From: <li...@la...> - 2016-06-26 14:31:25

Are these really events that you want to trigger a block? I see the "from unknown" message from time to time and haven't investigated it to see if it is associated with bad intent. What I would want to block are the password guessers. The thing with sshguard is it only has one blocking table. At the moment, I only block port 22 no matter what event triggered it. So how would you set up your firewall implementation of the block list? Would you block the IP address totally? Or just 22 and all mail ports?

Postfix has a throttling feature to slow down traffic that is repeatedly coming from one IP. I had set up a script to trigger it just to see if it works. This keeps the password guessers from flooding the server, but there is no blocking.

The thing with email is you don't want false positives. If you just block an IP address from a port, the sender doesn't get a message from the email server notifying that the email was rejected. They should eventually get a notice that the email didn't go through. People get cranky when email doesn't go through. It isn't like ssh, where only a small number of IP addresses should have access.

Original Message
From: Gerard Seibert
Sent: Sunday, June 26, 2016 4:29 AM
To: ssh...@li...
Reply To: ssh...@li...
Subject: [SSHGuard-users] Blocking IP with Postfix

> Normally, sshguard works perfectly with Postfix. It detects new IPs and blocks them as appropriate. However, there is one that it never blocks. This is the Postfix log entry (one of many) that relates to this IP.
>
> Jun 26 06:37:20 scorpio postfix/smtpd[98953]: warning: hostname 50-246-67-11-static.hfc.comcastbusiness.net does not resolve to address 50.246.67.11: hostname nor servname provided, or not known
> Jun 26 06:37:20 scorpio postfix/smtpd[98953]: connect from unknown[50.246.67.11]
> Jun 26 06:37:21 scorpio postfix/smtpd[98953]: disconnect from unknown[50.246.67.11] ehlo=1 quit=1 commands=2
>
> Why is this particular IP not being added to the database and then blocked?
>
> I am running FreeBSD-11 / amd64 with Postfix: version 3.2-20160612 and sshguard 1.6.4
>
> Is there a way to manually add the IP to the sshguard database?
>
> Thank you. :)
>
> --
> Carmel
From: Gerard S. <car...@ou...> - 2016-06-26 11:29:10

Normally, sshguard works perfectly with Postfix. It detects new IPs and blocks them as appropriate. However, there is one that it never blocks. This is the Postfix log entry (one of many) that relates to this IP.

Jun 26 06:37:20 scorpio postfix/smtpd[98953]: warning: hostname 50-246-67-11-static.hfc.comcastbusiness.net does not resolve to address 50.246.67.11: hostname nor servname provided, or not known
Jun 26 06:37:20 scorpio postfix/smtpd[98953]: connect from unknown[50.246.67.11]
Jun 26 06:37:21 scorpio postfix/smtpd[98953]: disconnect from unknown[50.246.67.11] ehlo=1 quit=1 commands=2

Why is this particular IP not being added to the database and then blocked?

I am running FreeBSD-11 / amd64 with Postfix: version 3.2-20160612 and sshguard 1.6.4

Is there a way to manually add the IP to the sshguard database?

Thank you. :)

--
Carmel
From: Henri S. <hen...@gm...> - 2016-06-13 07:41:34

> SSHGuard currently ships as one executable. In considering some redesigns.

This is an interesting idea! It could work really well.

On the flip side, the advantage as you have already mentioned regarding the current developer controlled and maintained binary is that the people who maintain this know what is going on and perhaps more importantly it is trivially simple for end users to install and upgrade.

I am all for flexibility. However, end user simplicity is also something to consider.

My 2ç

--------------------------------------------------------------------
InstallPKG, an open source installation system.
Install multiple apple .pkg and .mpkg files via the command line : http://www.henri.shustak.org/tools/installpkg
From: Kevin Z. <kev...@gm...> - 2016-06-13 05:53:48
|
Hi all,
SSHGuard currently ships as one executable. In considering some
redesigns, one possibility is to segregate distinct functionality into
several different programs that are chained (piped) together. For
example, a common invocation could be:
# tail -F /var/log/auth.log ... | sshg-parser | \
sshg-analyzer -a 30 -b 60:blacklist.db | sshg-fw
The value of this approach is its modularity, flexibility, and security.
These programs can be chained together in different ways to provide
different functionality. For example, to find out if SSHGuard is
detecting your attacks using saved logs, you could run:
# cat /var/log/auth.log.* | sshg-parser
If you wanted to replace the default blocking behavior, you could
replace sshg-analyzer with custom blocking rules.
If you wanted to instantly block attacks when the username matches
'root', you could insert another program in the pipeline that raises the
score that comes from sshg-parser before it reaches sshg-analyzer.
This pipeline is also intrinsically parallel and trivially sandboxable.
There are probably few bugs in `tail`, `sshg-parser` can be run without
privileges, `sshg-analyzer` needs only access to the blacklist, and
`sshg-fw` continues to require root access to configure the firewall.
Comments, suggestions, ideas?
Best,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: Kevin Z. <kev...@gm...> - 2016-06-12 17:06:06

On 06/12/16 00:38, Jos Chrispijn wrote:
> Jun 11 01:06:33 ceto postfix/smtpd[39048]: warning:
> unknown[36.6.252.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Thanks, I'll add it when I get around to it.

> Just a question: how do you process these updates? Do you do this in the
> SSHGuard itself (new version update) or do you keep an online database
> with these examples that is inquired every time SSHGuard is activated on
> our side? Best, Jos Chrispijn

All attack signatures are built into the SSHGuard binary itself. You can see for yourself how this is done in src/parser. This means that updating attack signatures requires an SSHGuard update. This was a design choice that prefers ease of setup and simplicity over ease of configuration.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
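Kevin's proposed sshg-parser | sshg-analyzer | sshg-fw split (his 2016-06-13 message above) and his point here that the attack signatures live in the binary's parser, modelled together as an added in-process example; this is not SSHGuard's code. The signature regexes, the score of 10 per hit, the reset-after-block rule and the sshd log line are assumptions; the Postfix lines are the ones quoted in this thread, and the -a 30 / -b 60 values are the ones from his example invocation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Stage 1, sshg-parser: runs unprivileged and only turns text into attack
# records. Table of (service, danger score, regex); the regexes and the
# score of 10 per hit are assumptions here, not SSHGuard's own table.
SIGNATURES = [
    ("postfix", 10, re.compile(
        r"postfix/smtpd\[\d+\]: warning: \S*\[(?P<ip>[0-9.]+)\]: "
        r"SASL \w+ authentication failed")),
    ("sshd", 10, re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<ip>[0-9.]+)")),
]

@dataclass
class Attack:
    ip: str
    service: str
    score: int
    user: str = ""

def parse_line(line):
    """Return an Attack for a recognised line, else None. A Postfix "connect
    from unknown[...]" or "does not resolve" line matches no signature here,
    which is why such an address is never scored, let alone blocked."""
    for service, score, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            return Attack(m.group("ip"), service, score,
                          m.groupdict().get("user") or "")
    return None

def boost_root(attack, danger):
    """Optional filter between parser and analyzer (the proposal's example):
    lift the score to the danger threshold for user root, so one try blocks."""
    if attack.user == "root":
        return Attack(attack.ip, attack.service, danger, attack.user)
    return attack

class Analyzer:
    """Stage 2, sshg-analyzer -a <danger> -b <blacklist_at>:blacklist.db; it
    needs only the blacklist. Simplification assumed here: the running score
    resets after each block, while the lifetime total decides blacklisting."""
    def __init__(self, danger=30, blacklist_at=60):
        self.danger, self.blacklist_at = danger, blacklist_at
        self.running, self.total = defaultdict(int), defaultdict(int)
        self.blacklist = set()

    def feed(self, attack):
        """Return ("block", ip) / ("blacklist", ip) actions for the fw stage."""
        actions = []
        self.running[attack.ip] += attack.score
        self.total[attack.ip] += attack.score
        if self.running[attack.ip] >= self.danger:
            actions.append(("block", attack.ip))
            self.running[attack.ip] = 0
        if (self.total[attack.ip] >= self.blacklist_at
                and attack.ip not in self.blacklist):
            self.blacklist.add(attack.ip)
            actions.append(("blacklist", attack.ip))
        return actions

class FirewallRecorder:
    """Stage 3 stand-in for sshg-fw, the only stage that would need root: it
    records the ipfw command it would run (table 22, as in this thread's
    FreeBSD setups) instead of executing anything."""
    def __init__(self):
        self.commands, self.blocked = [], set()

    def apply(self, action, ip):
        if action == "block" and ip not in self.blocked:
            self.blocked.add(ip)
            self.commands.append(f"ipfw table 22 add {ip}")

def run_pipeline(lines, danger=30, blacklist_at=60):
    """tail -F log | sshg-parser | boost | sshg-analyzer | sshg-fw, in-process."""
    analyzer, fw = Analyzer(danger, blacklist_at), FirewallRecorder()
    for line in lines:
        attack = parse_line(line)
        if attack is not None:
            for action, ip in analyzer.feed(boost_root(attack, danger)):
                fw.apply(action, ip)
    return fw, analyzer

# Constructed sample log: the Postfix lines quoted in this thread, six SASL
# failures from one source, and one sshd line from TEST-NET 192.0.2.7.
SAMPLE_LOG = [
    "Jun 26 06:37:20 scorpio postfix/smtpd[98953]: warning: hostname 50-246-67-11-static.hfc.comcastbusiness.net does not resolve to address 50.246.67.11: hostname nor servname provided, or not known",
    "Jun 26 06:37:20 scorpio postfix/smtpd[98953]: connect from unknown[50.246.67.11]",
] + [
    "Jun 11 01:06:%02d ceto postfix/smtpd[39048]: warning: unknown[36.6.252.174]: "
    "SASL LOGIN authentication failed: UGFzc3dvcmQ6" % s for s in range(33, 39)
] + ["Jun 11 02:00:00 ceto sshd[4242]: Failed password for root from 192.0.2.7 port 51022 ssh2"]
```

Running `run_pipeline(SAMPLE_LOG)` blocks 36.6.252.174 after the third SASL failure and blacklists it after the sixth, blocks 192.0.2.7 on a single root attempt, and never touches 50.246.67.11 because neither of its lines matches a signature.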
From: Jos C. <ssh...@cl...> - 2016-06-12 07:39:01

Hi Kevin,

FYI - found another one:

Jun 11 01:06:33 ceto postfix/smtpd[39048]: warning: unknown[36.6.252.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Just a question: how do you process these updates? Do you do this in the SSHGuard itself (new version update) or do you keep an online database with these examples that is inquired every time SSHGuard is activated on our side?

Best, Jos Chrispijn
From: Kevin Z. <kev...@gm...> - 2016-06-11 14:54:32

On 06/11/16 07:31, li...@la... wrote:
> Assuming sshguard finds suspicious activity via postfix, what port does
> it block?

It just adds the address to your block table, so it depends on how you have your firewall rules configured.

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: <li...@la...> - 2016-06-11 14:31:20

Assuming sshguard finds suspicious activity via postfix, what port does it block?
From: Kevin Z. <kev...@gm...> - 2016-06-11 14:25:06

On 06/10/16 23:34, Henri Shustak wrote:
> A couple of further questions relating to this discussion (sorry for thread hijacking) :
>
> (Q1) The main page makes no mention of this db file.
> Is there a default location for this argument which
> allows you to specify a path to the blocked db file?
> Man Page Link : http://www.sshguard.net/docs/man/sshguard/1_5/

We've been calling it the 'db' file, but it's actually just the blacklist. You can specify the path and threshold using the '-b' option.

> (Q2) Is it possible to have SSH guard just hold the blocked IP
> addresses in memory (rather than disk) so that a restart
> will clear all the blocked entries?

Yes, just don't use the '-b' option. Some startup scripts (for example, FreeBSD's rc.d) enable blacklisting by default.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Jos C. <ssh...@cl...> - 2016-06-11 13:23:22

In a message of 9-6-2016 23:06:
>> Can you tell me what the best way is of removing a blocked IP from SSHGuard?

Thanks everyone for your reply - issue solved.

./Jos
From: chebo <it...@ch...> - 2016-06-11 11:56:11

I'll answer my question in the first letter. Came to the conclusion. If you use sshguard in the role of daemon in each run it reads the logs from the beginning, and blocks everything again. I think it is inconvenient and maybe it can be somehow turned off. I decided not to bother and to use the method proposed on the official website. I apologize for the inconvenience.

10.06.2016, 18:10, "li...@la..." <li...@la...>:
> Unfortunately I'm not in a location to check my server, but all I did in rc.conf is enable sshguard. I edited a different file to set parameters. It is the file that contains the regex.
>
> From: chebo
> Sent: Friday, June 10, 2016 11:03 AM
> To: ssh...@li...
> Subject: [SSHGuard-users] sshguard restart and ipfw table 22 rewritten
>
> Hello. I use a translator.
>
> My apologies if I'm doing something wrong. The first time I use a mailing list in this situation.
> I found a similar problem, but the final answer is not there https://sourceforge.net/p/sshguard/mailman/message/35119986/
> I wanted to write directly to the author of the last letter, but his address closed.
> ______________
> My problem.
>
> 1. The guard blocked my host and added it to the blacklist.
> 2. I can see it in the blacklist and with the command: ipfw table 22 list.
> 3. I removed the host from the blacklist (vi /var/db/sshguard/blacklist.db) and then removed from the table 22 (table 22 ipfw delete 192.168.0.1).
> 4. After every reboot of the computer or just restarting the daemon.
> 5. The host again appears in table 22 and disappears from there after 5 minutes.
>
> Why? From there he is taken if the blacklist is empty.
>
> ____________
> I installed from the latest ports sshguard-ipfw-1.6.4_1
> OS - Freebsd 10.3
>
> I tried to use the defaults and changed.
>
> sshguard_enable="yes"
> sshguard_watch_logs="/var/log/auth.log"
> sshguard_danger_thresh="30"
> sshguard_blacklist="100:/var/db/sshguard/blacklist.db"
> sshguard_release_interval="120"
> #sshguard_reset_interval="1800"
> #sshguard_whitelistfile=/var/db/sshguard/whitelist.db
> #shguard_flags=""
>
> --
From: <li...@la...> - 2016-06-11 11:55:59

I think you need to flush the firewall. Editing the db file is not enough.

Original Message
From: chebo
Sent: Saturday, June 11, 2016 7:40 AM
To: li...@la...; ssh...@li...
Subject: Re: [SSHGuard-users] sshguard restart and ipfw table 22 rewritten

> I'll answer my question in the first letter. Came to the conclusion. If you use sshguard in the role of daemon in each run it reads the logs from the beginning, and blocks everything again. I think it is inconvenient and maybe it can be somehow turned off. I decided not to bother and to use the method proposed on the official website. I apologize for the inconvenience.
>
> 10.06.2016, 18:10, "li...@la..." <li...@la...>:
>> Unfortunately I'm not in a location to check my server, but all I did in rc.conf is enable sshguard. I edited a different file to set parameters. It is the file that contains the regex.
>>
>> From: chebo
>> Sent: Friday, June 10, 2016 11:03 AM
>> To: ssh...@li...
>> Subject: [SSHGuard-users] sshguard restart and ipfw table 22 rewritten
>>
>> Hello. I use a translator.
>>
>> My apologies if I'm doing something wrong. The first time I use a mailing list in this situation.
>> I found a similar problem, but the final answer is not there https://sourceforge.net/p/sshguard/mailman/message/35119986/
>> I wanted to write directly to the author of the last letter, but his address closed.
>> ______________
>> My problem.
>>
>> 1. The guard blocked my host and added it to the blacklist.
>> 2. I can see it in the blacklist and with the command: ipfw table 22 list.
>> 3. I removed the host from the blacklist (vi /var/db/sshguard/blacklist.db) and then removed from the table 22 (table 22 ipfw delete 192.168.0.1).
>> 4. After every reboot of the computer or just restarting the daemon.
>> 5. The host again appears in table 22 and disappears from there after 5 minutes.
>>
>> Why? From there he is taken if the blacklist is empty.
>>
>> ____________
>> I installed from the latest ports sshguard-ipfw-1.6.4_1
>> OS - Freebsd 10.3
>>
>> I tried to use the defaults and changed.
>>
>> sshguard_enable="yes"
>> sshguard_watch_logs="/var/log/auth.log"
>> sshguard_danger_thresh="30"
>> sshguard_blacklist="100:/var/db/sshguard/blacklist.db"
>> sshguard_release_interval="120"
>> #sshguard_reset_interval="1800"
>> #sshguard_whitelistfile=/var/db/sshguard/whitelist.db
>> #shguard_flags=""
>>
>> --
From: Henri S. <hen...@gm...> - 2016-06-11 06:47:10

> /var/db/sshguard/blacklist.db

$ cat /var/db/sshguard/blacklist.db
cat: /var/db/sshguard/blacklist.db: No such file or directory

On two OS X systems which I checked, this file was not present. I must admit that the installs I have which are on OS X are not on the bleeding edge version of SSHGuard.

So is there an argument which should be passed to SSHGuard in order to specify this file or is it a newly added feature?

--------------------------------------------------------------------
This email is protected by LBackup, an open source backup solution
http://www.lbackup.org
From: Henri S. <hen...@gm...> - 2016-06-11 06:34:41
|
> Yes, remove the address from the db file. If SSHGuard is running, then
> that address is probably blocked in the firewall, too. In that case,
> either restart SSHGuard or manually remove the block from the firewall
> ruleset.
Thank you for the clarification on this point Kevin.
A couple of further questions relating to this discussion (sorry for thread hijacking) :
(Q1) The main page makes no mention of this db file.
Is there a default location for this argument which
allows you to specify a path to the blocked db file?
Man Page Link : http://www.sshguard.net/docs/man/sshguard/1_5/
(Q2) Is it possible to have SSH guard just hold the blocked IP
addresses in memory (rather than disk) so that a restart
will clear all the blocked entries?
------------------------------------------------------
Fresh beats now available for free download from HTRAX :
http://www.htrax.xyz
|
|
From: chebo <it...@ch...> - 2016-06-11 04:57:19

Adding options to rc.conf described in the instructions and should not influence negatively on the program. However, as I said in the first letter I have tried to use default parameters. I tried to use only sshguard_enable="YES" and I tried again today on a virtual machine. On the virtual machine after rebooting or restarting the daemon blocked host reappears not only in table 22, but also in the black list. I tried to carefully examine the program website and FAQ, but have not met for instructions on deleting blocked addresses. Simple removal from the black list and the table doesn't help.

10.06.2016, 18:10, "li...@la..." <li...@la...>:
> Unfortunately I'm not in a location to check my server, but all I did in rc.conf is enable sshguard. I edited a different file to set parameters. It is the file that contains the regex.
>
> From: chebo
> Sent: Friday, June 10, 2016 11:03 AM
> To: ssh...@li...
> Subject: [SSHGuard-users] sshguard restart and ipfw table 22 rewritten
>
> Hello. I use a translator.
>
> My apologies if I'm doing something wrong. The first time I use a mailing list in this situation.
> I found a similar problem, but the final answer is not there https://sourceforge.net/p/sshguard/mailman/message/35119986/
> I wanted to write directly to the author of the last letter, but his address closed.
> ______________
> My problem.
>
> 1. The guard blocked my host and added it to the blacklist.
> 2. I can see it in the blacklist and with the command: ipfw table 22 list.
> 3. I removed the host from the blacklist (vi /var/db/sshguard/blacklist.db) and then removed from the table 22 (table 22 ipfw delete 192.168.0.1).
> 4. After every reboot of the computer or just restarting the daemon.
> 5. The host again appears in table 22 and disappears from there after 5 minutes.
>
> Why? From there he is taken if the blacklist is empty.
>
> ____________
> I installed from the latest ports sshguard-ipfw-1.6.4_1
> OS - Freebsd 10.3
>
> I tried to use the defaults and changed.
>
> sshguard_enable="yes"
> sshguard_watch_logs="/var/log/auth.log"
> sshguard_danger_thresh="30"
> sshguard_blacklist="100:/var/db/sshguard/blacklist.db"
> sshguard_release_interval="120"
> #sshguard_reset_interval="1800"
> #sshguard_whitelistfile=/var/db/sshguard/whitelist.db
> #shguard_flags=""
>
> --
From: <li...@la...> - 2016-06-10 15:10:12

Unfortunately I'm not in a location to check my server, but all I did in rc.conf is enable sshguard. I edited a different file to set parameters. It is the file that contains the regex.

From: chebo
Sent: Friday, June 10, 2016 11:03 AM
To: ssh...@li...
Subject: [SSHGuard-users] sshguard restart and ipfw table 22 rewritten

> Hello. I use a translator.
>
> My apologies if I'm doing something wrong. The first time I use a mailing list in this situation.
> I found a similar problem, but the final answer is not there https://sourceforge.net/p/sshguard/mailman/message/35119986/
> I wanted to write directly to the author of the last letter, but his address closed.
> ______________
> My problem.
>
> 1. The guard blocked my host and added it to the blacklist.
> 2. I can see it in the blacklist and with the command: ipfw table 22 list.
> 3. I removed the host from the blacklist (vi /var/db/sshguard/blacklist.db) and then removed from the table 22 (table 22 ipfw delete 192.168.0.1).
> 4. After every reboot of the computer or just restarting the daemon.
> 5. The host again appears in table 22 and disappears from there after 5 minutes.
>
> Why? From there he is taken if the blacklist is empty.
>
> ____________
> I installed from the latest ports sshguard-ipfw-1.6.4_1
> OS - Freebsd 10.3
>
> I tried to use the defaults and changed.
>
> sshguard_enable="yes"
> sshguard_watch_logs="/var/log/auth.log"
> sshguard_danger_thresh="30"
> sshguard_blacklist="100:/var/db/sshguard/blacklist.db"
> sshguard_release_interval="120"
> #sshguard_reset_interval="1800"
> #sshguard_whitelistfile=/var/db/sshguard/whitelist.db
> #shguard_flags=""
>
> --
From: Kevin Z. <kev...@gm...> - 2016-06-10 15:08:10

On 06/10/16 00:57, Jos Chrispijn wrote:
> In a message of 9-6-2016 23:06:
>
>>> Can you tell me what the best way is of removing a blocked IP
>>> from SSHGuard?
>>
>> Someone please correct me if I am mistaken. But typically a reboot
>> of the system / SSHGuard will take care of this?
>
> Don't think so - blocked IP's are normally registered in a *.db
> (which isn't a database but a textfile (I think). My question
> actually referred to this file - can I just edit the file and remove
> some of the IP's or should I do that from the sshguard command line?

Yes, remove the address from the db file. If SSHGuard is running, then that address is probably blocked in the firewall, too. In that case, either restart SSHGuard or manually remove the block from the firewall ruleset.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: chebo <it...@ch...> - 2016-06-10 12:38:33

Hello. I use a translator.

My apologies if I'm doing something wrong. The first time I use a mailing list in this situation.
I found a similar problem, but the final answer is not there https://sourceforge.net/p/sshguard/mailman/message/35119986/
I wanted to write directly to the author of the last letter, but his address closed.
______________
My problem.

1. The guard blocked my host and added it to the blacklist.
2. I can see it in the blacklist and with the command: ipfw table 22 list.
3. I removed the host from the blacklist (vi /var/db/sshguard/blacklist.db) and then removed from the table 22 (table 22 ipfw delete 192.168.0.1).
4. After every reboot of the computer or just restarting the daemon.
5. The host again appears in table 22 and disappears from there after 5 minutes.

Why? From there he is taken if the blacklist is empty.

____________
I installed from the latest ports sshguard-ipfw-1.6.4_1
OS - Freebsd 10.3

I tried to use the defaults and changed.

sshguard_enable="yes"
sshguard_watch_logs="/var/log/auth.log"
sshguard_danger_thresh="30"
sshguard_blacklist="100:/var/db/sshguard/blacklist.db"
sshguard_release_interval="120"
#sshguard_reset_interval="1800"
#sshguard_whitelistfile=/var/db/sshguard/whitelist.db
#shguard_flags=""

--
From: James H. <jam...@gm...> - 2016-06-10 08:20:06

Just delete the line from the text file. I believe historically the file had been binary but was converted to text.

You can also whitelist addresses you know are good. I whitelist the RFC 1918 addresses just to prevent any parsing error causing too much trouble.

On Fri, Jun 10, 2016 at 12:57 AM, Jos Chrispijn <ssh...@cl...> wrote:
> In a message of 9-6-2016 23:06:
>
>>> Can you tell me what the best way is of removing a blocked IP from
>>> SSHGuard?
>>
>> Someone please correct me if I am mistaken. But typically a reboot of
>> the system / SSHGuard will take care of this?
>
> Don't think so - blocked IP's are normally registered in a *.db (which
> isn't a database but a textfile (I think). My question actually referred
> to this file - can I just edit the file and remove some of the IP's or
> should I do that from the sshguard command line?
>
> /Jos

--
James Harris
Software Engineer
jam...@gm...
From: Jos C. <ssh...@cl...> - 2016-06-10 07:57:11

In a message of 9-6-2016 23:06:
>> Can you tell me what the best way is of removing a blocked IP from SSHGuard?
>
> Someone please correct me if I am mistaken. But typically a reboot of the system / SSHGuard will take care of this?

Don't think so - blocked IP's are normally registered in a *.db (which isn't a database but a textfile (I think). My question actually referred to this file - can I just edit the file and remove some of the IP's or should I do that from the sshguard command line?

/Jos
From: Henri S. <hen...@gm...> - 2016-06-09 21:07:03

> Can you tell me what the best way is of removing a blocked IP from SSHGuard?

Someone please correct me if I am mistaken. But typically a reboot of the system / SSHGuard will take care of this?

Is it possible to use a persistent file so that a reboot will not cause a blocked IP address from being removed. I could be wrong on this (reboot) point ; if someone knows 100%, please reply to this message.

Hope that helps. Now there is another question?

------------------------------------------------------
Fresh beats now available for free download from HTRAX :
http://www.htrax.xyz

On 10/06/2016, at 6:15 AM, Jos Chrispijn <ssh...@cl...> wrote:
From: Jos C. <ssh...@cl...> - 2016-06-09 18:15:40

Can you tell me what the best way is of removing a blocked IP from SSHGuard?

Thanks,
Jos Chrispijn
From: <li...@la...> - 2016-06-04 13:38:51

I'm using IPFW as well. I haven't seen anything in my maillog that should be triggering sshguard. I just want to test it.

Original Message
From: Carmel
Sent: Friday, June 3, 2016 9:04 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] Stow away

> On Fri, 03 Jun 2016 08:43:20 -0400 li...@la... wrote:
>> I've yet to trigger sshguard with postfix, so I appreciate this post.
>> It will help me make a pentest, such as it is. A real pentest would
>> trigger everything known about sshguard detection and in theory
>> unknown attacks. I've thrown a lot of random text at postfix and
>> because of the limited "vocabulary" of MTA, it all gets rejected by
>> postfix.
>
> I use Postfix and on an average, sshguard is triggered twice a day and sometimes more. I use sshguard in conjunction with IPFW so my setup may be different from yours. It would really help if you posted your "postfix -n" output plus a few examples of log entries that you believe should be triggering a response.
>
> --
> Carmel
From: <li...@la...> - 2016-06-04 13:36:58

So does this mean I would have to IP spoof to test this feature of sshguard?

Original Message
From: Kevin Zheng
Sent: Friday, June 3, 2016 11:31 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] Stow away

> On 06/03/16 01:04, Jos Chrispijn wrote:
>> Just saw that this one slipped through SSHGuard:
>>
>> Jun 2 01:11:35 ceto postfix/smtpd[43199]: warning: hostname 178.217.186.124-host.valuehosted.com does not resolve to address 178.217.186.124: hostname nor servname provided, or not known
>>
>> Can you provide a link with which I can upload this text string on your website instead of in this mailing list? Thanks!
>
> The issue tracker on Bitbucket is a good place:
> https://bitbucket.org/sshguard/sshguard/issues?status=new&status=open
>
> The list is fine, too, except I've been a bit busy lately and haven't been processing bug reports or list posts. Sorry.
>
> Best,
> Kevin
>
> --
> Kevin Zheng
> kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: Jos C. <ssh...@cl...> - 2016-06-03 16:14:08

In a message of 3-6-2016 17:31:
> On 06/03/16 01:04, Jos Chrispijn wrote:
> The issue tracker on Bitbucket is a good place:
>
> https://bitbucket.org/sshguard/sshguard/issues?status=new&status=open

Thanks, I will use that and post my Postfix information as well there then.

./Jos