From: Mij <mi...@ss...> - 2010-11-20 12:10:07
On Sep 21, 2010, at 16:43 , mihkel matson wrote:

> Hello,
>
> I use the following raw file method:
> tail -n0 -f /var/log/auth.log | /usr/local/sbin/sshguard -w /etc/sshguard.wl -a 10 -b 10:/etc/sshguard.bl
>
> My iptables default config is
> iptables -N sshguard
> iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
> iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j sshguard
>
> And my chain policies are:
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT (just for testing purposes)
>
> So if I have default policy to DROP everything and if it didn't pass any of my default rules - it will be dropped, right?

Yep

> Until the sshguard chain is empty, I can't access my ssh server. What could be the solution?

Read the note on http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/

"""
Verify that you have NOT a default allow rule passing all ssh traffic higher in the chain.
Verify that you have NOT a default deny rule blocking all ssh traffic in your firewall.
"""

:)

You want to say:
- block whatever SSHGuard says is dangerous
- allow everything else (to ssh)

In iptables parlance, that could look like:

iptables -N sshguard
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -j sshguard
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

sshguard inserts per-address DROP rules. Whatever is not caught in that chain will be allowed onto sshd.

> If I start the sshguard, will it immediately add whitelist IP-s to sshguard chain. I can't see them, is there something wrong in my logic?

Whitelisting is an internal thing of SSHGuard, it's not reflected in the firewall. It works like this: the parser detects an attack. If the originator is in the whitelist (internal data structure) then ignore it, else proceed.

> Thank you in advance!
> BR,
> z
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
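To make the ordering point concrete, here is a small model of how netfilter walks the INPUT chain, written as an added example for this archive page; it is not code from sshguard or from either poster. It models only what the thread discusses: rules are tried in order, `-j <userchain>` jumps into the chain and falls back to the caller when the user chain ends without a verdict (an empty sshguard chain behaves exactly like that), and the builtin chain's policy applies once the last rule has been passed. The two rulesets below are the poster's original one and Mij's corrected one; the client and attacker addresses are constructed sample values, and `sshguard_block` stands in for the per-address DROP rule sshguard inserts on detection.

```python
"""Toy model of netfilter chain traversal for the two iptables rulesets in the thread.

Added example, not sshguard's code. Simplifications: only tcp, only -i eth0
traffic, and matching on destination port and source address.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                   # "ACCEPT", "DROP", or the name of a user chain
    dport: Optional[int] = None   # --dport match; None means any port
    src: Optional[str] = None     # -s match; None means any source

    def matches(self, src: str, dport: int) -> bool:
        return (self.dport is None or self.dport == dport) and \
               (self.src is None or self.src == src)


@dataclass
class Firewall:
    chains: dict = field(default_factory=dict)   # chain name -> list of Rule
    policy: dict = field(default_factory=dict)   # builtin chain -> "ACCEPT"/"DROP"

    def new_chain(self, name: str) -> None:       # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I (what sshguard uses)
        self.chains[chain].insert(0, rule)

    def verdict(self, src: str, dport: int, chain: str = "INPUT") -> Optional[str]:
        """Walk `chain` for a packet; return ACCEPT/DROP, or None if a user chain RETURNs."""
        for rule in self.chains[chain]:
            if not rule.matches(src, dport):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            # -j into a user chain: a verdict there is final, otherwise keep walking here
            result = self.verdict(src, dport, rule.target)
            if result is not None:
                return result
        # End of chain: builtin chains apply their policy, user chains implicitly RETURN
        return self.policy.get(chain)


def _base(fw: Firewall) -> None:
    fw.new_chain("INPUT")
    fw.new_chain("sshguard")
    for port in (80, 443, 21):
        fw.append("INPUT", Rule("ACCEPT", dport=port))


def original_ruleset() -> Firewall:
    """The poster's config: port 22 jumps to sshguard and nothing follows the jump."""
    fw = Firewall(policy={"INPUT": "DROP"})
    _base(fw)
    fw.append("INPUT", Rule("sshguard", dport=22))
    return fw


def corrected_ruleset() -> Firewall:
    """Mij's suggestion: jump to sshguard for all tcp, then explicitly ACCEPT port 22."""
    fw = Firewall(policy={"INPUT": "DROP"})
    _base(fw)
    fw.append("INPUT", Rule("sshguard"))          # -p tcp, any port
    fw.append("INPUT", Rule("ACCEPT", dport=22))
    return fw


def sshguard_block(fw: Firewall, addr: str) -> None:
    """What sshguard does on detection: insert a per-address DROP into its chain."""
    fw.insert("sshguard", Rule("DROP", src=addr))


if __name__ == "__main__":
    CLIENT, ATTACKER = "192.0.2.10", "198.51.100.7"   # constructed sample addresses
    fw = original_ruleset()
    print("original, empty sshguard chain, client -> 22:", fw.verdict(CLIENT, 22))
    fw = corrected_ruleset()
    print("corrected, empty sshguard chain, client -> 22:", fw.verdict(CLIENT, 22))
    sshguard_block(fw, ATTACKER)
    print("corrected, after block, attacker -> 22:", fw.verdict(ATTACKER, 22))
    print("corrected, after block, client -> 22:  ", fw.verdict(CLIENT, 22))
    print("corrected, after block, attacker -> 80:", fw.verdict(ATTACKER, 80))
```

With the original ruleset the ssh packet jumps into the empty sshguard chain, returns, finds no further rule and hits the INPUT policy, so it is dropped even though nobody was blocked; with the corrected ruleset the same packet returns from sshguard and is accepted by the explicit port 22 rule, while a blocked address is dropped by the rule sshguard inserted. The model also shows a side effect of the corrected ordering worth knowing about: because the port 80/443/21 ACCEPT rules sit above the jump, a blocked address is still accepted on those ports, so the sshguard chain only protects what is evaluated after the jump.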