Date: Tue, 29 Sep 2015 16:24:56 +0200
From: Alexandre <axelbsd@ymail.com>
To: "Michael B. Eichorn" <ike@michaeleichorn.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: RE: SSHguard & IPFW
Message-ID: <DUB118-W32603EFCC32F67913C02BEB44E0@phx.gbl>
In-Reply-To: <1443531575.1236.13.camel@michaeleichorn.com>
References: <DUB118-W2564316B09E855F03F7D11B44E0@phx.gbl>, <1443531575.1236.13.camel@michaeleichorn.com>
----------------------------------------
> Subject: Re: SSHguard & IPFW
> From: ike@michaeleichorn.com
> To: axelbsd@ymail.com; freebsd-questions@freebsd.org
> Date: Tue, 29 Sep 2015 08:59:35 -0400
>
> On Tue, 2015-09-29 at 14:04 +0200, Alexandre wrote:
>> Hi,
>>
>> I installed and configured IPFW on my box. I installed
>> security/sshguard-ipfw to block unwanted SSH connections.
>> I did not add the line sshguard_enable="YES" in /etc/rc.conf.
>> Without this line in /etc/rc.conf, bots' IP addresses seem to be
>> blocked as expected (/var/log/messages):
>>
>> Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4
>> for>945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2
>> abuses over 2059s).
>>
>> With the command $ sudo ipfw list I can see the blocked IP address in
>> the deny list:
>> 55031 deny ip from 62.212.230.2 to me
>>
>> Can anyone confirm (or not, if I am wrong) that the line
>> sshguard_enable="YES" is required only if I install the security/sshguard
>> port?
>
> Nope, sshguard_enable applies to all of them; the sshguard-* ports are
> just sshguard with different configure options.
>
> From /usr/local/etc/rc.d/sshguard (sshguard-pf, but should be the same
> with -ipfw):
>
> # Add the following lines to /etc/rc.conf to enable sshguard:
> # sshguard_enable (bool): Set to "NO" by default.
> # Set it to "YES" to enable sshguard
>
> At a guess something happened to kick off sshguard without the rc script,
> but for most setups the rc script is the proper way to start sshguard.
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kick off
> sshguard and not use sshguard_enable, but this is now deprecated in
> favor of the new 'Log Sucker' introduced in v1.5.
>
>
>
>>>
>> About the blocking rules reservation in IPFW (from rule 55000 to
>> 55050), has anyone experienced full use of these rules yet?
>> By default, fifteen addresses can be blocked together. But how does SSHGUARD
>> work in this case for the newest one (51st)?
>>
>> Thank you in advance for your clarifications.
>> Alexandre

Thank you Michael for your reply.

I just installed security/sshguard-ipfw using portmaster:
# portmaster security/sshguard-ipfw
After reading the SSHGuard documentation website once again, it seems I effectively followed an old setup (for version 1.5 with /etc/syslog.conf modification): my bad.

Now I added the line sshguard_enable="YES" in /etc/rc.conf and kept the modification to my ruleset /etc/ipfw-rules for SSHGuard:
$cmd 56000 allow ip from any to me 22 in via $pif keep-state

The process is launched with these default options, and Log Sucker seems to be used with the -l parameter:
/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

Thank you again for your help.

Regards.
Alexandre
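A small audit script, added here and not part of the thread or of sshguard itself, that cross-checks the addresses sshguard logs as blocked against the deny rules in its reserved IPFW range 55000-55050 (the range Alexandre asks about), so a gap between the log and the ruleset is visible rather than assumed. The log lines (including the "Releasing" line format), the `ipfw list` output and the interface name em0 are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from sshguard: compare the
# addresses sshguard reports as "Blocking" with the IPFW deny rules in its
# reserved range 55000-55050. On a real box, feed it /var/log/messages
# (or auth.log) and the output of "ipfw list" instead of the samples.

# Constructed sample of sshguard messages (format as in the thread).
SAMPLE_LOG='Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4 for >945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2 abuses over 2059s).
Sep 25 19:02:11 BoxName sshguard[7243]: Blocking 203.0.113.7:4 for >420secs: 40 danger in 4 attacks over 90 seconds (all: 40d in 1 abuses over 90s).
Sep 25 19:30:45 BoxName sshguard[7243]: Blocking 198.51.100.9:4 for >420secs: 40 danger in 4 attacks over 61 seconds (all: 40d in 1 abuses over 61s).
Sep 25 19:40:00 BoxName sshguard[7243]: Releasing 203.0.113.7 after 2269 seconds.'

# Constructed sample of "ipfw list" output (rule 56000 mirrors the thread).
SAMPLE_IPFW='00100 allow ip from any to any via lo0
55031 deny ip from 62.212.230.2 to me
56000 allow ip from any to me 22 in via em0 keep-state
65535 deny ip from any to any'

# Addresses sshguard still reports as blocked: every "Blocking" address
# (address-family suffix :4/:6 stripped) without a later "Releasing" line.
blocked_in_log() {
    printf '%s\n' "$1" | awk '
        /sshguard\[[0-9]+\]: Blocking /  { sub(/:[46]$/, "", $7); b[$7] = 1 }
        /sshguard\[[0-9]+\]: Releasing / { delete b[$7] }
        END { for (a in b) print a }' | sort
}

# Addresses denied by rules inside the reserved range 55000-55050.
blocked_in_ipfw() {
    printf '%s\n' "$1" |
        awk '$1 >= 55000 && $1 <= 55050 && $2 == "deny" { print $5 }' | sort
}

# Print each address present in only one of the two views; no output means
# the log and the firewall agree.
audit_sshguard_ipfw() {
    {
        blocked_in_log "$1"  | sed 's/^/log /'
        blocked_in_ipfw "$2" | sed 's/^/fw /'
    } | awk '
        $2 != "" { seen[$2] = seen[$2] " " $1 }
        END {
            for (a in seen) {
                if (seen[a] !~ /log/) print a, "ipfw-rule-without-log-entry";
                else if (seen[a] !~ /fw/) print a, "log-block-without-ipfw-rule";
            }
        }' | sort
}

audit_sshguard_ipfw "$SAMPLE_LOG" "$SAMPLE_IPFW"
```

On the samples this reports 198.51.100.9 as logged-blocked with no matching deny rule, which is the condition worth alerting on when sshguard runs outside the rc script or its rule slots are exhausted.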
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DUB118-W32603EFCC32F67913C02BEB44E0>