcp from any to any dst-port 22 out
> 00150 allow tcp from any to any dst-port 25 in
> 00160 allow tcp from any to any dst-port 25 out
> 00170 allow udp from any to any dst-port 53 in
> 00175 allow tcp from any to any dst-port 53 in
> 00180 allow udp from any to any dst-port 53 out
> 00185 allow tcp from any to any dst-port 53 out
> 00200 allow tcp from any to any dst-port 80 in
> 00210 allow tcp from any to any dst-port 80 out
> 00220 allow tcp from any to any dst-port 110 in
> 00230 allow tcp from any to any dst-port 110 out
> 00240 allow udp from any to any dst-port 123 in
> 00250 allow udp from any to any dst-port 123 out
> 00260 allow tcp from any to any dst-port 443 in
> 00270 allow tcp from any to any dst-port 443 out
> 00500 deny log logamount 100 ip from any to any
>
> Before, my last entry was
>
> 65000 deny log logamount 100 ip from any to any
>
> Then I changed it to "00500" this morning and now I have a lot of blocks of the same IP.

No, leave the deny ip from any to any line at 65000. That is where it belongs.

> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55000 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55001 deny ip from 60.217.229.220 to me
> 55048 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
> 55049 deny ip from 60.217.229.220 to me
>
> ...
>
> 65535 allow ip from any to any
>
> The firewall is blocking?

No, I do not believe ipfw is blocking for you, as your deny rule is after your allow rule. If you do an 'ipfw show' you can see rule matching and packet matching counts as well as the list of rules to be sure. If you see 0 0 as your counts, then you know the rule has never matched anything.

Good Luck.

--Dave

> []s
>
> Emmanuel Alves
> man...@gm...
>
> ---------------------------------------------------------------------
> Twitter: http://www.twitter.com/emartsnet
> Linked In: http://www.linkedin.com/in/emartsnet
>
>
> On Wed, Sep 23, 2009 at 9:30 AM, Mij <mi...@ss...> wrote:
>>
>> Hi Emmanuel,
>>
>> I don't quite get from your email: do you see the blocking rules in the IPFW chain?
>> I.e. what does "ipfw list" output after one blocking? You can perform further in-depth tracing by running
>>
>> sshguard -d
>>
>> and pasting in its console multiple times (until you get the blocking) a line such as
>>
>> Invalid user wolff from 192.168.1.66
>>
>>
>> On Sep 23, 2009, at 13:57 , Emmanuel Alves wrote:
>>
>> > Hello,
>> >
>> > I'm using sshguard to protect my server against brute-force attacks. I configured the firewall (ipfw) to block all ports (except for the default ports: apache, ftp...). But I think that my sshguard isn't blocking IP addresses that try to force access to SSH.
>> >
>> > This is my log from /var/log/security
>> >
>> > Sep 20 17:22:53 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 8 seconds.
>> > Sep 20 17:22:54 brain sshd[32502]: Invalid user accounts from 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: error: PAM: authentication error for illegal user accounts from 83.234.231.11
>> > Sep 20 17:22:55 brain sshd[32502]: Failed keyboard-interactive/pam for invalid user accounts from 83.234.231.11 port 49912 ssh2
>> > Sep 20 17:22:57 brain sshd[32505]: Invalid user aaron from 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: error: PAM: authentication error for illegal user aaron from 83.234.231.11
>> > Sep 20 17:22:58 brain sshd[32505]: Failed keyboard-interactive/pam for invalid user aaron from 83.234.231.11 port 33210 ssh2
>> > Sep 20 17:22:58 brain sshguard[97311]: Blocking 83.234.231.11: 4 failures over 4 seconds.
>> >
>> > The same IP is blocked, but it can access afterwards.
>> >
>> > Is there any configuration in my sshguard to specify the time an IP address will stay blocked?
>> >
>> > Thanks.
>> >
>> > []s
>> >
>> > Emmanuel Alves
>> > man...@gm...
>> >
>> > ---------------------------------------------------------------------
>> > Twitter: http://www.twitter.com/emartsnet
>> > Linked In: http://www.linkedin.com/in/emartsnet
>> >
>> > _______________________________________________
>> > Sshguard-users mailing list
>> > Ssh...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
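One way to see the ordering problem Dave describes, as an added example that is not part of this thread nor code from sshguard or ipfw: a small Python model of ipfw's first-match evaluation, run over the rules from the quoted listing that decide an inbound SSH connection once sshguard has inserted its block rule at 55000. The model covers only the options those rules use (protocol, from/to, dst-port, in/out, and the non-matching "log logamount N" option); stateful options such as check-state, keep-state, established, frag and "via lo0" are deliberately not modelled, "me" is treated as matching any destination, and the host address 192.0.2.10 and the legitimate client 198.51.100.7 are placeholders.

```python
"""Toy model of ipfw first-match evaluation (constructed example, not ipfw or sshguard code).

Shows why 'allow tcp from any to any dst-port 22 in' at rule 130 is reached before
sshguard's 'deny ip from <attacker> to me' at 55000, and why re-adding the allow at
56000 (after sshguard's default 55000-55050 range) makes the block effective.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str                       # "ip" matches every protocol
    src: str                         # "any", "me" or an address/CIDR
    dst: str
    dst_port: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None (either)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]
    direction: str


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw list' line for the subset of syntax modelled here."""
    t = line.split()
    number, action, i = int(t[0]), t[1], 2
    if t[i] == "log":                # "log logamount N" only logs; it does not affect matching
        i += 3
    proto = t[i]
    assert t[i + 1] == "from" and t[i + 3] == "to", line
    src, dst, i = t[i + 2], t[i + 4], i + 5
    dst_port = direction = None
    while i < len(t):
        if t[i] == "dst-port":
            dst_port, i = int(t[i + 1]), i + 2
        elif t[i] in ("in", "out"):
            direction, i = t[i], i + 1
        else:
            raise ValueError(f"option {t[i]!r} is not modelled")
    return Rule(number, action, proto, src, dst, dst_port, direction)


def load_rules(listing: str) -> List[Rule]:
    return [parse_rule(l) for l in listing.strip().splitlines()]


def _addr_match(spec: str, addr: str) -> bool:
    if spec in ("any", "me"):        # "me" (any local address) is treated as "any" in this model
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """ipfw walks rules in ascending number and stops at the first allow/deny that matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    return 65535, "allow"            # the default rule shown at the end of the quoted listing


# The rules from the quoted listing that decide an inbound SSH packet,
# after sshguard has added its block rule for 60.217.229.220 at 55000.
POSTED = load_rules("""
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
55000 deny ip from 60.217.229.220 to me
65000 deny log logamount 100 ip from any to any
""")


def apply_fix(rules: List[Rule]) -> List[Rule]:
    """Same effect as 'ipfw delete 130' then
    'ipfw add 56000 allow tcp from any to any dst-port 22 in'."""
    kept = [r for r in rules if r.number != 130]
    return kept + [parse_rule("56000 allow tcp from any to any dst-port 22 in")]


FIXED = apply_fix(POSTED)

# Placeholder addresses: 192.0.2.10 stands for the host, 198.51.100.7 for a legitimate client.
ATTACKER_SSH = Packet("tcp", "60.217.229.220", "192.0.2.10", 22, "in")
LEGIT_SSH = Packet("tcp", "198.51.100.7", "192.0.2.10", 22, "in")

if __name__ == "__main__":
    for name, rules in (("as posted", POSTED), ("after fix", FIXED)):
        print(f"{name}: attacker -> {first_match(rules, ATTACKER_SSH)}, "
              f"legit -> {first_match(rules, LEGIT_SSH)}")
```

With the listing as posted, the attacker's SSH SYN is decided by rule 130 and never reaches 55000; after the fix it hits the sshguard deny at 55000 while a legitimate client still falls through to the allow at 56000. On the real box, "ipfw show" gives the same answer from the packet counters: an sshguard rule that stays at 0 0 is one that is never being consulted.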