pf + sshguard

Hi,

I've installed security/sshguard-pf.

I followed the instructions. I removed the comment from syslog.conf, so now the line looks like this:

Code:
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

After this I edited pf.conf by adding these lines.

Code:
table <sshguard> persist

Code:
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

After this I restarted syslogd and loaded the new pf rules with pfctl -f /etc/pf.conf.

After 3 days of running pf-sshguard, the sshguard table is still empty.

pfctl -Tshow -t sshguard

provides nothing...

Should I change some other settings, or where should I start looking for the error?

Best Regards

Folivora
 
Have a look in /var/log/auth.log. You should see lines similar to these:
Code:
Nov  8 05:18:47 maelcum sshd[23638]: error: PAM: authentication error for root from 190.1.159.185
Nov  8 05:24:50 maelcum sshd[23688]: error: PAM: authentication error for root from 190.144.1.98
Nov  8 05:32:27 maelcum sshd[23744]: error: PAM: authentication error for root from 213.16.101.5
Nov  8 05:39:38 maelcum sshd[23803]: error: PAM: authentication error for root from 212.174.45.37
Nov  8 05:48:13 maelcum sshd[23873]: error: PAM: authentication error for root from 190.1.159.185
Nov  8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.
Nov  8 05:54:26 maelcum sshd[23915]: error: PAM: authentication error for root from 190.253.223.162
Nov  8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.

Did you also restart syslog?
 
Hey,

Yes, I see that blocking line. So it is working, my bad.

And it seems that due to the flush time, the table will be mostly empty.

Is there any option to adjust the ban time, or give permanent bans?

- Folivora
 
And what about
Code:
table <ssh-bruteforce> persist

Code:
#SSH Bruteforce
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 2/15, overload <ssh-bruteforce> flush global)
# Block ssh-bruteforce
block drop in quick on $ext_if from <ssh-bruteforce>
 
Hi everyone :)

I have a question about the sshguard log. I have installed sshguard with PF support, protecting sshd in a jail, and configured like below:
/etc/rc.conf.local
Code:
sshguard_enable="YES"
sshguard_watch_logs="/var/jail/sshd/log/auth.log"
sshguard_safety_thresh="4"
sshguard_pardon_min_interval="10800" 
#sshguard_pardon_min_interval="1250" 
sshguard_prescribe_interval="7200"

/etc/syslog.conf
Code:
#auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log

Note: Because it doesn't monitor the system's auth, 'exec sshguard' is commented out.

sshguard works fine (it adds and releases blocked IPs in PF's table <sshguard>) and logs lines like:
Code:
Nov  8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.

But a releasing message like this never appears in the log:
Code:
Nov  8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.
even with
Code:
*.notice... /var/log/messages modified to *.info... /var/log/messages
in /etc/syslog.conf

I have been checking the source code in sshguard-1.5/src/sshguard.c
Code:
static void *pardonBlocked(void *par) {
   sshguard_log(LOG_INFO, "Releasing %s after %lld seconds.\n", tmpel->attack.address.value, (long long int)(now - tmpel->whenlast));
I think pardonBlocked() works fine, but I haven't seen any message about releasing printed.

Thanks a lot.
Neko
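To make the blocking and releasing behaviour shown in the auth.log excerpt above, and the effect of the rc.conf knobs in Neko's post, easier to reason about, here is an added example. It is not sshguard's code and not from any poster in this thread: it is a simplified model in which sshguard_safety_thresh is the number of failures that triggers a block, sshguard_prescribe_interval is how long a failure stays counted against an address, and sshguard_pardon_min_interval is how long an address stays in the table (that mapping of the knobs is an assumption). The log lines use documentation addresses and are constructed; the only real sshguard detail reused is that releases are done by a separate timer thread (pardonBlocked()), which this model replaces with an on-demand tick().

```python
import re
from datetime import datetime

# Matches the sshd/PAM failure lines quoted in the thread's auth.log excerpt.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"error: PAM: authentication error for \S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log (documentation addresses, not the thread's real ones).
SAMPLE_LOG = """\
Nov  8 05:18:47 host sshd[101]: error: PAM: authentication error for root from 198.51.100.7
Nov  8 05:20:02 host sshd[102]: error: PAM: authentication error for admin from 203.0.113.9
Nov  8 05:24:50 host sshd[103]: error: PAM: authentication error for root from 198.51.100.7
Nov  8 05:32:27 host sshd[104]: error: PAM: authentication error for root from 198.51.100.7
Nov  8 05:40:00 host sshd[105]: error: PAM: authentication error for test from 203.0.113.9
Nov  8 05:48:13 host sshd[106]: error: PAM: authentication error for root from 198.51.100.7
Nov  8 05:50:00 host sshd[107]: error: PAM: authentication error for root from 203.0.113.9
Nov  8 05:56:00 host sshd[108]: error: PAM: authentication error for root from 203.0.113.9
"""


def parse_ts(ts, year=2010):
    """syslog timestamps carry no year; assume one so date arithmetic works."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class GuardModel:
    """Simplified stand-in for sshguard's decision logic (assumed mapping of the
    rc.conf knobs to parameters; this is not sshguard's own implementation)."""

    def __init__(self, safety_thresh=4, prescribe_interval=7200, pardon_min_interval=420):
        self.safety_thresh = safety_thresh              # failures before a block
        self.prescribe_interval = prescribe_interval    # seconds a failure stays counted
        self.pardon_min_interval = pardon_min_interval  # seconds a block lasts
        self.failures = {}   # ip -> timestamps of still-counted failures
        self.blocked = {}    # ip -> time it entered the pf <sshguard> table
        self.events = []     # ("block", ip, n, span_s) or ("release", ip, held_s)

    def tick(self, now):
        """Release addresses whose pardon interval has elapsed. sshguard does this
        from a timer thread (pardonBlocked()); here it runs when called."""
        for ip, since in sorted(self.blocked.items()):
            held = int((now - since).total_seconds())
            if held >= self.pardon_min_interval:
                del self.blocked[ip]
                self.events.append(("release", ip, held))

    def observe(self, line):
        """Feed one auth.log line; returns True if it counted as a failure."""
        m = FAIL_RE.match(line)
        if not m:
            return False
        now, ip = parse_ts(m["ts"]), m["ip"]
        self.tick(now)
        if ip in self.blocked:
            return False  # pf is already dropping this source
        # Forget failures older than the prescribe interval, then add this one.
        recent = [t for t in self.failures.get(ip, [])
                  if (now - t).total_seconds() <= self.prescribe_interval]
        recent.append(now)
        if len(recent) >= self.safety_thresh:
            self.failures.pop(ip, None)
            self.blocked[ip] = now
            span = int((now - recent[0]).total_seconds())
            self.events.append(("block", ip, len(recent), span))
        else:
            self.failures[ip] = recent
        return True

    def table(self):
        """What `pfctl -t sshguard -T show` would list at this moment."""
        return sorted(self.blocked)


def run_sample(log_text=SAMPLE_LOG, **params):
    """Replay a log through the model and return it for inspection."""
    guard = GuardModel(**params)
    for line in log_text.splitlines():
        guard.observe(line)
    return guard


if __name__ == "__main__":
    g = run_sample()
    for ev in g.events:
        print(ev)
    print("table now:", g.table())
```

With the defaults (4 failures, 420-second pardon) the replay blocks 198.51.100.7 after its fourth failure, 1766 seconds after its first, and releases it 467 seconds later when the next line arrives; the table therefore holds an address only briefly, which is the "mostly empty" effect noted earlier in the thread. Raising pardon_min_interval to 10800 as in Neko's rc.conf keeps both addresses in the table for the whole sample, and shrinking prescribe_interval to 600 seconds produces no block at all because the slow-paced failures are forgotten before the threshold is reached. Because releases here happen only inside tick(), a release is only recorded when something calls it, whereas sshguard's pardonBlocked() thread runs on its own schedule.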
 