From: <li...@la...> - 2016-12-04 07:12:08
On Sat, 3 Dec 2016 21:14:59 +0100
Willem Jan Withagen <wj...@di...> wrote:
> On 3-12-2016 21:05, li...@la... wrote:
> > I block 22 pretty early in the rc.firewall
> > ${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22
> >
> > A quick check to see if sshguard is working:
> > # bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
> > security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0
> >
> > and
> >
> > # ipfw table 22 list | grep "116.31.116.4"
> > 116.31.116.4/32 0
> > 116.31.116.41/32 0
> > 116.31.116.43/32 0
> > 116.31.116.47/32 0
>
> 'ipfw show' should tell you if the rule is really working.
> Like:
>
> 03500 371 22260 deny ip from table(22) to any
>
> If the first numbers are zero, then it does not get hit.
>
> --WjW
I'm not sure I understand your comment, but here is the relevant line
from ipfw list:
00550 deny log ip from table(22) to any dst-port 22
Now I don't block all ports because possibly the hacker is on a
hosting company with an email server. I suppose I could add blocks for
the browser, 587, and 143.
>
>
> >
> >
> >
> > On Sat, 3 Dec 2016 11:38:57 +0200
> > Petri Riihikallio <pet...@me...> wrote:
> >
> >>> Cliff notes version:
> >>> -----------------
> >>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
> >>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
> >>> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
> >>> ----------------
> >>
> >> Have you run
> >> ipfw "add 55000 deny ip from table(22) to me"
> >> It should be in your startup scripts someplace. Without it SSHGuard
> >> works, but the collected IPs aren’t used anywhere.
> >>
> >> This baffled me first when I started using SSHGuard. The FreeBSD
> >> port doesn’t add that automatically, because it doesn’t want to
> >> mess your firewall setup. The rule number depends on your existing
> >> rules.
> >
> >
> > _______________________________________________
> > sshguard-users mailing list
> > ssh...@li...
> > https://lists.sourceforge.net/lists/listinfo/sshguard-users
> >
>
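
The two checks discussed in this thread (whether any deny rule references table 22 at all, and whether its `ipfw show` counters are non-zero), as an added example that is not part of the original messages. The function name `check_table_rule`, its exit codes and the sample `ipfw show` output are constructed for illustration.

```sh
#!/bin/sh
# check_table_rule TABLE: reads `ipfw show` output on stdin and reports the
# deny rules that reference table(TABLE). Hypothetical helper, exit status:
#   0 = a deny rule on the table has a non-zero packet counter
#   1 = deny rule(s) exist, but every packet counter is zero (never hit)
#   2 = no deny rule references the table (collected IPs are unused)
check_table_rule() {
    awk -v tbl="table($1)" '
        # ipfw show columns: rule number, packets, bytes, then the rule body
        $4 == "deny" && index($0, tbl) {
            found = 1
            note = ($2 + 0 > 0) ? "" : " (never hit)"
            if ($2 + 0 > 0) hit = 1
            printf "rule %s: %s packets, %s bytes%s\n", $1, $2, $3, note
        }
        END { exit (!found ? 2 : (hit ? 0 : 1)) }
    '
}

# Constructed sample inputs in `ipfw show` format (not real host output).
sample_hit='00100 0 0 allow ip from any to any via lo0
00550 371 22260 deny log ip from table(22) to any dst-port 22
65535 9000 812345 deny ip from any to any'

sample_idle='00550 0 0 deny log ip from table(22) to any dst-port 22
65535 9000 812345 deny ip from any to any'

sample_missing='00100 0 0 allow ip from any to any via lo0
65535 9000 812345 deny ip from any to any'

# Demo over the constructed samples.
# On a live host the equivalent is: ipfw show | check_table_rule 22
for s in "$sample_hit" "$sample_idle" "$sample_missing"; do
    if printf '%s\n' "$s" | check_table_rule 22; then
        echo "status=0 (table is enforced and being hit)"
    else
        echo "status=$? (1 = rule never hit, 2 = no rule uses the table)"
    fi
done
```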