sshguard with TCP wrappers / hosts.allow does not work

FreeBSD 8.1-RELEASE

Code:
cd /usr/ports/security/sshguard
make install clean

Code:
pkg_info | grep sshg
sshguard-1.4        Protect hosts from brute force attacks against ssh and othe

Code:
vi /etc/syslog.conf
something ...

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log

/etc/rc.d/syslogd reload

Code:
less /etc/hosts.allow
something like this:

###sshguard###
###sshguard###
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.23.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.

#        _____                                      _          _
#       | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#       |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#       | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#       |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                          |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

Code:
tail /var/log/auth.log
something like this:

Dec 25 17:28:19 b sshguard[15013]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 123.111.128.211
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 123.111.128.211
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 123.111.128.211
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 123.111.128.211
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 123.111.128.211
Dec 25 17:28:29 b sshd[15023]: Invalid user dany from 123.111.128.211
Dec 25 17:28:31 b sshd[15025]: Invalid user susan from 123.111.128.211
Dec 25 17:28:33 b sshd[15027]: Invalid user oracle from 123.111.128.211
Dec 25 17:28:35 b sshd[15029]: Invalid user tomcat from 123.111.128.211
Dec 25 17:28:37 b sshd[15032]: Invalid user backup from 123.111.128.211
Dec 25 17:28:39 b sshd[15034]: Invalid user id from 123.111.128.211
Dec 25 17:28:40 b sshd[15036]: Invalid user sgi from 123.111.128.211
Dec 25 17:28:42 b sshd[15038]: Invalid user postgres from 123.111.128.211
Dec 25 17:28:44 b sshd[15040]: Invalid user flowers from 123.111.128.211
Dec 25 17:28:46 b sshd[15042]: Invalid user linux from 123.111.128.211
Dec 25 17:28:48 b sshd[15044]: Invalid user internet from 123.111.128.211
Dec 25 17:28:50 b sshd[15046]: Invalid user server from 123.111.128.211
Dec 25 17:28:52 b sshd[15048]: Invalid user nokia from 123.111.128.211
Dec 25 17:28:53 b sshd[15050]: Invalid user bash from 123.111.128.211
Dec 25 17:28:55 b sshd[15052]: Invalid user work from 123.111.128.211
Dec 25 17:28:59 b sshd[15056]: Invalid user gateway from 123.111.128.211
Dec 25 17:29:01 b sshd[15058]: Invalid user michael from 123.111.128.211
Dec 25 17:29:03 b sshd[15060]: Invalid user michael from 123.111.128.211
Dec 25 17:29:05 b sshd[15062]: Invalid user rk from 123.111.128.211
Dec 25 17:29:06 b sshd[15064]: Invalid user internet from 123.111.128.211
Dec 25 17:29:08 b sshd[15066]: Invalid user kathi from 123.111.128.211
Dec 25 17:29:10 b sshd[15068]: Invalid user squid from 123.111.128.211
Dec 25 17:29:12 b sshd[15070]: Invalid user darwin from 123.111.128.211
Dec 25 17:29:14 b sshd[15072]: Invalid user info from 123.111.128.211
Dec 25 17:29:16 b sshd[15074]: Invalid user job from 123.111.128.211
Dec 25 17:29:18 b sshd[15076]: Invalid user pamela from 123.111.128.211
Dec 25 17:29:19 b sshd[15078]: Invalid user jack from 123.111.128.211
Dec 25 17:29:21 b sshd[15080]: Invalid user webmaster from 123.111.128.211
Dec 25 17:29:25 b sshd[15084]: Invalid user shaun from 123.111.128.211
Dec 25 17:29:27 b sshd[15086]: Invalid user sven from 123.111.128.211
Dec 25 17:29:29 b sshd[15088]: Invalid user steve from 123.111.128.211
Dec 25 17:29:31 b sshd[15090]: Invalid user steven from 123.111.128.211
Dec 25 17:29:32 b sshd[15092]: Invalid user temp from 123.111.128.211
Dec 25 17:29:34 b sshd[15094]: Invalid user tim from 123.111.128.211

It seems that sshguard does not work in TCP wrapper mode with hosts.allow.
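As an added example (not code from the thread and not sshguard's own code): a small sh/awk replay of "Invalid user" lines under the policy sshguard printed at startup in the log above, "(a,p,s)=(4, 420, 1200)", read here as block a source after a=4 attacks, lift the block after p=420 s, forget an idle source after s=1200 s. Assumptions: each "Invalid user" line counts as one attack, all lines fall on the same day, and two log lines are constructed (one from 198.51.100.7 to show per-source counting, one at 17:36:00 to show the pardon expiring); the other eight lines are copied from the log in the post.

```shell
#!/bin/sh
# Added example: replay sshd "Invalid user" lines with sshguard-like
# parameters (abuse threshold a, pardon time p, stale time s).
# Assumptions: one "Invalid user" line = one attack; timestamps are on the
# same day and are converted to seconds since midnight.

# Constructed sample: eight lines quoted from the thread, plus one line from a
# second source (198.51.100.7) and one later line at 17:36:00 that are made up
# here to show per-source counting and the pardon expiring.
SAMPLE_LOG='Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 123.111.128.211
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 123.111.128.211
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 123.111.128.211
Dec 25 17:28:25 b sshd[15018]: Invalid user test from 198.51.100.7
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 123.111.128.211
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 123.111.128.211
Dec 25 17:28:29 b sshd[15023]: Invalid user dany from 123.111.128.211
Dec 25 17:29:32 b sshd[15092]: Invalid user temp from 123.111.128.211
Dec 25 17:29:34 b sshd[15094]: Invalid user tim from 123.111.128.211
Dec 25 17:36:00 b sshd[15200]: Invalid user tim from 123.111.128.211'

# replay_attacks ABUSE PARDON STALE   (reads syslog lines on stdin)
# Prints "<time> <source> <decision>" for every attack line, where decision is
# count (attack recorded), block (this attack crossed the threshold) or
# already-blocked (a working backend should have dropped this connection).
replay_attacks() {
    awk -v abuse="$1" -v pardon="$2" -v stale="$3" '
    function secs(ts,   h) { split(ts, h, ":"); return h[1] * 3600 + h[2] * 60 + h[3] }
    $6 == "Invalid" && $7 == "user" && $9 == "from" {
        ip = $10; t = secs($3)
        idle = (ip in last) ? t - last[ip] : 0
        last[ip] = t
        if (ip in blocked) {
            if (t - blocked[ip] < pardon) { print $3, ip, "already-blocked"; next }
            delete blocked[ip]            # pardon time elapsed: source is unblocked
        }
        if (idle >= stale) n[ip] = 0      # idle longer than the stale time: forget history
        n[ip]++
        if (n[ip] >= abuse) {
            blocked[ip] = t; n[ip] = 0
            print $3, ip, "block"; next
        }
        print $3, ip, "count"
    }'
}

# leaked_after_block ABUSE PARDON STALE: number of attacks that arrived from a
# source while it was supposed to be blocked. With a working backend this is 0.
leaked_after_block() {
    replay_attacks "$@" | awk '$3 == "already-blocked" { c++ } END { print c + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | replay_attacks 4 420 1200
echo "attacks that got through while blocked: $(printf '%s\n' "$SAMPLE_LOG" | leaked_after_block 4 420 1200)"
```

Feeding the full log from the post through `replay_attacks 4 420 1200` puts the block at the fourth attempt (17:28:26); every later line from 123.111.128.211 is one that a working backend would have stopped. Note also that sshguard's own startup message landed in auth.log, so its block messages would land there as well, and none appear in the pasted log.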
 
Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:
Code:
block in on $ext_if proto tcp from <sshguard>
And you're good to go.
 
SirDice said:
Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:
Code:
block in on $ext_if proto tcp from <sshguard>
And you're good to go.


Now I have installed sshguard-pf. /etc/pf.conf:

Code:
table <sshguard> persist

set skip on lo

scrub in

block in quick on egress proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out

Am I OK?
 
egress? Make sure you block incoming ssh connections on your external interface.
 
SirDice said:
egress? Make sure you block incoming ssh connections on your external interface.

Yes, the pf firewall works fine.
When I change pf.conf to "block in on $ext_if proto tcp from <sshguard>",
sshguard does not work either.

egress, from pf-faq41.pdf:

interface
The name or group of the network interface that the packet is moving through. Interfaces can be added to arbitrary groups using the ifconfig(8) command. Several groups are also automatically created by the kernel:

The egress group, which contains the interface(s) that holds the default route(s).

Interface family group for cloned interfaces. For example: ppp or carp
 
Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig(8).
 
kpa said:
Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig(8).

Yes, now /etc/pf.conf (loaded with pfctl -f /etc/pf.conf) is:

Code:
ext_if="bce1"

table <sshguard> persist

set skip on lo


block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out

But sshguard-pf does not work either.
 
Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?
 
DutchDaemon said:
Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?

The label keyword is from the example at http://www.sshguard.net/docs/setup/firewall/pf/


Now pf.conf is changed to:
Code:
ext_if="bce1"

table <sshguard> persist

set skip on lo

block in quick on $ext_if proto tcp from <sshguard>
pass in
pass out

pfctl -f /etc/pf.conf
/etc/rc.d/syslogd reload

I tested the brute force login; it does not work.
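As an added example, not from the thread and not part of sshguard: a sh lint for the pf.conf variants posted above, followed by a live table check to run on the FreeBSD host itself. It catches the two things raised in the replies (an "on egress" rule, which FreeBSD does not define by default, and a block rule without "quick" that a later "pass in" overrides, since pf evaluates last-match-wins) and the missing "table <sshguard> persist". The three pf.conf texts are constructed copies of the versions in the thread (bce1 is the poster's interface); 192.0.2.1 is a TEST-NET-1 address used only as a dummy table entry.

```shell
#!/bin/sh
# Added example: lint a pf.conf meant for the sshguard pf backend, then (only
# where pfctl exists, i.e. on the FreeBSD box) exercise the table by hand.

# Constructed copies of the pf.conf attempts from the thread.
PFCONF_EGRESS='table <sshguard> persist
set skip on lo
scrub in
block in quick on egress proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out'
PFCONF_NOQUICK='ext_if="bce1"
table <sshguard> persist
set skip on lo
block in on $ext_if proto tcp from <sshguard>
pass in
pass out'
PFCONF_OK='ext_if="bce1"
table <sshguard> persist
set skip on lo
block in quick on $ext_if proto tcp from <sshguard>
pass in
pass out'

# lint_pfconf FILE: exit 0 when FILE has the pieces sshguard-pf needs,
# non-zero (with reasons on stderr) otherwise.
lint_pfconf() {
    f=$1; rc=0
    if ! grep -Eq '^[[:space:]]*table[[:space:]]+<sshguard>[[:space:]]+persist' "$f"; then
        echo "$f: missing 'table <sshguard> persist' (sshguard-pf adds attackers to this table)" >&2; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*block[[:space:]]+in.*from[[:space:]]+<sshguard>' "$f"; then
        echo "$f: missing a 'block in ... from <sshguard>' rule" >&2; rc=1
    fi
    # "egress" is an interface group OpenBSD creates automatically; FreeBSD does
    # not, so "on egress" matches no interface unless you created the group.
    if grep -Eq '^[[:space:]]*block.*[[:space:]]on[[:space:]]+egress([[:space:]]|$)' "$f"; then
        echo "$f: block rule uses 'on egress', which FreeBSD does not define by default" >&2; rc=1
    fi
    # pf is last-match-wins: a block rule without "quick" that is followed by a
    # broad "pass in" is overridden by that pass rule.
    if ! awk '
        /^[ \t]*block[ \t]+in/ && /from[ \t]+<sshguard>/ { blk = NR; quick = /[ \t]quick[ \t]/ }
        /^[ \t]*pass[ \t]+in/ && blk && !quick && NR > blk { bad = 1 }
        END { exit bad + 0 }' "$f"; then
        echo "$f: the <sshguard> block rule lacks 'quick' and a later 'pass in' overrides it" >&2; rc=1
    fi
    return $rc
}

# live_check FILE [ADDR]: on the FreeBSD host, parse and load FILE, add a dummy
# address to the table, confirm it is listed and that the rule references the
# table, then remove the address. Skipped where pfctl is not installed.
live_check() {
    conf=$1; addr=${2:-192.0.2.1}     # 192.0.2.0/24 is TEST-NET-1: safe dummy
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; skipping live check"; return 0; }
    pfctl -nf "$conf" || return 1      # syntax check only
    pfctl -f "$conf" || return 1       # load the ruleset (replaces the running one)
    pfctl -t sshguard -T add "$addr" || return 1
    pfctl -t sshguard -T show | grep -q "$addr" || return 1
    pfctl -t sshguard -T delete "$addr"
    pfctl -vsr | grep -q '<sshguard>'
}

# Stand-alone demo: lint the three constructed configs.
for name in EGRESS NOQUICK OK; do
    eval "conf=\$PFCONF_$name"
    tmp=$(mktemp); printf '%s\n' "$conf" > "$tmp"
    if lint_pfconf "$tmp"; then echo "$name: ok"; else echo "$name: rejected"; fi
    rm -f "$tmp"
done
```

On the host, `lint_pfconf /etc/pf.conf && live_check /etc/pf.conf` proves that the table and rule are loaded and that addresses placed in the table are accepted; after that, any source that still gets through must be failing at the detection side (sshguard not receiving the syslog lines or not recognizing them), not at the firewall.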
 