From: Willem J. W. <wj...@di...> - 2015-08-05 15:46:42
On 5-8-2015 15:16, Alastair Hogge wrote:
> On 2015-08-02 Sun 13:36:37 -0500 Gregory Putrich, wrote:
>> For IPFW, did the change to use a table instead of individual rules make
>> it in? I've installed 1.6.1 on FreeBSD from the ports (sshguard-ipfw) and
>> it's still creating individual rules, and also it crashes on start if the
>> blacklist is larger than 4 lines or so.
>
> If you want to make use of a table id in ipfw follow these steps below:
>
> # pkg install security/sshguard-null
> # sysrc sshguard_flags="-e /usr/local/sbin/sshguard-null"
>
> $ cat /usr/local/sbin/sshguard-null
>
> #!/bin/sh
> # Source:
> # http://sourceforge.net/p/sshguard/mailman/message/34151601/
>
> fwcmd="/sbin/ipfw"
> table_id="sshguard"
> print_debug="0"
>
> fwcmd_debug() {
>     if [ ${print_debug} -gt 0 ]; then
>         /usr/bin/logger -i -p local0.notice -t sshguard-null ${@}
>     fi
> }
>
> fwcmd_debug "${0}: Incoming sshguard(8) action"
>
> case ${SSHG_ACTION} in
>     init)
>         # create table?
>         fwcmd_debug "${SSHG_ACTION}"
>         ;;
>     fin)
>         fwcmd_debug "${fwcmd} table ${table_id} flush"
>         ${fwcmd} table ${table_id} flush
>         ;;
>     block)
>         fwcmd_debug "${fwcmd} table ${table_id} add ${SSHG_ADDR}"
>         ${fwcmd} table ${table_id} add ${SSHG_ADDR}
>         ;;
>     block_list)
>         for a in `echo ${SSHG_ADDR} | sed 's/,/ /g'` ; do
>             fwcmd_debug "${fwcmd} table ${table_id} add ${a}"
>             ${fwcmd} table ${table_id} add ${a}
>         done
>         ;;
>     release)
>         fwcmd_debug "${fwcmd} table ${table_id} delete ${SSHG_ADDR}"
>         ${fwcmd} table ${table_id} delete ${SSHG_ADDR}
>         ;;
>     flush)
>         fwcmd_debug "${fwcmd} table ${table_id} flush"
>         ${fwcmd} table ${table_id} flush
>         ;;
>     *)
>         fwcmd_debug "${SSHG_ACTION} unsupported"
>         ;;
> esac
>
> exit 0
>
> I have been using this method on FreeBSD-11-CURRENT for >3 weeks now & have
> not observed any crashes. sshguard & ipfw continue to function as expected.

Right,
Haven't looked into the new stuff due to $work, but that is the way I'm still doing it.
More or less based on KISS.
(and I think shell-scripts are KISS :)

Funny thing I see in your script is that your table ID is: sshguard.
So you are already using one of the features I saw that was in the new IPFW code:
IDs don't have to be numbers any longer.

Now the fun part is that you can reload your firewall without erasing the tables...
So the blacklisting is kept in order.
If you'd want to remove all blacklisting for testing purposes:
	ipfw table all flush
is your friend.
Need to know if a customer landed himself in the blacklist:
	ipfw table all list | grep ip-nr
and so on, and so on.
And with alphanumeric table names things get even more fun...

I also load tables from:
	swatch		for watching httpd/mail/... log files for scriptkiddies
	portsentry	for catching people trying portscanning
etc...

Everything could be improved upon a lot, but it gets most obnoxious tries down.
So other things have a bigger chance of standing out.

--WjW

Now for the counterpart:
Here is the top part of my ipfw config....
----
01000 count ip from any to any
# delete (by hand) major blocks that are harassing me
# They could also go into a table...
01010 deny ip from 82.75.147.236,77.249.92.231,178.170.161.34,60.208.0.0/13,61.182.0.0/15,116.224.0.0/12,218.108.0.0/15,1.93.0.0/16,222.186.0.0/16,222.240.128.0/17,46.105.102.221 to any
01020 deny ip from any to 82.75.147.236,77.249.92.231,178.170.161.34,60.208.0.0/13,61.182.0.0/15,116.224.0.0/12,218.108.0.0/15,1.93.0.0/16,222.186.0.0/16,222.240.128.0/17,46.105.102.221
# skip over the blocking rules for hackers/spammers for my trusted
# IPs.... could also go into a table ....
01030 skipto 2000 ip from ${trustedipnrs} to any
01040 deny ip from table(10) to any
01050 deny ip from table(21) to any
01060 deny ip from table(22) to any
01070 deny ip from table(25) to any
01080 deny ip from table(26) to any
01090 deny ip from table(40) to any
01100 deny ip from table(41) to any
01110 deny ip from table(42) to any
01120 deny ip from table(43) to any
01130 deny ip from table(50) to any
01140 deny ip from table(53) to any
01150 deny ip from table(54) to any
01160 deny ip from table(55) to any
01170 deny ip from table(56) to any
01180 deny ip from table(57) to any
01190 deny ip from table(58) to any
01200 deny ip from table(59) to any
01210 deny ip from table(60) to any
01220 deny ip from table(70) to any
01230 deny ip from table(75) to any
01240 deny ip from table(80) to any
01250 deny ip from table(81) to any
01260 deny ip from table(86) to any
# landingpoint if not on the spammerlists
02000 count ip from any to any
------
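The following is an added example, not code from the original post, from the script quoted in it, or from the sshguard project. It puts the two halves of the thread together: an ipfw-table backend for sshguard's "-e <command>" interface, and the ruleset fragment that consumes the table in the layout of the config above (trusted sources skip the table check, everything else is denied if listed). It assumes, as the quoted script does, that sshguard passes the action in SSHG_ACTION and the address (a comma-separated list for block_list) in SSHG_ADDR, and that the host runs an ipfw with named tables (FreeBSD 11+). Everything else is the example's own: the SSHG_FWCMD and SSHG_TABLE overrides, and the functions valid_addr, table_op, handle_action and ruleset. Unlike the quoted script it creates the table on init (idempotently, so a table that survived a firewall reload keeps its entries), rejects anything in SSHG_ADDR that is not shaped like an address before it reaches the ipfw command line, and returns non-zero on failure so sshguard logs it.

```sh
#!/bin/sh
# Added example (not from the original post or the sshguard project):
# ipfw named-table backend for sshguard's "-e <command>" interface.
# Assumed interface: SSHG_ACTION holds the action, SSHG_ADDR the address
# (comma-separated list for block_list). Assumed ipfw: FreeBSD 11+ with
# named tables. fwcmd/table are overridable so the script can be exercised
# with fwcmd=echo (dry run) on any host.

fwcmd="${SSHG_FWCMD:-/sbin/ipfw}"
table="${SSHG_TABLE:-sshguard}"

log_msg() {
    printf 'sshguard-ipfw: %s\n' "$*" >&2
    if command -v logger >/dev/null 2>&1; then
        logger -p local0.notice -t sshguard-ipfw "$*" 2>/dev/null
    fi
    return 0
}

# Lexical check only: the IPv4/IPv6/CIDR alphabet plus at least one
# separator. It keeps shell metacharacters and empty strings off the ipfw
# command line; ipfw itself still rejects an address that is well-shaped
# but invalid.
valid_addr() {
    case "$1" in
        ''|*[!0-9A-Fa-f:./]*) return 1 ;;
        *[.:]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run one "ipfw table NAME add|delete ADDR" per address. Returns 1 if any
# address was rejected or ipfw failed, so sshguard sees it in its log.
table_op() {   # $1 = add|delete, $2 = address or comma-separated list
    op="$1"; rc=0
    oldifs="$IFS"; IFS=','; set -- $2; IFS="$oldifs"
    [ $# -gt 0 ] || { log_msg "no address given for $op"; return 1; }
    for a in "$@"; do
        if valid_addr "$a"; then
            "$fwcmd" table "$table" "$op" "$a" || rc=1
        else
            log_msg "rejecting malformed address '$a'"
            rc=1
        fi
    done
    return "$rc"
}

handle_action() {   # $1 = SSHG_ACTION, $2 = SSHG_ADDR
    case "$1" in
        init)
            # Idempotent: a table that survived a firewall reload keeps its
            # entries; only create it when it is missing.
            "$fwcmd" table "$table" info >/dev/null 2>&1 ||
                "$fwcmd" table "$table" create type addr
            ;;
        block|block_list) table_op add "$2" ;;
        release)          table_op delete "$2" ;;
        # Flush on fin as well: releases only ever come from a running
        # sshguard, so entries left behind at exit would never expire.
        flush|fin)        "$fwcmd" table "$table" flush ;;
        *) log_msg "unsupported action '$1'"; return 1 ;;
    esac
}

# Ruleset fragment in the layout of the config above: count, skip the
# table check for trusted sources, deny listed sources, landing point.
ruleset() {   # $1 = trusted sources (ipfw address list, e.g. "192.0.2.0/24")
    "$fwcmd" add 1000 count ip from any to any
    "$fwcmd" add 1030 skipto 2000 ip from "$1" to any
    "$fwcmd" add 1040 deny ip from "table($table)" to any
    "$fwcmd" add 2000 count ip from any to any
}

# Invoked by sshguard: act on the environment. Without SSHG_ACTION the
# functions are merely defined, so the script can be sourced and tested.
if [ -n "${SSHG_ACTION:-}" ]; then
    handle_action "$SSHG_ACTION" "${SSHG_ADDR:-}"
    exit $?
fi
```

Install it the same way as the quoted script (sysrc sshguard_flags="-e /path/to/script"), load the rules from ruleset with the real trusted list, and check the table with ipfw table sshguard list. A dry run with SSHG_FWCMD=echo SSHG_ACTION=block SSHG_ADDR=192.0.2.7 prints the ipfw command it would have executed.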