From: Daniel A. <co...@da...> - 2017-08-02 12:45:02
On Wed, 2017-08-02 at 09:37 +0200, Ingmar wrote:
> Hey guys,
>
> First message to the mailing list ;).
>
> I've successfully set up sshguard 2.0 on archlinux. I had firewalld
> running and was manually blocking IPs I found repeatedly trying to
> get into ssh. This list had around 1000 IPs in it. As you might
> imagine I was getting really tired of the manual maintenance.
>
> When I was looking into sshguard, the documents page made no mention
> of firewalld support, so I uninstalled it and cleared my iptables
> setup to let sshguard handle it.
>
> Just now, I read there is firewalld support in version 2.0, so my
> question is, can I switch back to firewalld? How do I need to set up
> sshguard.conf to use firewalld instead?

I wrote this tutorial for using SSHGuard with the FirewallD backend. It says "Fedora" on the tin, but that really just refers to a systemd + firewalld environment. It should work for you on Arch as well.

https://ctrl.blog/entry/how-to-sshguard-firewalld

Please let me know if you have any questions or comments, and I can update the tutorial to answer them.

> Another thing I don't quite get is when I see sshguard blocking
> someone, I see this line:
> Aug 02 09:11:38 hostname sshguard[848]: Blocking "84.137.66.201"
> for 960 secs (3 attacks in 140 secs, after 4 abuses over 1624 secs.).
> I also see a corresponding line with iptables --list, but I don't see
> this being saved to /etc/iptables/iptables.rules file. How is
> sshguard saving its blocks?
>
> When I reboot the server or restart services, it won't retain
> whatever sshguard has blocked so far, so how does this work?

SSHGuard doesn't store blocks permanently by design. Whenever an attacker is detected in the configured time window, it will be blocked for a certain block time. The block time is doubled on subsequent attacks from the same IP address.
Restarting SSHGuard resets every block. This prevents your block rules from getting out of hand. (Most attacks don't persist from the same source for more than a couple of days at the most.)

You can actually change this behaviour to a permanent block. Copy the firewalld backend (it's just a shell script that talks with firewalld) and no-op the release and flush functions. Then add --permanent flags to all the calls to firewalld and reload the firewall afterwards. Have a look at the script, and you should be able to work it out in five minutes.

> Last but not least, I see some sshguard blocks being resolved to
> hostnames in iptables --list. How can I prevent it from doing that?
> I want it to block IPs, because there are dynamic DNS entries in
> there and others are just DSL/home internet lines that constantly
> change anyway. Besides that, it also takes time to try and do reverse
> lookups all the time, especially if they can't be resolved and wait
> for timeouts so I rather have sshguard just use IP addresses.

This shouldn't be a problem with a smaller blocklist. A local DNS cache such as dnsmasq would also all but eliminate this problem. Again, you can modify the backend script and resolve to IP addresses before injecting the rules into firewalld. I'm somewhat surprised that you're seeing hostnames, actually. Please retest.

> Thanks for this tool! Hopefully someone can help me here.

I hope this helps! Let us know if you run into any problems!

--
Daniel Aleksandersen
SSHGuard contributor
https://daniel.priv.no
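A permanent-block backend of the kind described in the reply above, written here as an added example rather than the sshguard project's own script: it assumes the backend is driven through fw_init/fw_block/fw_release/fw_flush/fw_fin and "block ADDR FAMILY PREFIXLEN" lines, names SSHG_FW_CMD as a hypothetical dry-run override, and instead of reloading the firewall after every block it adds each entry to both the runtime and the permanent ipset so a reboot keeps it.

```shell
#!/bin/sh
# Added example (not the sshguard project's own backend): a permanent-block
# variant of a firewalld backend. Assumed interface: fw_init, fw_block,
# fw_release, fw_flush, fw_fin, and "block ADDR FAMILY PREFIXLEN" style lines.
# SSHG_FW_CMD is a hypothetical override so the script can be dry-run
# (SSHG_FW_CMD=echo) without touching a real firewall.

fwcmd() { "${SSHG_FW_CMD:-firewall-cmd}" "$@"; }

fw_init() {
    # One ipset per address family, plus a rich rule dropping its members.
    # --permanent writes to /etc/firewalld; the reload activates it.
    for fam in 4 6; do
        if [ "$fam" = 4 ]; then inet=inet; else inet=inet6; fi
        fwcmd -q --permanent --new-ipset="sshguard$fam" \
              --type=hash:net --option=family="$inet"
        fwcmd -q --permanent \
              --add-rich-rule="rule source ipset=sshguard$fam drop"
    done
    fwcmd -q --reload
}

# $1 = address, $2 = family (4 or 6), $3 = prefix length
fw_block() {
    # Add to the runtime set (effective immediately) and to the permanent
    # config (survives reboots and reloads), so no per-block --reload is needed.
    fwcmd -q --ipset="sshguard$2" --add-entry="$1/$3"
    fwcmd -q --permanent --ipset="sshguard$2" --add-entry="$1/$3"
}

# Deliberate no-ops: a block is never released, and restarts never flush.
fw_release() { :; }
fw_flush() { :; }
fw_fin() { :; }

# Parse one command line from sshguard and dispatch it; unknown verbs fail.
fw_dispatch() {
    set -- $1
    case "$1" in
        block)   fw_block "$2" "$3" "$4" ;;
        release) fw_release "$2" "$3" "$4" ;;
        flush)   fw_flush ;;
        *)       return 1 ;;
    esac
}
```

Run it with SSHG_FW_CMD=echo to see the firewall-cmd invocations without changing anything. With release no-op'ed, the permanent set only grows, so plan on pruning it by hand now and then.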