From: Willem J. W. <wj...@di...> - 2016-12-04 11:30:24
On 4-12-2016 08:11, li...@la... wrote:
> On Sat, 3 Dec 2016 21:14:59 +0100
> Willem Jan Withagen <wj...@di...> wrote:
>
>> On 3-12-2016 21:05, li...@la... wrote:
>>> I block 22 pretty early in the rc.firewall
>>> ${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22
>>>
>>> A quick check to see if sshguard is working:
>>> # bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
>>> security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP
>>> 116.31.116.4:25559 redacted:22 in via vtnet0
>>>
>>> and
>>>
>>> # ipfw table 22 list | grep "116.31.116.4"
>>> 116.31.116.4/32 0
>>> 116.31.116.41/32 0
>>> 116.31.116.43/32 0
>>> 116.31.116.47/32 0
>>
>> 'ipfw show' should tell you if the rule is really working.
>> Like:
>>
>> 03500 371 22260 deny ip from table(22) to any
>>
>> If the first numbers are zero, then it does not get hit.
>>
>> --WjW
>
> I'm not sure I understand your comment, but here is the relevant line
> from ipfw list:
> 00550 deny log ip from table(22) to any dst-port 22
>
> Now I don't block all ports because possibly the hacker is on a
> hosting company with an email server. I suppose I could add blocks for
> the browser, 587, and 143.

The difference was to use 'ipfw show', which gives you a first indication if your firewall is ever being hit. If the counters are 0, then one way or another you would have an error in your firewall.

My firewall got hit 371 times.

--WjW
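As an added example (not from either poster), a small POSIX shell helper that automates the check Willem describes: given the text of `ipfw show`, it lists the rules mentioning `table(22)` whose packet counter is still zero, which is the symptom of a rule that is never matched. The `ipfw show` output below is constructed for the demo, not captured from anyone's machine, and assumes the rule text uses the `table(22)` spelling shown in the thread.

```shell
# Constructed sample of 'ipfw show' output (rule 550 present but never hit).
# Columns: rulenum packets bytes rule-body
SAMPLE_IPFW_SHOW='00100      12     1024 allow ip from any to any via lo0
00550       0        0 deny log ip from table(22) to any dst-port 22
03500     371    22260 deny ip from table(22) to any
65535 1234567 98765432 allow ip from any to any'

# For every rule whose body contains PATTERN, print "rulenum packets bytes".
#   $1 = text of 'ipfw show'   $2 = substring to look for, e.g. 'table(22)'
rule_counters() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        index($0, pat) > 0 { printf "%s %s %s\n", $1, $2, $3 }'
}

# Print the numbers of matching rules whose packet counter is still 0.
# Empty output means every matching rule has seen traffic at least once.
unhit_rules() {
    rule_counters "$1" "$2" | awk '$2 == 0 { print $1 }'
}

# Exit status 0 when all matching rules have been hit, 1 otherwise.
check_rules_hit() {
    [ -z "$(unhit_rules "$1" "$2")" ]
}

# Demo on the constructed sample; on a live box pass "$(ipfw show)" instead.
if check_rules_hit "$SAMPLE_IPFW_SHOW" 'table(22)'; then
    echo "all rules mentioning table(22) have been hit"
else
    echo "rules mentioning table(22) with a zero packet counter:"
    unhit_rules "$SAMPLE_IPFW_SHOW" 'table(22)'
fi
```

Run against real output with `check_rules_hit "$(ipfw show)" 'table(22)'`; a listed rule number means that rule is ordered or written so that the traffic never reaches it.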