Date: Tue, 29 Sep 2015 16:24:56 +0200
From: Alexandre <axelbsd@ymail.com>
To: "Michael B. Eichorn" <ike@michaeleichorn.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: RE: SSHguard & IPFW
Message-ID: <DUB118-W32603EFCC32F67913C02BEB44E0@phx.gbl>
In-Reply-To: <1443531575.1236.13.camel@michaeleichorn.com>
References: <DUB118-W2564316B09E855F03F7D11B44E0@phx.gbl>, <1443531575.1236.13.camel@michaeleichorn.com>
----------------------------------------
> Subject: Re: SSHguard & IPFW
> From: ike@michaeleichorn.com
> To: axelbsd@ymail.com; freebsd-questions@freebsd.org
> Date: Tue, 29 Sep 2015 08:59:35 -0400
>
> On Tue, 2015-09-29 at 14:04 +0200, Alexandre wrote:
>> Hi,
>>
>> I installed and configured IPFW on my box. I installed
>> security/sshguard-ipfw to block unwanted SSH connections.
>> I did not add the line sshguard_enable="YES" in /etc/rc.conf.
>> Without this line in /etc/rc.conf, bots' IP addresses seem to be
>> blocked as expected (/var/log/messages):
>>
>> Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4
>> for >945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2
>> abuses over 2059s).
>>
>> With the command $ sudo ipfw list I can see the blocked IP address in
>> the deny list:
>> 55031 deny ip from 62.212.230.2 to me
>>
>> Can anyone confirm (or not, if I am wrong) that the line
>> sshguard_enable="YES" is requested only if I install the security/sshguard
>> port?
>
> Nope, sshguard_enable applies to all of them; the sshguard-* ports are
> just sshguard with different configure options.
>
> From /usr/local/etc/rc.d/sshguard (sshguard-pf, but should be the same
> with -ipfw):
>
> # Add the following lines to /etc/rc.conf to enable sshguard:
> # sshguard_enable (bool): Set to "NO" by default.
> # Set it to "YES" to enable sshguard
>
> At a guess something happened to kick off sshguard without the rc script,
> but for most setups the rc script is the proper way to start sshguard.
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kick off
> sshguard and not use sshguard_enable, but this is now deprecated in
> favor of the new 'Log Sucker' introduced in v1.5.
>
>> About the blocking rules reservation in IPFW (from rule 55000 to
>> 55050), has anyone experienced yet full use of these rules?
>> By default, fifteen addresses can be blocked together. But how does SSHGuard
>> work in this case for the newest one (51st)?
>>
>> Thank you in advance for your clarifications.
>> Alexandre

Thank you Michael for your reply.

I just installed security/sshguard-ipfw using portmaster:

# portmaster security/sshguard-ipfw

After reading the SSHGuard documentation website once again, it seems I effectively followed an old setup (for version 1.5, with the /etc/syslog.conf modification): my bad.

Now I added the line sshguard_enable="YES" in /etc/rc.conf and kept my ruleset /etc/ipfw-rules modified for SSHGuard:

$cmd 56000 allow ip from any to me 22 in via $pif keep-state

The process is launched with these default options, and Log Sucker seems to be used with the -l parameter:

/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

Thank you again for your help.
Regards.
Alexandre
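As an added example (not part of this thread and not the sshguard project's own code): a POSIX sh script that checks the two things the exchange turns on, how many of sshguard-ipfw's reserved rule numbers 55000-55050 are occupied by deny rules in "ipfw list" output, and whether the rc.conf text really enables the rc script. The sample ipfw and rc.conf text is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit helpers for an sshguard-ipfw
# host. sshguard-ipfw keeps its deny rules in the reserved ipfw rule
# numbers 55000-55050; rc(8) starts it only if sshguard_enable="YES".

RANGE_LO=55000
RANGE_HI=55050
RANGE_SIZE=$((RANGE_HI - RANGE_LO + 1))   # 51 rule numbers in total

# stdin: "ipfw list" output. Prints how many reserved slots hold a deny rule.
sshguard_slots_used() {
    awk -v lo="$RANGE_LO" -v hi="$RANGE_HI" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= lo && $1 + 0 <= hi && $2 == "deny" { n++ }
        END { print n + 0 }'
}

# stdin: "ipfw list" output. Prints the blocked source of each reserved-range
# deny rule, one per line.
sshguard_blocked_addrs() {
    awk -v lo="$RANGE_LO" -v hi="$RANGE_HI" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= lo && $1 + 0 <= hi &&
        $2 == "deny" && $4 == "from" { print $5 }'
}

# stdin: rc.conf text. Succeeds only if sshguard is enabled: the last
# sshguard_enable assignment wins; quotes, blanks and case are ignored.
sshguard_rc_enabled() {
    awk -F= '
        { k = $1; gsub(/[[:space:]]/, "", k) }
        k == "sshguard_enable" { v = $2; gsub(/[^A-Za-z]/, "", v) }
        END { exit (toupper(v) == "YES") ? 0 : 1 }'
}

# Constructed sample data in place of live command output; rule 55031 is the
# one quoted in the thread, 192.0.2.10 is a documentation address.
SAMPLE_IPFW='00100 allow ip from any to any via lo0
55031 deny ip from 62.212.230.2 to me
55032 deny ip from 192.0.2.10 to me
56000 allow ip from any to me 22 in via em0 keep-state
65535 deny ip from any to any'
SAMPLE_RC='hostname="BoxName"
# sshguard_enable="NO"
sshguard_enable="YES"'

used=$(printf '%s\n' "$SAMPLE_IPFW" | sshguard_slots_used)
echo "reserved slots used: $used of $RANGE_SIZE"
printf '%s\n' "$SAMPLE_IPFW" | sshguard_blocked_addrs
printf '%s\n' "$SAMPLE_RC" | sshguard_rc_enabled && echo "sshguard_enable=YES"
```

On a live host, replace the constructed samples with "ipfw list" and /etc/rc.conf; a commented-out or missing sshguard_enable line is the situation the thread describes, where sshguard was not being started by the rc script.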
