From: Willem J. W. <wj...@di...> - 2015-08-22 11:23:23
On 22-8-2015 06:53, li...@la... wrote:
> I think I understand how the rule-number works. Doing the ipfw list, unless a number is specified, all the denies are at the end. That is where my new rule is at the moment.
That will work.
BUT why not much sooner, like right after rule 500?
The sooner the better.
It kills the icmp to those hosts, but then they are bad-guys.
And by putting the rule on 2450, you will allow traffic from your host
to set up a connection to a bad host. I would not want that either.
By denying before any check-state, keep-state or established rule, a connection
will never be able to work.
That is why I have them very early in my list.
--WjW
> How about if I made the new rule be number 2450?
>
> # ipfw list
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from any to ::1
> 00500 deny ip from ::1 to any
> 00600 allow ipv6-icmp from :: to ff02::/16
> 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
> 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
> 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
> 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
> 01100 check-state
> 01200 allow tcp from me to any established
> 01300 allow tcp from me to any setup keep-state
> 01400 allow udp from me to any keep-state
> 01500 allow icmp from me to any keep-state
> 01600 allow ipv6-icmp from me to any keep-state
> 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
> 01800 allow udp from any 67 to me dst-port 68 in
> 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
> 02000 allow udp from fe80::/10 to me dst-port 546 in
> 02100 allow icmp from any to any icmptypes 8
> 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
> 02300 allow icmp from any to any icmptypes 3,4,11
> 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
> 02500 allow tcp from any to me dst-port 22
> 02600 allow tcp from any to me dst-port 25
> 02700 allow tcp from any to me dst-port 80
> 02800 allow tcp from any to me dst-port 143
> 02900 allow tcp from any to me dst-port 443
> 03000 allow tcp from any to me dst-port 465
> 03100 allow tcp from any to me dst-port 500
> 03200 allow tcp from any to me dst-port 993
> 03300 allow tcp from any to me dst-port 4500
> 03400 allow tcp from any to me dst-port 110 in setup
> 03500 allow tcp from any to me dst-port 995 in setup
> 03600 allow tcp from any to me dst-port 25 in setup
> 03700 allow tcp from me to any dst-port 25 out setup
> 03800 allow tcp from any to me dst-port 465 in setup
> 03900 allow tcp from any to me dst-port 143 in setup
> 04000 allow tcp from any to me dst-port 993 in setup
> 65000 count ip from any to any
> 65100 allow log udp from any to any dst-port 500 keep-state
> 65200 allow log udp from any 500 to any keep-state
> 65300 allow log udp from any to any dst-port 4500 keep-state
> 65400 allow log udp from any 4500 to any keep-state
> 65500 deny log ip from table(22) to any
> 65500 deny { tcp or udp } from any to any dst-port 135-139,445 in
> 65500 deny { tcp or udp } from any to any dst-port 1026,1027 in
> 65500 deny { tcp or udp } from any to any dst-port 1433,1434 in
> 65500 deny ip from any to 255.255.255.255
> 65500 deny ip from any to 224.0.0.0/24 in
> 65500 deny udp from any to any dst-port 520 in
> 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
> 65500 deny log logamount 500 ip from any to any
> 65535 deny ip from any to any
>
>
>
> Original Message
> From: Willem Jan Withagen
> Sent: Friday, August 21, 2015 2:57 AM
> To: ssh...@li...
> Reply To: ssh...@li...
> Subject: Re: [Sshguard-users] Is sshguard working?
>
> On 21-8-2015 10:11, li...@la... wrote:
>> I cut the table down a bit and I also logged some of the blocking notices. It looks like the offending IPs do enter the table, but the blocking is not occurring, probably due to the "reset" line not being parsed.
>>
>> I'm assuming table(22) is linked to port 22, hence ssh.
>
> Hi,
>
> It is actually my suggestion long, long ago.
> And indeed it suggests the reasons why an IP got blocked.
> and indeed 22 = ssh, is ssh-bad-guys.
>
> if you type 'ipfw list' you should see your reset somewhere.
> But if you just type:
> ${fwcmd} add deny log all from "table(22)" to any
> on the commandline, the rule gets added at the END of the FW-rules.
> And there it does not do anything....
>
> You need to select a sensible place in the order of the rules, and
> insert it at the right place by going:
> ${fwcmd} add <RULENR> deny log all from "table(22)" to any
>
> If you do that in the /etc/rc.firewall file, then sequencing gets done
> automagically.
>
> --WjW
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
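The ordering argument in the reply above (ipfw is first-match, so a deny that sits after check-state and after the stateless "allow tcp from any to me dst-port 22" never sees the attacker's packets) can be checked mechanically against "ipfw list" output. The script below is an added example and is not code from the thread, sshguard or FreeBSD's rc.firewall. It reads a listing on stdin, reports whether the table(22) deny precedes the first stateful rule, and prints an insert command; the sample listing is a constructed, shortened version of the one posted above, and the choice of placing the deny 50 below the first stateful rule is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check where the sshguard deny rule for
# table(22) sits in `ipfw list` output. ipfw is first-match, so the deny only
# does anything if it comes before check-state and before the stateless
# allows (e.g. "allow tcp from any to me dst-port 22") that an attacker's
# packets would otherwise hit. Reads a listing on stdin; SAMPLE_LISTING is a
# constructed, shortened version of the listing posted in the thread.

SAMPLE_LISTING='00100 allow ip from any to any via lo0
01100 check-state
01300 allow tcp from me to any setup keep-state
02500 allow tcp from any to me dst-port 22
65500 deny log ip from table(22) to any
65535 deny ip from any to any'

# rule_number REGEX: number of the first rule whose line matches REGEX
# (leading zeros stripped); prints nothing if no rule matches.
rule_number() {
    awk -v pat="$1" '$0 ~ pat { print $1 + 0; exit }'
}

# check_order: read a listing on stdin. Return 0 if the table(22) deny precedes
# the first stateful rule (check-state / keep-state / established), 1 if it is
# shadowed by earlier rules, 2 if there is no table(22) deny at all.
check_order() {
    listing=$(cat)
    deny=$(printf '%s\n' "$listing" | rule_number 'deny .*table[(]22[)]')
    stateful=$(printf '%s\n' "$listing" | rule_number 'check-state|keep-state|established')
    if [ -z "$deny" ]; then
        echo "no deny rule for table(22): sshguard's blocks have no effect" >&2
        return 2
    fi
    if [ -z "$stateful" ] || [ "$deny" -lt "$stateful" ]; then
        echo "ok: table(22) deny is rule $deny, ahead of the first stateful rule (${stateful:-none})"
        return 0
    fi
    # Show the first non-loopback allow that is evaluated before the deny.
    shadow=$(printf '%s\n' "$listing" |
        awk -v d="$deny" '$2 == "allow" && $1 + 0 < d + 0 && $0 !~ /via lo0/ { print; exit }')
    echo "BAD: table(22) deny is rule $deny, first stateful rule is $stateful" >&2
    echo "     first non-loopback allow ahead of it: $shadow" >&2
    return 1
}

# suggested_rule: read a listing on stdin and print an ipfw command that puts
# the deny 50 below the first stateful rule, after checking that number is free.
# The "50 below" choice is an assumption; pick whatever fits your rc.firewall.
suggested_rule() {
    listing=$(cat)
    stateful=$(printf '%s\n' "$listing" | rule_number 'check-state|keep-state|established')
    [ -n "$stateful" ] || return 1
    n=$((stateful - 50))
    used=$(printf '%s\n' "$listing" | awk -v n="$n" '$1 + 0 == n + 0 { print; exit }')
    [ -z "$used" ] || return 1
    # The quotes around table(22) keep the shell from parsing the parentheses.
    printf 'ipfw add %d deny log ip from "table(22)" to any\n' "$n"
}

# Stand-alone demo on the constructed listing; on a real host: ipfw list | check_order
printf '%s\n' "$SAMPLE_LISTING" | check_order || true
printf '%s\n' "$SAMPLE_LISTING" | suggested_rule
```

On the posted listing the check fails: the deny is rule 65500 while check-state is 1100 and the SSH allow is 2500, so an SSH probe from a table(22) address is accepted long before the deny is reached. Moving the deny to 1050 (before check-state and before the "from me ... keep-state" rules) is what makes it block both the attacker's inbound connections and your own host's outbound connections to that address, which is the behaviour the reply above argues for.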