SSHguard & IPFW

Alexandre axelbsd at ymail.com
Tue Sep 29 14:27:55 UTC 2015 


----------------------------------------
> Subject: Re: SSHguard & IPFW
> From: ike at michaeleichorn.com
> To: axelbsd at ymail.com; freebsd-questions at freebsd.org
> Date: Tue, 29 Sep 2015 08:59:35 -0400
>
> On Tue, 2015-09-29 at 14:04 +0200, Alexandre wrote:
>> Hi,
>>
>> I installed and configured IPFW on my box. I installed
>> security/sshguard-ipfw to block unwanted SSH connections.
>> I did not added the line sshguard_enable="YES" in /etc/rc.conf.
>> Without this line in /etc/rc.conf, Bots IP addresses seems to be
>> blocked as expected (/var/log/messages):
>>
>> Sep 25 18:39:27 BoxName sshguard[7243]: Blocking 62.212.230.2:4
>> for>945secs: 40 danger in 4 attacks over 514 seconds (all: 80d in 2
>> abuses over 2059s).
>>
>> With the command $ sudo ipfw list I can see the blocked IP adresse in
>> the deny list :
>> 55031 deny ip from 62.212.230.2 to me
>>
>> Anyone can confirm (or not if I am wrong) that the line
>> sshguard_enable="YES" is requested only if I install security/sshguard
>> port?
>
> Nope, sshguard_enable applies to all of them the sshguard-* ports are
> just sshguard with different configure options.
>
> From /usr/local/etc/rc.d/sshguard (sshguard-pf, but should be the same
> with -ipfw):
>
> # Add the following lines to /etc/rc.conf to enable sshguard:
> # sshguard_enable (bool): Set to "NO" by default.
> # Set it to "YES" to enable sshguard
>
> At a guess something happened to kick off sshguard without the rc script,
> but for most setups the rc script is the proper way to start sshguard.
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kickoff
> sshguard and not use sshguard enable, but this is now depreciated in
> favor of the new 'Log Sucker' introduced in v1.5.
>
>
>
>>>
>> About the blocking rules reservation in IPFW (from rule 55000 to
>> 55050), anyone experienced yet full use of these rules?
>> By default, fifteen addresses can be blocked together. But how SSHGUARD
>> works in this case for the newest one (51th)?
>>
>> Thank you in advance for your clarifications.
>> Alexandre

Thank you Michael for your reply.

I just installed security/sshguard-ipfw using portmaster
# portmaster security/sshguard-ipfw
After reading the SSHGuard Documentation website once again, it seems I effectively followed an old setup (for version 1.5 with /etc/syslod.conf modification): my bad

Now I added the line sshguard_enable="YES" in /etc/rc.conf and keep modified my ruleset /etc/ipfw-rules for SSHGuard
$cmd 56000 allow ip from any to me 22 in via $pif keep-state

The process is launched with these default options, and Log Sucker seems to be used with -l parameter
/usr/local/sbin/sshguard -b 40:/var/db/sshguard/blacklist.db -l /var/log/auth.log -l /var/log/maillog -a 40 -p 420 -s 1200 -w /usr/local/etc/sshguard.whitelist -i /var/run/sshguard.pid

Thank you again for your help.

Regards.
Alexandre

More information about the freebsd-questions mailing list