Hey guys,
I don't know why but SSH-Guard has stopped blocked ip. A few weeks days ago was working great. Since some days doesn't work anymore. I can't find solution.
My ipfw config. There is nothin complicated here.
My SSH-Guard config:
Someone can help ?
Thanks )
I don't know why but SSH-Guard has stopped blocked ip. A few weeks days ago was working great. Since some days doesn't work anymore. I can't find solution.
My ipfw config. There is nothin complicated here.
Code:
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.
# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0
ipfw pipe 1 config bw 1Mbit/s
#ipfw pipe 2 config bw 100Kb/s
### Pipes & Priority ###:
#ipfw queue 1 config pipe 1 weight 40
#ipfw queue 2 config pipe 1 weight 30
#ipfw queue 3 config pipe 1 weight 20
#ipfw queue 4 config pipe 1 weight 10
#ipfw queue 5 config pipe 1 weight 1
######################## Bandwidth #############:
### DNS & HTTP Servers ###:
ipfw add pipe 1 ip from any to any uid xyu
#ipfw add pipe 1 ip from any to any uid bryn1u
$cmd 0050 reass all from any to any in
$cmd 0060 check-state
### IRC
#$cmd 00100 allow tcp from any to any dst-port 6667 in via $vif setup keep-state
$cmd 0099 allow tcp from any to any dst-port 6667 out via $vif setup keep-state
### Oidentd
$cmd 00100 allow tcp from any to any dst-port 113 in via $vif setup keep-state
$cmd 00101 allow tcp from any to any dst-port 113 out via $vif setup keep-state
### Murmur
$cmd 00102 allow tcp from any to any dst-port 64738 in via $vif setup limit src-addr 5
$cmd 00103 allow udp from any to any dst-port 64738 in via $vif limit src-addr 5
### OpenVPN
$cmd 00104 allow udp from any to any dst-port 1194 in via $vif keep-state
$cmd 00105 allow udp from any to any dst-port 1194 out via $vif keep-state
### SSH:
$cmd 00106 allow tcp from any to any dst-port 22 in via $vif setup keep-state
$cmd 00107 allow tcp from any to any dst-port 22 out via $vif setup keep-state
### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state
### Webmin:
$cmd 00112 allow tcp from any to any dst-port 50000 in via $vif setup keep-state
$cmd 00113 allow tcp from any to any dst-port 50000 out via $vif setup keep-state
# allow HTTP HTTPS replies
$cmd 00400 allow tcp from any to any dst-port 80 in via $vif setup limit src-addr 10
$cmd 00410 allow tcp from any to any dst-port 443 in via $vif setup limit src-addr 10
$cmd 00200 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 allow tcp from any to any dst-port 443 out via $vif setup keep-state
# allow outbound mail
#$cmd 00230 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00231 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00232 allow tcp from any to any dst-port 587 out via $vif setup keep-state
# allow icmp re: ping, et. al.
# comment this out to disable ping, et.al.
#$cmd 00250 allow icmp from any to any out via $vif keep-state
# alllow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state
# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state
# otherwise deny outbound packets
# outbound catchall.
#$cmd 00299 deny log ip from any to any out via $vif
# inbound rules
# deny inbound traffic to restricted addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny ip from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif
# deny inbound packets on these ports
# auth 113, netbios (services) 137/138/139, hosts-nameserver 81
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif
#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
# deny partial packets
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif
# deny everything else, and log it
# inbound catchall
#$cmd 55000 deny all from 'table(22)' to any
$cmd 55000 deny ip from table\(22\) to any
$cmd 56599 deny log ip from any to any in via $vif
# ipfw built-in default, don't uncomment
# $cmd 65535 deny ip from any to any
My SSH-Guard config:
Code:
#!/bin/sh
# sshguard.conf -- SSHGuard configuration
# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/local/libexec/sshg-fw-hosts"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"
# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/security"
# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=20
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120
# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800
# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
#IPV6_SUBNET=128
# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
#IPV4_SUBNET=32
#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!
# Full path to PID file (optional, no default)
PID_FILE=/var/run/sshguard.pid
# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db
# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
Someone can help ?
Thanks )