From: <li...@la...> - 2016-12-03 20:23:55
I just shut down that PC, but will double check later. However, the security log does show the rule blocking some IP, which I then verified is in the table 22.
Original Message
From: Willem Jan Withagen
Sent: Saturday, December 3, 2016 12:15 PM
To: li...@la...; Petri Riihikallio
Cc: ssh...@li...
Subject: Re: [SSHGuard-users] "should have already been blocked"
On 3-12-2016 21:05, li...@la... wrote:
> I block 22 pretty early in the rc.firewall
> ${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22
>
> A quick check to see if sshguard is working:
> # bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
> security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0
>
> and
>
> # ipfw table 22 list | grep "116.31.116.4"
> 116.31.116.4/32 0
> 116.31.116.41/32 0
> 116.31.116.43/32 0
> 116.31.116.47/32 0
'ipfw show' should tell you if the rule is really working.
Like:
03500 371 22260 deny ip from table(22) to any
If the first numbers are zero, then it does not get hit.
--WjW
>
>
>
> On Sat, 3 Dec 2016 11:38:57 +0200
> Petri Riihikallio <pet...@me...> wrote:
>
>>> Cliff notes version:
>>> -----------------
>>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
>>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
>>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
>>> ----------------
>>
>> Have you run
>> ipfw add 55000 deny ip from 'table(22)' to me
>> It should be in your startup scripts someplace. Without it SSHGuard
>> works, but the collected IPs aren’t used anywhere.
>>
>> This baffled me first when I started using SSHGuard. The FreeBSD port
>> doesn’t add that automatically, because it doesn’t want to mess your
>> firewall setup. The rule number depends on your existing rules.
>>
>
>
>
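The counter check discussed in this thread, as an added example that is not part of the original messages or of SSHGuard: it reads `ipfw show` output and reports whether a deny rule references the SSHGuard table and whether its packet counter is non-zero. The function names, the status words MISSING/IDLE/ACTIVE and the sample rule listing are assumptions made for this example; the sample is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: classify the ipfw deny rule that consumes SSHGuard's table.
# On a live FreeBSD host (assumption): ipfw show | check_table_rule 22

check_table_rule() {
    # $1 = ipfw table number SSHGuard writes to (22 in this thread)
    awk -v tbl="$1" '
        # ipfw show columns: rule-number packets bytes action ...
        $4 == "deny" && index($0, "table(" tbl ")") {
            found = 1
            printf "rule %s: %s packets, %s bytes\n", $1, $2, $3
            if (($2 + 0) > 0) hit = 1
        }
        END {
            # MISSING: addresses are collected in the table but no rule uses it
            if (!found)    { print "MISSING"; exit 2 }
            # IDLE: rule exists but its counters are zero, so it is never hit
            else if (!hit) { print "IDLE"; exit 1 }
            else           { print "ACTIVE" }
        }'
}

sample_ipfw_show() {
    # Constructed sample in `ipfw show` layout, not captured from a real host.
    cat <<'EOF'
00100   12    720 allow ip from any to any via lo0
00550  371  22260 deny log ip from table(22) to any dst-port 22
65535    0      0 deny ip from any to any
EOF
}

# Demo run on the constructed sample
sample_ipfw_show | check_table_rule 22
```

An IDLE result on a host that is visibly under attack usually means an earlier rule is matching the traffic first, so the rule order is the next thing to inspect.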