From: Laurent A. <l.a...@fr...> - 2013-04-17 15:53:06

Hi,

I am a potential new user of sshguard. It looks appealing. However, I wonder if I can mix sshguard with other non-ssh pf rules?

From: Jo R. <jr...@ne...> - 2013-04-17 17:14:25

Look at "fail2ban" which has plugins for many different logfiles.

On Apr 17, 2013, at 8:52 AM, Laurent Alebarde <l.a...@fr...> wrote:
> I am a potential new user of sshguard. It looks appealing. However, I wonder if I can mix sshguard with other non-ssh pf rules?

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
Author of Instant Puppet 3 Starter: http://www.netconsonance.com/instant-puppet-3-starter-book-homepage/

From: Richard J. <rjt...@sa...> - 2013-04-17 21:44:30

On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote:
> Hi,
>
> I am a potential new user of sshguard. It looks appealing. However, I
> wonder if I can mix sshguard with other non-ssh pf rules?

But of course.

Here's one line from near the start of my approximately 300 line pf.conf:

    block drop in log quick proto tcp from <sshguard> to any \
        label "ssh bruteforce"

Richard

From: Laurent A. <l.a...@fr...> - 2013-04-17 21:59:16

Thanks Richard. Could you elaborate a bit more please for the pf & networking newbie I am?

On 17/04/2013 23:12, Richard Johnson wrote:
> On Wed, Apr 17, 2013 at 05:52:58PM +0200, Laurent Alebarde wrote:
>> Hi,
>>
>> I am a potential new user of sshguard. It looks appealing. However, I
>> wonder if I can mix sshguard with other non-ssh pf rules?
> But of course.
>
> Here's one line from near the start of my approximately 300 line pf.conf:
>
>     block drop in log quick proto tcp from <sshguard> to any \
>         label "ssh bruteforce"
>
> Richard

From: Richard J. <rjt...@sa...> - 2013-04-17 22:36:54

On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote:
> Thanks Richard. Could you elaborate a bit more please for the pf &
> networking newbie I am?

A typical basic pf.conf will say:

    block
    pass out

That blocks with ICMP or TCP RST reply all inbound traffic, except traffic which matches a state table entry created by the 'pass out' rule (in other words, replies to connections you make outbound from your system).

Add anywhere in that rule set:

    block drop in log quick proto tcp from <sshguard> to any

sshguard will use the <sshguard> table when it finds an IP doing something it considers unfriendly.

That rule will silently block all inbound TCP from a bad IP, except for replies to connections you make outbound from your system.

For more, see the sshguard.net web site, which refers to the pf man pages and instructions.

Good luck!

Richard

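A constructed pf.conf showing the sshguard rule from the message above sitting alongside unrelated, non-ssh rules. This is an added example, not part of the thread; the interface name, admin network and service ports are assumptions.

```pf
# Constructed example pf.conf. $ext_if, $admin_net and the ports are assumptions.
ext_if    = "em0"                # assumed external interface
admin_net = "198.51.100.0/24"    # constructed documentation range

# Table that sshguard fills with offending addresses. 'persist' keeps the
# table in place even while it is empty and no rule refers to it.
table <sshguard> persist

# Basic policy from the thread: block everything inbound; replies to
# connections made outbound are admitted through the state table.
block
pass out

# sshguard rule. pf normally applies the LAST matching rule, but 'quick'
# ends evaluation here, so the pass rules further down cannot re-admit a
# listed address. Without 'quick', the later 'pass in' rules would win.
# A 'pass in quick ...' rule placed ABOVE this line would match first and
# let a listed address through, so keep this rule ahead of any quick pass.
block drop in log quick proto tcp from <sshguard> to any label "ssh bruteforce"

# Unrelated rules: web service, ssh from the admin network, and ping.
pass in on $ext_if proto tcp from any to any port { 80 443 }
pass in on $ext_if proto tcp from $admin_net to any port 22
pass in on $ext_if inet proto icmp icmp-type echoreq

# Checks to run after editing:
#   pfctl -nf /etc/pf.conf       parse the file without loading it
#   pfctl -f  /etc/pf.conf       load the rule set
#   pfctl -t sshguard -T show    list addresses currently in the table
#   pfctl -sr -v                 per-rule counters, including the labelled rule
```
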
From: Laurent A. <l.a...@fr...> - 2013-04-18 07:22:42

Thank you very much Richard.

Cheers,

Laurent.

On 18/04/2013 00:36, Richard Johnson wrote:
> On Wed, Apr 17, 2013 at 11:59:06PM +0200, Laurent Alebarde wrote:
>> Thanks Richard. Could you elaborate a bit more please for the pf &
>> networking newbie I am?
> A typical basic pf.conf will say:
>
>     block
>     pass out
>
> That blocks with ICMP or TCP RST reply all inbound traffic, except traffic
> which matches a state table entry created by the 'pass out' rule (in other
> words, replies to connections you make outbound from your system).
>
> Add anywhere in that rule set:
>
>     block drop in log quick proto tcp from <sshguard> to any
>
> sshguard will use the <sshguard> table when it finds an IP doing something
> it considers unfriendly.
>
> That rule will silently block all inbound TCP from a bad IP, except for
> replies to connections you make outbound from your system.
>
> For more, see the sshguard.net web site, which refers to the pf
> man pages and instructions.
>
> Good luck!
>
> Richard