From: <81...@2r...> - 2021-03-16 03:54:09

How does the blacklist work exactly? From the manpage on Debian 9 I assumed (wrongly?) that sshguard writes to a blacklist file only to reload it on start or restart. But from the list archives it appears that on some distros the blacklist file is permanent, and that it aggregates all blacklisted ip addresses without releasing them.

I have this in /etc/default/sshguard:

# See man page sshguard(8) for documentation of the command line options
ENABLE_FIREWALL=1

# By default all units are monitored in SystemD
# list of log files to scan delimited by space (Kfreebsd only)
LOGFILES="/var/log/auth.log"

# Whitelist configuration file
WHITELIST="/etc/sshguard/whitelist"

# Other options
ARGS="-a 30 -b 100:/etc/sshguard/blacklist -p 420 -s 3600"

When I'm able to install sshguard from source and set hosts as the backend, I think (but I'm not sure) that it does eventually remove blocked ip addresses. But with a firewall, do blocked ip's remain in the blacklist file?

Thanks!
From: Jos C. <ssh...@cl...> - 2021-03-16 15:12:03

On 16-3-21 at 4:53, 8187--- via sshguard-users wrote:
> When I'm able to install sshguard from source and set hosts as the
> backend, I think (but I'm not sure) that it does eventually remove
> blocked ip addresses. But with a firewall, do blocked ip's remain in
> the blacklist file?

I work with ipfw firewall. The blacklist is named as a table in its configuration.
When I do maintenance I empty the blacklist by a simple echo > blacklist.db and restart (i) sshguard after with 'sshguard restart' and (ii) a ipfw firewall restart.

best,
jos

--
With both feet on the ground you will never make a step forward
From: Christos C. <ch...@cr...> - 2021-03-16 16:57:03

> I work with ipfw firewall. The blacklist is named as a table in its configuration
> When I do maintenance I empty the blacklist by a simple echo > blacklist.db and restart (i) sshguard after with 'sshguard restart' and (ii) a ipfw firewall restart

ipfw restart is not needed. What I do is "rm /var/db/sshguard/blacklist.db" and "service sshguard restart".
From: Kevin Z. <kev...@gm...> - 2021-03-16 18:09:01

Hi there,

On 3/15/21 8:53 PM, 8187--- via sshguard-users wrote:
> How does the blacklist work exactly? From the manpage on Debian 9 I
> assumed (wrongly?) that sshguard writes to a blacklist file only to
> reload it on start or restart. But from the list archives it appears
> that on some distros the blacklist file is permanent, and that it
> aggregates all blacklisted ip addresses without releasing them.

Just to clarify the answer to this question:

When blacklisting is enabled, attackers who exceed the blacklist threshold (100 in your configuration, or ~10 attacks) are blocked permanently. SSHGuard remembers the addresses that are blocked permanently by adding them to the blacklist file, which is written to when an address is blacklisted and loaded every time SSHGuard stops.

I'll clear up the man page a bit.

Regards,
Kevin
From: Kevin B. <kev...@gm...> - 2021-03-17 03:17:58

On 2021/03/17 02:08, Kevin Zheng wrote:
>
> SSHGuard remembers the addresses that are blocked permanently by adding
> them to the blacklist file, which is written to when an address is
> blacklisted and loaded every time SSHGuard stops.
>
> I'll clear up the man page a bit.

Surely "loaded every time SSHGuard starts": not stops?

Actually writing to point out that one of the "nice" things about that behaviour is that it affords one the opportunity to combine entries from multiple blacklist files ahead of a restart on any given host running SSHGuard.

HTH,
Kevin
From: Kevin Z. <kev...@gm...> - 2021-03-19 18:44:54

On 3/16/21 8:17 PM, Kevin Buckley wrote:
>> SSHGuard remembers the addresses that are blocked permanently by adding
>> them to the blacklist file, which is written to when an address is
>> blacklisted and loaded every time SSHGuard stops.
>>
>> I'll clear up the man page a bit.
>
> Surely "loaded every time SSHGuard starts": not stops ?

Yes, that's a typo on my part. I've pushed a revised man page to Git. You can also read it online here:

https://bitbucket.org/sshguard/sshguard/src/master/doc/sshguard.8.rst

Does this help clear things up a bit?

Regards,
Kevin
From: Kevin B. <kev...@gm...> - 2021-03-17 08:02:47

On 2021/03/17 11:58, 81...@2r... wrote:
>
> Mar 16, 2021, 22:17 by kev...@gm...:
>
>> On 2021/03/17 02:08, Kevin Zheng wrote:
>>
>>>
>>> SSHGuard remembers the addresses that are blocked permanently by adding
>>> them to the blacklist file, which is written to when an address is
>>> blacklisted and loaded every time SSHGuard stops.
>>>
>>> I'll clear up the man page a bit.
>>>
>>
>> Surely "loaded every time SSHGuard starts": not stops ?
>>
>> Actually writing to point out that one of the "nice" things about
>> that behaviour is that it affords one the opportunity to combine
>> entries from multiple blacklist files ahead of a restart on any
>> given host running SSHGuard.
>>
>> HTH,
>> Kevin
>>
> I read the manpage incorrectly, so that's my error. On debian 9 it's clear that blacklist is permanent ("never automatically unblocked") and should be occasionally pruned of stale entries ("but it is good practice to periodically clean out stale blacklist entries.")
>
> <<-b thresh:file
> Blacklist an attacker when its dangerousness exceeds thresh. Blacklisted addresses are added to file so they can be read at the next startup. Blacklisted addresses are never automatically unblocked, but it is good practice to periodically clean out stale blacklist entries. >>>
>
> Excellent idea to add other blacklists to the blacklist db. I suppose the syntax could just copy what's already there:
>
> |unixtime|threshold|failures|ip:
>
> <<1615817411|100|4|154.209.5.25
> 1615817489|100|4|187.170.234.27 >>>
>
> Gordon

Not sure I hear the "stale" in "... periodically clean out stale blacklist entries ..." suggestion, on the assumption that once you have been "attacked", then unless there has been a justification for the access, or a process whereby you move the blocking closer to the source of the attack, you would continue to block locally.

As for the melding together of blacklist files, I just cat them and then run the following AWK script over the concatenated list, with the idea that you keep a record of the "first/earliest" time you saw an attack from a given IP.

# munge_blacklists.awk
#
# Takes a list of SSHGuard blacklists
# and keeps the earliest occurrence of duplicated IPs
#
# cat blacklist.*-{1,2} | awk -f munge_blacklists.awk | \
#   sort -n > blacklist.prod_cray

# Skip blank lines so they do not become an entry with an empty IP
NF == 0 { next }

{
  # Fields: a[1] = unix time, a[2], a[3] = middle fields, a[4] = IP
  split($0, a, "|")
  if( j[a[4]] > 0) {
    #DEBUG print "Dup ", j[a[4]], a[4], a[1]
    # Use the lowest (earliest) timestamp seen for this IP
    if( a[1] > j[a[4]]) {
      a[1] = j[a[4]]
    }
  }
  j[a[4]] = a[1]
}
END{
  # Middle fields are rewritten as 100|4, matching the blacklists above
  for( b in j) {
    printf "%s|100|4|%s\n", j[b], b
  }
}

That might be useful for you: though there will be other ways, and other languages, that will achieve the same thing.
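The same merge in Python, plus the periodic clean-out of stale entries the man page excerpt above recommends, as an added example that is not code from this thread or from SSHGuard itself: it parses time|field|field|address lines as quoted above, keeps the earliest record per address as the awk script does, drops records older than a chosen age, and writes them back sorted by time. The sample input is constructed; the two middle fields (which the thread labels threshold and failures) are copied through unchanged because the code does not rely on their meaning.

```python
import ipaddress
import time
from typing import Dict, Iterable, List, Optional, Tuple

# (timestamp, second field, third field, address); the thread labels the middle
# fields threshold and failures, this code only copies them through unchanged.
Entry = Tuple[int, str, str, str]

# Constructed sample input modelled on the two lines quoted in the thread
# (203.0.113.9 is a documentation address, not a real attacker).
HOST_A = "1615817411|100|4|154.209.5.25\n1615817489|100|4|187.170.234.27\n"
HOST_B = "1615800000|100|4|187.170.234.27\nnot|a|valid|line\n1615900000|100|4|203.0.113.9\n"

def parse_blacklist(lines: Iterable[str]) -> List[Entry]:
    """Parse blacklist lines; blank, commented or malformed lines are skipped, not guessed."""
    entries: List[Entry] = []
    for raw in lines:
        parts = raw.strip().split("|")
        if len(parts) != 4 or raw.lstrip().startswith("#"):
            continue
        stamp, f2, f3, addr = parts
        try:
            ipaddress.ip_address(addr)  # accepts IPv4 and IPv6 literals, rejects junk
            entries.append((int(stamp), f2, f3, addr))
        except ValueError:
            continue
    return entries

def merge_earliest(*blacklists: Iterable[Entry]) -> Dict[str, Entry]:
    """One record per address, keeping the earliest timestamp (the awk script's rule)."""
    kept: Dict[str, Entry] = {}
    for entries in blacklists:
        for entry in entries:
            if entry[3] not in kept or entry[0] < kept[entry[3]][0]:
                kept[entry[3]] = entry
    return kept

def prune_stale(kept: Dict[str, Entry], max_age_days: int, now: Optional[float] = None) -> Dict[str, Entry]:
    """Drop records older than max_age_days: the man page's periodic clean-out of stale entries."""
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    return {addr: e for addr, e in kept.items() if e[0] >= cutoff}

def render(kept: Dict[str, Entry]) -> str:
    """Serialise back to the on-disk format, ordered by timestamp like 'sort -n'."""
    return "".join("|".join(map(str, e)) + "\n" for e in sorted(kept.values()))

if __name__ == "__main__":
    merged = merge_earliest(parse_blacklist(HOST_A.splitlines()), parse_blacklist(HOST_B.splitlines()))
    print(render(prune_stale(merged, max_age_days=1, now=1615903600)))
```

Feed it real files with `parse_blacklist(open(path))` and write `render(...)` to a fresh blacklist before restarting sshguard, which is when the file is loaded.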
From: <81...@2r...> - 2021-03-21 01:20:30

Hello, Jack, list,

Did you install both nftables and sshguard using command line apt install on Debian 10? If so, that could mean the .deb files from Debian 10 automatically install sshguard with nftables as the backend.

Debian 9 (I think) tries to keep iptables when it installs nftables, and I'm guessing 9 won't pick up the nftables backend in sshguard config. I might try to download the .deb files from Debian 10 for both onto the Debian 9 server, and then install them with gdebi or dpkg.

Again, many thanks,

Gordon

Mar 16, 2021, 14:49 by cm...@li...:

> Hello
>
> I use nftables + sshguard 2.4.1 on Debian 10
> ________________________________________
> >From: 8187--- via sshguard-users <ssh...@li...>
> >Sent: Tuesday, 16 March 2021 04:53
> >To: Sshguard Users
> >Subject: [SSHGuard-users] Is blacklist permanent? If so move ip addresses to /etc/hosts.deny?
> >>
> >>
> >How does the blacklist work exactly? From the manpage on Debian 9 I assumed (wrongly?) that sshguard writes to a blacklist file only to
> >reload it on start or restart.
>
> When an IP address is blocked forever, sshguard adds this IP address on the blacklist (/usr/local/etc/blacklist for me) with a unix timestamp *and*
> adds this IP address on the 'table ip sshguard' of nftables. This way, the whole blacklist is reloaded on nftables whenever you restart sshguard.
> Notice that in the example below, the whole /24 subnet is blacklisted, which is my own choice. YMMV
>
> --------8<-- nft list ruleset ---------
> ...
> table ip sshguard {
>     set attackers {
>         type ipv4_addr
>         flags interval
>         elements = { 1.212.145.0/24, 31.210.20.0/24,
>                      31.210.22.0/24, 40.123.248.0/24,
>                      43.246.139.0/24, 45.95.169.0/24,
>                      45.133.1.0/24, 45.141.84.0/24,
>                      46.101.73.0/24, 74.201.28.0/24,
>                      77.108.96.0/24, 81.161.63.0/24 }
> ....
> -----ENDOF ---8<-- nft list ruleset ---------
>
> --
> cmic, retired sysadmin 8-))
From: <81...@2r...> - 2021-03-22 23:54:29

Jack,

Good, thank you for letting me know. I am also very new to nftables, but I like it so far. It has some things that remind me of the packet filter firewall in BSD distros (pf, pfsense, etc.).

My next step is to get a Debian 10 VPS, and try to install sshguard from source, and see if I can set the BACKEND correctly as you did. Compiling sshguard on Debian 9 did not work for me, so instead of patching that, let me see if Debian 10 compiles.

Kevin, if it compiles on Debian 10 and the backend sets, I'm in good shape. As I mentioned, nftables on Debian 9 may not have enough users to patch that tarball for nftables.

Gordon

>> Hello, Jack, list,
>>
>> Did you install both nftables and sshguard using command line apt install on Debian 10? If so, that could mean the .deb files from Debian 10 automatically install sshguard with nftables as the backend.
>>
>>> When buster (Debian 10.0) was first installed (upgrading from Debian 9), I had the surprise to discover the Nftables. By the way, the old version of sshguard didn't work anymore.
>>> So I downloaded and compiled sshguard-2.4.1, installed the correct linked files for nftables, learned nftables with their wiki, etc.
>>> Now everything works OK.
>>> Hope it helps...
>>> regards
>>> --
>>> Michel (aka cmic, aka Jack Keradec...)
>>
>> Debian 9 (I think) tries to keep iptables when it installs nftables, and I'm guessing 9 won't pick up the nftables backend in sshguard config. I might try to download the .deb files from Debian 10 for both onto the Debian 9 server, and then install them with gdebi or dpkg.
>>
>> Again, many thanks,
>>
>> Gordon