From: Kevin B. <kev...@gm...> - 2022-01-10 08:05:08
On 2022/01/06 23:30, Christopher Engelhard wrote:
> On 06.01.22 06:18, Kevin Buckley wrote:
>
>> though my experience with the IPTables backend suggests that I should
>> read the above as saying that
>>
>> You need to create the two ipsets in the default zone
>>
>> but, is that the case, or does SSHGuard do /some things/everything/
>> for you in firewalld-land, as long as you use the default (as in zone
>> in effect when SSHGuard starts) zone ?
>
> For both firewalld and nft backends SSHGuard should take care of setting
> up the rules.
>
> For firewalld it does so in the default zone, so if you're not using
> that you might need to change that, otherwise things should Just Work(TM).
>
> Christopher

I note the (TM), Christopher !

Having started a 2.4.2 instance up, and watched the slow crawl through the
ingest of an existing blacklist, I have seen a new IP address blocked
forever, as well as seeing a few addresses blocked temporarily and then
unblocked, but have since seen that there was something amiss with the
ipset, right from the start:

Jan 10 11:03:41 ln01 sshguard[66617]: blacklist: blocking 28793 addresses
Jan 10 11:03:44 ln01 firewalld[48409]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
Jan 10 11:03:44 ln01 firewalld[48409]: WARNING: sshguard6: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
Jan 10 11:03:45 ln01 firewalld[48409]: WARNING: INVALID_IPSET: sshguard6
Jan 10 11:03:45 ln01 firewalld[48409]: WARNING: INVALID_IPSET: sshguard4
Jan 10 11:03:45 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
Jan 10 11:03:46 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
Jan 10 11:03:46 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
...

where I think those ERRORs, close to the startup, are coming from each
attempt to ingest an address from the blacklist.

Looking at the ipset itself shows:

# firewall-cmd --permanent --info-ipset=sshguard4
sshguard4
  type: hash:net
  options: family=inet
  entries:

Perhaps because this is my first time with SSHGuard using firewalld, I was
expecting to have seen some entries there, given the standard SSHGuard
activity I had been seeing in the systemctl status outputs, but have seen
nothing as yet.

This suggests to me that, despite what the logs say, nothing has actually
been blocked?

Kevin
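One way to turn the two checks in this message into a repeatable test, as an added example that is not part of the thread or of the SSHGuard project: it parses constructed copies of the firewalld journal lines and the firewall-cmd ipset summary quoted above and reports whether the sshguard ipset is actually enforcing anything. It assumes a POSIX shell with grep and awk; on a real host the samples would be replaced by `journalctl -u firewalld -b` and `firewall-cmd --info-ipset=sshguard4` output.

```shell
#!/bin/sh
# Added example, not SSHGuard or firewalld code. Decides from firewalld journal
# lines and a 'firewall-cmd --info-ipset' summary whether the sshguard ipset
# is really in force. The SAMPLE_* inputs are constructed to mirror the message.

# Count firewalld lines reporting an ipset failure (INVALID_TYPE / INVALID_IPSET).
ipset_failure_count() {
    printf '%s\n' "$1" | grep -Ec 'firewalld\[[0-9]+\]: (WARNING|ERROR): .*INVALID_(TYPE|IPSET)' || true
}

# Number of addresses on the 'entries:' line of an --info-ipset summary.
ipset_entry_count() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*entries:/ { n = NF - 1 } END { print n + 0 }'
}

# Verdict: ENFORCING (exit 0) only if firewalld accepted the set and it holds entries.
sshguard_ipset_status() {
    failures=$(ipset_failure_count "$1")
    entries=$(ipset_entry_count "$2")
    if [ "$failures" -gt 0 ] || [ "$entries" -eq 0 ]; then
        echo "NOT_ENFORCING: firewalld ipset failures=$failures entries=$entries"
        return 1
    fi
    echo "ENFORCING: entries=$entries"
}

SAMPLE_JOURNAL=$(cat <<'EOF'
Jan 10 11:03:41 ln01 sshguard[66617]: blacklist: blocking 28793 addresses
Jan 10 11:03:44 ln01 firewalld[48409]: WARNING: sshguard4: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
Jan 10 11:03:44 ln01 firewalld[48409]: WARNING: sshguard6: INVALID_TYPE: 'hash:net' is not supported by ipset., ignoring for run-time.
Jan 10 11:03:45 ln01 firewalld[48409]: WARNING: INVALID_IPSET: sshguard6
Jan 10 11:03:45 ln01 firewalld[48409]: WARNING: INVALID_IPSET: sshguard4
Jan 10 11:03:45 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
Jan 10 11:03:46 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
Jan 10 11:03:46 ln01 firewalld[48409]: ERROR: INVALID_IPSET: sshguard4
EOF
)

# Summary as printed by firewall-cmd; on a live host run it WITHOUT --permanent,
# since only the runtime set is what actually filters traffic.
SAMPLE_INFO=$(cat <<'EOF'
sshguard4
  type: hash:net
  options: family=inet
  entries:
EOF
)
sshguard_ipset_status "$SAMPLE_JOURNAL" "$SAMPLE_INFO" || echo "blacklist is not being enforced"
```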