On 27-5-2015 00:32, Kevin Zheng wrote:
> Hi there,
>
> In light of the recent `ipfw` issues I've decided to re-implement the
> `ipfw` backend using the command framework that is used for nearly all
> of the other backends. Since I don't run `ipfw` on my machine, I'm
> unable to test this patch.
>
> If you are running `ipfw` and are willing to test-drive this new and
> more than likely broken backend, apply the attached patch, compile,
> and take it for a whirl. In particular, I'm not sure if the "add
> multiple addresses" part works, so if you have a large blacklist that
> crashed the original ipfw backend try it on the new one.
>
> The new backend operates on ipfw tables. You'll need to set up your
> firewall with a table named 'sshguard'. SSHGuard (should) add
> attackers to this table; you'll need to set up the rules yourself.
>
> Please don't test this in a production environment, and if you test it
> at all, be aware that bad things can happen. Please take a look at the
> patch before you try to run this code.
What I do is use the new backend called none.
The commandline looks like:
/usr/local/sbin/sshguard \
-e /usr/local/sbin/sshguard-ipfwtable \
-b 40:/var/db/sshguard/blacklist.db \
-l /var/log/auth.log -l /var/log/maillog -l /var/log/messages \
-a 40 -p 420 -s 1200 \
-w /usr/local/etc/sshguard.whitelist \
-i /var/run/sshguard.pid
and thus have sshguard call a script:
/usr/local/sbin/sshguard-ipfwtable
which contains the actual ipfw code to do FW management.
Easier to maintain, easier to debug the ipfw stuff. And compared to the
old ways, I get to put the rules in a table, which is more efficient in
ipfw. And then in the firewall use the table in blocking rules...
Advantage of that is with an ipfw flush or service ipfw restart, .... it
doesn't destroy the blacklist set. So I can tinker with the firewall
without disrupting anything sshguard has added.
Not sure if the none backend also suffers from the long-list problem
that Kevin fixed.
One advantage at least here was that it would process all of the items
in the list, except for the (possibly) corrupted last one.
--WjW
====
#!/bin/sh
# External-command backend for sshguard: sshguard passes the action in
# SSHG_ACTION and the address (or a comma-separated list of addresses)
# in SSHG_ADDR. All blocked hosts live in one ipfw table.
IPFW=/sbin/ipfw
# for debugging
# IPFW=/bin/echo
IPFWTABLE=22

# echo "$*"
# printenv | grep SSH

case "$SSHG_ACTION" in
init)
    # nothing to set up; the table is populated by the add commands below
    ;;
flush)
    # remove every address sshguard has added to the table
    ${IPFW} table ${IPFWTABLE} flush
    ;;
block)
    # a single attacker address
    ${IPFW} table ${IPFWTABLE} add "$SSHG_ADDR"
    ;;
block_list)
    # comma-separated list, e.g. the saved blacklist loaded at startup
    for a in $(echo "$SSHG_ADDR" | sed 's/,/ /g'); do
        ${IPFW} table ${IPFWTABLE} add "$a"
    done
    ;;
fin)
    # ignore, and leave the blacklist as is
    ;;
*)
    echo "not implemented: $SSHG_ACTION" >&2
    ;;
esac
exit 0
====
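The firewall-side half of the setup described above, as an added example that is not part of the original message: the backend script only maintains table 22, so the rules that actually drop listed hosts have to be loaded separately. The rule number and the external interface name (em0) are assumptions; IPFW=echo gives a dry run, the same convention the backend script uses for debugging.

```sh
#!/bin/sh
# Added example (not from the original message): rules that consume the
# sshguard ipfw table, plus a rule reload that keeps the table intact.
IPFW=${IPFW:-/sbin/ipfw}      # IPFW=echo for a dry run
IPFWTABLE=${IPFWTABLE:-22}    # must match IPFWTABLE in sshguard-ipfwtable
EXTIF=${EXTIF:-em0}           # assumed external interface

# Install the rule that blocks everything sshguard has put in the table.
# Rule number 00100 is an assumption; it only has to sit before the
# allow rules of the rest of the firewall.
load_blacklist_rules() {
    ${IPFW} -q add 00100 deny log ip from "table(${IPFWTABLE})" to me in via "${EXTIF}"
}

# "ipfw flush" deletes rules only; table entries survive it. A full rule
# reload therefore keeps everything sshguard has blocked so far.
reload_rules() {
    ${IPFW} -q -f flush
    load_blacklist_rules
}

# Only an explicit table flush forgets the blacklist. It is kept in its
# own function so a routine rule reload never calls it by accident.
forget_blacklist() {
    ${IPFW} -q table "${IPFWTABLE}" flush
}

case "${1:-}" in
    reload) reload_rules ;;
    forget) forget_blacklist ;;
esac
```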