From: Daniel A. <co...@da...> - 2016-12-09 00:19:04
On Thu, Dec 8, 2016, at 19:12, jungle Boogie wrote:
> Hi All,
>
> First, I don't know how to determine the version of sshguard I'm
> currently running, but I compiled it from master on the 5th. So it's a
> version from around that time.

You’re running an experimental build from the master branch that hasn’t been released. So there is no version number to refer to other than the latest git commit hash of the master branch when you built it. December 5th? Then your version is master/ff69989.

> It looks like this latest version now includes a config file:
> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.conf.sample?at=master&fileviewer=file-view-default
>
> and a service file:
> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.service?at=master&fileviewer=file-view-default

You should set your configuration in the config file instead of in the service file. I’ve removed the switches from the example service file to encourage people to use the configuration file instead. (Making changes to the service file shouldn’t be necessary for anyone but distribution package maintainers.)
https://bitbucket.org/sshguard/sshguard/pull-requests/17

> I have the service running and it's using that file:
> 1324 ? Ss 0:00 /bin/sh /usr/local/sbin/sshguard -w
> /etc/sshguard.whitelist -l /var/log/auth.log -b
> 60:/var/db/sshguard/blacklist.db
> 1325 ? S 0:00 /bin/sh /usr/local/sbin/sshguard -w
> /etc/sshguard.whitelist -l /var/log/auth.log -b
> 60:/var/db/sshguard/blacklist.db
>
> (don't quite know why I have two running instances)

How did you start it? And under which distro?

> However, it's not actively blocking traffic and the /var/db/sshguard
> directory doesn't exist.

That would be because the -l option doesn’t exist. At least, I’ve never seen it before and I can’t find it anywhere but in the example service file. You should add the log files you want to monitor to the FILES option in the configuration file. Move the other options there too; it should be easier to maintain that way.

> iptables:
> -P INPUT ACCEPT
> -P FORWARD ACCEPT
> -P OUTPUT ACCEPT
> -N sshguard
> -A INPUT -p tcp -m tcp --dport 22 -j sshguard
>
>
> Any suggestions on what I should do to have sshguard read the
> /var/log/auth.log and start blocking?

I do believe the issue is that SSHGuard isn’t monitoring any log files because of the aforementioned configuration issue.

-- 
Daniel Aleksandersen
https://www.slightfuture.com/
From: jungle B. <jun...@gm...> - 2016-12-09 17:24:28
On 8 December 2016 at 16:18, Daniel Aleksandersen <co...@da...> wrote:
> On Thu, Dec 8, 2016, at 19:12, jungle Boogie wrote:
>> Hi All,
>>
>> First, I don't know how to determine the version of sshguard I'm
>> currently running, but I compiled it from master on the 5th. So it's a
>> version from around that time.
>
> You’re running an experimental build from the master branch that hasn’t
> been released. So there is no version number to refer to other than the
> latest git commit hash of the master branch when you built it. December
> 5th? Then your version is master/ff69989.

Gotcha. Thanks for the info.

>
>> It looks like this latest version now includes a config file:
>> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.conf.sample?at=master&fileviewer=file-view-default
>>
>> and a service file:
>> https://bitbucket.org/sshguard/sshguard/src/1fcd467b78ea5a4ddcba6efb3920cea860839e31/examples/sshguard.service?at=master&fileviewer=file-view-default
>
> You should set your configuration in the config file instead of in the
> service file. I’ve removed the switches from the example service file to
> encourage people to use the configuration file instead. (Making changes
> to the service file shouldn’t be necessary for anyone but distribution
> package maintainers.)
> https://bitbucket.org/sshguard/sshguard/pull-requests/17

Okay, I modified the file /etc/systemd/system/sshguard.service:

[Service]
ExecStartPre=-/sbin/iptables -N sshguard
ExecStart=/usr/local/sbin/sshguard
Restart=always

>
>> I have the service running and it's using that file:
>> 1324 ? Ss 0:00 /bin/sh /usr/local/sbin/sshguard -w
>> /etc/sshguard.whitelist -l /var/log/auth.log -b
>> 60:/var/db/sshguard/blacklist.db
>> 1325 ? S 0:00 /bin/sh /usr/local/sbin/sshguard -w
>> /etc/sshguard.whitelist -l /var/log/auth.log -b
>> 60:/var/db/sshguard/blacklist.db
>>
>> (don't quite know why I have two running instances)
>
> How did you start it? And under which distro?

sudo service sshguard start:

1902 ? Ss 0:00 /bin/sh /usr/local/sbin/sshguard
1903 ? S 0:00 /bin/sh /usr/local/sbin/sshguard

>
>> However, it's not actively blocking traffic and the /var/db/sshguard
>> directory doesn't exist.
>
> That would be because the -l option doesn’t exist. At least, I’ve never
> seen it before and I can’t find it anywhere but in the example service
> file. You should add the log files you want to monitor to the FILES
> option in the configuration file. Move the other options there too; it
> should be easier to maintain that way.

/usr/local/etc/sshguard.conf contains these:

BACKEND="/sbin/iptables"
BLACKLIST_FILE=/var/lib/sshguard/enemies
BLACKLIST_THRESHOLD=30
FILES="/var/log/auth.log"

running 3.10.102-2-pine64-longsleep

This is on a pine64 SoC: https://www.pine64.org/?product=pine-a64-board-2gb

>
>> iptables:
>> -P INPUT ACCEPT
>> -P FORWARD ACCEPT
>> -P OUTPUT ACCEPT
>> -N sshguard
>> -A INPUT -p tcp -m tcp --dport 22 -j sshguard
>>
>>
>> Any suggestions on what I should do to have sshguard read the
>> /var/log/auth.log and start blocking?
>
> I do believe the issue is that SSHGuard isn’t monitoring any log files
> because of the aforementioned configuration issue.

Now knowing the service file is set up correctly, what else should I review to determine why sshguard is not blocking?

> --
> Daniel Aleksandersen
> https://www.slightfuture.com/
From: Kevin Z. <kev...@gm...> - 2016-12-12 04:49:19
On 12/09/2016 09:24, jungle Boogie wrote:
> Now knowing the service file is set up correctly, what else should I
> review to determine why sshguard is not blocking?

Check /var/log/auth.log and see if there's any relevant information.

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: jungle b. <jun...@gm...> - 2016-12-12 06:50:31
Hi Kevin,

On 12/11/2016 08:49 PM, Kevin Zheng wrote:
> On 12/09/2016 09:24, jungle Boogie wrote:
>> Now knowing the service file is set up correctly, what else should I
>> review to determine why sshguard is not blocking?
>
> Check /var/log/auth.log and see if there's any relevant information.
>

last few lines:

Dec 12 06:29:13 pine64 sshd[3030]: Failed password for root from 116.31.116.48 port 49298 ssh2
Dec 12 06:29:13 pine64 sshd[3030]: Failed password for root from 116.31.116.48 port 49298 ssh2
Dec 12 06:29:13 pine64 sshd[3032]: Failed password for root from 116.31.116.48 port 51596 ssh2
Dec 12 06:29:13 pine64 sshd[3028]: Failed password for root from 116.31.116.48 port 44698 ssh2
Dec 12 06:29:13 pine64 sshd[3030]: Failed password for root from 116.31.116.48 port 49298 ssh2
Dec 12 06:29:13 pine64 sshd[3032]: Failed password for root from 116.31.116.48 port 51596 ssh2
Dec 12 06:29:13 pine64 sshd[3028]: Failed password for root from 116.31.116.48 port 44698 ssh2
Dec 12 06:29:13 pine64 sshd[3030]: Received disconnect from 116.31.116.48 port 49298:11: [preauth]
Dec 12 06:29:13 pine64 sshd[3030]: Disconnected from 116.31.116.48 port 49298 [preauth]
Dec 12 06:29:13 pine64 sshd[3032]: Failed password for root from 116.31.116.48 port 51596 ssh2
Dec 12 06:29:13 pine64 sshd[3028]: Failed password for root from 116.31.116.48 port 44698 ssh2
Dec 12 06:29:14 pine64 sshd[3032]: Received disconnect from 116.31.116.48 port 51596:11: [preauth]
Dec 12 06:29:14 pine64 sshd[3032]: Disconnected from 116.31.116.48 port 51596 [preauth]
Dec 12 06:29:14 pine64 sshd[3028]: Received disconnect from 116.31.116.48 port 44698:11: [preauth]
Dec 12 06:29:14 pine64 sshd[3028]: Disconnected from 116.31.116.48 port 44698 [preauth]
Dec 12 06:29:14 pine64 sshd[3039]: ssh_dispatch_run_fatal: Connection from 116.31.116.48 port 22647: Connection refused [preauth]
Dec 12 06:29:14 pine64 sshd[3034]: ssh_dispatch_run_fatal: Connection from 116.31.116.48 port 17455: Connection refused [preauth]

my ssh info:

~$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1t 3 May 2016

> Best,
> Kevin
>
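The auth.log excerpt above is exactly the input a log-based blocker like sshguard consumes: it keys on the sshd "Failed password" lines, scores each source address, honours a whitelist, and hands addresses that cross a threshold to the firewall chain. The script below is an added illustration written for this thread, not sshguard's own code; it assumes a danger of 10 per failed login and a block threshold of 30, and runs over a constructed log sample using documentation addresses rather than the one in the thread.

```python
import re
from collections import defaultdict

# Matches the OpenSSH "Failed password" line, the event a log-based blocker keys on.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+) ssh2$"
)

DANGER_PER_ATTACK = 10  # assumed weight of one failed login
BLOCK_THRESHOLD = 30    # assumed score at which a source gets blocked

# Constructed sample in the shape of the auth.log lines quoted in the thread (documentation addresses).
SAMPLE_LOG = """\
Dec 12 06:29:13 pine64 sshd[3030]: Failed password for root from 192.0.2.10 port 49298 ssh2
Dec 12 06:29:13 pine64 sshd[3032]: Failed password for root from 192.0.2.10 port 51596 ssh2
Dec 12 06:29:13 pine64 sshd[3030]: Received disconnect from 192.0.2.10 port 49298:11: [preauth]
Dec 12 06:29:13 pine64 sshd[3028]: Failed password for root from 192.0.2.10 port 44698 ssh2
Dec 12 06:30:02 pine64 sshd[3101]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Dec 12 06:30:05 pine64 sshd[3102]: Accepted publickey for ops from 203.0.113.5 port 50001 ssh2
"""

def parse_failed_logins(lines):
    """Yield (ip, user) for every failed-password line; all other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ip"), m.group("user")

def score_sources(lines, whitelist=frozenset()):
    """Accumulate danger per source address, skipping whitelisted addresses."""
    scores = defaultdict(int)
    for ip, _user in parse_failed_logins(lines):
        if ip in whitelist:  # the role of the -w / whitelist file in the thread
            continue
        scores[ip] += DANGER_PER_ATTACK
    return dict(scores)

def addresses_to_block(lines, whitelist=frozenset()):
    """Sources whose accumulated score reached the threshold, sorted."""
    scores = score_sources(lines, whitelist)
    return sorted(ip for ip, s in scores.items() if s >= BLOCK_THRESHOLD)

if __name__ == "__main__":
    # Each blocked source would land as a DROP rule in the "sshguard" chain that the INPUT rule jumps to.
    for ip in addresses_to_block(SAMPLE_LOG.splitlines()):
        print(f"iptables -I sshguard -s {ip} -j DROP")
```

Running it with the whitelist set to the attacking address shows why a stale or over-broad whitelist silently produces the "not blocking" symptom discussed in the thread.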
From: Kevin Z. <kev...@gm...> - 2016-12-12 18:41:55
On 12/11/2016 22:50, jungle boogie wrote:
> Hi Kevin,
> On 12/11/2016 08:49 PM, Kevin Zheng wrote:
>> On 12/09/2016 09:24, jungle Boogie wrote:
>>> Now knowing the service file is set up correctly, what else should I
>>> review to determine why sshguard is not blocking?
>>
>> Check /var/log/auth.log and see if there's any relevant information.

You'll want to grep for 'sshguard'.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
From: jungle B. <jun...@gm...> - 2016-12-12 19:04:12
On 12 December 2016 at 10:41, Kevin Zheng <kev...@gm...> wrote:
> On 12/11/2016 22:50, jungle boogie wrote:
>> Hi Kevin,
>> On 12/11/2016 08:49 PM, Kevin Zheng wrote:
>>> On 12/09/2016 09:24, jungle Boogie wrote:
>>>> Now knowing the service file is set up correctly, what else should I
>>>> review to determine why sshguard is not blocking?
>>>
>>> Check /var/log/auth.log and see if there's any relevant information.
>
> You'll want to grep for 'sshguard'.
>

No instances found in /var/log/auth.log

> --
> Kevin Zheng
> kev...@gm... | ke...@be... | PGP: 0xC22E1090

-- 
-------
inum: 883510009027723
sip: jun...@si...