Menu
▾
▴
sshguard-users
|
From: Burton S. <Bu...@Bu...> - 2017-01-18 11:45:14
|
If sshguard shuts down other than cleanly, and you restart it, the blocklist
rules get doubled.
Does it hurt anything to add a flush command first? For iptables it would
be:
fw_init() {
run_iptables "-Z sshguard"
run_iptables "-L -n"
}
-----Burton
|
|
From: Kevin Z. <kev...@gm...> - 2017-01-18 18:30:28
|
On 01/18/17 03:45, Burton Strauss wrote: > If sshguard shuts down other than cleanly, and you restart it, the > blocklist rules get doubled. > > Does it hurt anything to add a flush command first? For iptables it > would be: In 1.7, if SSHGuard exits cleanly it should issue a 'flush' command before exiting. In 2.0, sshg-blocker sets 'flushonexit' and sshg-fw flushes before exiting. What version are you using? What backend are you using? If you're able to, does 2.0 fix your issue? Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: Burton S. <Bu...@Bu...> - 2017-01-18 23:15:24
|
1.7.1 + a couple of patches iptables No, I can't spare the effort to switch to 1.99.x now. I'm using systemd and systemctl stop sshguard.service or restart. And I'm not seeing the flush command being executed. It may be belt & suspenders, but I can't see the harm in flushing the chain regardless. Ultimately I want to create an sshguard and sshguard-perm chain so I can have the perm blocks just dumped before the Shorewall even logs them. The patch is working, but it will be cleaner to arrange the chains that way just so sshguard doesn't see the already blocked addresses in SYN log and whine. -----Burton -----Original Message----- From: Kevin Zheng [mailto:kev...@gm...] Sent: Wednesday, January 18, 2017 1:30 PM To: BSt...@ac...; ssh...@li... Subject: Re: [SSHGuard-users] Issue restarting sshguard On 01/18/17 03:45, Burton Strauss wrote: > If sshguard shuts down other than cleanly, and you restart it, the > blocklist rules get doubled. > > Does it hurt anything to add a flush command first? For iptables it > would be: In 1.7, if SSHGuard exits cleanly it should issue a 'flush' command before exiting. In 2.0, sshg-blocker sets 'flushonexit' and sshg-fw flushes before exiting. What version are you using? What backend are you using? If you're able to, does 2.0 fix your issue? Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 |
|
From: <li...@la...> - 2017-01-18 19:39:30
|
A funny thing about sshguard on FreeBSD IPFW is table 22 isn't flushed ever as far as I can tell. When I do a reboot, the table is still there. In fact, I'd like to know how that is done. The tables I create with scripts need to be created after booting. I'm still on 1.7. I had done some program updates a few days ago and made the VPS lose networking, though it was working after the updates. I only discovered the issue after booting after a backup. A good thing I had two images! Original Message From: Kevin Zheng Sent: Wednesday, January 18, 2017 10:30 AM To: BSt...@ac...; ssh...@li... Subject: Re: [SSHGuard-users] Issue restarting sshguard On 01/18/17 03:45, Burton Strauss wrote: > If sshguard shuts down other than cleanly, and you restart it, the > blocklist rules get doubled. > > Does it hurt anything to add a flush command first? For iptables it > would be: In 1.7, if SSHGuard exits cleanly it should issue a 'flush' command before exiting. In 2.0, sshg-blocker sets 'flushonexit' and sshg-fw flushes before exiting. What version are you using? What backend are you using? If you're able to, does 2.0 fix your issue? Best, Kevin -- Kevin Zheng kev...@gm... | ke...@be... | PGP: 0xC22E1090 ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ sshguard-users mailing list ssh...@li... https://lists.sourceforge.net/lists/listinfo/sshguard-users |
|
From: Burton S. <Bu...@Bu...> - 2017-01-18 23:27:47
|
When you run ./configure it creates sshg-fw.sh from the skeleton and whichever fw type you picked. Look in src/fwalls for the scripts.
If my iptables setup isn't having flush called, it's likely your's isn't either. Have to look in the sshguard.c source for the call to flush to see what conditions bypass it.
OK...
fw_flush is in finisher() which is called at the end of the program via atexit().
IF it is called,
static void finishup(void) {
sshguard_log(LOG_INFO, "Exiting on %s",
exit_sig == SIGHUP ? "SIGHUP" : "signal");
if (fw_flush() != FWALL_OK) {
sshguard_log(LOG_ERR, "fw: failed to flush blocked addresses");
}
So you would see the log message and then if the flush failed the 2nd message. I'm not seeing it. Next step would be to instrument the called code and log the call to the script and the chain at the end.
