From: <li...@la...> - 2016-12-03 07:19:59
Houston...do we have a problem? Using sshguard with ipfw. Details follow.

uname -a
FreeBSD theranch 10.3-RELEASE-p11 FreeBSD 10.3-RELEASE-p11 #0: Mon Oct 24 18:49:24 UTC 2016 ro...@am...:/usr/obj/usr/src/sys/GENERIC amd64

# sshguard -v
sshguard 1.7.0

Cliff notes version:
-----------------
auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
----------------

Here is what I could grep out of the auth.logs that were saved:
http://pastebin.com/yhcHCV4r

Here are the 186.125ers in the ipfw table:
# ipfw table 22 list | grep "186.125*"
186.125.190.156/32 0

So yeah, it is blocked, but then why the message?

Just for yucks:
# ipfw table 22 list | wc -l
2050
From: Petri R. <pet...@me...> - 2016-12-03 09:56:13
> Cliff notes version:
> -----------------
> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
> auth.log.2.bz2:Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
> ----------------

Have you run
ipfw "add 55000 deny ip from table(22) to me"
It should be in your startup scripts someplace. Without it SSHGuard works, but the collected IPs aren't used anywhere.

This baffled me first when I started using SSHGuard. The FreeBSD port doesn't add that automatically, because it doesn't want to mess your firewall setup. The rule number depends on your existing rules.

--
Cheers
Petri
GSM +358 400 505 939
From: Jim S. <jse...@Li...> - 2016-12-03 15:32:57
I'm getting the same thing on my Linux hosts.

$ cat /etc/issue
Ubuntu 14.04.5 LTS
$ sshguard -v
sshguard 1.7.0

Example from /var/log/auth.log:

Dec 2 01:35:31 mail sshguard[1222]: 1.55.63.241: blocking for 840 secs (4 attacks in 0 secs, after 1 abuses over 0 secs)
Dec 2 01:35:31 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 01:50:59 mail sshguard[1222]: 1.55.63.241: unblocking after 928 secs
Dec 2 02:00:50 mail sshguard[1222]: 1.55.63.241: blocking for 1680 secs (4 attacks in 0 secs, after 2 abuses over 1519 secs)
Dec 2 02:00:50 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 02:28:51 mail sshguard[1222]: 1.55.63.241: unblocking after 1681 secs
Dec 2 02:50:39 mail sshguard[1222]: 1.55.63.241: blocking for 3360 secs (4 attacks in 0 secs, after 3 abuses over 4508 secs)
Dec 2 02:50:39 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 03:46:48 mail sshguard[1222]: 1.55.63.241: unblocking after 3369 secs
Dec 2 07:56:07 mail sshguard[1222]: 1.55.63.241: blocking for 6720 secs (4 attacks in 0 secs, after 4 abuses over 22836 secs)
Dec 2 07:56:07 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec 2 07:56:07 mail sshguard[1222]: message repeated 2 times: [ 1.55.63.241: should already have been blocked]
Dec 2 09:50:03 mail sshguard[1222]: 1.55.63.241: unblocking after 6836 secs

That was from yesterday. Here's the current iptables state:

$ sudo iptables -L
[sudo] password for <elided>:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
sshguard   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain sshguard (1 references)
target     prot opt source               destination
DROP       all  --  187-92-160-77.customer.tdatabrasil.net.br  anywhere

Never used to see this until I replaced the repo version with one I built from a tarball to get proper Postfix parsing.
Regards,
Jim

--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
From: <li...@la...> - 2016-12-03 20:05:56
I block 22 pretty early in the rc.firewall
${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22

A quick check to see if sshguard is working:
# bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0

and

# ipfw table 22 list | grep "116.31.116.4"
116.31.116.4/32 0
116.31.116.41/32 0
116.31.116.43/32 0
116.31.116.47/32 0

On Sat, 3 Dec 2016 11:38:57 +0200
Petri Riihikallio <pet...@me...> wrote:

> Have you run
> ipfw "add 55000 deny ip from table(22) to me"
> It should be in your startup scripts someplace. Without it SSHGuard
> works, but the collected IPs aren't used anywhere.
>
> This baffled me first when I started using SSHGuard. The FreeBSD port
> doesn't add that automatically, because it doesn't want to mess your
> firewall setup. The rule number depends on your existing rules.
From: Willem J. W. <wj...@di...> - 2016-12-03 20:32:56
On 3-12-2016 21:05, li...@la... wrote:
> I block 22 pretty early in the rc.firewall
> ${fwcmd} add 550 deny log all from 'table(22)' to any dst-port 22
>
> A quick check to see if sshguard is working:
> # bzgrep -e "ipfw: 550 Deny TCP " security* | head -n 1
> security:Dec 3 20:00:01 theranch kernel: ipfw: 550 Deny TCP 116.31.116.4:25559 redacted:22 in via vtnet0
>
> and
>
> # ipfw table 22 list | grep "116.31.116.4"
> 116.31.116.4/32 0
> 116.31.116.41/32 0
> 116.31.116.43/32 0
> 116.31.116.47/32 0

'ipfw show' should tell you if the rule is really working.
Like:

03500 371 22260 deny ip from table(22) to any

If the first numbers are zero, then it does not get hit.

--WjW
From: <li...@la...> - 2016-12-03 20:23:55
I just shut down that PC, but will double check later. However, the security log does show the rule blocking some IP, which I then verified is in the table 22.

Original Message
From: Willem Jan Withagen
Sent: Saturday, December 3, 2016 12:15 PM
To: li...@la...; Petri Riihikallio
Cc: ssh...@li...
Subject: Re: [SSHGuard-users] "should have already been blocked"

'ipfw show' should tell you if the rule is really working.
Like:

03500 371 22260 deny ip from table(22) to any

If the first numbers are zero, then it does not get hit.

--WjW
From: <li...@la...> - 2016-12-04 07:12:08
On Sat, 3 Dec 2016 21:14:59 +0100
Willem Jan Withagen <wj...@di...> wrote:

> 'ipfw show' should tell you if the rule is really working.
> Like:
>
> 03500 371 22260 deny ip from table(22) to any
>
> If the first numbers are zero, then it does not get hit.
>
> --WjW

I'm not sure I understand your comment, but here is the relevant line from ipfw list:
00550 deny log ip from table(22) to any dst-port 22

Now I don't block all ports because possibly the hacker is on a hosting company with an email server. I suppose I could add blocks for the browser, 587, and 143.
From: Willem J. W. <wj...@di...> - 2016-12-04 11:30:24
On 4-12-2016 08:11, li...@la... wrote:
> I'm not sure I understand your comment, but here is the relevant line
> from ipfw list:
> 00550 deny log ip from table(22) to any dst-port 22
>
> Now I don't block all ports because possibly the hacker is on a
> hosting company with an email server. I suppose I could add blocks for
> the browser, 587, and 143.

The difference was to use 'ipfw show', which gives you a first indication of whether your firewall is ever being hit. If the counters are 0, then one way or another you have an error in your firewall.

My firewall got hit 371 times.

--WjW
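The thread boils down to three checks: a firewall rule that actually references the sshguard table must exist (Petri's point), its packet counters in `ipfw show` must be non-zero (Willem's point), and the addresses sshguard reports as blocked must really be in the table (the original poster's grep). The script below automates all three as an added example for this thread; it is not sshguard's own code and the thread does not say what the "should already have been blocked" message means, so the script only reports the addresses that triggered it next to the table state. Instead of running ipfw it parses constructed sample text: sshguard log lines adapted from the thread plus a made-up 203.0.113.9 entry that is deliberately missing from the table, a constructed `ipfw table 22 list` listing, and a constructed `ipfw show` listing. It assumes the default `ipfw show` column layout (rule number, packets, bytes, rule body) and that the table is referenced in the rule body as `table(22)`. On a real host you would feed it the output of `ipfw table 22 list` and `ipfw show` instead of the samples.

```python
"""Cross-check sshguard's log against the ipfw state it is supposed to drive.

Added example for the sshguard-users thread above; not sshguard's own code.
All three inputs are constructed samples so the script runs offline.
"""
import re
from collections import defaultdict

# Constructed sample: sshguard lines adapted from the thread plus a made-up
# 203.0.113.9 (TEST-NET) entry that is blocked in the log but absent from the table.
SAMPLE_AUTH_LOG = """\
Nov 19 23:07:13 theranch sshguard[803]: blacklist: added 186.125.190.156
Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: blocking forever (3 attacks in 2 secs, after 1 abuses over 2 secs)
Nov 19 23:07:13 theranch sshguard[803]: 186.125.190.156: should already have been blocked
Dec  2 01:35:31 mail sshguard[1222]: 1.55.63.241: blocking for 840 secs (4 attacks in 0 secs, after 1 abuses over 0 secs)
Dec  2 01:35:31 mail sshguard[1222]: 1.55.63.241: should already have been blocked
Dec  2 01:35:31 mail sshguard[1222]: message repeated 2 times: [ 1.55.63.241: should already have been blocked]
Dec  2 01:50:59 mail sshguard[1222]: 1.55.63.241: unblocking after 928 secs
Dec  2 07:56:07 mail sshguard[1222]: 203.0.113.9: blocking for 840 secs (4 attacks in 0 secs, after 1 abuses over 0 secs)
"""

# Constructed `ipfw table 22 list` output (address/prefix and table value).
SAMPLE_TABLE = """\
116.31.116.4/32 0
186.125.190.156/32 0
"""

# Constructed `ipfw show` output: rule number, packet count, byte count, rule body.
SAMPLE_SHOW = """\
00100 12 840 allow ip from any to any via lo0
00550 371 22260 deny log ip from table(22) to any dst-port 22
65535 9001 1234567 allow ip from any to any
"""

SSHGUARD_RE = re.compile(r"sshguard\[\d+\]: (?P<msg>.*)$")
# syslog collapses identical consecutive lines; expand them so counts stay right.
REPEAT_RE = re.compile(r"^message repeated (?P<n>\d+) times: \[ (?P<msg>.*)\]$")
EVENT_RES = [
    ("block", re.compile(r"^(?P<ip>[\d.]+): blocking (for \d+ secs|forever)")),
    ("unblock", re.compile(r"^(?P<ip>[\d.]+): unblocking after \d+ secs")),
    ("already", re.compile(r"^(?P<ip>[\d.]+): should already have been blocked$")),
    ("blacklist", re.compile(r"^blacklist: added (?P<ip>[\d.]+)$")),
]
IPFW_SHOW_RE = re.compile(r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<body>.*)$")


def parse_sshguard_log(text):
    """Return {ip: [event, ...]} in log order, with repeated messages expanded."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SSHGUARD_RE.search(line)
        if not m:
            continue
        msg, count = m.group("msg"), 1
        r = REPEAT_RE.match(msg)
        if r:
            msg, count = r.group("msg").strip(), int(r.group("n"))
        for name, rx in EVENT_RES:
            e = rx.match(msg)
            if e:
                events[e.group("ip")].extend([name] * count)
                break
    return dict(events)


def parse_ipfw_table(text):
    """Addresses from `ipfw table N list` output, prefix length stripped."""
    addrs = set()
    for line in text.splitlines():
        parts = line.split()
        if parts:
            addrs.add(parts[0].split("/")[0])
    return addrs


def table_rules(show_text, table_id):
    """Rules in `ipfw show` output that reference table(table_id): (rule_no, packets, body)."""
    needle = "table(%d)" % table_id
    hits = []
    for line in show_text.splitlines():
        m = IPFW_SHOW_RE.match(line)
        if m and needle in m.group("body"):
            hits.append((int(m.group("rule")), int(m.group("pkts")), m.group("body")))
    return hits


def audit(log_text, table_text, show_text, table_id=22):
    """Combine the three checks from the thread into one report dict."""
    events = parse_sshguard_log(log_text)
    table = parse_ipfw_table(table_text)
    rules = table_rules(show_text, table_id)
    # An address sshguard blocked and has not yet unblocked must still be in the table;
    # one that is missing points at the backend, not at the firewall rule.
    still_blocked = [ip for ip, ev in events.items() if "block" in ev and ev[-1] != "unblock"]
    return {
        "rule_present": bool(rules),                        # is any rule using table(22)?
        "rule_hit": any(pkts > 0 for _, pkts, _ in rules),  # has that rule ever matched?
        "already_blocked_msgs": sorted(ip for ip, ev in events.items() if "already" in ev),
        "missing_from_table": sorted(ip for ip in still_blocked if ip not in table),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_AUTH_LOG, SAMPLE_TABLE, SAMPLE_SHOW).items():
        print("%-22s %s" % (key, value))
```

With the samples, `rule_present` and `rule_hit` are both true (rule 550 has 371 packets), the two addresses that produced "should already have been blocked" are listed, and 203.0.113.9 shows up as missing from the table. Jim's iptables setup has an equivalent of Willem's check: `iptables -n -v -L sshguard` prints the pkts and bytes columns for the DROP entries, though the parser above is written for ipfw output only.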