Re: [Sshguard-users] sshguard stops itself?

[Colin K. <col...@gm...>]

On Wed, Jan 12, 2011 at 12:09 PM, Mij <mi...@ss...> wrote:
> As a side note, the "exited 1" message is likely up to ip6tables, since you
> mention you didn't configure its tables.
> In that case, you can get over that too.

My first guess was ip6tables since that has always caused headaches
for me. As such the patch is to change

--- sshguard-1.5rc3/src/fwalls/command_iptables.h.orig  2010-04-27
11:13:53.000000000 -0400
+++ sshguard-1.5rc3/src/fwalls/command_iptables.h   2010-04-27
12:40:16.000000000 -0400
@@ -38,7 +38,7 @@
  *  $SSHG_ADDRKIND  the code of the address type [see
sshguard_addresskind.h] (e.g. 4)
  *  $SSHG_SERVICE   the code of the service attacked [see
sshguard_services.h] (e.g. 10)
  */
-#define COMMAND_BLOCK       "case $SSHG_ADDRKIND in 4) exec "
IPTABLES_PATH "/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
" IPTABLES_PATH "/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *)
exit -2 ;; esac"
+#define COMMAND_BLOCK       "case $SSHG_ADDRKIND in 4) exec "
IPTABLES_PATH "/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit
-2 ;; esac"

 /* iptables does not support blocking multiple addresses in one call.
  * COMMAND_BLOCK_LIST can not be provided here, a sequence of calls to
@@ -50,10 +50,10 @@
  *  $SSHG_ADDRKIND  the code of the address type [see
sshguard_addresskind.h] (e.g. 4)
  *  $SSHG_SERVICE   the code of the service attacked [see
sshguard_services.h] (e.g. 10)
  */
-#define COMMAND_RELEASE     "case $SSHG_ADDRKIND in 4) exec "
IPTABLES_PATH "/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; 6) exec
" IPTABLES_PATH "/ip6tables -D sshguard -s $SSHG_ADDR -j DROP ;; *)
exit -2 ;; esac"
+#define COMMAND_RELEASE     "case $SSHG_ADDRKIND in 4) exec "
IPTABLES_PATH "/iptables -D sshguard -s $SSHG_ADDR -j DROP ;; *) exit
-2 ;; esac"

 /* for releasing all blocked IPs at once (blocks flush) */
-#define COMMAND_FLUSH       IPTABLES_PATH "/iptables -F sshguard ; "
IPTABLES_PATH "/ip6tables -F sshguard"
+#define COMMAND_FLUSH       IPTABLES_PATH "/iptables -F sshguard ; "


 #endif



------

Sorry if the mail program breaks the patch file but you'll get the
gist of it. I don't know if it would be easy to add a check to
configure.ac for this, perhaps something like:

     iptables)
        AC_CHECK_PROG(hasip6tables, iptables, `which ip6tables | xargs
dirname`, "")
        if test x$hasip6tables = x
        then
          AC_DEFINE(IPTABLES_HAS_IP6TABLES,1, [can use ip6tables])
        fi


then update command_iptables.h to have COMMAND_BLOCK, COMMAND_RELEASE
and COMMAND_FLUSH use either iptables or iptables and ip6tables. E.g.


/* for releasing all blocked IPs at once (blocks flush) */
#ifdef IPTABLES_HAS_IP6TABLES
#define COMMAND_FLUSH       IPTABLES_PATH "/iptables -F sshguard ; "
IPTABLES_PATH "/ip6tables -F sshguard"
#else
#define COMMAND_FLUSH       IPTABLES_PATH "/iptables -F sshguard"
#end


Sorry this isn't a full patch, it is just an idea that occurred to me
as I was writing.

Regards,
Colin.


-- 
Colin Keith
Systems Administrator
Hagen Software Inc.