SSHguard & IPFW
axelbsd at ymail.com
Tue Sep 29 14:27:55 UTC 2015
> Subject: Re: SSHguard & IPFW
> From: ike at michaeleichorn.com
> To: axelbsd at ymail.com; freebsd-questions at freebsd.org
> Date: Tue, 29 Sep 2015 08:59:35 -0400
> On Tue, 2015-09-29 at 14:04 +0200, Alexandre wrote:
>> I installed and configured IPFW on my box. I installed
>> security/sshguard-ipfw to block unwanted SSH connections.
>> I did not added the line sshguard_enable="YES" in /etc/rc.conf.
>> Without this line in /etc/rc.conf, Bots IP addresses seems to be
>> blocked as expected (/var/log/messages):
>> Sep 25 18:39:27 BoxName sshguard: Blocking 22.214.171.124:4
>> for>945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2
>> abuses over 2059s).
>> With the command $ sudo ipfw list I can see the blocked IP adresse in
>> the deny list :
>> 55031 deny ip from 126.96.36.199 to me
>> Anyone can confirm (or not if I am wrong) that the line
>> sshguard_enable="YES" is requested only if I install security/sshguard
> Nope, sshguard_enable applies to all of them the sshguard-* ports are
> just sshguard with different configure options.
> From /usr/local/etc/rc.d/sshguard (sshguard-pf, but should be the same
> with -ipfw):
> # Add the following lines to /etc/rc.conf to enable sshguard:
> # sshguard_enable (bool): Set to "NO" by default.
> # Set it to "YES" to enable sshguard
> At a guess something happened to kick off sshguard without the rc script,
> but for most setups the rc script is the proper way to start sshguard.
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kickoff
> sshguard and not use sshguard enable, but this is now depreciated in
> favor of the new 'Log Sucker' introduced in v1.5.
>> About the blocking rules reservation in IPFW (from rule 55000 to
>> 55050), anyone experienced yet full use of these rules?
>> By default, fifteen addresses can be blocked together. But how SSHGUARD
>> works in this case for the newest one (51th)?
>> Thank you in advance for your clarifications.
Thank you Michael for your reply.
I just installed security/sshguard-ipfw using portmaster
# portmaster security/sshguard-ipfw
After reading the SSHGuard Documentation website once again, it seems I effectively followed an old setup (for version 1.5 with /etc/syslod.conf modification): my bad
Now I added the line sshguard_enable="YES" in /etc/rc.conf and keep modified my ruleset /etc/ipfw-rules for SSHGuard
$cmd 56000 allow ip from any to me 22 in via $pif keep-state
The process is launched with these default options, and Log Sucker seems to be used with -l parameter
/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid
Thank you again for your help.
More information about the freebsd-questions