From: Amit D. <ami...@gm...> - 2021-11-30 19:51:21
Hi,

I have used sshguard on Ubuntu 16 without any issues. Recently I installed it on Ubuntu 18 and Ubuntu 20 servers, where it is not working as expected. I went through a few threads like https://askubuntu.com/questions/1245543/how-do-i-configure-sshguard-in-ubuntu-20-04 which didn't help much. In my auth logs I can see closed sessions for unauthorized users' sshd sessions, but it is not blocking me even after multiple attempts.

Also, in *backends* I don't see a few packages: /usr/lib/sshguard/sshd-fw or the netfilter or iptables path. I am using ufw rules. There is a bug stating the iptables links are broken: https://bugs.launchpad.net/ubuntu/+source/sshguard/+bug/1884848

Is this what I am missing here?

I have installed sshguard on 100s of VMs without testing on the latest OS. Is there any simple way, like maybe apt commands, to install the latest version without compiling from source code? Please let me know a simple solution.

Thanks,
amit

From: Kevin Z. <kev...@gm...> - 2021-11-30 20:32:56
Hi Amit,

On 11/30/21 11:51 AM, Amit Das wrote:
> I have used sshguard on Ubuntu 16 without any issues. Recently I
> installed it on Ubuntu 18 and Ubuntu 20 servers, where it is not working as
> expected. I went through a few threads like
> https://askubuntu.com/questions/1245543/how-do-i-configure-sshguard-in-ubuntu-20-04
> which didn't help much. In my auth logs I can see closed sessions for
> unauthorized users' sshd sessions, but it is not blocking me even after
> multiple attempts.

Could you please describe exactly what troubleshooting steps you tried? Can you give more details about your setup and configuration? We can't help you if you don't.

Have you looked at the troubleshooting section of the sshguard-setup man page? Which troubleshooting steps have you tried, if any?

Regards,
Kevin

From: Amit D. <ami...@gm...> - 2021-12-01 19:41:57
Hi Kevin,

Thanks for the response.

> Could you please describe exactly what troubleshooting steps you tried?

On Ubuntu 16.04: apt install sshguard. It works successfully, with no issues on tests either.

On Ubuntu 18 and Ubuntu 20 I did "apt install sshguard". Version installed: 1.7.3. sshguard status: running. I made multiple attempts (more than 30) to ssh from a different IP address, but in the auth logs I see sessions closing every time.

Expected: the auth logs should show sshguard blocking the unauthorized attempts.

As I have already installed it on more than 50 VMs without testing on Ubuntu 18 and 20, it's difficult to build from source code and run on all machines.

For example, if I want to install sshguard on 50 VMs (Ubuntu 20), do I need to compile and build from source code on all VMs? "apt get install sshguard" will not work?

> Can you give more details about your setup and configuration? We can't
> help you if you don't.

In sshguard troubleshooting it says: Check the paths first: where is iptables, or pfctl, or ipfw? You may need to specify their path explicitly from ./configure if they are not in standard paths nor in system's PATH.

I have ufw enabled and added the backend as:

# Full path to backend executable (required, no default)
BACKEND="/usr/lib/sshguard/sshg-fw-iptables"
# Log reader command (optional, no default)
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat"
# How many problematic attempts trigger a block
THRESHOLD=20
# Blocks last at least 180 seconds
BLOCK_TIME=180
# The attackers are remembered for up to 3600 seconds
DETECTION_TIME=3600
# Blacklist threshold and file name
BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db
# IPv6 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=64
# IPv4 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=24

Restarted sshguard and ufw. Followed this document also, which didn't work. Finally installed iptables and updated the backend.

These are the steps I followed. Please suggest what I have missed here.

Thanks
amit

On Wed, Dec 1, 2021 at 2:02 AM Kevin Zheng <kev...@gm...> wrote:
> Hi Amit,
>
> On 11/30/21 11:51 AM, Amit Das wrote:
> > I have used sshguard on ubuntu 16 without any issues. Recently i
> > installed on ubuntu 18 and ubuntu 20 servers which is not working as
> > expected. Went through few threads like
> > https://askubuntu.com/questions/1245543/how-do-i-configure-sshguard-in-ubuntu-20-04
> > which didn't help much. In my auth logs i can see closed sessions for
> > unauthorized users sshd sessions but not blocking me even after
> > multiple attempts.
>
> Could you please describe exactly what troubleshooting steps you tried?
> Can you give more details about your setup and configuration? We can't
> help you if you don't.
>
> Have you looked at the troubleshooting section of the sshguard-setup man
> page? Which troubleshooting steps have you tried, if any?
>
> Regards,
> Kevin

From: Kevin Z. <kev...@gm...> - 2021-12-01 19:52:48
Hi Amit,

It sounds like Ubuntu 18 and 20 broke SSHGuard for many users, not just you. I don't have the resources (an Ubuntu installation and experience using it) to troubleshoot.

Do you know who the maintainer for SSHGuard on Ubuntu is, and could you put us in touch, maybe in this thread?

Thanks,
Kevin

From: Kevin Z. <kev...@gm...> - 2021-12-02 18:57:26
Hi Amit,

On 12/1/21 11:41 AM, Amit Das wrote:
> # Log reader command (optional, no default)
> LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat"

Could you check that your LOGREADER command is actually giving you the log output from sshd?

That is, run this command at the command line, and see if any failed login messages are coming through:

$ /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat

If they are coming through, pipe the output to `sshg-parser -a` and make sure the attacks you expect to be recognized are marked with an asterisk.

Regards,
Kevin

From: Amit D. <ami...@gm...> - 2021-12-03 18:14:09
Hi Kevin,

After adding the ufw before rules for sshguard as mentioned in https://wiki.archlinux.org/title/Sshguard#UFW, sshguard works as expected, blocking unauthorized attempts. I had tried this option before raising the question here; not sure, maybe it was because of the sshguard version 1.7.3 initially used on Ubuntu 20. For Debian 10 and Ubuntu 16.04 it is straightforward with apt commands.

Anyway, thanks for your help.

Thanks,
Amit

On Fri, Dec 3, 2021 at 4:43 PM Amit Das <ami...@gm...> wrote:
> Hi Kevin,
>
> I am getting the output as seen in the attachment. Did you mean pipe or
> redirect? Not clear.
>
> Also my sshguard version is 1.7.3 (tried on other versions, 2.3.1 and 2.3.4,
> too). I have tried on multiple VMs, AWS VMs and dedicated servers. The first
> unauthorized attempt is blocked by sshguard, but later on it's not blocking,
> as seen in the auth logs. It is not seen blocking in the journalctl logs. I
> don't understand why sshguard drops after blocking the first time and passes
> to sshd in the auth logs, even though the sshguard service is running all the
> time.
>
> Not sure what's wrong: my backend config, the Ubuntu maintainer, or
> version issues on the latest Ubuntu 18 and Ubuntu 20.
>
> Thanks,
> Amit
>
> On Fri, Dec 3, 2021 at 12:27 AM Kevin Zheng <kev...@gm...> wrote:
>> Hi Amit,
>>
>> On 12/1/21 11:41 AM, Amit Das wrote:
>> > # Log reader command (optional, no default)
>> > LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat"
>>
>> Could you check that your LOGREADER command is actually giving you the
>> log output from sshd?
>>
>> That is, run this command at the command line, and see if any failed
>> login messages are coming through:
>>
>> $ /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat
>>
>> If they are coming through, pipe the output to `sshg-parser -a` and make
>> sure the attacks you expect to be recognized are marked with an asterisk.
>>
>> Regards,
>> Kevin
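
Added example, not part of the original messages and not sshguard's own code: a file-only preflight for the two things this thread ran into, a BACKEND path that does not exist and ufw rules that never hand traffic to sshguard. It assumes the iptables backend, whose blocks go into a chain named sshguard; the function names and the sample files are constructed for this example.

```sh
#!/bin/sh
# Added example: preflight for sshguard behind ufw. Reads files only and
# never touches the live firewall. Function names are made up for this example.

# Print KEY's value from a shell-style sshguard.conf (last assignment wins).
conf_get() {  # conf_get KEY FILE
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Succeeds if BACKEND is set and names an executable file.
check_backend() {  # check_backend CONF
    backend=$(conf_get BACKEND "$1")
    [ -n "$backend" ] && [ -x "$backend" ]
}

# Succeeds if the rules file declares an sshguard chain and jumps to it from
# ufw-before-input. Assumption: the iptables backend puts its blocks in a
# chain named sshguard, so the chain must exist and be reached by input traffic.
check_ufw_handoff() {  # check_ufw_handoff RULES
    grep -Eq '^:sshguard[[:space:]]' "$1" &&
        grep -Eq '^-A[[:space:]]+ufw-before-input[[:space:]].*-j[[:space:]]+sshguard' "$1"
}

# Print one line per check; the return status is the number of failed checks.
preflight() {  # preflight CONF RULES
    fails=0
    if check_backend "$1"; then echo "ok:   BACKEND is executable"
    else echo "FAIL: BACKEND missing or not executable: $(conf_get BACKEND "$1")"
         fails=$((fails + 1)); fi
    if check_ufw_handoff "$2"; then echo "ok:   ufw hands traffic to the sshguard chain"
    else echo "FAIL: no sshguard chain and jump in $2"
         fails=$((fails + 1)); fi
    return "$fails"
}

# With no arguments, run against constructed sample files (a broken setup).
demo() {
    d=$(mktemp -d)
    printf '# constructed sample\nBACKEND="%s/sshg-fw-missing"\n' "$d" > "$d/sshguard.conf"
    printf '*filter\n:ufw-before-input - [0:0]\nCOMMIT\n' > "$d/before.rules"
    preflight "$d/sshguard.conf" "$d/before.rules" || true
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; else demo; fi
```

On a real host, pass the two files as arguments: the sshguard.conf holding the BACKEND line quoted above and the ufw before rules file. Both checks passing only shows the wiring is in place; whether attacks are recognized is still the `sshg-parser -a` test Kevin describes.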