pf + sshguard


folivora
November 9th, 2010, 08:53
Hi,

I've installed security/sshguard-pf.

I followed the instructions. I removed the comment from syslog.conf, so now the line looks like this:

auth.info;authpriv.info |exec /usr/local/sbin/sshguard

After this I edited pf.conf by adding these lines.

table <sshguard> persist

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

After this I restarted syslogd and loaded new pf-rules with pfctl -f /etc/pf.conf.

After 3 days of running pf-sshguard, the sshguard table is still empty.

pfctl -Tshow -t sshguard

provides nothing...

Should I change some other settings, or where should I start looking for the error?

Best Regards

Folivora

SirDice
November 9th, 2010, 08:59
Have a look in /var/log/auth.log. You should see lines similar to these:

Nov 8 05:18:47 maelcum sshd[23638]: error: PAM: authentication error for root from 190.1.159.185
Nov 8 05:24:50 maelcum sshd[23688]: error: PAM: authentication error for root from 190.144.1.98
Nov 8 05:32:27 maelcum sshd[23744]: error: PAM: authentication error for root from 213.16.101.5
Nov 8 05:39:38 maelcum sshd[23803]: error: PAM: authentication error for root from 212.174.45.37
Nov 8 05:48:13 maelcum sshd[23873]: error: PAM: authentication error for root from 190.1.159.185
Nov 8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.
Nov 8 05:54:26 maelcum sshd[23915]: error: PAM: authentication error for root from 190.253.223.162
Nov 8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.


Did you also restart syslog?

folivora
November 9th, 2010, 09:14
Hey,

Yes, I see that blocking line. So it is working, my bad.

And it seems that due to the flush time, the table will be mostly empty.

Is there any option to adjust the ban time, or give permanent bans?

- Folivora
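To show why the table looks empty most of the time, here is an added example (not from the thread and not sshguard's own code) that replays constructed auth.log lines, in the format SirDice quoted, through a simplified model of sshguard's thresholds. The 4-failure, 1200 s stale and 420 s pardon values are assumed sshguard 1.x defaults, not values stated in the thread; the hostnames, PIDs and addresses in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed sshguard 1.x defaults (not stated in the thread): 4 failures with gaps
# under 1200 s block a source for 420 s, via "pfctl -t sshguard -T add/delete".
ABUSE_FAILURES, STALE_SECS, PARDON_SECS = 4, 1200, 420
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"error: PAM: authentication error for \S+ from (?P<src>[\d.]+)$")
# Constructed sample in the format of the auth.log lines quoted in the thread.
SAMPLE_LINES = """\
Nov 8 05:10:00 host sshd[100]: error: PAM: authentication error for root from 192.0.2.10
Nov 8 05:14:00 host sshd[101]: error: PAM: authentication error for root from 198.51.100.7
Nov 8 05:18:00 host sshd[102]: error: PAM: authentication error for root from 192.0.2.10
Nov 8 05:25:00 host sshd[103]: error: PAM: authentication error for root from 192.0.2.10
Nov 8 05:31:00 host sshd[104]: error: PAM: authentication error for root from 192.0.2.10
Nov 8 05:33:00 host sshd[105]: error: PAM: authentication error for admin from 198.51.100.7
Nov 8 05:40:00 host sshd[106]: error: PAM: authentication error for root from 198.51.100.7
""".splitlines()

def parse(line, year=2010):
    """Return (timestamp, source address), or None for lines sshguard ignores."""
    m = LINE_RE.match(line)
    if m:
        return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["src"]
    return None

def simulate(lines, year=2010):
    """Replay lines; return (sshguard-style log messages, table of address -> release time)."""
    failures = defaultdict(list)  # src -> timestamps of its current attack run
    table, events = {}, []        # blocked src -> expiry; log messages
    for line in lines:
        hit = parse(line, year)
        if hit is None:
            continue
        now, src = hit
        for addr in [a for a, until in table.items() if now >= until]:
            events.append(f"Releasing {addr}")  # pardon elapsed: entry leaves the table
            del table[addr]
        if src in table:
            continue
        run = failures[src]
        if run and (now - run[-1]).total_seconds() > STALE_SECS:
            run.clear()  # quiet for too long: the earlier failures go stale
        run.append(now)
        if len(run) >= ABUSE_FAILURES:
            span = int((now - run[0]).total_seconds())
            events.append(f"Blocking {src} for >{PARDON_SECS}secs: {len(run)} failures over {span} seconds.")
            table[src] = now + timedelta(seconds=PARDON_SECS)
            run.clear()
    return events, table
```

Running `simulate(SAMPLE_LINES)` blocks 192.0.2.10 at 05:31 and releases it again by 05:40, so a `pfctl -t sshguard -T show` taken afterwards prints nothing even though sshguard did act. In sshguard 1.x the three constants correspond to its -a (abuse threshold, counted as danger at 10 per failure), -s (stale) and -p (pardon) options.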

graudeejs
November 9th, 2010, 10:12
Yes, sshguard

francisloco
March 7th, 2011, 01:44
And what about
table <ssh-bruteforce> persist

#SSH Bruteforce
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
flags S/SA keep state \
(max-src-conn-rate 2/15, overload <ssh-bruteforce> flush global)
# Block ssh-bruteforce sources
block drop in quick on $ext_if from <ssh-bruteforce>