From: Christopher C. <chr...@gm...> - 2010-04-02 17:19:23
Hi! I've got sshguard up and running, but it's not really blocking connection attempts to ssh.

To test it, I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into my machine which is running sshguard. From auth.log, I can see that sshguard logged the attacks and "said" that the attacking IP was being blocked. However, after multiple failed login attempts, I was still able to log in. Below, from the output of iptables -L, it seems that the IP address is being dropped, and thus, should be blocked.

One caveat: I was using my username, which is the only username allowed in sshd_config. I don't know if this will override sshguard's blocking.

>> From auth.log <<

Apr 1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
Apr 1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
Apr 1 22:44:24 sherpa sshguard[4058]: Found!
Apr 1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
Apr 1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
Apr 1 22:44:24 sherpa sshguard[4058]: Run command "case $SSHG_ADDRKIND in 4) exec /usr/sbin/iptables -I sshguard -s $SSHG_ADDR -j DROP ;; 6) exec /usr/sbin/ip6tables -I sshguard -s $SSHG_ADDR -j DROP ;; *) exit -2 ;; esac": exited 0.
--------------------------------------------------------------------------

>> From iptables -L <<

DROP       icmp --  anywhere             anywhere             icmp echo-request
LOG        all  --  anywhere             anywhere             limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain sshguard (2 references)
target     prot opt source               destination
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
DROP       all  --  121.138.219.132      anywhere
[... the same DROP rule for 121.138.219.132 repeated many more times ...]
DROP       all  --  london.ctis.foothill.fhda.edu  anywhere
[... the same DROP rule for london.ctis.foothill.fhda.edu, five in all ...]
[root@sherpa log]#
From: Mij <mi...@ss...> - 2010-04-02 22:35:48
Your iptables -L output appears partial (don't see the header Chain INPUT), but it seems that you did not hook the sshguard chain into INPUT. See http://www.sshguard.net/docs/setup/firewall/netfilter-iptables/; beware of the notes on default allow/deny.

On Apr 2, 2010, at 19:18 , Christopher Campbell wrote:

> Hi! I've got sshguard up and running, but it's not really blocking connection attempts
> to ssh.
>
> To test it, I logged into a remote machine, and from that remote machine, using bogus passwords, tried logging into
> my machine which is running sshguard. From auth.log, I can see that sshguard logged the attacks and "said" that
> the attacking IP was being blocked. However, after multiple failed login attempts, I was still able to log in.
> Below, from the output of iptables -L, it seems that the IP address is being dropped, and thus, should be blocked.
>
> One caveat: I was using my username, which is the only username allowed in sshd_config. I don't know if this will override
> sshguard's blocking.
>
> >> From auth.log <<
>
> Apr 1 22:44:18 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:20 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:22 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:24 sherpa sshguard[4058]: Matched address 121.138.219.132:4 attacking service 100
> Apr 1 22:44:24 sherpa sshguard[4058]: Looking for address '121.138.219.132:4'...
> Apr 1 22:44:24 sherpa sshguard[4058]: Found!
> Apr 1 22:44:24 sherpa sshguard[4058]: Blocking 121.138.219.132:4 for >0secs: 4 failures over 6 seconds.
> Apr 1 22:44:24 sherpa sshguard[4058]: Setting environment: SSHG_ADDR=121.138.219.132;SSHG_ADDRKIND=4;SSHG_SERVICE=100.
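A check for the condition Mij describes, added here as an example and not part of the thread or of sshguard itself: it reads `iptables -S INPUT` style output and reports whether INPUT jumps to the sshguard chain at all, and whether that jump comes before a rule that already accepts SSH (a block in a chain INPUT never reaches has no effect). The three rule sets are constructed samples and the function names are my own.

```shell
# Constructed `iptables -S INPUT` output for the situation in the thread:
# the sshguard chain exists and holds DROP rules, but INPUT never jumps to it.
UNHOOKED_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# Constructed output after `iptables -I INPUT -j sshguard`: the jump comes first.
HOOKED_INPUT='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# Constructed output for a related mistake: hooked with -A, so the jump sits
# after the rule that already ACCEPTs SSH and is never reached for it.
LATE_HOOK_INPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'
# 1-based index (policy line excluded) of the first INPUT rule that jumps to
# sshguard; prints nothing when INPUT has no such rule.
sshguard_hook_position() {
    printf '%s\n' "$1" | grep '^-A INPUT ' | grep -n -- '-j sshguard$' |
        head -n 1 | cut -d: -f1
}

# Index of the first INPUT rule that lets a new SSH connection through: an
# ACCEPT for tcp dport 22, or an unconditional ACCEPT of everything.
ssh_accept_position() {
    printf '%s\n' "$1" | grep '^-A INPUT ' |
        grep -n -E -- '(--dport 22 .*-j ACCEPT$|^-A INPUT -j ACCEPT$)' |
        head -n 1 | cut -d: -f1
}

# check_sshguard_hook RULES: 0 = jump to sshguard precedes any SSH ACCEPT,
# 1 = INPUT never jumps to sshguard (the thread's problem),
# 2 = the jump exists but an SSH ACCEPT comes before it.
check_sshguard_hook() {
    hook=$(sshguard_hook_position "$1")
    [ -n "$hook" ] || return 1
    accept=$(ssh_accept_position "$1")
    if [ -n "$accept" ] && [ "$accept" -lt "$hook" ]; then
        return 2
    fi
    return 0
}

# Human-readable verdict for one rule set.
describe_hook() {
    rc=0
    check_sshguard_hook "$1" || rc=$?
    case $rc in
        0) echo "ok: INPUT reaches the sshguard chain before accepting SSH" ;;
        1) echo "NOT HOOKED: no '-j sshguard' in INPUT, so its DROP rules never apply" ;;
        2) echo "HOOKED TOO LATE: an SSH ACCEPT precedes the jump to sshguard" ;;
    esac
}
for rules in "$UNHOOKED_INPUT" "$HOOKED_INPUT" "$LATE_HOOK_INPUT"; do
    describe_hook "$rules"
done
```

On a live host, `check_sshguard_hook "$(iptables -S INPUT)"` gives the same verdict; `iptables -S` prints rules in a fixed one-per-line form, so the check does not depend on the column layout of `iptables -L`.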