From: <gi1...@gm...> - 2020-02-12 21:37:25
On Sat, Feb 08, 2020 at 08:25:24AM -0800, Kevin Zheng wrote:
>>>> 1) changing the blacklist chain to 'hook prerouting' instead of 'hook
>>>> input', with a higher priority than that of chain PREROUTING, i.e.
>>>> block the traffic before it even reaches the NAT chain. This should
>>>> make sshguard block both container- and host-destined traffic.
>> Kev, could you implement/default that in the next update/grade of
>> SSHGuard? Have a good weekend y'all!
>
> I don't have a machine that I can test that on. Is somebody impacted
> by this willing to submit a patch that a few on the list can test?

It worked perfectly for me, and I can test it if you include it in the official code. The changes I made to get it working are at the bottom of this message. You can use it as a patch by changing the diff filenames of course.

Best,
Gautam

--- /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets 2019-02-11 22:11:23.000000000 -0500
+++ /etc/sshguard/sshg-fw-nft-sets-local 2019-10-31 22:10:03.475621324 -0400
@@ -24,8 +24,8 @@
 run_nft "add table" "" 4
 run_nft "add table" "" 6
- run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 4
- run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 6
+ run_nft "add chain" "${NFT_CHAIN}"' { type filter hook prerouting priority -200 ; }' 4
+ run_nft "add chain" "${NFT_CHAIN}"' { type filter hook prerouting priority -200 ; }' 6
 # Create sets
 run_nft "add set" "${NFT_SET} { type ipv4_addr; flags interval; }" 4

--
TWELVE REASONS WHY GOD NEVER RECEIVED TENURE
12. His office hours were infrequent and usually held on a mountaintop.
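Review bot: the two `+` lines hard-code `priority -200` for both the IPv4 and IPv6 chains without a comment saying why that value was chosen. The quoted thread states the actual requirement, namely that the blacklist chain on `hook prerouting` must sort ahead of the NAT prerouting chain so blocked sources are dropped before the traffic reaches the NAT chain and gets forwarded to a container; a one-line comment above `run_nft "add chain"` recording that constraint would stop a later reader from "tidying" the number back toward the old `-10` and silently reopening the container bypass. The `---`/`+++` headers also compare the installed `/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets` against a local copy, `/etc/sshguard/sshg-fw-nft-sets-local`, so as posted the hunk will not apply to the repository's source file until the paths are rewritten, as the author already notes; a patch taken against the source tree would let the list test it directly. One further thing worth confirming in the submission: the rules that SSHGuard later adds to `${NFT_CHAIN}` are unchanged here, so the change only moves where the chain is hooked, and the note that host-destined traffic is still covered (it passes through prerouting before input) should be part of the commit message.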