From: Alexandre <axelbsd@ymail.com>
To: "Michael B. Eichorn" <ike@michaeleichorn.com>, freebsd-questions@freebsd.org
Subject: RE: SSHguard & IPFW
Date: Tue, 29 Sep 2015 16:24:56 +0200
In-Reply-To: <1443531575.1236.13.camel@michaeleichorn.com>
List-Id: User questions (freebsd-questions@freebsd.org)

----------------------------------------
> Subject: Re: SSHguard & IPFW
> From: ike@michaeleichorn.com
> To: axelbsd@ymail.com; freebsd-questions@freebsd.org
> Date: Tue, 29 Sep 2015 08:59:35 -0400
>
> On Tue, 2015-09-29 at 14:04 +0200, Alexandre wrote:
>> Hi,
>>
>> I installed and configured IPFW on my box. I installed
>> security/sshguard-ipfw to block unwanted SSH connections.
>> I did not add the line sshguard_enable="YES" in /etc/rc.conf.
>> Without this line in /etc/rc.conf, bots' IP addresses seem to be
>> blocked as expected (/var/log/messages):
>>
>> Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4
>> for >945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2
>> abuses over 2059s).
>>
>> With the command $ sudo ipfw list I can see the blocked IP address in
>> the deny list:
>> 55031 deny ip from 62.212.230.2 to me
>>
>> Can anyone confirm (or not, if I am wrong) that the line
>> sshguard_enable="YES" is required only if I install the security/sshguard
>> port?
>
> Nope, sshguard_enable applies to all of them; the sshguard-* ports are
> just sshguard with different configure options.
>
> From /usr/local/etc/rc.d/sshguard (sshguard-pf, but should be the same
> with -ipfw):
>
> # Add the following lines to /etc/rc.conf to enable sshguard:
> # sshguard_enable (bool): Set to "NO" by default.
> # Set it to "YES" to enable sshguard
>
> At a guess something happened to kick off sshguard without the rc script,
> but for most setups the rc script is the proper way to start sshguard.
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kick off
> sshguard and not use sshguard_enable, but this is now deprecated in
> favor of the new 'Log Sucker' introduced in v1.5.
>
>> About the blocking rules reservation in IPFW (from rule 55000 to
>> 55050), has anyone yet experienced full use of these rules?
>> By default, fifty addresses can be blocked together. But how does SSHGUARD
>> work in this case for the newest one (the 51st)?
>>
>> Thank you in advance for your clarifications.
>> Alexandre

Thank you Michael for your reply.

I just installed security/sshguard-ipfw using portmaster:
# portmaster security/sshguard-ipfw

After reading the SSHGuard documentation website once again, it seems I effectively followed an old setup (for version 1.5, with /etc/syslog.conf modification): my bad.

Now I added the line sshguard_enable="YES" in /etc/rc.conf and kept my ruleset /etc/ipfw-rules modified for SSHGuard:
$cmd 56000 allow ip from any to me 22 in via $pif keep-state

The process is launched with these default options, and Log Sucker seems to be used with the -l parameter:
/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

Thank you again for your help.

Regards.
Alexandre
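The thread leaves two things for the administrator to verify by hand: that every address sshguard logs as blocked really has a matching deny rule in ipfw, and that the SSH allow rule (56000 above) is numbered after the deny range sshguard-ipfw uses (55000 to 55050), since ipfw evaluates rules in ascending number order and the first allow or deny that matches decides the packet. The script below is an added example for this thread; it is not sshguard's, FreeBSD's, or either poster's code. It assumes only the two line formats quoted in the thread (the sshguard "Blocking ..." syslog line, where the trailing ":4" is the address family, and the "NNNNN deny ip from ADDR to me" line from `ipfw list`), plus the 55000 to 55050 range the thread names. The log lines and `ipfw list` output embedded in it are constructed samples; `em0` stands in for the poster's `$pif` and is an assumption.

```python
"""Reconcile sshguard 'Blocking' events with the ipfw deny rules they should produce.

Added example for the freebsd-questions thread on SSHguard & IPFW; not project code.
Assumptions: sshguard log format as quoted in the thread, `ipfw list` output
format as quoted in the thread, and the 55000-55050 rule range named there.
All sample input below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Rule numbers the thread says security/sshguard-ipfw reserves for its blocks.
SSHGUARD_RULE_LOW, SSHGUARD_RULE_HIGH = 55000, 55050

# "sshguard[7243]: Blocking 62.212.230.2:4 for >945secs: 40 danger in 4 attacks ..."
# The field after the address is the address family (4 = IPv4, 6 = IPv6).
BLOCK_RE = re.compile(
    r"sshguard\[\d+\]: Blocking (?P<addr>[0-9A-Fa-f.:]+):(?P<family>[46]) "
    r"for\s*>?(?P<secs>\d+)secs: (?P<danger>\d+) danger in (?P<attacks>\d+) attacks"
)

# "55031 deny ip from 62.212.230.2 to me"  (rule numbers may be zero-padded)
IPFW_RULE_RE = re.compile(
    r"^\s*(?P<rule>\d{1,5}) (?P<action>allow|deny) ip from (?P<src>\S+) to (?P<body>.*)$"
)


@dataclass
class BlockEvent:
    addr: str
    family: int
    secs: int
    danger: int
    attacks: int


def parse_block_events(log_text: str) -> List[BlockEvent]:
    """Return sshguard block events; sshd noise and other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            events.append(BlockEvent(m["addr"], int(m["family"]), int(m["secs"]),
                                     int(m["danger"]), int(m["attacks"])))
    return events


def parse_ipfw_rules(ipfw_text: str) -> List[dict]:
    """Parse the static rules printed by `ipfw list` into dicts."""
    rules = []
    for line in ipfw_text.splitlines():
        m = IPFW_RULE_RE.match(line)
        if m:
            rules.append({"rule": int(m["rule"]), "action": m["action"],
                          "src": m["src"], "body": m["body"]})
    return rules


def reconcile(log_text: str, ipfw_text: str) -> dict:
    """Cross-check logged blocks against the live ruleset and flag ordering mistakes."""
    events = parse_block_events(log_text)
    rules = parse_ipfw_rules(ipfw_text)

    # Host denies of the shape sshguard-ipfw inserts: "deny ip from <addr> to me".
    deny_by_addr: Dict[str, int] = {
        r["src"]: r["rule"] for r in rules
        if r["action"] == "deny" and r["src"] != "any" and r["body"].split()[:1] == ["me"]
    }
    in_range = lambda n: SSHGUARD_RULE_LOW <= n <= SSHGUARD_RULE_HIGH

    # An SSH allow numbered below the deny range is matched first, so every
    # block sshguard installs would be ineffective for new connections.
    ssh_allows_before_denies = sorted(
        r["rule"] for r in rules
        if r["action"] == "allow" and r["body"].split()[:2] == ["me", "22"]
        and r["rule"] < SSHGUARD_RULE_LOW
    )
    return {
        "blocked_addrs": [e.addr for e in events],
        "missing_rules": sorted({e.addr for e in events if e.addr not in deny_by_addr}),
        "rules_outside_reserved_range": {a: n for a, n in deny_by_addr.items() if not in_range(n)},
        "reserved_slots_used": sum(1 for n in deny_by_addr.values() if in_range(n)),
        "reserved_slots_total": SSHGUARD_RULE_HIGH - SSHGUARD_RULE_LOW + 1,
        "ssh_allow_rules_before_deny_range": ssh_allows_before_denies,
    }


# Constructed sample of /var/log/messages: the thread's line plus one more block
# and an unrelated sshd line that must be ignored.
SAMPLE_MESSAGES = """\
Sep 25 18:39:20 BoxName sshd[7301]: Invalid user admin from 62.212.230.2
Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4 for >945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2 abuses over 2059s).
Sep 25 19:02:11 BoxName sshguard[7243]: Blocking 203.0.113.45:4 for >420secs: 40 danger in 4 attacks over 120 seconds (all: 40d in 1 abuses over 120s).
"""

# Constructed `ipfw list` output; 203.0.113.45 was logged as blocked but has no rule.
SAMPLE_IPFW_OK = """\
00100 allow ip from any to any via lo0
55031 deny ip from 62.212.230.2 to me
56000 allow ip from any to me 22 in via em0 keep-state
65535 deny ip from any to any
"""

# Same ruleset with the SSH allow misnumbered below the sshguard range.
SAMPLE_IPFW_BAD = SAMPLE_IPFW_OK.replace("56000 allow", "00500 allow")

if __name__ == "__main__":
    for name, ruleset in (("ok", SAMPLE_IPFW_OK), ("bad", SAMPLE_IPFW_BAD)):
        print(name, reconcile(SAMPLE_MESSAGES, ruleset))
```

On the box itself, feed it the real files instead of the samples: `reconcile(open("/var/log/messages").read(), subprocess.check_output(["ipfw", "list"], text=True))`. A non-empty `missing_rules` means sshguard decided to block but the ipfw backend did not install the rule (the situation the original poster was worried about when sshguard ran outside the rc script); a non-empty `ssh_allow_rules_before_deny_range` means the allow rule would shadow every block.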