From: <li...@la...> - 2016-05-07 02:56:28
Old ipfw line:
${fwcmd} add 550 deny log all from 'table(22)' to any
Suggested line from current documentation:
# ipfw add 5000 reset ip from table\(22\) to me
-------------------------------------------------------------
I noticed the updated sshguard made it to /usr/ports, so I compiled the
code there and did a reinstall so it would be more like a typical user
installation.
--------------------------------------------------------
This is the error message when starting sshguard:
# service sshguard restart
Stopping sshguard.
Starting sshguard.
#
# ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
-----------------------------------------------------------------
The standard daemon file doesn't include dovecot. I added the dovecot
log, but I don't see it mentioned in the auth.log. Also should I delete
the old block list?
May 7 02:53:13 theranch sshguard[21444]: Exiting on signal
May 7 02:53:13 theranch sshguard[23159]: blacklist: blocking 1644 addresses
May 7 02:53:16 theranch sshguard[23159]: Monitoring attacks from log files
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/auth.log.
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/maillog.
May 7 02:53:16 theranch sshguard[23159]: blacklist: 217.199.161.135 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 217.199.161.135: blocking forever (3 attacks in 0 secs, after 1 abuses over
0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 185.103.109.70 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 185.103.109.70: blocking forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 155.133.82.69 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: blocking forever (3 attacks in 0 secs, after 1 abuses over 0
secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
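An added example (not part of this message or of sshguard itself) that reconciles sshguard's "blocking" decisions with the "fw: failed to block" results in a syslog excerpt like the one above, so the addresses the firewall backend rejected, or that kept showing up after a block, can be checked by hand against the ipfw table. The sample lines are constructed from the excerpt above plus one made-up address (10.0.0.9) whose block succeeds.

```python
import re

# Constructed sample: lines copied from the sshguard syslog excerpt above, plus
# one made-up address (10.0.0.9) whose block succeeds, for contrast.
SAMPLE_LOG = """\
May 7 02:53:16 theranch sshguard[23159]: blacklist: 217.199.161.135 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 217.199.161.135: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 155.133.82.69 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 10.0.0.9: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
"""

MSG_RE = re.compile(r"sshguard\[\d+\]: (?P<msg>.*)$")
BLOCK_RE = re.compile(r"^(?P<ip>[0-9.]+): blocking (?:forever|for \d+ secs)")
FAILED_RE = re.compile(r"^fw: failed to block \(-?\d+\)")
AFTER_RE = re.compile(r"^(?P<ip>[0-9.]+): should already have been blocked")


def audit(log_text):
    """Map each address sshguard tried to block to its firewall outcome.
    A 'fw: failed to block' line is attributed to the preceding 'blocking'
    line, since sshguard logs the backend result right after the decision.
    'seen_after_block' counts attacks logged from an address after its block;
    it should stay at 0 when the firewall entry is really in place."""
    result, last_ip = {}, None
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        b = BLOCK_RE.match(msg)
        if b:
            last_ip = b.group("ip")
            result.setdefault(last_ip, {"fw_result": "ok", "seen_after_block": 0})
        elif FAILED_RE.match(msg) and last_ip:
            result[last_ip]["fw_result"] = "failed"
            last_ip = None
        else:
            a = AFTER_RE.match(msg)
            if a and a.group("ip") in result:
                result[a.group("ip")]["seen_after_block"] += 1
    return result


def needs_attention(log_text):
    """Addresses worth verifying by hand against 'ipfw table 22 list'."""
    return sorted(ip for ip, r in audit(log_text).items()
                  if r["fw_result"] == "failed" or r["seen_after_block"])
```

Feed it the real /var/log/auth.log after a restart to see which of the "blocking forever" entries the ipfw backend actually rejected.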
-----------------------------------------
My recollection is it was suggested to change the regex in the daemon a
bit. Is this still valid?
-----------------------------------------------
The daemon file /usr/local/etc/rc.d/sshguard (well, truncated a bit) follows.
#!/bin/sh
#
# Add the following lines to /etc/rc.conf to enable sshguard:
# sshguard_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable sshguard
# sshguard_pidfile (str): Path to PID file.
# Set to "/var/run/sshguard.pid" by default
# sshguard_watch_logs (str): Colon-separated list of logs to watch.
# Set to "/var/log/auth.log:/var/log/maillog"
# by default.
# The following options map directly to their command line options,
# please read manual page sshguard(8) for detailed information:
# sshguard_blacklist (str): [thr:]/path/to/blacklist.
# Set to "30:/var/db/sshguard/blacklist.db"
# by default.
# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default.
# sshguard_release_interval (int):
# Minimum interval an address remains
# blocked. Set to "120" by default.
# sshguard_reset_interval (int):
# Interval before a suspected attack is
# forgotten and danger is reset to 0.
# Set to "1800" by default.
# sshguard_whitelistfile (str): Path to the whitelist.
# Set to "/usr/local/etc/sshguard.whitelist"
# by default.
# sshguard_flags (str): Set additional command line arguments.
#
. /etc/rc.subr
name=sshguard
rcvar=sshguard_enable
load_rc_config sshguard
: ${sshguard_enable:=NO}
: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
: ${sshguard_danger_thresh=30}
: ${sshguard_release_interval=120}
: ${sshguard_reset_interval=1800}
: ${sshguard_whitelistfile="/usr/local/etc/sshguard.whitelist"}
: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
command=/usr/sbin/daemon
actual_command="/usr/local/sbin/sshguard"
procname="${actual_command}"
start_precmd=sshguard_prestart
command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
sshguard_prestart()
{
	# Clear rc_flags so sshguard_flags can be passed to sshguard
	# instead of daemon(8)
	rc_flags=""
	if [ ! -z ${sshguard_blacklist} ]; then
		# Make sure the directory holding the blacklist file exists
		mkdir -p $(dirname ${sshguard_blacklist##*:})
		sshguard_blacklist_params="-b ${sshguard_blacklist}"
	fi
	[ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
	# Turn "a:b:c" into "-l a -l b -l c" for the command line
	sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
}
run_rc_command "$1"