IPFW + SSHGuard

Hi!

I've got a problem with security/sshguard-ipfw.

Assumption: I'm running a GENERIC kernel on 8.2 (so I suppose that I don't have the option IPFIREWALL_FORWARD in) and I'm not interested in compiling a custom kernel.

I'm using a custom ruleset in /etc/ipfw.rules:

Code:
#!/bin/sh

ipfw -q -f flush
cmd="ipfw -q add"
pif="em0"

$cmd xxxxx allow all from any to any via lo0
$cmd xxxxx deny all from any to 127.0.0.0/8
$cmd xxxxx deny all from 127.0.0.0/8 to any
$cmd xxxxx deny tcp from any to any frag

[cut]

After the installation, I've uncommented the line in /etc/syslog.conf:

Code:
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

but it seems that SSHGuard doesn't add any blocking rule from ID 55000 to 55050, as expected.

When I restart ipfw it says:

Code:
ipfw: getsockopt(IP_FW_ADD): Invalid argument

SSHGuard process seems up and running.

I think that sshguard tried to add its blocking rule without results: does it require the kernel version of ipfw?

Suggestions are really appreciated.

Thanks in advance
 
I haven't used sshguard with IPFW yet but it works fine with PF.
 
follow-ups, if needed:
Code:
myserver# kldstat
Id Refs Address            Size     Name
 1   13 0xffffffff80100000 c9fe20   kernel
 2    1 0xffffffff80da0000 918      accf_data.ko
 3    1 0xffffffff80da1000 15e0     accf_http.ko
 4    1 0xffffffff80e22000 ca6e     ipfw.ko
 5    1 0xffffffff80e2f000 b1da     libalias.ko
 6    1 0xffffffff80e3b000 27f8     logo_saver.ko

The process seems up and running:

Code:
sshguard[1468]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.

It recognizes threats:

Code:
Nov  8 02:14:38 myserver sshguard[3127]: Blocking aaaa.ss.zzz.xxx:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).

but effectively it doesn't block, I suppose because sshguard has not added any rule to IPFW due to the highlighted problem.
 
Has this been resolved? I have sshguard working with ipfw. I do use a custom kernel though:

Code:
options    IPFIREWALL
options    IPFIREWALL_VERBOSE
options    IPFIREWALL_VERBOSE_LIMIT=5
options    IPFIREWALL_DEFAULT_TO_ACCEPT
options    IPDIVERT

I attempt to ssh and leave an empty password and a rule shows up in ipfw.

Just an FYI guys.
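
Added example (not part of the thread and not sshguard's own code): a check for the symptom described above, where sshguard logs "Blocking ..." but no rule shows up in the 55000-55050 range. It assumes blocking rules appear in `ipfw list` as `deny ip from <addr> to me`; the function names and the sample log and rule lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Rule range is the one named in the thread.
LO=55000
HI=55050

# Addresses sshguard logged as blocked (auth log text on stdin).
# Line shape as quoted in the thread: "Blocking <addr>:<kind> for ..."
blocked_addrs() {
    awk '/sshguard\[[0-9]+\]: Blocking / {
        for (i = 1; i < NF; i++) if ($i == "Blocking") {
            a = $(i + 1); sub(/:[0-9]+$/, "", a); print a
        }
    }' | sort -u
}

# Source addresses of deny rules inside the range (`ipfw list` text on stdin).
# Assumed rule shape: "<num> deny ip from <addr>[,<addr>...] to me".
ruled_addrs() {
    awk -v lo="$LO" -v hi="$HI" '
        $1 ~ /^[0-9]+$/ && $1 + 0 >= lo && $1 + 0 <= hi && $2 == "deny" {
            for (i = 3; i < NF; i++) if ($i == "from") {
                n = split($(i + 1), src, ",")
                for (j = 1; j <= n; j++) print src[j]
            }
        }' | sort -u
}

# Print addresses logged as blocked that have no rule in the range.
# $1 = log text, $2 = `ipfw list` text. Blocks that already expired
# are reported too, so feed it recent log lines.
unenforced() {
    rules=$(printf '%s\n' "$2" | ruled_addrs)
    printf '%s\n' "$1" | blocked_addrs | while read -r a; do
        printf '%s\n' "$rules" | grep -qxF -- "$a" || printf '%s\n' "$a"
    done
}

# Constructed sample data (documentation addresses, not from the thread).
SAMPLE_LOG='Nov  8 02:14:38 myserver sshguard[3127]: Blocking 192.0.2.10:4 for >630secs: 40 danger in 4 attacks over 4 seconds
Nov  8 02:20:01 myserver sshguard[3127]: Blocking 198.51.100.7:4 for >630secs: 40 danger in 4 attacks over 5 seconds'
SAMPLE_RULES='00100 allow ip from any to any via lo0
55000 deny ip from 192.0.2.10 to me
65535 deny ip from any to any'

# Live use on the host: unenforced "$(cat /var/log/auth.log)" "$(ipfw list)"
unenforced "$SAMPLE_LOG" "$SAMPLE_RULES"
```

Any address this prints was announced as blocked in the log but is not enforced by a rule in the range, which is the condition the original poster describes.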
 