From: Kevin B. <kev...@gm...> - 2021-11-19 02:01:29
On 2021/11/19 07:58, Kevin Zheng wrote:
> I'm not very familiar with iptables. How does this happen (that the
> table gets unlinked), and is there a command that sshguard can run to
> double check the iptables setup?

Here are a couple of stanzas of Makefile code (not the full Makefile) that
check to see if you have the SSHGuard chain and a jump rule, and tell you
where to stick it if you haven't, but don't do any manipulation of things
for you. You could probably extract the code to a script, but some of us
still like Make.

Typically, if you have an IPtables setup that hasn't been initialised for
SSHGuard (though we're on SLES boxes, not Ubuntu, as the original poster
was), you would see something akin to:

# make check-and-insert
No IPv4 sshguard chain exists: you should type

  /usr/sbin/iptables -N sshguard

No IPv6 sshguard chain exists: you should type

  /usr/sbin/ip6tables -N sshguard

You need to insert an IPv4 rule here, as follows

  /usr/sbin/iptables -I input_ext 4 \
  -m multiport -p tcp --destination-ports 22 -j sshguard

You need to insert an IPv6 rule here, as follows

  /usr/sbin/ip6tables -I input_ext 8 \
  -m multiport -p tcp --destination-ports 22 -j sshguard
#

where the 4 and 8 are specific to the IPTables environment being
interrogated. You may see other numbers. Similarly, organisations that move
SSH off port 22 might also need to alter the 22 in the snippets. Note also
that the name of the chain being looked for, so as to identify where to
insert the jump, "input_ext", may be different in your IPTables environment,
but the principles encoded above should still be valid.

IPT4=/usr/sbin/iptables
IPT6=/usr/sbin/ip6tables
SSHG_CHAIN=sshguard

check-and-insert: pull-the-chain where-to-stick-it

# Does the sshguard chain exist at all (IPv4, then IPv6)?
# `iptables -L <chain>` exits 1 when the chain is missing.
pull-the-chain:
	@$(IPT4) -L $(SSHG_CHAIN) -n > /dev/null 2>&1 ; \
	if [ 1 -eq $$? ] ; then \
		echo "No IPv4 $(SSHG_CHAIN) chain exists: you should type" ; \
		echo "" ; \
		echo "  /usr/sbin/iptables -N $(SSHG_CHAIN)" ; \
	else \
		echo "An IPv4 $(SSHG_CHAIN) chain already exists" ; \
	fi ; \
	$(IPT6) -L $(SSHG_CHAIN) -n > /dev/null 2>&1 ; \
	if [ 1 -eq $$? ] ; then \
		echo "" ; \
		echo "No IPv6 $(SSHG_CHAIN) chain exists: you should type" ; \
		echo "" ; \
		echo "  /usr/sbin/ip6tables -N $(SSHG_CHAIN)" ; \
	else \
		echo "An IPv6 $(SSHG_CHAIN) chain already exists" ; \
	fi

# Is there a jump into the sshguard chain from input_ext? If not, find the
# first rule matching port 22 so the jump can be inserted ahead of it.
where-to-stick-it:
	@$(IPT4) -L input_ext -n | grep -q "^$(SSHG_CHAIN)" ; \
	if [ 0 -eq $$? ] ; then \
		echo "An IPv4 jump to the $(SSHG_CHAIN) chain rule already exists" ; \
	else \
		$(IPT4) -L input_ext -n --line-numbers | grep -q "dpt:22" ; \
		if [ 0 -eq $$? ] ; then \
			line=`$(IPT4) -L input_ext -n --line-numbers | grep "dpt:22" | head -n 1 | cut -d' ' -f 1` ; \
			echo "" ; \
			echo "You need to insert an IPv4 rule here, as follows" ; \
			echo "" ; \
			echo "  /usr/sbin/iptables -I input_ext $$line \\" ; \
			echo "  -m multiport -p tcp --destination-ports 22 -j $(SSHG_CHAIN)" ; \
			echo "" ; \
		else \
			echo "No IPv4 rule to stick it before exists" ; \
		fi ; \
	fi ; \
	$(IPT6) -L input_ext -n | grep -q "^$(SSHG_CHAIN)" ; \
	if [ 0 -eq $$? ] ; then \
		echo "An IPv6 jump to the $(SSHG_CHAIN) chain rule already exists" ; \
	else \
		$(IPT6) -L input_ext -n --line-numbers | grep -q "dpt:22" ; \
		if [ 0 -eq $$? ] ; then \
			line=`$(IPT6) -L input_ext -n --line-numbers | grep "dpt:22" | head -n 1 | cut -d' ' -f 1` ; \
			echo "" ; \
			echo "You need to insert an IPv6 rule here, as follows" ; \
			echo "" ; \
			echo "  /usr/sbin/ip6tables -I input_ext $$line \\" ; \
			echo "  -m multiport -p tcp --destination-ports 22 -j $(SSHG_CHAIN)" ; \
			echo "" ; \
		else \
			echo "No IPv6 rule to stick it before exists" ; \
		fi ; \
	fi

HTH.

(Usual terms and conditions apply if you choose to use it in any way. No
salesman will call: you will not be contacted for feedback.)

Kevin
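The same two checks (is the sshguard chain there, is there a jump into it from the parent chain, and if not, which rule number to insert the jump before) as a stand-alone POSIX shell script rather than a Makefile. This is an added example and not code from the post above. It parses "iptables -S" output, whose one-rule-per-line form is easier to match exactly than the "-L" listing (no accidental "dpt:22" hits on port 2222), and it takes the listing as an argument so the logic can be exercised on a constructed sample without touching a live firewall. The chain names "input_ext" and "sshguard" and port 22 follow the post; the sample ruleset is constructed, and the "--dport" match is an assumption that the port rule is a plain tcp match rather than a multiport one.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Check an iptables ruleset
# (as printed by `iptables -S`) for the pieces sshguard needs. On a live
# host you would run:
#   check_ruleset "$(iptables -S)" input_ext sshguard 22
# The parent chain, sshguard chain and port are assumptions; adjust them.

# Constructed sample: a host that has the sshguard chain but no jump into
# it yet. Rule N of a chain is the N-th "-A <chain>" line in this output.
SAMPLE_LISTING='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N input_ext
-N sshguard
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p icmp -j ACCEPT
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -j DROP'

# has_chain LISTING CHAIN: succeed if a user-defined chain CHAIN exists.
has_chain() {
    printf '%s\n' "$1" | grep -q -- "^-N $2\$"
}

# has_jump LISTING PARENT CHAIN: succeed if some rule in PARENT has -j CHAIN.
has_jump() {
    printf '%s\n' "$1" | awk -v parent="$2" -v chain="$3" '
        $1 == "-A" && $2 == parent {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i+1) == chain) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# insert_position LISTING PARENT PORT: print the 1-based rule number of the
# first rule in PARENT matching --dport PORT, i.e. where the jump must go so
# it runs before the ACCEPT. Prints nothing and fails if there is none.
insert_position() {
    printf '%s\n' "$1" | awk -v parent="$2" -v port="$3" '
        $1 == "-A" && $2 == parent {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "--dport" && $(i+1) == port) { print n; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# check_ruleset LISTING PARENT CHAIN PORT: report what is missing and the
# exact command that would fix it; return 0 only when nothing is missing.
check_ruleset() {
    listing=$1; parent=$2; chain=$3; port=$4; ok=0
    if has_chain "$listing" "$chain"; then
        echo "chain $chain exists"
    else
        echo "no $chain chain: run  iptables -N $chain"
        ok=1
    fi
    if has_jump "$listing" "$parent" "$chain"; then
        echo "jump from $parent to $chain exists"
    else
        ok=1
        if pos=$(insert_position "$listing" "$parent" "$port"); then
            echo "insert the jump before the port-$port rule (rule $pos):"
            echo "  iptables -I $parent $pos -p tcp --dport $port -j $chain"
        else
            echo "no port-$port rule in $parent to insert before; check the parent chain name"
        fi
    fi
    return $ok
}

check_ruleset "$SAMPLE_LISTING" input_ext sshguard 22 || echo "ruleset incomplete (status $?)"
```

On the sample the script reports that the chain exists, that no jump exists, and that the jump belongs at rule 3 of input_ext. For the IPv6 side run the same functions over "ip6tables -S" output. If your port rule uses "-m multiport --dports", extend the awk match in insert_position accordingly, and keep in mind that the rule number printed is only valid until the next change to that chain, which is why a check like this should be re-run rather than its output cached.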