-----Burton
-----Original Message-----
From: li...@la... [mailto:li...@la...]
Sent: Wednesday, January 18, 2017 2:39 PM
To: Kevin Zheng <kev...@gm...>; BSt...@ac...; ssh...@li...
Subject: Re: [SSHGuard-users] Issue restarting sshguard
A funny thing about sshguard on FreeBSD IPFW is table 22 isn't flushed ever as far as I can tell. When I do a reboot, the table is still there. In fact, I'd like to know how that is done. The tables I create with scripts need to be created after booting.
I'm still on 1.7. I had done some program updates a few days ago and made the VPS lose networking, though it was working after the updates. I only discovered the issue after booting after a backup. A good thing I had two images!
Original Message
From: Kevin Zheng
Sent: Wednesday, January 18, 2017 10:30 AM
To: BSt...@ac...; ssh...@li...
Subject: Re: [SSHGuard-users] Issue restarting sshguard
On 01/18/17 03:45, Burton Strauss wrote:
> If sshguard shuts down other than cleanly, and you restart it, the
> blocklist rules get doubled.
>
> Does it hurt anything to add a flush command first? For iptables it
> would be:
In 1.7, if SSHGuard exits cleanly it should issue a 'flush' command before exiting. In 2.0, sshg-blocker sets 'flushonexit' and sshg-fw flushes before exiting.
What version are you using? What backend are you using? If you're able to, does 2.0 fix your issue?
Best,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
|
From: Kevin Z. <kev...@gm...> - 2017-01-20 02:10:02
|
On 01/18/17 15:27, Burton Strauss wrote:
> fw_flush is in finisher() which is called at the end of the program via atexit().
>
> IF it is called,
>
> static void finishup(void) {
> sshguard_log(LOG_INFO, "Exiting on %s",
> exit_sig == SIGHUP ? "SIGHUP" : "signal");
>
> if (fw_flush() != FWALL_OK) {
> sshguard_log(LOG_ERR, "fw: failed to flush blocked addresses");
> }
>
> So you would see the log message and then if the flush failed the 2nd
> message. I'm not seeing it. Next step would be to instrument the
> called code and log the call to the script and the chain at the end.
Here's my guess without looking at history and code:
If I remember correctly on 1.7.1 fw_flush() always returns FWALL_OK.
fw_flush() sends "flush" over a pipe to sshg-fw.
If the pipe gets broken first, then flush will never happen.
2.0 fixes this by issuing "flushonexit" to sshg-fw, so that whenever
sshg-fw exits flush is issued no matter if the pipe goes down first.
Fix is to upgrade to 2.0 or backport this.
Best,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
|
|
From: <li...@la...> - 2017-01-20 03:11:19
|
I will upgrade to 2.0 tonight.
My question was more like why do MY ipfw tables get flushed upon booting while table 22 doesn't.
A different question and not exactly on sshguard target. ;-)
Original Message
From: Kevin Zheng
Sent: Thursday, January 19, 2017 6:10 PM
To: ssh...@li...
Subject: Re: [SSHGuard-users] Issue restarting sshguard
On 01/18/17 15:27, Burton Strauss wrote:
> fw_flush is in finisher() which is called at the end of the program via atexit().
>
> IF it is called,
>
> static void finishup(void) {
> sshguard_log(LOG_INFO, "Exiting on %s",
> exit_sig == SIGHUP ? "SIGHUP" : "signal");
>
> if (fw_flush() != FWALL_OK) {
> sshguard_log(LOG_ERR, "fw: failed to flush blocked addresses");
> }
>
> So you would see the log message and then if the flush failed the 2nd
> message. I'm not seeing it. Next step would be to instrument the
> called code and log the call to the script and the chain at the end.
Here's my guess without looking at history and code:
If I remember correctly on 1.7.1 fw_flush() always returns FWALL_OK.
fw_flush() sends "flush" over a pipe to sshg-fw.
If the pipe gets broken first, then flush will never happen.
2.0 fixes this by issuing "flushonexit" to sshg-fw, so that whenever
sshg-fw exits flush is issued no matter if the pipe goes down first.
Fix is to upgrade to 2.0 or backport this.
Best,
Kevin
--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X