From: Ryan P. <tro...@gm...> - 2007-12-12 15:11:25
Hi All,

I have been using the pre-1.0 release perfectly fine, but something broke with the latest ports update to 1.0. It doesn't appear that a user is getting blocked by the firewall.

Any help would be appreciated.

Thanks,
Ryan

pf config:

table <sshguard> persist

pass in all
pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in all
block return-rst out quick proto tcp from any to any port 113
block in quick on $ext_if from <block_hosts> to any
block in quick on $ext_if from <sshguard> to any
...

auth.log:

Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 539 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 538 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 537 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 535 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 534 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 531 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 11 23:59:27 zeus sshguard[61062]: Releasing 77.246.240.82 after 526 seconds.
Dec 11 23:59:27 zeus sshguard[61062]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 11 23:59:27 zeus sshguard[61062]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 12 00:00:01 zeus sshguard[61062]: Got exit signal, flushing blocked addresses and exiting...
Dec 12 00:00:01 zeus sshguard[61062]: Run command "/sbin/pfctl -Tflush -t sshguard": exited 0.
Dec 12 00:00:01 zeus sshguard[83693]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Dec 12 00:00:20 zeus postfix/smtpd[83948]: sql auxprop plugin using mysql engine
Dec 12 00:00:20 zeus sshd[83929]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:20 zeus sshd[83929]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:20 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83930]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83930]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83931]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83931]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83934]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83934]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshd[83933]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83933]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Blocking 77.246.240.82: 4 failures over 1 seconds.
Dec 12 00:00:21 zeus sshguard[83693]: Setting environment: SSHG_ADDR=77.246.240.82;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 12 00:00:21 zeus sshguard[83693]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83935]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83935]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83938]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83938]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
Dec 12 00:00:21 zeus sshd[83942]: reverse mapping checking getaddrinfo for 240-82.umostel.ru [77.246.240.82] failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 12 00:00:21 zeus sshd[83942]: Invalid user alexis from 77.246.240.82
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 77.246.240.82
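The auth.log excerpt above already holds the evidence: sshguard ran "/sbin/pfctl -Tadd" with exit status 0, yet sshd kept logging "Invalid user" attempts from the same address, so the table was filled but no rule dropped that traffic. The following is an added example, not code from the thread or from the sshguard project: a Python replay of sshguard's block/release lifecycle over a log that flags that symptom, and also the other common failure mode, the backend command exiting non-zero. The sample lines are constructed after the post's auth.log, with RFC 5737 documentation addresses substituted for the real one.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the auth.log in the post (sshguard 1.0 with the
# pf backend). The addresses are documentation ranges, not the post's real IP.
SAMPLE_LOG = """\
Dec 12 00:00:01 zeus sshguard[83693]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Dec 12 00:00:20 zeus sshd[83929]: Invalid user alexis from 192.0.2.10
Dec 12 00:00:20 zeus sshguard[83693]: Matched IP address 192.0.2.10
Dec 12 00:00:21 zeus sshd[83930]: Invalid user alexis from 192.0.2.10
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 192.0.2.10
Dec 12 00:00:21 zeus sshd[83931]: Invalid user alexis from 192.0.2.10
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 192.0.2.10
Dec 12 00:00:21 zeus sshd[83933]: Invalid user alexis from 192.0.2.10
Dec 12 00:00:21 zeus sshguard[83693]: Matched IP address 192.0.2.10
Dec 12 00:00:21 zeus sshguard[83693]: Blocking 192.0.2.10: 4 failures over 1 seconds.
Dec 12 00:00:21 zeus sshguard[83693]: Setting environment: SSHG_ADDR=192.0.2.10;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 12 00:00:21 zeus sshguard[83693]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 0.
Dec 12 00:00:22 zeus sshd[83935]: Invalid user alexis from 192.0.2.10
Dec 12 00:00:22 zeus sshd[83938]: Invalid user alexis from 192.0.2.10
Dec 12 00:07:21 zeus sshguard[83693]: Releasing 192.0.2.10 after 420 seconds.
Dec 12 00:07:21 zeus sshguard[83693]: Setting environment: SSHG_ADDR=192.0.2.10;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 12 00:07:21 zeus sshguard[83693]: Run command "/sbin/pfctl -Tdel -t sshguard $SSHG_ADDR": exited 0.
Dec 12 00:09:00 zeus sshd[84001]: Invalid user admin from 198.51.100.7
Dec 12 00:09:00 zeus sshguard[83693]: Blocking 198.51.100.7: 4 failures over 3 seconds.
Dec 12 00:09:00 zeus sshguard[83693]: Setting environment: SSHG_ADDR=198.51.100.7;SSHG_ADDRKIND=4;SSHG_SERVICE=10.
Dec 12 00:09:00 zeus sshguard[83693]: Run command "/sbin/pfctl -Tadd -t sshguard $SSHG_ADDR": exited 1.
"""

# Syslog line: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"^Invalid user \S+ from (?P<ip>\S+)$")
BLOCK_RE = re.compile(r"^Blocking (?P<ip>\S+): (?P<n>\d+) failures over (?P<secs>\d+) seconds\.$")
RELEASE_RE = re.compile(r"^Releasing (?P<ip>\S+) after (?P<secs>\d+) seconds\.$")
ENV_RE = re.compile(r"^Setting environment: (?P<env>.+)\.$")
CMD_RE = re.compile(r'^Run command "(?P<cmd>.+)": exited (?P<rc>\d+)\.$')


def parse_env(env_text):
    """'SSHG_ADDR=1.2.3.4;SSHG_ADDRKIND=4;SSHG_SERVICE=10' -> dict of the SSHG_* variables."""
    return dict(item.split("=", 1) for item in env_text.split(";") if "=" in item)


def audit_sshguard_log(text):
    """Replay sshguard's own view of who is blocked and flag two failure modes:
    - 'leak': sshd still logs attempts from an address sshguard has blocked, i.e. the
      firewall rule consuming the table did not match that traffic (the thread's case);
    - 'backend_failed': the block/release command exited non-zero, so the table
      was never updated even though sshguard logged the block."""
    blocked = {}    # ip -> timestamp of the block sshguard believes is in force
    env = {}        # most recent SSHG_* environment announced before a command
    history = []    # ("block" | "release", ip, timestamp) in log order
    findings = []   # (kind, ip, offending raw line)
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        prog, msg = m["prog"], m["msg"]
        if prog == "sshd":
            a = ATTEMPT_RE.match(msg)
            if a and a["ip"] in blocked:
                findings.append(("leak", a["ip"], raw))
            continue
        if prog != "sshguard":
            continue
        b, r, e, c = (BLOCK_RE.match(msg), RELEASE_RE.match(msg),
                      ENV_RE.match(msg), CMD_RE.match(msg))
        if b:
            blocked[b["ip"]] = ts
            history.append(("block", b["ip"], ts))
        elif r:
            blocked.pop(r["ip"], None)
            history.append(("release", r["ip"], ts))
        elif e:
            env = parse_env(e["env"])
        elif c and c["rc"] != "0":
            # sshguard keeps the address in its own list, so later attempts
            # from it will also show up as leaks; that is the real effect.
            findings.append(("backend_failed", env.get("SSHG_ADDR", "?"), raw))
    return {"still_blocked": sorted(blocked), "history": history, "findings": findings}


if __name__ == "__main__":
    for kind, ip, line in audit_sshguard_log(SAMPLE_LOG)["findings"]:
        print(f"{kind:15} {ip:15} {line}")
```

Run against the constructed sample, it reports two leaks for 192.0.2.10 (attempts logged after the successful pfctl -Tadd) and one backend failure for 198.51.100.7. A zero exit status from pfctl only proves the table entry was written; whether any rule uses that table on the interface the traffic arrives on is what the leak check tests.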
From: Ryan P. <tro...@gm...> - 2007-12-12 15:54:27
On Dec 12, 2007 9:11 AM, Ryan Phillips <tro...@gm...> wrote:
> Hi All,
>
> I have been using the pre-1.0 release perfectly fine, but something
> broke with the latest ports update to 1.0. It doesn't appear that a
> user is getting blocked by the firewall.
>
> Any help would be appreciated.
>

Sorry for the noise... SSH was listening on all interfaces and the pf rule only blocked on one.

For historical sake:

block in quick from <sshguard> to any

Thanks for the great software!
-Ryan
From: Ryan P. <tro...@gm...> - 2007-12-12 16:08:33
On Dec 12, 2007 9:54 AM, Ryan Phillips <tro...@gm...> wrote:
> On Dec 12, 2007 9:11 AM, Ryan Phillips <tro...@gm...> wrote:
> > Hi All,
> >
> > I have been using the pre-1.0 release perfectly fine, but something
> > broke with the latest ports update to 1.0. It doesn't appear that a
> > user is getting blocked by the firewall.
> >
> > Any help would be appreciated.
> >
>
> Sorry for the noise... SSH was listening on all interfaces and the pf
> rule only blocked on one.
>
> For historical sake: block in quick from <sshguard> to any

I guess the 'on' directive would have taken care of that scenario. I'm a newb with pf.

Any comments with this problem would be appreciated.

-ryan
From: Mij <mi...@bi...> - 2007-12-16 15:19:41
On 12/dic/07, at 17:00, Ryan Phillips wrote:
> On Dec 12, 2007 9:54 AM, Ryan Phillips <tro...@gm...> wrote:
>> On Dec 12, 2007 9:11 AM, Ryan Phillips <tro...@gm...> wrote:
>>> Hi All,
>>>
>>> I have been using the pre-1.0 release perfectly fine, but something
>>> broke with the latest ports update to 1.0. It doesn't appear that a
>>> user is getting blocked by the firewall.
>>>
>>> Any help would be appreciated.
>>>
>>
>> Sorry for the noise... SSH was listening on all interfaces and the pf
>> rule only blocked on one.
>>
>> For historical sake: block in quick from <sshguard> to any
>
> I guess the 'on' directive would have taken care of that scenario.
> I'm a newb with pf.
>
> Any comments with this problem would be appreciated.

"on $ext_if" matches all the traffic coming in to the ext_if physical interface, so yes, in case you have multiple addresses assigned to one physical interface. If instead ssh is reachable from different addresses on different interfaces, "on" is just a limitation, and you should instead use something like

block in quick from <sshguard> to any port 22 label "ssh bruteforce"

or use multiple rules with "on $intrf" for every external interface.

The advantage of using "on $interface" is that you protect LAN addresses from being blocked, even if they behave like attackers. Of course this can be managed by sshguard itself with whitelisting anyway.
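The rule-scope point Mij makes can be checked mechanically before a brute-forcer finds the gap. The following is an added example, not code from the thread or the sshguard project: a small Python lint that expands simple pf.conf macros, collects the "block in" rules that consume the <sshguard> table, and reports which of the interfaces sshd listens on are not covered by any of them. The two configs are constructed from the thread's excerpt and the reply; the interface names em0/em1, the sshd-listens-on list, and the rule grammar (a simplified subset of pf syntax) are assumptions.

```python
import re

# Constructed from the pf.conf excerpt in the first post. The macro value and
# the interface names are assumptions; the post never names the interface.
ORIGINAL_PF = """\
ext_if = "em0"
table <sshguard> persist

pass in all
pass out all

block in all
block return-rst out quick proto tcp from any to any port 113
block in quick on $ext_if from <block_hosts> to any
block in quick on $ext_if from <sshguard> to any
"""

# The interface-independent form suggested in the reply.
FIXED_PF = """\
table <sshguard> persist
pass in all
pass out all
block in all
block in quick from <sshguard> to any port 22 label "ssh bruteforce"
"""

# Handles only the one-line 'name = "value"' macro form, not lists or nesting.
MACRO_RE = re.compile(r'^(?P<name>\w+)\s*=\s*"?(?P<value>[^"]+?)"?$')
# Simplified 'block in' rule: optional return/drop, quick, 'on IFACE', 'proto X',
# then 'from <table> to DST' and an optional 'port P'. Anything else is ignored.
RULE_RE = re.compile(
    r"^block(?:\s+return\S*|\s+drop)?\s+in(?:\s+quick)?(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+\S+)?\s+from\s+<(?P<table>\w+)>\s+to\s+\S+"
    r"(?:\s+port\s+(?P<port>\S+))?"
)


def expand_macros(pf_conf):
    """Strip comments and blank lines, record macros, and substitute $name in the rest."""
    macros, lines = {}, []
    for raw in pf_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m["name"]] = m["value"].strip()
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        lines.append(line)
    return macros, lines


def uncovered_interfaces(pf_conf, table, sshd_ifaces, port=22):
    """Interfaces sshd listens on for which no 'block in' rule consumes <table>.
    A rule without 'on' covers every interface; a rule restricted to a port
    covers an interface only if that port is the one sshd uses."""
    _, lines = expand_macros(pf_conf)
    rules = [m for m in map(RULE_RE.match, lines) if m and m["table"] == table]
    return [
        iface for iface in sshd_ifaces
        if not any(r["iface"] in (None, iface) and r["port"] in (None, str(port))
                   for r in rules)
    ]


if __name__ == "__main__":
    listening = ["em0", "em1"]  # assumption: sshd bound to all interfaces, as in the thread
    print("original:", uncovered_interfaces(ORIGINAL_PF, "sshguard", listening))
    print("fixed:   ", uncovered_interfaces(FIXED_PF, "sshguard", listening))
```

With sshd on em0 and em1, the original rule set leaves em1 uncovered and the port-22 form leaves nothing uncovered. The port check matters for the fixed form: if sshd is moved to another port, a rule restricted to "port 22" stops matching and the lint reports every interface again, which is the trade-off between the interface-scoped and port-scoped variants Mij describes.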