sshguard with TCP wrappers / hosts.allow not work [Archive] - The FreeBSD Forums



f5b
December 25th, 2010, 10:37
FreeBSD 8.1-RELEASE

cd /usr/ports/security/sshguard
make install clean

pkg_info | grep sshg
sshguard-1.4 Protect hosts from brute force attacks against ssh and othe

vi /etc/syslog.conf
something ...

auth.info;authpriv.info |exec /usr/local/sbin/sshguard
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log

/etc/rc.d/syslogd reload

less /etc/hosts.allow
something like this:

###sshguard###
###sshguard###
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.23.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.

# _____ _ _
# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
# |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

tail /var/log/auth.log
something like this:

Dec 25 17:28:19 b sshguard[15013]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 123.111.128.211
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 123.111.128.211
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 123.111.128.211
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 123.111.128.211
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 123.111.128.211
Dec 25 17:28:29 b sshd[15023]: Invalid user dany from 123.111.128.211
Dec 25 17:28:31 b sshd[15025]: Invalid user susan from 123.111.128.211
Dec 25 17:28:33 b sshd[15027]: Invalid user oracle from 123.111.128.211
Dec 25 17:28:35 b sshd[15029]: Invalid user tomcat from 123.111.128.211
Dec 25 17:28:37 b sshd[15032]: Invalid user backup from 123.111.128.211
Dec 25 17:28:39 b sshd[15034]: Invalid user id from 123.111.128.211
Dec 25 17:28:40 b sshd[15036]: Invalid user sgi from 123.111.128.211
Dec 25 17:28:42 b sshd[15038]: Invalid user postgres from 123.111.128.211
Dec 25 17:28:44 b sshd[15040]: Invalid user flowers from 123.111.128.211
Dec 25 17:28:46 b sshd[15042]: Invalid user linux from 123.111.128.211
Dec 25 17:28:48 b sshd[15044]: Invalid user internet from 123.111.128.211
Dec 25 17:28:50 b sshd[15046]: Invalid user server from 123.111.128.211
Dec 25 17:28:52 b sshd[15048]: Invalid user nokia from 123.111.128.211
Dec 25 17:28:53 b sshd[15050]: Invalid user bash from 123.111.128.211
Dec 25 17:28:55 b sshd[15052]: Invalid user work from 123.111.128.211
Dec 25 17:28:59 b sshd[15056]: Invalid user gateway from 123.111.128.211
Dec 25 17:29:01 b sshd[15058]: Invalid user michael from 123.111.128.211
Dec 25 17:29:03 b sshd[15060]: Invalid user michael from 123.111.128.211
Dec 25 17:29:05 b sshd[15062]: Invalid user rk from 123.111.128.211
Dec 25 17:29:06 b sshd[15064]: Invalid user internet from 123.111.128.211
Dec 25 17:29:08 b sshd[15066]: Invalid user kathi from 123.111.128.211
Dec 25 17:29:10 b sshd[15068]: Invalid user squid from 123.111.128.211
Dec 25 17:29:12 b sshd[15070]: Invalid user darwin from 123.111.128.211
Dec 25 17:29:14 b sshd[15072]: Invalid user info from 123.111.128.211
Dec 25 17:29:16 b sshd[15074]: Invalid user job from 123.111.128.211
Dec 25 17:29:18 b sshd[15076]: Invalid user pamela from 123.111.128.211
Dec 25 17:29:19 b sshd[15078]: Invalid user jack from 123.111.128.211
Dec 25 17:29:21 b sshd[15080]: Invalid user webmaster from 123.111.128.211
Dec 25 17:29:25 b sshd[15084]: Invalid user shaun from 123.111.128.211
Dec 25 17:29:27 b sshd[15086]: Invalid user sven from 123.111.128.211
Dec 25 17:29:29 b sshd[15088]: Invalid user steve from 123.111.128.211
Dec 25 17:29:31 b sshd[15090]: Invalid user steven from 123.111.128.211
Dec 25 17:29:32 b sshd[15092]: Invalid user temp from 123.111.128.211
Dec 25 17:29:34 b sshd[15094]: Invalid user tim from 123.111.128.211


It seems that sshguard does not work in TCP wrapper mode with hosts.allow.
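As an added example (not from the thread and not sshguard's own code), the Python below replays the (a,p,s)=(4, 420, 1200) thresholds that sshguard logged at startup over constructed auth.log-style lines, so you can see at which line an address should have landed in the block list and when it would be pardoned. The RFC 5737 addresses and the year 2010 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

ABUSE_THRESHOLD = 4    # a: attacks before an address is blocked
PARDON_SECONDS = 420   # p: seconds a block stays in place
STALE_SECONDS = 1200   # s: idle seconds after which partial counts are forgotten

# Constructed sample, modelled on the sshd lines quoted in the thread.
SAMPLE_LOG = """\
Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 192.0.2.10
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 192.0.2.10
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 192.0.2.10
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 192.0.2.10
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 192.0.2.10
Dec 25 17:50:00 b sshd[15100]: Invalid user admin from 198.51.100.7
Dec 25 18:20:00 b sshd[15200]: Invalid user admin from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<addr>\S+)$")

def parse_ts(text, year=2010):
    # Assumed year: the thread dates from December 2010.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def simulate(log_text):
    """Return one (addr, blocked_at, released_at) tuple per block decision."""
    counts = {}    # addr -> (attack_count, time_of_last_attack)
    blocked = {}   # addr -> time the pardon is due
    blocks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        now, addr = parse_ts(m["ts"]), m["addr"]
        if addr in blocked and now >= blocked[addr]:
            del blocked[addr]          # pardon has expired
        if addr in blocked:
            continue                   # firewall should already be dropping this peer
        count, last = counts.get(addr, (0, None))
        if last is not None and (now - last).total_seconds() > STALE_SECONDS:
            count = 0                  # quiet too long: earlier attempts are stale
        count += 1
        counts[addr] = (count, now)
        if count >= ABUSE_THRESHOLD:
            release = now + timedelta(seconds=PARDON_SECONDS)
            blocked[addr] = release
            blocks.append((addr, now.strftime("%H:%M:%S"), release.strftime("%H:%M:%S")))
            counts[addr] = (0, now)    # start counting afresh after the pardon
    return blocks
```

With the sample, the first address is blocked on its fourth attempt and the second address never reaches the threshold, because its two attempts are further apart than the stale window.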

SirDice
December 25th, 2010, 16:04
Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:

block in on $ext_if proto tcp from <sshguard>

And you're good to go.

DutchDaemon
December 25th, 2010, 19:39
Format your posts (http://forums.freebsd.org/showthread.php?t=8816), f5b!

f5b
December 26th, 2010, 02:58
Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:

block in on $ext_if proto tcp from <sshguard>

And you're good to go.


Now I have installed sshguard-pf.
/etc/pf.conf


table <sshguard> persist

set skip on lo

scrub in

block in quick on egress proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out



Am I OK?

SirDice
December 26th, 2010, 10:53
egress? Make sure you block incoming ssh connections on your external interface.

f5b
December 26th, 2010, 12:40
egress? Make sure you block incoming ssh connections on your external interface.

Yes, the pf firewall works fine.
When I change pf.conf to "block in on $ext_if proto tcp from <sshguard>",
sshguard does not work either.

egress, from pf-faq41.pdf:

interface
The name or group of the network interface that the packet is moving through. Interfaces can be added to arbitrary groups using the ifconfig(8) command. Several groups are also automatically created by the kernel:

The egress group, which contains the interface(s) that holds the default route(s).

Interface family group for cloned interfaces. For example: ppp or carp

kpa
December 27th, 2010, 05:17
Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig.

f5b
December 27th, 2010, 08:53
Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig.

Yes. Now /etc/pf.conf is as below, and I ran
pfctl -f /etc/pf.conf

ext_if="bce1"

table <sshguard> persist

set skip on lo


block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out


But sshguard-pf does not work either.

DutchDaemon
December 27th, 2010, 23:32
Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?

f5b
December 28th, 2010, 02:09
Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?

The label keyword is from the example at http://www.sshguard.net/docs/setup/firewall/pf/


Now pf.conf has been changed to:
ext_if="bce1"

table <sshguard> persist

set skip on lo

block in quick on $ext_if proto tcp from <sshguard>
pass in
pass out

pfctl -f /etc/pf.conf
/etc/rc.d/syslogd reload

Tested the brute-force login: it does not work.
