Date: Tue, 16 Oct 2018 10:43:34 +0200
From: Per olof Ljungmark <peo@nethead.se>
To: Dimitry Andric <dim@FreeBSD.org>
Cc: ports@freebsd.org, dan.mcgregor@usask.ca
Subject: Re: sshguard - rc and blacklisting
Message-ID: <06f1b0d6-1d56-1df7-3e15-0fdcc563e2e4@nethead.se>
In-Reply-To: <B6CDAB74-F6FF-486B-A85A-BF82FA2E4C81@FreeBSD.org>
References: <feeb25e5-4685-bd34-c677-c45dc49ff41b@nethead.se> <B6CDAB74-F6FF-486B-A85A-BF82FA2E4C81@FreeBSD.org>

On 2018-10-16 07:52, Dimitry Andric wrote:
> On 15 Oct 2018, at 17:16, Per olof Ljungmark <peo@nethead.se> wrote:
>>
>> Either I am doing it wrong or sshguard is not properly implemented.
>>
>> 1. In the config file /usr/local/etc/sshguard.conf there is a parameter
>>
>> # Colon-separated blacklist threshold and full path to blacklist file.
>> # (optional, no default)
>> #BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
>>
>> however, the threshold setting does not seem to have any effect. If I
>> change the setting in rc.d/sshguard, it does take effect.
>
> Yes, this is a problem in /usr/local/etc/rc.d/sshguard. It sets the
> default sshguard_blacklist setting to 120:/var/db/sshguard/blacklist.
> To work around it, I have put:
>
> sshguard_blacklist=""
>
> in my rc.conf. Then only the settings in sshguard.conf are used.

Ok, thanks, did not think of that.

>> 2. Looking at /var/db/sshguard/blacklist.db, each row looks like
>> 1539615075|220|4|143.0.65.92
>>
>> There is another setting in the config,
>> # Size of IPv4 subnet to block. Defaults to a single address, CIDR
>> notation. (optional, default to 32)
>> IPV4_SUBNET=32
>>
>> I have tried to alter this setting to /24 and /29, auth.log says
>> Blocking "143.0.65.92/29" forever
>> but blacklist.db does not indicate any different CIDR than /32.
>
> I have no experience with this setting, and it seems to be pretty new.
> It was not in my sample config file until quite recently, maybe it is
> an upstream problem? Have you looked at their bug tracker?

It seems that this setting is used to control the firewall.

pfctl -t sshguard -T show

will return the correct CIDR value, so my assumption that it would show
in the blacklist file was wrong. The IP registered in the blacklist db
will always be a /32.

Thank you for your input.

//per
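
The following is an added example, not part of the original thread or of sshguard itself: since blacklist.db stores only single addresses, it widens each stored address to the configured IPV4_SUBNET to list the networks an admin should expect to see in the firewall table. The sample rows are constructed in the format quoted above; the field meanings (epoch time, service code, address family, address) and the names `parse_row` and `effective_blocks` are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample rows in the format quoted in the thread.
SAMPLE_DB = """\
1539615075|220|4|143.0.65.92
1539615101|220|4|143.0.65.93
1539615200|220|4|198.51.100.7
"""


def parse_row(line):
    """Split one blacklist row into its four pipe-separated fields.

    Assumed meanings: epoch time, service code, address family, address.
    """
    when, service, family, addr = line.strip().split("|")
    return {
        "when": datetime.fromtimestamp(int(when), tz=timezone.utc),
        "service": int(service),
        "family": int(family),
        "addr": ipaddress.ip_address(addr),
    }


def effective_blocks(db_text, ipv4_subnet=32):
    """Group db entries by the network they fall in at the given IPv4 prefix."""
    blocks = {}
    for line in db_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and comments
        row = parse_row(line)
        # Only the IPv4 prefix is modelled here; IPv6 entries stay single hosts.
        prefix = ipv4_subnet if row["addr"].version == 4 else 128
        # strict=False masks off the host bits, e.g. .92/29 becomes .88/29.
        net = ipaddress.ip_network(f"{row['addr']}/{prefix}", strict=False)
        blocks.setdefault(net, []).append(row["addr"])
    return blocks


if __name__ == "__main__":
    for net, hosts in effective_blocks(SAMPLE_DB, ipv4_subnet=29).items():
        print(net, "<-", ", ".join(str(h) for h in hosts))
```

The networks it prints can be compared by hand against the output of the pfctl command mentioned in the message.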