From: <81...@2r...> - 2021-03-22 23:54:29
Jack,

Good, thank you for letting me know. I am also very new to nftables, but I like it so far. It has some things that remind me of the packet filter firewall in BSD distros (pf, pfsense, etc.).

My next step is to get a Debian 10 VPS, and try to install sshguard from source, and see if I can set the BACKEND correctly as you did. Compiling sshguard on Debian 9 did not work for me, so instead of patching that, let me see if Debian 10 compiles.

Kevin, if it compiles on Debian 10 and the backend sets, I'm in good shape. As I mentioned, nftables on Debian 9 may not have enough users to patch that tarball for nftables.

Gordon

>> Hello, Jack, list,
>>
>> Did you install both nftables and sshguard using command line apt install on Debian 10? If so, that could mean the .deb files from Debian 10 automatically install sshguard with nftables as the backend.
>>
>>> When buster (Debian 10.0) was first installed (upgrading from Debian 9), I had the surprise to discover nftables. By the way, the old version of sshguard didn't work anymore.
>>> So I downloaded and compiled sshguard-2.4.1, installed the correct linked files for nftables, learned nftables with their wiki, etc.
>>> Now everything works OK.
>>> Hope it helps...
>>> regards
>>> --
>>> Michel (aka cmic , aka Jack Keradec...)
>>>
>> Debian 9 (I think) tries to keep iptables when it installs nftables, and I'm guessing 9 won't pick up the nftables backend in sshguard config. I might try to download the .deb files from Debian 10 for both onto the Debian 9 server, and then install them with gdebi or dpkg.
>>
>> Again, many thanks,
>>
>> Gordon
>>
>> Mar 16, 2021, 14:49 by cm...@li...:
>>
>>> Hello
>>>
>>> I use nftables + sshguard 2.4.1 on Debian 10
>>> ________________________________________
>>> >From: 8187--- via sshguard-users <ssh...@li...>
>>> >Sent: Tuesday, 16 March 2021 04:53
>>> >To: Sshguard Users
>>> >Subject: [SSHGuard-users] Is blacklist permanent? If so move ip addresses to /etc/hosts.deny?
>>>
>>> >How does the blacklist work exactly? From the manpage on Debian 9 I assumed (wrongly?) that sshguard writes to a blacklist file only to
>>> >reload it on start or restart.
>>>
>>> When an IP address is blocked forever, sshguard adds this IP address to the blacklist (/usr/local/etc/blacklist for me) with a unix timestamp *and*
>>> adds this IP address to the 'table ip sshguard' of nftables. This way, the whole blacklist is reloaded on nftables whenever you restart sshguard.
>>> Notice that in the example below, the whole /24 subnet is blacklisted, which is my own choice. YMMV
>>>
>>> --------8<-- nft list ruleset ---------
>>> ...
>>> table ip sshguard {
>>>     set attackers {
>>>         type ipv4_addr
>>>         flags interval
>>>         elements = { 1.212.145.0/24, 31.210.20.0/24,
>>>                      31.210.22.0/24, 40.123.248.0/24,
>>>                      43.246.139.0/24, 45.95.169.0/24,
>>>                      45.133.1.0/24, 45.141.84.0/24,
>>>                      46.101.73.0/24, 74.201.28.0/24,
>>>                      77.108.96.0/24, 81.161.63.0/24 }
>>> ....
>>> -----ENDOF ---8<-- nft list ruleset ---------
>>>
>>> --
>>> cmic, retired sysadmin 8-))
>>>
>>> But from the list archives it appears that on some distros the blacklist file is permanent, and that it aggregates all blacklisted ip addresses without releasing them.
>>>
>>> I have this in /etc/default/sshguard:
>>>
>>> # See man page sshguard(8) for documentation of the command line options
>>> ENABLE_FIREWALL=1
>>>
>>> # By default all units are monitored in SystemD
>>> # list of log files to scan delimited by space (Kfreebsd only)
>>> LOGFILES="/var/log/auth.log"
>>>
>>> # Whitelist configuration file
>>> WHITELIST="/etc/sshguard/whitelist"
>>>
>>> # Other options
>>> ARGS="-a 30 -b 100:/etc/sshguard/blacklist -p 420 -s 3600"
>>>
>>> When I'm able to install sshguard from source and set hosts as the backend, I think (but I'm not sure) that it does eventually remove blocked ip addresses. But with a firewall, do blocked IPs remain in the blacklist file?
>>>
>>> Thanks!
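
One way to audit how old the entries in the blacklist file discussed in this thread have become, as an added example that is not part of any poster's message or of sshguard itself. It assumes each line has the form `timestamp|service|addrtype|address`; the function names, the 180-day threshold and the sample addresses (documentation ranges) are constructed for illustration, and the /24 grouping mirrors the choice described in the quoted reply.

```python
import ipaddress

# Constructed sample. The "timestamp|service|addrtype|address" layout is an
# assumption about the sshguard 2.x blacklist file, not taken from the thread.
SAMPLE = """\
1615900000|100|4|192.0.2.10
1615903600|100|4|192.0.2.77
1583020800|100|4|198.51.100.5
1615907200|100|6|2001:db8::1
not a blacklist line
"""

def parse_blacklist(text):
    """Return (entries, rejected): entries are (unix_ts, ip), rejected are line numbers."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        try:
            if len(fields) != 4:
                raise ValueError("expected 4 fields")
            entries.append((int(fields[0]), ipaddress.ip_address(fields[3])))
        except ValueError:
            # Malformed timestamp or address: report it instead of guessing.
            rejected.append(lineno)
    return entries, rejected

def stale_networks(entries, now, max_age_days=180, v4_prefix=24, v6_prefix=64):
    """Group entries by network; return networks whose newest entry is too old."""
    newest = {}
    for ts, addr in entries:
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        newest[net] = max(ts, newest.get(net, 0))
    cutoff = now - max_age_days * 86400
    # Sort by string form because IPv4 and IPv6 networks do not compare.
    return sorted(str(net) for net, ts in newest.items() if ts < cutoff)

if __name__ == "__main__":
    parsed, bad = parse_blacklist(SAMPLE)
    # 1616371200 is 2021-03-22 00:00:00 UTC, used as a fixed "now".
    print("review for removal:", stale_networks(parsed, now=1616371200))
    print("unparseable lines:", bad)
```

The networks it reports are candidates for manual review; the blacklist file and the nftables set are left untouched.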