
SSHGuard not Blocking Connections

Lego

Well-Known Member

Thanks: 1
Messages: 404

#1
Ok, this should be here or in Ports Installation and Maintenance; wasn't sure, so I started here.

So the original thread I had was here: http://forums.freebsd.org/showthread.php?t=8047

Um, so I had not had another hack-in attempt since getting sshguard talking properly to everything, so I just checked my security report and well....
Code:
Nov 12 01:58:59 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:00 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:26 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:39 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:40 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:52 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:53 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:00 blurr-ink sshguard[10051]: Got exit signal, flushing blocked addresses and exiting...
Nov 12 02:00:00 blurr-ink sshguard[11208]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Nov 12 02:00:05 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:06 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:32 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:45 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:58 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:59 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
No time gap between the logging attempts, and obviously not blocking the IP, PLUS I have it set for 5 attempts if you look at my config in the thread link up top. Any ideas?

Also, there is a lot more than just posted, but I didn't want to flood the page 'that' bad.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#2
What firewall do you use? If you use PF did you add the rules?

Something like:
Code:
block in on $ext_if proto tcp from <sshguard>
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#3
Yes I did; my pf.conf looks like this:
Code:
#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.4.1 2008/11/25 02:59:29 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist
table <sshguard> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
block in quick on fxp0 from <sshguard> label "ssh bruteforce"
My ethernet card is fxp0:
Code:
blurr-ink# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:11:52:01:13
        inet 192.168.0.194 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
This page http://sshguard.sourceforge.net/doc/setup/blockingpf.html said to change the $ext_if to your WAN interface name, so that's why I put fxp0. Is that wrong??

Ironic: as I was posting this, it seems the person has stopped trying to get in.... hmmm.. maybe someone on the forum that has seen lots of my posts and figures they can get in easy??
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,508
Messages: 25,692

#4
Lego said:
This page http://sshguard.sourceforge.net/doc/setup/blockingpf.html said to change the $ext_if to your WAN interface name, so that's why I put fxp0. Is that wrong??
No, it's not wrong. I prefer to use variables. If my interface changes I don't have to edit all my rules, just change the variable.

Did you reload your new pf.conf?
# pfctl -f /etc/pf.conf
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#5
I also removed the 'to any port 22' because I want them completely blocked: if you try and hack one, why should I let you try to hack another... my thoughts anyway.


ADDED: yes, I have reloaded the rules twice and even tried a restart.

I did a 'pfctl -F all -f /etc/pf.conf' because it said it flushes all rules before reloading them; figured it was a good idea.
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#7
Actually, I did re-add that trick and restarted syslogd. Those failed attempts listed up top are pulled from the sshguard.log file; how do I verify the PID file is present/correct??

When I 'ee /var/run/proftpd.pid' it opens a document that says 932, that's it! Not supposed to do that, am I? lol
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#9
Yes, they do match. Weird, I thought I was wrong opening the file like that; 932 in /var/run/proftpd.pid, and 932 for the pgrep:
Code:
blurr-ink# pgrep proftpd
932
blurr-ink#
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#11
Yes, that was changed when you had given me the link to the service codes page; this is the current /etc/syslog.conf line:
Code:
auth.info;authpriv.info;ftp.info;mail.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;ftp.info;mail.info       /var/log/sshguard.log
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#13
Hmm.... Not sure. I guess I could try and ban myself, but I haven't had any attacks on sshd since I changed the port, and I've never had an attack on my mail server. I'll do 5 failed attempts to ssh now and see if it works...
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#14
Ok, LOL, yes it is blocking sshd attempts.... Now I'm locked out of my server LOL
Code:
Nov 13 18:25:29 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:32 blurr-ink last message repeated 2 times
Nov 13 18:25:32 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:34 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:34 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:35 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:35 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 6 seconds.
Nov 13 18:25:35 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:27:27 blurr-ink sshd[49446]: Accepted keyboard-interactive/pam for lego from 192.168.0.196 port 58108 ssh2
Nov 13 18:27:27 blurr-ink sshd[49443]: error: ssh_msg_send: write
Nov 13 18:27:35 blurr-ink su: lego to root on /dev/ttyp1
After the 5 it just crashed my PuTTY, well, wouldn't even let me connect, so it is blocking for ssh..... It then let me locally ssh in, so I can remove the blocked address.

ADDED: how do I remove the address, or do I just have to wait?? Default time is what, 2-7 minutes??
 

dennylin93

Aspiring Daemon

Thanks: 106
Messages: 784

#15
The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.

It's also possible to use # pfctl -t sshguard -T d ip.add.re.ss to delete IPs, -T s to show them and -T f to flush the table.
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#16
And IMAP seems to be working as well:
Code:
Nov 13 18:40:00 blurr-ink imapd[49729]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:12 blurr-ink last message repeated 2 times
Nov 13 18:40:17 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:22 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:28 blurr-ink imapd[49729]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:28 blurr-ink imapd[49733]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:34 blurr-ink imapd[49733]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:34 blurr-ink imapd[49734]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink imapd[49734]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:37 blurr-ink imapd[49735]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 902 seconds.
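Added example, not code from the thread or from sshguard itself: a Python replay of syslog lines through a simplified model of the (a,p,s) thresholds on the `Started successfully [(a,p,s)=(5, 420, 1200)]` line, which reproduces the two "Blocking" figures above (5 failures over 6 seconds from sshd, then 5 over 902 seconds once the imapd failures are added to the one sshd failure logged after the first block). The failure regexes, the clearing of an address's count when it is blocked, and the year (absent from syslog timestamps) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Failure signatures for the daemons the thread feeds to sshguard: simplified regexes for this example.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: error: PAM: authentication error for \S+ from (?P<ip>[\d.]+)"),
    re.compile(r"sshd\[\d+\]: Failed \S+ for \S+ from (?P<ip>[\d.]+) port"),
    re.compile(r"proftpd\[\d+\]: .*no such user found from (?P<ip>[\d.]+) "),
    re.compile(r"imapd\[\d+\]: Login failed .*\[(?P<ip>[\d.]+)\]"),
]
STAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) ")

def scan(lines, attempts=5, pardon=420, stale=1200, year=2009):  # year: assumed, syslog has none
    """Replay syslog lines through sshguard-style (a,p,s) bookkeeping: a failures
    within s seconds block an address for p seconds. Returns (ip, time, failures,
    span_seconds) per block, the figures sshguard logs on its "Blocking" line."""
    history, blocked, decisions = {}, {}, []
    for line in lines:
        stamp = STAMP.match(line)
        hit = next(filter(None, (p.search(line) for p in FAILURE_PATTERNS)), None)
        if not stamp or not hit:
            continue                      # e.g. "last message repeated N times" is not a failure
        ip = hit["ip"]
        when = datetime.strptime(f"{year} {stamp['ts']}", "%Y %b %d %H:%M:%S")
        recent = [t for t in history.get(ip, []) if when - t <= timedelta(seconds=stale)]
        recent.append(when)               # drop stale failures (s), record the new one
        history[ip] = recent
        if ip in blocked and when - blocked[ip] > timedelta(seconds=pardon):
            del blocked[ip]               # pardon (p) elapsed: the address can be blocked again
        if len(recent) >= attempts and ip not in blocked:
            blocked[ip] = when
            history[ip] = []              # assumption: a blocked address starts counting afresh
            span = int((when - recent[0]).total_seconds())
            decisions.append((ip, when.strftime("%H:%M:%S"), len(recent), span))
    return decisions

# Constructed sample modelled on the sshd and imapd excerpts in posts #14 and #16.
SAMPLE = [
    "Nov 13 18:25:29 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228",
    "Nov 13 18:25:32 blurr-ink last message repeated 2 times",
    "Nov 13 18:25:32 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2",
    "Nov 13 18:25:34 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228",
    "Nov 13 18:25:34 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2",
    "Nov 13 18:25:35 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228",
    "Nov 13 18:25:35 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2",
    "Nov 13 18:40:00 blurr-ink imapd[49729]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]",
    "Nov 13 18:40:28 blurr-ink imapd[49733]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]",
    "Nov 13 18:40:34 blurr-ink imapd[49734]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]",
    "Nov 13 18:40:37 blurr-ink imapd[49735]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]",
]
```

Calling `scan(SAMPLE)` yields the two block decisions in the order the thread logged them; lowering `stale` below 902 makes the second one disappear, which is the (a,p,s) tuning the thread is asking about.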
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#17
dennylin93 said:
The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.

It's also possible to use # pfctl -t sshguard -T d ip.add.re.ss to delete IPs, -T s to show them and -T f to flush the table.
Thanks, yeah, I'm unblocked already.
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#18
Um, I think I either don't understand your syntax or it's wrong....
This worked but yours didn't:
Code:
blurr-ink# pfctl -Tshow -t sshguard
No ALTQ support in kernel
ALTQ related functions disabled
The -T f didn't flush them either; what am I doing wrong.... http://sshguard.sourceforge.net/doc/setup/blockingpf.html that's where I got the command I used. Oh, and I did re-ban myself before trying to flush them... time ran out before I got it to work.
 

DutchDaemon

Administrator
Staff member
Administrator
Moderator

Thanks: 2,493
Messages: 11,095

#19
These are all the same:
Code:
-t table -T s
-t table -T show
-t table -Ts
-t table -Tshow
-T s -t table
-T show -t table
-Ts -t table
-Tshow -t table
-ttable -T .... etc.
-Td -Tdelete -Tflush -T f -T delete -T flush etc. etc
 

Lego

Well-Known Member

Thanks: 1
Messages: 404

#25
Ok, um, I think I did the right thing. I'm supposed to submit an email to the mailing list?? So I did, and gave the link to this thread; hopefully that's what I was supposed to do, and someone will be able to help me :)