From: <li...@la...> - 2016-12-03 20:05:56
I block 22 pretty early in the rc.firewall
${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22
A quick check to see if sshguard is working:
# bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0
and
# ipfw table 22 list | grep "116.31.116.4"
116.31.116.4/32 0
116.31.116.41/32 0
116.31.116.43/32 0
116.31.116.47/32 0
On Sat, 3 Dec 2016 11:38:57 +0200
Petri Riihikallio <pet...@me...> wrote:
> > Cliff notes version:
> > -----------------
> > auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
> > auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
> > auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
> > ----------------
>
> Have you run
> ipfw "add 55000 deny ip from table(22) to me"
> It should be in your startup scripts someplace. Without it SSHGuard
> works, but the collected IPs aren’t used anywhere.
>
> This baffled me first when I started using SSHGuard. The FreeBSD port
> doesn’t add that automatically, because it doesn’t want to mess your
> firewall setup. The rule number depends on your existing rules.
>
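A self-contained version of the two checks in the reply above (an added example, not code from the mail): it pulls the source address out of an ipfw "550 Deny" log line and looks it up in `ipfw table 22 list` output with an exact address match, since a plain substring grep for 116.31.116.4 also matches the .41, .43 and .47 entries shown above. The log line and table listing are constructed inline so the script runs offline; on a live host they would come from the bzgrep and ipfw commands in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Cross-check an ipfw deny log line
# against the contents of sshguard's ipfw table 22.

# Constructed log line in the format the kernel writes (address redacted as in the mail).
IPFW_LOG='security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0'

# Constructed `ipfw table 22 list` output. The .41/.43/.47 entries would also
# match a plain substring grep for "116.31.116.4".
TABLE_LIST='116.31.116.4/32 0
116.31.116.41/32 0
116.31.116.43/32 0
116.31.116.47/32 0'

# src_ip_from_log LINE -> prints the source address of an ipfw deny log line.
# The source is the field two after "Deny" (after the protocol); its port is cut off.
src_ip_from_log() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "Deny") { split($(i+2), a, ":"); print a[1]; exit }
    }'
}

# in_table IP TABLE_TEXT -> exit 0 if IP is present as an exact entry (with or
# without a /32 suffix), 1 otherwise. Exact match avoids prefix false positives.
in_table() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        { split($1, a, "/"); if (a[1] == ip) { found = 1; exit } }
        END { exit found ? 0 : 1 }'
}

# check_blocked LOGLINE TABLE_TEXT -> prints "blocked <ip>" or "MISSING <ip>".
# MISSING means the rule fired but the table no longer holds that address.
check_blocked() {
    ip=$(src_ip_from_log "$1")
    if in_table "$ip" "$2"; then
        echo "blocked $ip"
    else
        echo "MISSING $ip"
    fi
}

check_blocked "$IPFW_LOG" "$TABLE_LIST"
```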