From: <li...@la...> - 2016-05-07 02:56:28
Old ipfw line:
${fwcmd} add 550 deny log all from 'table(22)' to any

Suggested line from current documentation:
# ipfw add 5000 reset ip from table\(22\) to me
-------------------------------------------------------------
I noticed the updated sshguard made it to /usr/ports, so I compiled the
code there and did a reinstall so it would be more like a typical user
installation.
--------------------------------------------------------
This is the error message when starting sshguard:
# service sshguard restart
Stopping sshguard.
Starting sshguard.
#
# ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
ipfw: setsockopt(IP_FW_TABLE_XADD): File exists
-----------------------------------------------------------------
The standard daemon file doesn't include dovecot. I added the dovecot
log, but I don't see it mentioned in the auth.log. Also should I delete
the old block list?
May 7 02:53:13 theranch sshguard[21444]: Exiting on signal
May 7 02:53:13 theranch sshguard[23159]: blacklist: blocking 1644 addresses
May 7 02:53:16 theranch sshguard[23159]: Monitoring attacks from log files
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/auth.log.
May 7 02:53:16 theranch sshguard[23159]: Reloading rotated file /var/log/maillog.
May 7 02:53:16 theranch sshguard[23159]: blacklist: 217.199.161.135 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 217.199.161.135: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 185.103.109.70 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 185.103.109.70: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: blacklist: 155.133.82.69 is already blacklisted
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: blocking forever (3 attacks in 0 secs, after 1 abuses over 0 secs)
May 7 02:53:16 theranch sshguard[23159]: fw: failed to block (-1)
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
May 7 02:53:16 theranch sshguard[23159]: 155.133.82.69: should already have been blocked
-----------------------------------------
My recollection is it was suggested to change the regex in the daemon a
bit. Is this still valid?
-----------------------------------------------
The daemon file /usr/local/etc/rc.d/sshguard (well, truncated a bit) follows.
#!/bin/sh
#
# Add the following lines to /etc/rc.conf to enable sshguard:
#
# sshguard_enable (bool):          Set to "NO" by default.
#                                  Set it to "YES" to enable sshguard
# sshguard_pidfile (str):          Path to PID file.
#                                  Set to "/var/run/sshguard.pid" by default
# sshguard_watch_logs (str):       Colon-separated list of logs to watch.
#                                  Set to "/var/log/auth.log:/var/log/maillog"
#                                  by default.
#
# The following options directly map to their command line options,
# please read manual page sshguard(8) for detailed information:
#
# sshguard_blacklist (str):        [thr:]/path/to/blacklist.
#                                  Set to "30:/var/db/sshguard/blacklist.db"
#                                  by default.
# sshguard_danger_thresh (int):    Danger threshold. Set to "30" by default.
# sshguard_release_interval (int): Minimum interval an address remains
#                                  blocked. Set to "120" by default.
# sshguard_reset_interval (int):   Interval before a suspected attack is
#                                  forgotten and danger is reset to 0.
#                                  Set to "1800" by default.
# sshguard_whitelistfile (str):    Path to the whitelist.
#                                  Set to "/usr/local/etc/sshguard.whitelist"
#                                  by default.
# sshguard_flags (str):            Set additional command line arguments.
#

. /etc/rc.subr

name=sshguard
rcvar=sshguard_enable

load_rc_config sshguard

: ${sshguard_enable:=NO}
: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
: ${sshguard_danger_thresh=30}
: ${sshguard_release_interval=120}
: ${sshguard_reset_interval=1800}
: ${sshguard_whitelistfile="/usr/local/etc/sshguard.whitelist"}
: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}

pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}

command=/usr/sbin/daemon
actual_command="/usr/local/sbin/sshguard"
procname="${actual_command}"

start_precmd=sshguard_prestart

# The escaped \${...} variables are expanded later, after sshguard_prestart
# has filled them in.
command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"

sshguard_prestart()
{
    # Clear rc_flags so sshguard_flags can be passed to sshguard
    # instead of daemon(8)
    rc_flags=""

    if [ ! -z ${sshguard_blacklist} ]; then
        mkdir -p $(dirname ${sshguard_blacklist##*:})
        sshguard_blacklist_params="-b ${sshguard_blacklist}"
    fi

    [ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}

    # Turn the colon-separated log list into "-l /path1 -l /path2 ..."
    sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
}

run_rc_command "$1"
From: Carmel <car...@ou...> - 2016-05-07 13:00:20
On Fri, 6 May 2016 19:56:17 -0700, li...@la... stated:
>Old ipfw line:
>${fwcmd} add 550 deny log all from 'table(22)' to any
>
>Suggested line from current documentation
># ipfw add 5000 reset ip from table\(22\) to me

I am running sshguard-ipfw, ver 1.6.4 on a FreeBSD-11 / amd64 machine. I
installed the program via the ports system.
I was just wondering where you located this new documentation? I have
been interested in exactly what and where to put entries in my "ipfw"
file, or if I even needed them at all.
Thanks!
--
Carmel
From: <li...@la...> - 2016-05-07 13:20:00
The entry into rc.firewall is on this page: http://www.sshguard.net/docs/setup/

You certainly need the line and there was a thread sometime back regarding where in the file to place it.

Sorry for the top posting, but I'm on the "phone."

Original Message
From: Carmel
Sent: Saturday, May 7, 2016 6:00 AM
To: ssh...@li...
Subject: Re: [SSHGuard-users] Results from running 1.6.4

On Fri, 6 May 2016 19:56:17 -0700, li...@la... stated:
>Old ipfw line:
>${fwcmd} add 550 deny log all from 'table(22)' to any
>
>Suggested line from current documentation
># ipfw add 5000 reset ip from table\(22\) to me

I am running sshguard-ipfw, ver 1.6.4 on a FreeBSD-11 / amd64 machine. I installed the program via the ports system.

I was just wondering where you located this new documentation? I have been interested in exactly what and where to put entries in my "ipfw" file, or if I even needed them at all.

Thanks!
--
Carmel

_______________________________________________
sshguard-users mailing list
ssh...@li...
https://lists.sourceforge.net/lists/listinfo/sshguard-users

From: Kevin Z. <kev...@gm...> - 2016-05-08 06:36:37
On 05/07/2016 06:00, Carmel wrote:
> I am running sshguard-ipfw, ver 1.6.4 on a FreeBSD-11 / amd64 machine. I
> installed the program via the ports system.
>
> I was just wondering where you located this new documentation? I have
> been interested in exactly what and where to put entries in my "ipfw"
> file, or if I even needed them at all.

As mentioned before, the setup documentation is here:
http://www.sshguard.net/docs/setup/

You need to understand your own firewall to set up SSHGuard. Copying and pasting might work if you're lucky.

The 'reset' instead of 'deny' was chosen as a more reasonable default to give users better feedback. Dropping the connection will cause the client to wait for a timeout, while resetting the connection will give the user more meaningful feedback (connection reset by peer).

The rule number depends entirely on your ruleset. IPFW is a first-rule-wins firewall, so the rule that allows SSH should have a higher rule number than SSHGuard's rule number.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

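Kevin's first-rule-wins point is the kind of thing that silently breaks when a ruleset is edited by hand: if the SSHGuard rule lands above the SSH allow rule in number order, blocked addresses still get in. The following is an added example, not from this thread and not part of the SSHGuard project: a POSIX shell check that reads an `ipfw list`-style listing and confirms that the rule matching table(22) has a lower number than the rule allowing TCP port 22 to the host. The listings it runs on are constructed for the demonstration, and the rule numbers (500, 550, 5000) and the exact wording of the SSH allow rule are assumptions; on a real FreeBSD host you would pass it the output of `ipfw list` instead.

```shell
#!/bin/sh
# Added example (not from the thread or the SSHGuard project): verify that
# SSHGuard's block rule precedes the SSH allow rule in an ipfw ruleset.
# ipfw evaluates rules in ascending number order and the first match wins,
# so the table(22) rule must carry a lower number than the "allow ... 22" rule.

# Constructed sample listings (assumed rule numbers and wording).
# Wrong order: the SSH allow at 550 is evaluated before SSHGuard's rule at 5000.
BAD_RULESET='00550 allow tcp from any to me 22 in
05000 reset ip from table(22) to me
65535 deny ip from any to any'

# Correct order: SSHGuard's rule renumbered to 500, below the SSH allow at 550.
GOOD_RULESET='00500 reset ip from table(22) to me
00550 allow tcp from any to me 22 in
65535 deny ip from any to any'

# A ruleset with no SSH allow rule at all (ssh would be unreachable anyway).
NO_SSH_RULESET='00500 reset ip from table(22) to me
65535 deny ip from any to any'

# Print the number of the first rule whose line matches the grep -E pattern,
# with leading zeros stripped; print nothing if no rule matches.
#   $1 = listing text, $2 = pattern
first_rule_number() {
    printf '%s\n' "$1" | grep -E "$2" | head -n 1 | awk '{print $1}' | sed 's/^0*//'
}

# Exit status: 0 if the table(22) rule is numbered below the SSH allow rule,
# 1 if it is numbered above it or missing, 2 if no SSH allow rule exists.
#   $1 = listing text
check_ipfw_order() {
    listing="$1"
    block=$(first_rule_number "$listing" 'table\(22\)')
    allow=$(first_rule_number "$listing" '^[0-9]+ allow tcp from .* to me 22')
    [ -n "$allow" ] || return 2
    [ -n "$block" ] || return 1
    [ "$block" -lt "$allow" ] && return 0
    return 1
}

# Human-readable wrapper for interactive use, e.g. report "$(ipfw list)".
report() {
    if check_ipfw_order "$1"; then
        echo "ok: SSHGuard table(22) rule is evaluated before the SSH allow rule"
    else
        echo "WARNING: SSHGuard table(22) rule is not evaluated before the SSH allow rule"
    fi
}

report "$BAD_RULESET"
report "$GOOD_RULESET"
```

The pattern for the SSH allow rule is deliberately narrow; if your allow rule is written differently (a named port, a specific interface, an IPv6 form), adjust the second pattern in `check_ipfw_order` to match your own ruleset rather than loosening it to anything containing "22".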
From: <li...@la...> - 2016-05-08 06:48:36
Regarding reset or deny, who is the user here? The clown trying to log into the server, or the sysadmin? My first priority would be which uses the least resources of my server. If equal, then I would pick which method wastes the time of the clown trying to break into the network.

Original Message
From: Kevin Zheng
Sent: Saturday, May 7, 2016 11:36 PM
To: Carmel; ssh...@li...
Subject: Re: [SSHGuard-users] Results from running 1.6.4

On 05/07/2016 06:00, Carmel wrote:
> I am running sshguard-ipfw, ver 1.6.4 on a FreeBSD-11 / amd64 machine. I
> installed the program via the ports system.
>
> I was just wondering where you located this new documentation? I have
> been interested in exactly what and where to put entries in my "ipfw"
> file, or if I even needed them at all.

As mentioned before, the setup documentation is here:
http://www.sshguard.net/docs/setup/

You need to understand your own firewall to set up SSHGuard. Copying and pasting might work if you're lucky.

The 'reset' instead of 'deny' was chosen as a more reasonable default to give users better feedback. Dropping the connection will cause the client to wait for a timeout, while resetting the connection will give the user more meaningful feedback (connection reset by peer).

The rule number depends entirely on your ruleset. IPFW is a first-rule-wins firewall, so the rule that allows SSH should have a higher rule number than SSHGuard's rule number.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090