Hello Kacper,

if you see the blocking/releasing messages, then the problem to debug is restricted to how the blocking goes. You can always use the -d flag to inspect this in detail. In your case, do:

1) temporarily disable sshguard from the system: killall -STOP sshguard
2) run a debugging sshguard instance: sshguard -d
3) paste a "suspicious" entry line in its standard input (+ enter) 4 times

sshguard shows a "Matched IP address 101.102.103.104" message after each paste, and concludes something like:

"Blocking 101.102.103.104: 4 failures over 5 seconds.
Setting environment: SSHG_ADDR=101.102.103.104;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
<MESSAGE>
Blocking command failed. Exited: -1"

If you get a failure, <MESSAGE> should point out what's wrong. If you can't solve it on your own, or you think that it is a bug, please report the whole blocking message so we can find out.
On 9 Sep 2008, at 05:59, Kacper Wysocki wrote:
> Hello all,
> I've set up sshguard-pf 1.1 to run through syslog as recommended:
>
> # pkg_info | grep sshguard
> sshguard-pf-1.1_1 Protect hosts from brute force attacks against ssh and othe
>
> # cat /etc/syslog.conf | grep sshguard
> auth.info;authpriv.info |exec /usr/local/sbin/sshguard
>
> and it reports that it runs fine:
> # cat /var/log/auth.log | grep sshguard
> Sep 8 12:00:00 interzone sshguard[35281]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
> x
> Sep 8 12:20:36 interzone sshguard[35281]: Blocking XX.XX.XX.XX: 4 failures over 6 seconds.
> Sep 8 12:38:36 interzone sshguard[35281]: Releasing XX.XX.XX.XX after 445 seconds.
> (..output cropped for brevity..)
>
> my pf.conf is set up to work with sshguard:
> # cat /etc/pf.conf | grep sshguard
> table <sshguard> persist
> block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
>
> yet when I look at what pf is doing, I see no addresses added to the sshguard table, nor do I see any incoming packets blocked through pflog:
> # pfctl -t sshguard -vTshow
> No ALTQ support in kernel
> ALTQ related functions disabled
> # tcpdump -n -e -ttt -i pflog0
> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
> (nothing)
>
> Now, I'm sure I've fumbled something - why aren't sshguard blocked IPs being added to the pf table?
>
> TIA,
> Kacper Wysocki
> --
> http://kacper.doesntexist.org
> Employ no technique to gain supreme enlightenment.
> - Mar pa Chos kyi blos gros
>
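As an added example (not from this thread or from the sshguard project), here is a small Python check for the symptom Kacper describes: it replays the Blocking/Releasing messages from auth.log to work out which addresses sshguard believes are currently blocked, parses the output of `pfctl -t sshguard -T show`, and lists the addresses that sshguard logged but the pf table does not hold. The log lines and pfctl output below are constructed samples (addresses from documentation ranges), and non-verbose `-T show` output is assumed.

```python
import re
from typing import List, Set

# Constructed sample in the shape of the auth.log excerpt from the thread.
AUTH_LOG = """\
Sep  8 12:00:00 interzone sshguard[35281]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep  8 12:20:36 interzone sshguard[35281]: Blocking 192.0.2.10: 4 failures over 6 seconds.
Sep  8 12:25:01 interzone sshguard[35281]: Blocking 198.51.100.7: 4 failures over 3 seconds.
Sep  8 12:38:36 interzone sshguard[35281]: Releasing 192.0.2.10 after 445 seconds.
"""

# Constructed output of `pfctl -t sshguard -T show`: empty apart from the
# ALTQ warnings, i.e. the situation reported in the thread.
PFCTL_SHOW = "No ALTQ support in kernel\nALTQ related functions disabled\n"

BLOCK_RE = re.compile(r"sshguard\[\d+\]: Blocking (\S+): (\d+) failures over (\d+) seconds")
RELEASE_RE = re.compile(r"sshguard\[\d+\]: Releasing (\S+) after (\d+) seconds")


def expected_blocked(auth_log: str) -> List[str]:
    """Replay Blocking/Releasing messages in order and return the addresses
    sshguard believes are still blocked at the end of the log."""
    active: List[str] = []
    for line in auth_log.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            if m.group(1) not in active:
                active.append(m.group(1))
            continue
        m = RELEASE_RE.search(line)
        if m and m.group(1) in active:
            active.remove(m.group(1))
    return active


def pf_table_addrs(pfctl_output: str) -> Set[str]:
    """Parse `pfctl -t <table> -T show`, skipping the ALTQ notices pfctl
    prints on kernels built without ALTQ."""
    addrs: Set[str] = set()
    for line in pfctl_output.splitlines():
        line = line.strip()
        if not line or line.startswith("No ALTQ") or line.startswith("ALTQ"):
            continue
        addrs.add(line)
    return addrs


def missing_from_table(auth_log: str, pfctl_output: str) -> List[str]:
    """Addresses sshguard logged as blocked that are absent from the pf table;
    a non-empty result means the blocking command is failing, so run sshguard -d."""
    table = pf_table_addrs(pfctl_output)
    return [a for a in expected_blocked(auth_log) if a not in table]
```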