From: <81...@2r...> - 2021-03-21 01:20:30
Hello, Jack, list,

Did you install both nftables and sshguard using command line apt install on Debian 10? If so, that could mean the .deb files from Debian 10 automatically install sshguard with nftables as the backend. Debian 9 (I think) tries to keep iptables when it installs nftables, and I'm guessing 9 won't pick up the nftables backend in sshguard config. I might try to download the .deb files from Debian 10 for both onto the Debian 9 server, and then install them with gdebi or dpkg.

Again, many thanks,

Gordon

Mar 16, 2021, 14:49 by cm...@li...:

> Hello
>
> I use nftables + sshguard 2.4.1 on Debian 10
> ________________________________________
> >From: 8187--- via sshguard-users <ssh...@li...>
> >Sent: Tuesday, March 16, 2021 04:53
> >To: Sshguard Users
> >Subject: [SSHGuard-users] Is blacklist permanent? If so move ip addresses to /etc/hosts.deny?
> >
> >How does the blacklist work exactly? From the manpage on Debian 9 I assumed (wrongly?) that sshguard writes to a blacklist file only to reload it on start or restart.
>
> When an IP address is blocked forever, sshguard adds this IP address to the blacklist (/usr/local/etc/blacklist for me) with a unix timestamp *and*
> adds this IP address to the 'table ip sshguard' of nftables. This way, the whole blacklist is reloaded on nftables whenever you restart sshguard.
> Notice that in the example below, the whole /24 subnet is blacklisted, which is my own choice. YMMV
>
> --------8<-- nft list ruleset ---------
> ...
> table ip sshguard {
>     set attackers {
>         type ipv4_addr
>         flags interval
>         elements = { 1.212.145.0/24, 31.210.20.0/24,
>                      31.210.22.0/24, 40.123.248.0/24,
>                      43.246.139.0/24, 45.95.169.0/24,
>                      45.133.1.0/24, 45.141.84.0/24,
>                      46.101.73.0/24, 74.201.28.0/24,
>                      77.108.96.0/24, 81.161.63.0/24 }
> ....
> -----ENDOF ---8<-- nft list ruleset ---------
>
> --
> cmic, retired sysadmin 8-))
>
>
> But from the list archives it appears that on some distros the blacklist file is permanent, and that it aggregates all blacklisted ip addresses without releasing them.
>
> I have this in /etc/default/sshguard:
>
> # See man page sshguard(8) for documentation of the command line options
> ENABLE_FIREWALL=1
>
> # By default all units are monitored in SystemD
> # list of log files to scan delimited by space (Kfreebsd only)
> LOGFILES="/var/log/auth.log"
>
> # Whitelist configuration file
> WHITELIST="/etc/sshguard/whitelist"
>
> # Other options
> ARGS="-a 30 -b 100:/etc/sshguard/blacklist -p 420 -s 3600"
>
> When I'm able to install sshguard from source and set hosts as the backend, I think (but I'm not sure) that it does eventually remove blocked ip addresses. But with a firewall, do blocked ip's remain in the blacklist file?
>
> Thanks!
>
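
One way to check the reload behaviour described in the quoted reply (every blacklist entry should be covered by the nftables `attackers` set after a restart), added here as an example and not part of the thread or of sshguard. It assumes blacklist lines have the form `unix_timestamp|service|address_type|address`, that set elements are single addresses or CIDR prefixes (not ranges), and uses constructed sample data; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, shaped like the `nft list ruleset` excerpt in the thread.
NFT_SAMPLE = """\
table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
        elements = { 1.212.145.0/24, 31.210.20.0/24,
                     45.95.169.0/24 }
    }
}
"""

# Constructed blacklist lines. ASSUMPTION: one entry per line as
# "unix_timestamp|service|address_type|address"; compare with your own file.
BLACKLIST_SAMPLE = """\
1615866780|100|4|1.212.145.77
1615870380|100|4|45.95.169.3
1615873980|100|4|203.0.113.9
"""

def nft_set_networks(ruleset, table="sshguard", set_name="attackers"):
    """Return the networks listed in `elements = { ... }` of the given set."""
    pattern = (r"table\s+ip\s+%s\s*\{.*?set\s+%s\s*\{.*?elements\s*=\s*\{(.*?)\}"
               % (re.escape(table), re.escape(set_name)))
    m = re.search(pattern, ruleset, re.S)
    if not m:
        return []
    return [ipaddress.ip_network(tok.strip(), strict=False)
            for tok in m.group(1).split(",") if tok.strip()]

def blacklist_addresses(text):
    """Yield (timestamp, address) for each well-formed blacklist line."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        yield int(parts[0]), ipaddress.ip_address(parts[3])

def missing_from_set(blacklist_text, ruleset):
    """Blacklisted addresses that no element of the nftables set covers."""
    nets = nft_set_networks(ruleset)
    return [str(addr) for _, addr in blacklist_addresses(blacklist_text)
            if not any(addr in net for net in nets)]

if __name__ == "__main__":
    for addr in missing_from_set(BLACKLIST_SAMPLE, NFT_SAMPLE):
        print("blacklisted but not in nftables set:", addr)
```

On a live host, feed it the output of `nft list ruleset` and the contents of the file given to `-b` instead of the samples.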