From: <li...@la...> - 2017-12-27 09:53:08

On Wed, 27 Dec 2017 06:16:21 +0100 Daniel Aleksandersen <co...@da...> wrote:

> On Wed, Dec 27, 2017, at 04:36, li...@la... wrote:
> > I'm running Centos 7.3 using Firewalld. Is this error really an
> > error? Also any help to see what IP is being blocked would help.
>
> TL;DR: Commands included at the bottom.
>
> > Dec 27 02:04:05 centos-1gb-sfo1-01 sshd[3829]: error: maximum
> > authentication attempts exceeded for root from 197.251.5.165 port
> > 42280 ssh2 [preauth]
> > Dec 27 02:04:05 centos-1gb-sfo1-01 sshd[3829]:
> > Disconnecting: Too many authentication failures [preauth]
>
> The above messages are from OpenSSH and are processed by SSHGuard.
> That appears to be working as SSHGuard logs a warning about having
> detected a login attempt:
>
> > Dec 27 02:04:05 centos-1gb-sfo1-01 sshguard[2934]: Attack from
> > "197.251.5.165" on service 100 with danger 10.
>
> The attacking source 197.251.5.165 now has a dangerousness score of
> 10. SSHGuard doesn’t block an IP until it reaches 30, by the default
> configuration. 197.251.5.165 would need to attack you two more times
> within the configured detection time before it would be blocked. See
> the sshguard.conf file, especially the THRESHOLD, BLOCK_TIME, and
> DETECTION_TIME in particular.
>
> > Perhaps useful info:
> > firewall-cmd --list-icmp-blocks
> > returns nothing.
>
> ICMP blocks have nothing to do with SSHGuard.
>
> > I used this as a guide:
> > https://www.ctrl.blog/entry/how-to-sshguard-firewalld
>
> Full disclosure: I’m the author.
>
> > Unfortunately Centos does not use firewallctl but rather
> > firewall-cmd, so the commands don't translate.
>
> firewallctl was added to FirewallD in version 0.4.3 released more
> than 18 months ago, and there have been many releases of FirewallD
> since then. You must be using an even older version of FirewallD. You
> should keep the version of FirewallD (and other software) you’re
> using up to date. Software on CentOS is often years out of date. :(
>
> Please note that the most recent version of SSHGuard still uses
> firewall-cmd internally for backwards compatibility. firewallctl is
> equivalent to firewall-cmd, but the former is believed to be better for
> end-users as the syntax is simpler and more similar to that of other
> tools on CentOS/Fedora/RHEL.
>
> > Here is the suggested command to see what IP has been blocked:
>
> The following commands are equivalent for firewall-cmd:
>
> firewall-cmd --ipset=sshguard4 --get-entries [--permanent]
> firewall-cmd --ipset=sshguard6 --get-entries [--permanent]
>
> I hope this helps! :-) Let us know if you have any further questions.
>
> PS: What resources other than my blog post did you use when learning
> about SSHGuard? Did you read the man page? or the configuration file?
> SSHGuard website? Have a look in your browser’s history if possible.
> I’m curious about this as we can use such information to help improve
> documentation.

Regarding firewalld:

firewalld-0.4.4.4-6.el7.noarch

So I am one update beyond 0.4.3.

I don't think I found a centos page for sshguard plus firewalld, but I figured fedora should be very close. I'm familiar with compiling code, loading dependencies, using wget, etc. I do that on my own computers, but was hoping not to do that on a server since you'd rather just use repositories. But even if I never compiled a program in my life, the instructions were very detailed and I would have no problem following them. (wget isn't stock either, but I assume the reader would figure that out.) The page is much appreciated.

About the only thing I haven't done is made sshguard a service since I want to see what it blocks. On a VPS with no root password, you really need ssh to work. I'm paranoid to the point that I do full image backups and then boot from that backup to verify both that it is bootable and ssh works. I keep two images. Cloud storage is really cheap.

Regarding centos being old, they were on postfix2 (2.6 I think). I loaded ghetto forge to get postfix3, which I have been running on my freeBSD server. Anyway, I have updated the centos repos, well such as they are.

firewall-cmd --ipset=sshguard4 --get-entries --permanent

returns a blank line.

I run the old version of sshguard on freeBSD, and it nails hackers night and day, so maybe the limits have changed. But my question was regarding the line being declared an error. But looking at my older sshguard on a freeBSD server, that also declared an error.

I found no blacklisted IP addresses. I grepped out the blocking of my worst offender on the Centos server:

egrep -e 88.99.96.49/32 junk
Dec 26 20:17:53 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 120 secs (3 attacks in 103 secs, after 1 abuses over 103 secs.)
Dec 26 20:22:05 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 240 secs (3 attacks in 100 secs, after 2 abuses over 355 secs.)
Dec 26 20:29:06 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 480 secs (3 attacks in 112 secs, after 3 abuses over 776 secs.)
Dec 26 20:38:27 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 960 secs (3 attacks in 48 secs, after 4 abuses over 1337 secs.)
Dec 26 20:56:13 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 1920 secs (3 attacks in 57 secs, after 5 abuses over 2403 secs.)
Dec 26 21:29:39 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 3840 secs (3 attacks in 60 secs, after 6 abuses over 4409 secs.)
Dec 26 22:35:30 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 7680 secs (3 attacks in 63 secs, after 7 abuses over 8360 secs.)

Using a key rather than a password, it is highly unlikely any of these fools will get ssh access, so I'm OK with the geometric blocking time increases rather than a blacklist. IP comes back to hetzner.de. Oh I'm so shocked. ;-)

I will probably do a geographic block in the firewall to cut out countries where I'm not located. That works great for email ports, just don't block 25.
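The scoring Daniel describes in the quoted reply (each detected attack adds its danger to a per-source score, a block happens once the score reaches THRESHOLD, and the block length doubles with each repeat as the "Blocking" lines above show) can be checked against a log rather than eyeballed. The following Python is an added example, not code from the thread or from SSHGuard: it parses the "Blocking" lines and verifies the doubling, and it carries a toy model of the threshold logic. The danger value 10, THRESHOLD 30 and the 120-second starting BLOCK_TIME come from the messages quoted above; the DETECTION_TIME of 1800 seconds and the score reset after a block are assumptions of the model, and the sample lines are constructed in the shape of the ones in the thread.

```python
"""Added example: read SSHGuard "Blocking" log lines and model its scoring.

Not SSHGuard's own code. The model follows the explanation quoted in the
thread (danger 10 per attack, block at THRESHOLD 30, block time doubling
from 120 secs); DETECTION_TIME=1800 and the score reset are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample lines, shaped like the thread's own log excerpt.
SAMPLE_LOG = """\
Dec 26 20:17:53 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 120 secs (3 attacks in 103 secs, after 1 abuses over 103 secs.)
Dec 26 20:22:05 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 240 secs (3 attacks in 100 secs, after 2 abuses over 355 secs.)
Dec 26 20:29:06 centos-1gb-sfo1-01 sshguard[2934]: Blocking "88.99.96.49/32" for 480 secs (3 attacks in 112 secs, after 3 abuses over 776 secs.)
Dec 26 20:38:27 centos-1gb-sfo1-01 sshd[3829]: error: maximum authentication attempts exceeded for root from 197.251.5.165 port 42280 ssh2 [preauth]
"""

# Matches only SSHGuard's own "Blocking" message, not the sshd lines.
BLOCK_RE = re.compile(
    r'sshguard\[\d+\]: Blocking "(?P<addr>[^"]+)" for (?P<secs>\d+) secs '
    r'\((?P<attacks>\d+) attacks in \d+ secs, after (?P<abuses>\d+) abuses over \d+ secs\.\)'
)


@dataclass
class BlockEvent:
    addr: str      # blocked address or prefix, e.g. "88.99.96.49/32"
    secs: int      # length of this block
    attacks: int   # attacks that triggered it
    abuses: int    # how many times this source has been blocked so far


def parse_blocking_lines(text):
    """Return a BlockEvent for every SSHGuard "Blocking" line in text."""
    events = []
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append(BlockEvent(m["addr"], int(m["secs"]),
                                     int(m["attacks"]), int(m["abuses"])))
    return events


def block_times_double(events):
    """True if each successive block of the same address lasts twice as long."""
    last = {}
    for ev in events:
        prev = last.get(ev.addr)
        if prev is not None and ev.secs != 2 * prev:
            return False
        last[ev.addr] = ev.secs
    return True


def simulate_score(attack_times, danger=10, threshold=30,
                   detection_time=1800, block_time=120):
    """Toy model of the scoring: return [(time, block_seconds), ...].

    attack_times are sorted seconds at which one source was seen attacking.
    Attacks older than detection_time are forgotten; when the remaining
    attacks' danger reaches threshold the source is blocked, the score is
    reset (assumption) and the next block will be twice as long.
    """
    blocks = []
    window = []
    abuses = 0
    for t in attack_times:
        window = [w for w in window if t - w <= detection_time]
        window.append(t)
        if len(window) * danger >= threshold:
            abuses += 1
            blocks.append((t, block_time * 2 ** (abuses - 1)))
            window = []
    return blocks


if __name__ == "__main__":
    evs = parse_blocking_lines(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev.addr}: blocked {ev.secs}s after abuse #{ev.abuses}")
    print("doubling holds:", block_times_double(evs))
    print("model:", simulate_score([0, 30, 60, 100, 130, 160]))
```

Run it against a real journal with `journalctl -u sshguard | python3 this_script.py`-style piping replaced by reading stdin, or simply substitute the contents of SAMPLE_LOG; the regex ignores sshd's own lines, so a mixed grep like the one in the message is fine as input.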