From: Willem J. W. <wj...@di...> - 2015-08-21 09:57:39
On 21-8-2015 10:11, li...@la... wrote:
> I cut the table down a bit and I also logged some of the blocking notices. It looks like the offending IPs do enter the table, but the blocking is not occurring, probably due to the "reset" line not being parsed.
>
> I'm assuming table(22) is linked to port 22, hence ssh.
Hi,
It is actually my suggestion long, long ago.
And indeed it suggests the reasons why an IP got blocked.
And indeed 22 = ssh, is ssh-bad-guys.
If you type 'ipfw list' you should see your reset somewhere.
But if you just type:
    ${fwcmd} add deny log all from "table(22)" to any
on the command line, the rule gets added at the END of the FW-rules.
And there it does not do anything....
You need to select a sensible place in the order of the rules, and
insert it at the right place by going:
    ${fwcmd} add <RULENR> deny log all from "table(22)" to any
If you do that in the /etc/rc.firewall file, then sequencing gets done
automagically.
--WjW
> # ipfw table 22 list
>
>
> Aug 21 07:08:05 theranch sshguard[808]: blacklist: added 93.174.93.63
> Aug 21 07:08:05 theranch sshguard[808]: Blocking 93.174.93.63:4 for >0secs: 40 danger in 4 attacks over 1 seconds (all: 40d in 1 abuses
>
> Aug 21 04:19:02 theranch sshguard[808]: blacklist: 218.65.30.61 is already blacklisted
> Aug 21 04:19:02 theranch sshguard[808]: Blocking 218.65.30.61:4 for >0secs: 40 danger in 3 attacks over 1 seconds (all: 40d in 1 abuses over 1s).
> Aug 21 04:19:02 theranch sshguard[808]: Blocking command failed. Exited: -1
>
> Aug 21 02:11:16 theranch sshguard[808]: blacklist: 182.100.67.113 is already blacklisted
> Aug 21 02:11:16 theranch sshguard[808]: Blocking 182.100.67.113:4 for >0secs: 40 danger in 3 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
> Aug 21 02:11:16 theranch sshguard[808]: Blocking command failed. Exited: -1
>
> Original Message
> From: SASAKI Katuhiro
> Sent: Thursday, August 20, 2015 8:39 PM
> To: ssh...@li...
> Reply To: ssh...@li...
> Subject: Re: [Sshguard-users] Is sshguard working?
>
> How is next command?
> % sudo ipfw table 22 list
>
> On my FreeBSD 10.1, it looks fine.
>
> On Thu, 20 Aug 2015 19:19:39 -0700
> li...@la... wrote:
>
>> Yeah, I had the $ in the actual file, it just didn't make it to the email. ( I've noticed failing to match curly brackets locks up my VPS, but that is another story.)
>>
>> So basically I had entered what you suggested. Who creates this table?
>>
> Tables are automatically created. And we can use there.
>>From my /etc/rc.ipfw script.
>> ...
>> # Allow "mandatory" ICMP/ICMP6 in.
>> ${fwcmd} add pass icmp from any to any icmptypes 3,4,11 keep-state
>> if [ $ipv6_available -eq 0 ]; then
>> ${fwcmd} add pass ipv6-icmp from any to any icmp6type 3 keep-state
>> fi
>>
>> # New sshguard uses table.
>> ${fwcmd} add deny log all from "table(22)" to any
>>
>> # Allow packets for which a state has been built.
>> ${fwcmd} add check-state
>> ...
> These rules work fine.
>
>
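
Added example (not part of the original message, and not sshguard or ipfw project code): a small sh/awk check for the rule-ordering problem described in the reply above. It reads `ipfw list` output on stdin and reports whether the deny rule for table(22) sits before check-state and before allow rules that can accept port 22; the matching is a heuristic, and the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ipfw list` output on stdin; $1 = table number (default 22).
# Exit status: 0 = table deny rule precedes every rule that can accept ssh,
#              1 = no deny rule for the table, 2 = deny rule comes too late.
check_table_rule_order() {
    awk -v tbl="${1:-22}" '
    # Listing format: <rulenr> <action> [log ...] <proto> from <src> to <dst> ...
    $2 == "deny" && index($0, "from table(" tbl ")") {
        if (deny == "") deny = $1 + 0
        next
    }
    # check-state accepts packets of flows already admitted by keep-state rules.
    # Heuristic: also count allow rules naming port 22 or a bare "any to any".
    $2 == "check-state" ||
    ($2 == "allow" && ($0 ~ /[ ,]22([ ,]|$)/ || $0 ~ /ip from any to any$/)) {
        if (pass == "") { pass = $1 + 0; why = $0 }
    }
    END {
        if (deny == "") { print "no deny rule for table(" tbl ")"; exit 1 }
        if (pass != "" && pass < deny) { print "rule " deny " is after: " why; exit 2 }
        print "rule " deny " precedes check-state and the ssh allow rules"
    }'
}

# Constructed listing: rule added without a number, so it landed at the end.
sample_appended() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00300 check-state
00400 allow tcp from any to me dst-port 22 setup keep-state
65000 deny log ip from table(22) to any
65535 deny ip from any to any
EOF
}

# Constructed listing: same rule inserted with an explicit rule number.
sample_numbered() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00250 deny log ip from table(22) to any
00300 check-state
00400 allow tcp from any to me dst-port 22 setup keep-state
65535 deny ip from any to any
EOF
}

sample_appended | check_table_rule_order 22 || :   # late rule, status 2
sample_numbered | check_table_rule_order 22        # correctly placed, status 0
```

On a live host the same function can be fed with `ipfw list | check_table_rule_order 22`.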