From: Alan A. <al...@an...> - 2019-01-01 23:32:29

On 01 Jan 2019, at 06:10, ssh...@li... wrote:

[snip]

> From: Doug Denault <do...@sa...>

[snip]

> The way FreeBSD jails work is that the guest hosts share the kernel with the
> base system. At the process level this is "virtually" invisible to running
> processes. There are some commands that depend on kernel structures that do not
> work. Anyway, the result of this is there can only be one IPFW as that is a
> kernel process. So inetd is the only choice using sshguard. I much prefer
> sshguard to fail2ban, which is far too complex for my taste.

I've some FreeBSD hosts running SSHguard v2.2.0 and note that version can tail arbitrary files. While a jailed SSH+SSHGuard pair may not be able to make modifications to things outside the jail, an SSHGuard process outside the jail should be able to read logs generated by the jailed SSHd. I would expect that to be able to make modifications to the host's (unjailed) PF or IPFW configurations.

> In the older version it may be that all blacklist entries are removed from
> hosts.allow as they normally time out and then a blacklisted IP is added back to
> hosts.allow on its first attempt. If the current system does not do that, I
> think that would be a nice addition. If using BerkeleyDB makes that faster, that
> is both a small footprint tool and, at least in FreeBSD, any server other than a
> stand-alone DNS server is likely to have that as a requirement. From a
> performance standpoint I think anything less than 10-20k entries in a flat file
> can be grep'd. In computer time it's centuries between ssh logins.

If you're using the IPFW or PF backend, maybe having the jail log normally and having an SSHGuard process running outside the jail that looks at the jail's logs may do what you want? The PF version seems quite responsive, and I'd expect the IPFW variant to be similar. I would certainly expect both to be faster for very large lists when compared with TCP wrappers (i.e., libwrap).

Caveat emptor, but I hope that helps.

Keep in mind I likely do not understand the details of your environment because I don't have root there. ;-)

-- 
Alan
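The host-side layout Alan suggests (SSHGuard on the host tailing the jailed sshd's log and blocking through the host's PF), written out as an added example that is not part of the thread. The jail root /usr/jails/web1, the sshguard.conf keys and backend path of a FreeBSD sshguard 2.x package install, and the pf.conf table name are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example: host-side SSHGuard watching a jail's sshd log. The jail
# keeps logging via its own syslogd; only the host needs a firewall backend.
# Assumed paths: jail root /usr/jails/web1, sshguard 2.x package install.

# Path of the jailed sshd's auth log as seen from the host filesystem.
jail_auth_log() {
    printf '%s/var/log/auth.log\n' "$1"
}

# Render /usr/local/etc/sshguard.conf for the host's sshguard process.
# FILES points into the jail; BACKEND is the host's PF helper. Threshold
# and timing values are the sshguard.conf.sample defaults (assumption).
render_host_sshguard_conf() {
    cat <<EOF
BACKEND="/usr/local/libexec/sshg-fw-pf"
FILES="$(jail_auth_log "$1")"
THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800
EOF
}

# pf.conf lines the host needs: the PF backend fills table <sshguard>,
# and a block rule must reference that table or nothing is dropped.
render_pf_rules() {
    cat <<'EOF'
table <sshguard> persist
block in quick proto tcp from <sshguard> to any port 22
EOF
}

# Check to run on the host before enabling the service: if the host's
# sshguard cannot read the jail's log it will simply sit idle, silently.
check_jail_log_readable() {
    [ -r "$(jail_auth_log "$1")" ]
}
```

On the host, `render_host_sshguard_conf /usr/jails/web1 > /usr/local/etc/sshguard.conf` and appending the PF rules to pf.conf is the whole setup; blocked addresses can then be inspected with `pfctl -t sshguard -T show`.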