From: Bradley G. <pi...@ma...> - 2012-06-06 14:36:39
On Jun 5, 2012, at 10:45 AM, Daniel I Golden wrote:

> Hi all,
>
> I'm using SSHguard 1.5.0 from macports on OS X lion. To test whether ssh guard is working, I've logged onto a different computer and attempted to "break in" to my server by SSHing in with invalid username/password combos. After four invalid attempts, I see this message in system.log (I've redacted hostnames and IP addresses):
>
> Jun 5 10:29:58 my_hostname sshguard[16887]: Blocking xxx.xxx.xxx.xxx:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
> Jun 5 10:29:58 my_hostname org.macports.sshguard[16883]: No ALTQ support in kernel
> Jun 5 10:29:58 my_hostname org.macports.sshguard[16883]: ALTQ related functions disabled
> Jun 5 10:29:58 my_hostname org.macports.sshguard[16883]: 1/1 addresses added.
>
> However, when I list the ipfw rules, nothing is there:
> $ sudo ipfw list
> 65535 allow ip from any to any
>
> And I can continue to attempt to log in from my other computer.
>
> sshguard is running as root, as verified by ps:
>
> [my_user@my_hostname my_username]$ ps aux|grep sshguard
> my_user 17075 0.0 0.0 2434892 572 s001 R+ 10:37AM 0:00.00 grep --color sshguard
> root 16998 0.0 0.0 2445088 916 ?? S 10:32AM 0:00.02 /opt/local/sbin/sshguard -l /var/log/system.log -l /var/log/secure.log -w /opt/local/etc/sshguard/whitelist -b 50:/opt/local/var/db/sshguard/blacklist.db -s 3600
> root 16995 0.0 0.0 2435492 832 ?? S 10:32AM 0:00.00 /bin/sh /opt/local/libexec/sshguard/sshguard-options-wrapper
> root 16994 0.0 0.0 2466876 1180 ?? Ss 10:32AM 0:00.00 /opt/local/bin/daemondo --label=sshguard --start-cmd /opt/local/libexec/sshguard/sshguard-options-wrapper ; --pid=exec
>
> So I don't understand why sshguard isn't writing to ipfw. Can anyone offer any debugging suggestions?

Lion has switched from ipfw to pf for its firewall. It looks like you are using the MacPorts sshguard port, in which case on Lion the port would have configured sshguard to use pf.

I am not familiar enough with pf commands to help further but it looks like pf has a man page.

Regards,
Bradley Giesbrecht (pixilla)
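
An added example, not part of the original message: the `No ALTQ support in kernel` and `1/1 addresses added.` lines in the quoted log are pfctl output, so the state to inspect is pf's rather than `ipfw list`. The script classifies `pfctl -s info` and `pfctl -sr` output; it assumes the pf backend adds offenders to a table named `sshguard`, and the sample text is constructed.

```shell
#!/bin/sh
# Added example. Sample pfctl output below is constructed for illustration.
# Assumption: sshguard's pf backend adds offenders to a pf table named "sshguard".

# stdin: output of `pfctl -s info`. Succeeds when pf is enabled.
pf_enabled() {
    grep -q '^Status: Enabled'
}

# stdin: output of `pfctl -sr`. Succeeds when a block rule uses the table.
rules_block_table() {
    grep -Eq '^block .*<sshguard>'
}

# $1 = `pfctl -s info` text, $2 = `pfctl -sr` text. Prints one verdict word.
diagnose() {
    if ! printf '%s\n' "$1" | pf_enabled; then
        echo "pf-disabled"      # table entries have no effect while pf is off
    elif ! printf '%s\n' "$2" | rules_block_table; then
        echo "no-block-rule"    # addresses land in the table, nothing drops them
    else
        echo "ok"
    fi
}

# Constructed samples (not taken from the poster's machine).
INFO_OFF='Status: Disabled                              Debug: Urgent'
INFO_ON='Status: Enabled for 0 days 00:12:31           Debug: Urgent'
RULES_STOCK='scrub-anchor "com.apple/*" all fragment reassemble
anchor "com.apple/*" all'
RULES_FIXED="$RULES_STOCK
block drop in quick proto tcp from <sshguard> to any port = 22"

diagnose "$INFO_OFF" "$RULES_STOCK"
diagnose "$INFO_ON"  "$RULES_STOCK"
diagnose "$INFO_ON"  "$RULES_FIXED"

# On the live host (as root):
#   diagnose "$(pfctl -s info 2>/dev/null)" "$(pfctl -sr 2>/dev/null)"
#   pfctl -t sshguard -T show    # addresses currently in the table
```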