From: Colin K. <col...@gm...> - 2010-08-25 16:18:49
If you run "make install" then it will install the files for that version. As the names are the same from one version to another, it means that your old version will be overwritten with the new version. The running process will be the old version though, so you'll then need to kill off the old process and start it running again.

I posted my configs that I use for init scripts on the list a while ago. If you don't have one you're welcome to copy those, but they're basically copies of an init script for another program like ssh with the name of the program changed. You can pretty much make it as simple as:

    cat /etc/init.d/ssh{,d} | sed 's/ssh/sshguard/g' > /etc/init.d/sshguard
    (cd /etc/rc3.d; ln -s ../init.d/sshguard S11sshguard; ln -s ../init.d/sshguard K85sshguard)

Depending on where ssh and sshguard are installed you'll probably need to fix the paths as well, but that is left to the viewer.

I'm not sure quite what you are asking in your second question. SSHguard was originally designed to mitigate dictionary/spam attacks against SSH servers. It does this by looking at the log files for failed login attempts. It turns out that this same process is very handy for other types of log files too, so the developers expanded it to include patterns in other log files such as FTP logs and mail server logs. When it sees bad behaviour - a certain number of failed attempts, for example - it issues a call to your firewall, for example iptables, ipchains, ipfw etc., to block the access. It will try to add it to a unique list for supporting firewalls. For example, for iptables it adds it to the "sshguard" chain, e.g.:

    iptables -A sshguard -s <ip> -j DROP

You can modify this yourself to have it do whatever you want. Simply look at the src/fwalls/command_*.h files for the command that is being issued. For example, I use iptables but I don't use IPv6, so I remove the ip6tables commands to avoid errors.

This is also the same command that this ddos.sh script uses, but you could modify this to use whatever you want, for example if you use the TARPIT target (sadly no longer maintained and so removed from iptables), send the IP off to a customer-facing firewall box or the like.

Sshguard doesn't scan web server logs, but you could also use snort or similar tools. Adding patterns is a little harder than some apps because they're hard coded rather than written dynamically. But one suggestion (possibly classed as a horrible suggestion, but that's left to the viewer) is to fake out SSHguard. Rather than trying to work out your own patterns, you could simply tell sshguard to look at another log file besides those that you actually want to monitor. Nothing writes to this log file normally. You could then have a script that looks at the web server logs (or is written to by your web scripts, if you wanted) and if it finds something that is bad then it writes an entry to your new log file in the form of a failed SSH login. The only difference is that the IP in that fake log file entry that you write is the one that made the bad web server access. That causes sshguard to block the IP as normal.

Beyond that you need to then push all traffic through the sshguard chain. So rather than just sending port 22 or port 21, etc. traffic to it, you also send port 80, or as I do, all traffic once my iptables rules have been passed (which amongst other things allow me to always have ssh access to the box just in case sshguard hiccups and adds my IP to the block list).

It is really a case of piping data from one form to another, just as you do all the time with unix tools.

Colin.

--
Colin Keith
Systems Administrator
Hagen Software Inc.
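The "fake-out" trick Colin describes, written out as an added example that is not part of the original post or of sshguard itself. It scans Apache-style access log lines (the sample lines below are constructed), picks out client IPs that made hostile-looking requests, and appends one synthetic sshd "Failed password" line per offender to a dedicated log file that sshguard is pointed at. The hostile-request patterns, the log path, the `sshguard -l` invocation and the exact sshd line format are assumptions; verify the line format against the sshguard version you run by feeding it one test line and watching for the iptables call.

```sh
#!/bin/sh
# Added example, not from the original post or the sshguard project.
# Turn hostile web requests into fake sshd login failures so that sshguard
# blocks the web client exactly as it would block an SSH brute-forcer.
#
# Assumptions (not stated in the post):
#   - sshguard is started with the extra file to watch, e.g.
#       sshguard -l /var/log/auth.log -l /var/log/sshguard-web.log
#   - nothing else ever writes to that extra file
#   - the syslog-style "Failed password ... from <ip>" line below is one the
#     sshd parser of your sshguard version accepts (assumed; test it first)

FAKE_LOG="${FAKE_LOG:-/tmp/sshguard-web.log}"   # assumed path, override via env

# Return 0 if the quoted request string looks hostile.
# The patterns are illustrative; tune them to your own site.
is_bad_request() {
    case "$1" in
        *phpmyadmin*|*/wp-login.php*|*../../*|*/etc/passwd*|*%27*|*"union select"*)
            return 0 ;;
    esac
    return 1
}

# Print a fake sshd authentication failure naming $1 (client IP) as the source.
# Only the IP matters to sshguard; user, port and PID are filler.
fake_ssh_failure() {
    ip="$1"
    printf '%s %s sshd[%d]: Failed password for invalid user web from %s port 0 ssh2\n' \
        "$(date '+%b %e %H:%M:%S')" "$(uname -n)" "$$" "$ip"
}

# Read access-log lines on stdin; print offending client IPs, one per line,
# de-duplicated so a noisy client yields a single fake entry per run.
offending_ips() {
    while IFS= read -r line; do
        ip=${line%% *}                     # first field: client IP
        req=${line#*\"}; req=${req%%\"*}   # text between the first pair of quotes
        is_bad_request "$req" && printf '%s\n' "$ip"
    done | sort -u
}

# Read access-log lines on stdin; append one fake sshd failure per offender
# to $FAKE_LOG, which sshguard is watching.
feed_sshguard() {
    offending_ips | while IFS= read -r ip; do
        fake_ssh_failure "$ip" >> "$FAKE_LOG"
    done
}

# Constructed sample access log (documentation IPs, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [25/Aug/2010:16:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [25/Aug/2010:16:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.9 - - [25/Aug/2010:16:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 210
192.0.2.44 - - [25/Aug/2010:16:00:04 +0000] "GET /../../etc/passwd HTTP/1.0" 400 0'

# Demo run: ./fake-out.sh --demo   (writes to $FAKE_LOG and shows the result)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | feed_sshguard
    cat "$FAKE_LOG"
fi
```

In production you would replace the sample with `tail -F /var/log/apache2/access.log | feed_sshguard` (path assumed), and remember that the blocking only bites if the sshguard chain is consulted for web traffic too, with your own management addresses accepted before the jump into that chain so a false positive cannot lock you out.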