Re: [Sshguard-users] Push to multiple hosts/firewalls?

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hello Nick,

> We're looking to setup sshguard on our central syslog server and have
> sshgaurd dynamically change the firewall rules on multiple hosts
> (running iptables), thus reducing the ability for an attacker to walk
> our IP ranges.
> 
> Has anyone attempted a configuration like this before, or does anyone
> have thoughts on how we should proceed?

This is one scenario SSHGuard has been designed to address.

You run SSHGuard on the central server (syslog collector); SSHGuard
will trigger a "block" or "release" action. You need to write the script to
issue the concrete command to block/release the address on the remote
server.

You can do this by writing a simple command list in command_remotes.h 
with definitions of COMMAND_BLOCK , COMMAND_RELEASE etc. See
one example in 
http://sshguard.svn.sourceforge.net/viewvc/sshguard/trunk/src/fwalls/command_iptables.h?view=markup

The next version of SSHGuard will support doing this with a simple script
that receives the relevant parameters (action, address, target service) from
the command line or the environment.

michele

Re: [Sshguard-users] Push to multiple hosts/firewalls?

Intelligently block brute-force attacks by aggregating system logs

Re: [Sshguard-users] Push to multiple hosts/firewalls?