sshguard-pf (1.5_5) not working [SOLVED]

I built sshguard-pf from ports and then followed this guide:
http://www.sshguard.net/docs/setup/firewall/pf/

My /etc/pf.conf has the following in it:

Code:
table <sshguard> persist

block in quick on hn0 from <sshguard> to any #label "ssh bruteforce"
block in quick on hn1 from <sshguard> to any #label "ssh bruteforce"

sshguard is enabled in /etc/rc.conf via:

Code:
sshguard_enable="YES"

...and so is pf:

Code:
pf_enable="YES"

When I run pfctl, it shows the following:

Code:
No ALTQ support in kernel
ALTQ related functions disabled

even though I have the following kernel options built:
Code:
options         ALTQ
options         ALTQ_CBQ        # Class Bases Queuing (CBQ)
options         ALTQ_RED        # Random Early Detection (RED)
options         ALTQ_RIO        # RED In/Out
options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ       # Priority Queuing (PRIQ)
options         ALTQ_NOPCC      # Required for SMP build

I'm running FreeBSD 10.0-RELEASE-p7 (amd64).

I tried simulating an SSH brute force attack from a remote system but sshguard isn't blocking anything. PF itself seems to be working. What am I doing wrong?
 
Re: sshguard-pf (1.5_5) not working

For what it's worth, the same configuration works fine on a FreeBSD 9.2-RELEASE-p1 system. Has anyone been successful in making sshguard-pf work on 10.0?
 
Re: sshguard-pf (1.5_5) not working

I see I have the same problem on my 10-STABLE server. IP addresses are correctly added to the sshguard table but PF appears to never block them (I still see login attempts from those IP addresses after they've been blocked). This may have something to do with the changes for PF on 10.x as I do not see this behavior on my 9-STABLE servers. I was just about to update and rebuild the 10-STABLE server, I'll see if I can run some more tests.
 
Re: sshguard-pf (1.5_5) not working

Thank you for looking into it, @SirDice! I'll see if I can figure out who maintains that port and give them a buzz.
 
Re: sshguard-pf (1.5_5) not working

ph0enix said:
Thank you for looking into it, @SirDice! I'll see if I can figure out who maintains that port and give them a buzz.
The issue is probably not with sshguard-pf because the IP addresses are all correctly added to the table. If there is a bug I would suspect it to be in PF.
 
Re: sshguard-pf (1.5_5) not working

In my case addresses aren't being added to the table at all. It's as if sshguard isn't doing anything.
 
Re: sshguard-pf (1.5_5) not working

I talked to the maintainer and he helped me resolve the issue. I had syslog verbose logging enabled in rc.conf. Removing syslogd_flags=-v -v made sshguard work.

Apparently the <auth.info> and <auth.err> columns break the regex search.

The table entries still aren't being added to pf.conf but I can live without that since pfctl -T show -t sshguard shows me what's being blocked.
 
Well, this is what I'm seeing:
Code:
Aug 14 00:58:17 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:17 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:18 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:19 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:19 armitage sshd[23346]: Postponed keyboard-interactive for root from 144.0.0.30 port 39164 ssh2 [preauth]
Aug 14 00:58:19 armitage sshguard[726]: Offender '144.0.0.30:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Aug 14 00:58:19 armitage sshguard[726]: Blocking 144.0.0.30:4 for >0secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Aug 14 00:58:19 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:19 armitage sshd[23346]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39164 ssh2
Aug 14 00:58:20 armitage sshd[23346]: Postponed keyboard-interactive for root from 144.0.0.30 port 39164 ssh2 [preauth]
Aug 14 00:58:20 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:20 armitage sshd[23346]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39164 ssh2
Aug 14 00:58:20 armitage sshd[23346]: Postponed keyboard-interactive for root from 144.0.0.30 port 39164 ssh2 [preauth]
Aug 14 00:58:23 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:24 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:24 armitage sshd[23347]: Postponed keyboard-interactive for root from 144.0.0.30 port 39173 ssh2 [preauth]
Aug 14 00:58:25 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:25 armitage sshd[23347]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39173 ssh2
Aug 14 00:58:25 armitage sshd[23347]: Postponed keyboard-interactive for root from 144.0.0.30 port 39173 ssh2 [preauth]
Aug 14 00:58:26 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:26 armitage sshd[23347]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39173 ssh2
Aug 14 00:58:35 armitage sshd[23347]: Postponed keyboard-interactive for root from 144.0.0.30 port 39173 ssh2 [preauth]
Aug 14 00:58:35 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:35 armitage sshd[23347]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39173 ssh2
Aug 14 00:58:35 armitage sshd[23347]: Disconnecting: Too many authentication failures for root [preauth]
Aug 14 00:58:57 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30
Aug 14 00:58:57 armitage sshd[23346]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39164 ssh2
Aug 14 00:58:57 armitage sshd[23346]: Disconnecting: Too many authentication failures for root [preauth]
On my 9-STABLE machines the attempts immediately stop right after the "Blocking X.X.X.X" message. On 10-STABLE however I still get a bunch of attempts afterwards. The IP address is correctly added to the table:
Code:
root@armitage:~ # pfctl -T show -t sshguard
No ALTQ support in kernel
ALTQ related functions disabled
   1.93.30.190
   14.63.221.64
   42.51.16.186
   61.153.105.74
   61.153.105.107
   61.174.49.110
   82.99.186.25
   113.107.233.165
   144.0.0.25
   144.0.0.30
   144.0.0.34
   144.0.0.57
   177.139.163.248
   219.138.135.61
   222.163.192.150
   222.163.192.151

My rule in pf.conf looks like this (it's the first rule, all the way at the top):
Code:
# Drop sshguard flagged IPs as soon as possible
block drop in log quick on $ext_if from <sshguard> label "SSHGuard"

I still don't quite know why, though; my other rules all appear to be working just fine.
 
I see what you're saying. I can confirm that I'm seeing the same behavior on my end. There appears to be a 1 sec delay before the actual blocking once the "blocking" message is logged. This isn't specific to 10.0 though. I'm seeing it on my 9.3 system as well:

FreeBSD 10.0-RELEASE-p7:
Code:
Aug 14 09:08:09 local_hostname sshguard[16806]: Blocking xxx.xxx.xxx.xxx:4 for >630secs: 40 danger in 4 attacks over 3 seconds (all: 40d in 1 abuses over 3s).
Aug 14 09:08:09 local_hostname sshd[16890]: Invalid user matt from xxx.xxx.xxx.xxx
Aug 14 09:08:09 local_hostname sshd[16890]: input_userauth_request: invalid user matt [preauth]
Aug 14 09:08:09 local_hostname sshd[16890]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2 [preauth]
Aug 14 09:08:10 local_hostname sshd[16890]: error: PAM: authentication error for illegal user matt from remote_hostname
Aug 14 09:08:10 local_hostname sshd[16890]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2
Aug 14 09:08:10 local_hostname sshd[16890]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2 [preauth]
Aug 14 09:08:10 local_hostname sshd[16890]: error: PAM: authentication error for illegal user matt from remote_hostname
Aug 14 09:08:10 local_hostname sshd[16890]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2
Aug 14 09:08:10 local_hostname sshd[16890]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2 [preauth]
Aug 14 09:08:10 local_hostname sshd[16890]: error: PAM: authentication error for illegal user matt from remote_hostname
Aug 14 09:08:10 local_hostname sshd[16890]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 7906 ssh2
Aug 14 09:08:10 local_hostname sshd[16890]: Connection closed by xxx.xxx.xxx.xxx [preauth]
FreeBSD 9.3-RELEASE:
Code:
Aug 14 09:10:32 local_hostname sshguard[26323]: Blocking xxx.xxx.xxx.xxx:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Aug 14 09:10:32 local_hostname sshd[26363]: Failed keyboard-interactive/pam for invalid user john from xxx.xxx.xxx.xxx port 46956 ssh2
Aug 14 09:10:32 local_hostname sshd[26363]: Connection closed by xxx.xxx.xxx.xxx [preauth]
Aug 14 09:10:32 local_hostname sshd[26369]: Invalid user matt from xxx.xxx.xxx.xxx
Aug 14 09:10:32 local_hostname sshd[26369]: input_userauth_request: invalid user matt [preauth]
Aug 14 09:10:32 local_hostname sshd[26369]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2 [preauth]
Aug 14 09:10:33 local_hostname sshd[26369]: error: PAM: authentication error for illegal user matt from xxx.xxx.xxx.xxx
Aug 14 09:10:33 local_hostname sshd[26369]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2
Aug 14 09:10:33 local_hostname sshd[26369]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2 [preauth]
Aug 14 09:10:33 local_hostname sshd[26369]: error: PAM: authentication error for illegal user matt from xxx.xxx.xxx.xxx
Aug 14 09:10:33 local_hostname sshd[26369]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2
Aug 14 09:10:33 local_hostname sshd[26369]: Postponed keyboard-interactive for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2 [preauth]
Aug 14 09:10:33 local_hostname sshd[26369]: error: PAM: authentication error for illegal user matt from xxx.xxx.xxx.xxx
Aug 14 09:10:33 local_hostname sshd[26369]: Failed keyboard-interactive/pam for invalid user matt from xxx.xxx.xxx.xxx port 59567 ssh2
Aug 14 09:10:33 local_hostname sshd[26369]: Connection closed by xxx.xxx.xxx.xxx [preauth]

To be honest, I'm not sure that sshguard-pf has ever worked differently.
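As an added example (not code from this thread, from sshguard or from its port), the Python below parses the kind of sshd/sshguard log lines posted above, accepting both the default syslogd layout and the `<facility.level>` column that `syslogd_flags="-v -v"` adds, and shows how a pattern written for the default layout silently matches nothing on the verbose form, which is the failure the earlier post traced. It then counts, per offender, the failures logged after sshguard's "Blocking" line and how many came from an sshd process that was already serving that address before the block, i.e. a session established before the table entry existed; such a session already has a pf state, which a newly added `block in` table entry does not touch. The sample lines are constructed in the shape of the thread's logs and the regexes are my own, not sshguard's.

```python
import re

# Constructed sample modelled on the thread's logs, not a real capture. FreeBSD syslogd writes
# "Aug 14 00:58:17 armitage sshd[23346]: msg"; with syslogd_flags="-v -v" a "<facility.level>"
# column follows the timestamp. STRICT_RE only knows the default layout; TOLERANT_RE accepts both.
STRICT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)\[(\d+)\]: (.*)$")
TOLERANT_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (?:<[\w.]+> )?(\S+) (\S+?)\[(\d+)\]: (.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FROM_RE = re.compile(r" from " + IPV4)
FAIL_RE = re.compile(r"(?:authentication error for|Failed \S+ for) .*? from " + IPV4)
BLOCK_RE = re.compile(r"Blocking " + IPV4 + r":\d+ for ")
SAMPLE = [
    "Aug 14 00:58:17 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30",
    "Aug 14 00:58:17 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30",
    "Aug 14 00:58:18 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30",
    "Aug 14 00:58:19 armitage sshd[23346]: error: PAM: authentication error for root from 144.0.0.30",
    "Aug 14 00:58:19 armitage sshguard[726]: Blocking 144.0.0.30:4 for >0secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).",
    "Aug 14 00:58:19 armitage sshd[23346]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39164 ssh2",
    "Aug 14 00:58:23 armitage sshd[23347]: error: PAM: authentication error for root from 144.0.0.30",
    "Aug 14 00:58:40 armitage sshd[23400]: Failed keyboard-interactive/pam for root from 144.0.0.30 port 39200 ssh2",
]
# The same lines as syslogd -v -v would have written them (constructed the same way).
VERBOSE_SAMPLE = [l.replace(" armitage ", " <auth.info> armitage ", 1) for l in SAMPLE]

def analyze(lines, regex=TOLERANT_RE):
    """Per offending IP: failures before/after sshguard's 'Blocking' line, plus how many post-block
    failures came from an sshd PID already serving that IP before the block (a pre-existing session)."""
    report, pids_before = {}, {}
    for line in lines:
        m = regex.match(line)
        if not m:
            continue  # a line the regex cannot see is a line nobody acts on: the thread's symptom
        _, _, prog, pid, msg = m.groups()
        hit = BLOCK_RE.search(msg) if prog == "sshguard" else FROM_RE.search(msg) if prog == "sshd" else None
        if not hit:
            continue
        r = report.setdefault(hit[1], {"before": 0, "after": 0, "after_old_pid": 0, "blocked": False})
        if prog == "sshguard":
            r["blocked"] = True
            continue
        if not r["blocked"]:
            pids_before.setdefault(hit[1], set()).add(pid)  # sshd sessions open before the block
        if FAIL_RE.search(msg):
            if not r["blocked"]:
                r["before"] += 1
            else:
                r["after"] += 1
                r["after_old_pid"] += pid in pids_before.get(hit[1], set())  # True counts as 1
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE), analyze(VERBOSE_SAMPLE), analyze(VERBOSE_SAMPLE, STRICT_RE))
```

On the constructed sample, two of the three post-block failures come from PIDs 23346 and 23347, which were already handling connections when the block was added, while the third (PID 23400) is a genuinely new connection that the table did not stop; the strict pattern returns an empty report on the verbose lines.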
 