From: Doug D. <do...@sa...> - 2018-12-31 01:01:04
I've configured sshguard correctly to use inetd. On host 2 it blocks 50k+ attempts/day. Configuration is straightforward enough. What I am trying to say, apparently not very well, is the IPs blacklisted are never removed from /etc/hosts.allow. In the older version of sshguard blacklisted IPs do not appear in the hosts.allow file. Out of the 3,000 or so IPs in hosts.allow all but 500-600 are duplicated in the blacklist file. Can a configuration error cause this behavior? I kinda assumed this was a bug, so my question was really, if I prune the hosts.allow file will the blacklist entries be honored. The answer to that is, I take from your email, yes. Maybe I have not properly turned on blacklisting.

AFAIK FreeBSD jails are not sandboxes. E.g., a process can not ascertain if it is running in a jail or natively.

My config file:

__________________sshguard.conf__________________
#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/local/libexec/sshg-fw-hosts"
#BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/auth.log /var/log/maillog"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

# Size of IPv6 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
#IPV6_SUBNET=128

# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
#IPV4_SUBNET=32

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
#PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db

On Sun, 30 Dec 2018, Kevin Zheng wrote:

> Hi Doug,
>
> I noticed that you're running two different versions of SSHGuard.
>
> In 1.5, the port you install determines how SSHGuard blocks attacks. In
> 2.1, you need to specify the backend you use by yourself.
>
> SSHGuard uses blacklist.db to keep track of hosts it has blacklisted,
> because with firewalls like pf and ipfw, SSHGuard removes all of its
> blocks (including those that it has blacklisted) when it exits. While
> it's running, everything in blacklist.db should also be in hosts.allow.
>
> When SSHGuard exits, hosts.allow should be cleared. blacklist.db tells
> SSHGuard what addresses to add back once it starts again.
>
> So, they're not redundant. Is that what you're asking?
>
> Regards,
> Kevin
>
> On 12/30/18 2:39 PM, Doug Denault wrote:
>> I am using sshguard with inet with FreeBSD jails. Having multiple
>> [virtual] servers with differing blocking requirements this is really
>> the only option. It appears to me that with the switch from BerkeleyDB to
>> a flat file that the blacklist is implemented by using the
>> /etc/hosts.allow entries.
>>
>> Whether I am correct or not here is what happens on two systems:
>>
>> host 1: sshguard-1.5_2
>> blacklist: 7,151 entries
>> hosts.allow: 30 lines; max of 270 IPs (9/line) with very little
>> overlap
>>
>> host 2: sshguard-2.1.0_1
>> blacklist: 3,251 lines
>> hosts.allow: 338 lines; max of 3,042 entries
>>
>> first line in hosts.allow:
>> ALL : 218.92.1.141 121.22.80.117 118.25.63.24 219.234.88.119 167.114.235.137 \
>>       185.143.223.191 61.184.247.8 115.238.245.4 : DENY
>>
>> This entire line is in /var/db/sshguard/:
>>
>> 1544124029|100|4|218.92.1.141      December 6, 2018 7:20:29 PM
>> 1544126972|100|4|121.22.80.117     December 6, 2018 8:09:32 PM
>> 1544128387|100|4|118.25.63.24          |
>> 1544130000|100|4|219.234.88.119        V
>> 1544135312|100|4|167.114.235.137
>> 1544135835|100|4|185.143.223.191
>> 1544136112|100|4|61.184.247.8
>> 1544137146|100|4|115.238.245.4     December 6, 2018 10:59:06
>>
>> Taking a random entry, say line 2,800 from blacklist:
>> 1545136493|100|4|51.38.186.48      December 18, 2018 12:34:53 PM
>> 1545136864|100|4|182.162.96.184
>> 1545136941|100|4|212.88.123.198
>>
>> All three are in hosts.allow
>>
>> So is /var/db/sshguard/blacklist.db redundant or can hosts.allow be
>> pruned? This is the better answer to me. Also as blacklist.db is a flat
>> file I assume the epoch time is the time of the blacklisting and not the
>> last reference.
>>
>> _____
>> Douglas Denault
>> http://www.safeport.com
>> do...@sa...
>> Voice: 301-217-9220
>> Fax: 301-217-9277
>>
>> _______________________________________________
>> sshguard-users mailing list
>> ssh...@li...
>> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
> --
> Kevin Zheng
> kev...@gm... | ke...@be... | PGP: 0xC22E1090

_____
Douglas Denault
http://www.safeport.com
do...@sa...
Voice: 301-217-9220
Fax: 301-217-9277
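An added example, not code from the thread or from SSHGuard itself: a Python check for the consistency Kevin describes (everything in blacklist.db should also be in hosts.allow while sshguard runs), parsing the two file layouts Doug quotes (blacklist.db as epoch|score|addrkind|address, hosts.allow as backslash-continued "ALL : <addrs> : DENY" rules). The sample data is constructed from addresses quoted in the thread, and the blacklist epoch is decoded as the time of blacklisting.

```python
from datetime import datetime, timezone
# Constructed samples, built only from addresses quoted in the thread.
BLACKLIST_DB = """\
1544124029|100|4|218.92.1.141
1544126972|100|4|121.22.80.117
1545136493|100|4|51.38.186.48
"""
HOSTS_ALLOW = """\
ALL : 218.92.1.141 121.22.80.117 118.25.63.24 \\
      51.38.186.48 : DENY
sshd : 10.0.0.0/8 : ALLOW
"""

def parse_blacklist(text):
    # blacklist.db: epoch|score|addrkind|address; epoch = time of blacklisting
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        epoch, score, kind, addr = line.split("|", 3)
        entries[addr] = (datetime.fromtimestamp(int(epoch), tz=timezone.utc),
                         int(score), int(kind))
    return entries

def parse_hosts_allow_denies(text):
    # Join backslash-continued lines first (the layout shown in the thread),
    # then collect the address field of every 'ALL : <addrs> : DENY' rule.
    logical, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    denied = set()
    for line in logical:
        # partition/rpartition leave any colons inside the address field intact
        daemon, _, rest = line.partition(":")
        addrs, _, action = rest.rpartition(":")
        if daemon.strip() == "ALL" and action.strip().upper() == "DENY":
            denied.update(addrs.split())
    return denied

def compare(blacklist_text, hosts_text):
    # Returns (blacklisted but missing from hosts.allow, denied but not
    # blacklisted): the first should be empty while sshguard runs; the second
    # are temporary blocks that expire or disappear when sshguard exits.
    bl = set(parse_blacklist(blacklist_text))
    denied = parse_hosts_allow_denies(hosts_text)
    return sorted(bl - denied), sorted(denied - bl)
```

Run against the real /var/db/sshguard/blacklist.db and /etc/hosts.allow, a non-empty first list is the case Doug was worried about: a blacklisted address that would not be re-blocked after pruning.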