From: jungle B. <jun...@gm...> - 2016-12-09 17:24:28
On 8 December 2016 at 16:18, Daniel Aleksandersen <co...@da...> wrote:
> On Thu, Dec 8, 2016, at 19:12, jungle Boogie wrote:
>> Hi All,
>>
>> First, I don't know how to determine the version of sshguard I'm
>> currently running, but I compiled it from master on the 5th. So it's a
>> version from around that time.
>
> You're running an experimental build from the master branch that hasn't
> been released. So there is no version number to refer to other than the
> latest git commit hash of the master branch when you built it. December
> 5th? Then your version is master/ff69989.

Gotcha. Thanks for the info.

>
>> It looks like this latest version now includes a config file:
>> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.conf.sample?at=master&fileviewer=file-view-default
>>
>> and a service file:
>> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.service?at=master&fileviewer=file-view-default
>
> You should set your configuration in the config file instead of in the
> service file. I've removed the switches from the example service file to
> encourage people to use the configuration file instead. (Making changes
> to the service file shouldn't be necessary for anyone but distribution
> package maintainers.)
> https://bitbucket.org/sshguard/sshguard/pull-requests/17

Okay, I modified the file /etc/systemd/system/sshguard.service:

[Service]
ExecStartPre=-/sbin/iptables -N sshguard
ExecStart=/usr/local/sbin/sshguard
Restart=always

>
>> I have the service running and it's using that file:
>> 1324 ? Ss 0:00 /bin/sh /usr/local/sbin/sshguard -w
>> /etc/sshguard.whitelist -l /var/log/auth.log -b
>> 60:/var/db/sshguard/blacklist.db
>> 1325 ? S 0:00 /bin/sh /usr/local/sbin/sshguard -w
>> /etc/sshguard.whitelist -l /var/log/auth.log -b
>> 60:/var/db/sshguard/blacklist.db
>>
>> (don't quite know why I have two running instances)
>
> How did you start it? And under which distro?

sudo service sshguard start:
1902 ? Ss 0:00 /bin/sh /usr/local/sbin/sshguard
1903 ? S 0:00 /bin/sh /usr/local/sbin/sshguard

>
>> However, it's not actively blocking traffic and the /var/db/sshguard
>> directory doesn't exist.
>
> That would be because the -l option doesn't exist. At least, I've never
> seen it before and I can't find it anywhere but in the example service
> file. You should add the log files you want to monitor to the FILES
> option in the configuration file. Move the other options there too, it
> should be easier to maintain that way.

/usr/local/etc/sshguard.conf contains these:

BACKEND="/sbin/iptables"
BLACKLIST_FILE=/var/lib/sshguard/enemies
BLACKLIST_THRESHOLD=30
FILES="/var/log/auth.log"

running 3.10.102-2-pine64-longsleep
This is on a pine64 SoC:
https://www.pine64.org/?product=pine-a64-board-2gb

>
>> iptables:
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -N sshguard
>> -A INPUT -p tcp -m tcp --dport 22 -j sshguard
>>
>>
>> Any suggestions on what I should do to have sshguard read the
>> /var/log/auth.log and start blocking?
>
> I do believe the issue is that SSHGuard isn't monitoring any log files
> because of the aforementioned configuration issue.

Now knowing the service file is set up correctly, what else should I review to determine why sshguard is not blocking?

> --
> Daniel Aleksandersen
> https://www.slightfuture.com/
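A shell sanity check, added here and not part of the thread or of the sshguard project, for a configuration of the shape pasted above: it sources the file and reports an empty FILES, an unreadable log, a missing blacklist directory, or a non-executable BACKEND. The function name is mine, and it assumes sshguard does not create the blacklist directory on its own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the sshguard project.
# Sanity-checks an sshguard.conf of the form shown in the thread
# (BACKEND, BLACKLIST_FILE, FILES) for the problems discussed there:
# nothing listed in FILES, a log file that cannot be read, a blacklist
# directory that does not exist, a backend that is not executable.
# Returns 0 when everything checks out and 1 otherwise, printing each finding.

check_sshguard_conf() (
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; exit 1; }

    # sshguard.conf is shell syntax (KEY=value), so let sh parse it.
    # The function body is a subshell (parentheses), so sourcing the file
    # cannot leak into the caller; clear the keys first so nothing inherited
    # from the environment is mistaken for a setting.
    unset FILES BLACKLIST_FILE BACKEND
    . "$conf"
    rc=0

    # Without FILES sshguard has no log to watch and never blocks anything
    # (this is what the -l flag in the old service file was standing in for).
    if [ -z "$FILES" ]; then
        echo "FILES is empty: no log file to monitor"; rc=1
    else
        for f in $FILES; do
            [ -r "$f" ] || { echo "FILES entry not readable: $f"; rc=1; }
        done
    fi

    # Assumption: sshguard does not create the blacklist directory itself
    # (compare the missing /var/db/sshguard in the thread), so it must exist.
    if [ -n "$BLACKLIST_FILE" ]; then
        dir=$(dirname "$BLACKLIST_FILE")
        [ -d "$dir" ] || { echo "blacklist directory missing: $dir"; rc=1; }
    fi

    # No executable backend means no firewall rules can ever be added.
    if [ -z "$BACKEND" ]; then
        echo "BACKEND is not set"; rc=1
    elif [ ! -x "$BACKEND" ]; then
        echo "BACKEND is not executable: $BACKEND"; rc=1
    fi
    exit "$rc"
)

# Usage: sh check_sshguard.sh /usr/local/etc/sshguard.conf
if [ $# -gt 0 ]; then
    check_sshguard_conf "$1"
fi
```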