1. sshguard Avatar sshguard
  2. sshguard
  3. sshguard
  4. Issues

SSH attacks blocked forever

Issue #86 closed
Christos Chatzaras created an issue

Issue:

SSH attacks blocked forever. Any idea why sshguard doesn't remove IPs after some time from ipfw table 22?

Configuration:

  • SSHGuard 2.1.0
  • FreeBSD 11.1
  • IPFW

Settings:

72115  -  Is         0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
72118  -  S          0:00.15 /usr/local/libexec/sshg-blocker -a 30 -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid -p 120 -s 1800 -w /usr/local/etc/sshguard.whitelist
72119  -  I          0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid

Logs:

Feb  6 18:03:00 server1 sshguard[72118]: Blocking "58.218.198.167/32" forever (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Feb  6 18:03:28 server1 sshguard[72118]: Blocking "189.122.84.25/32" forever (3 attacks in 6 secs, after 1 abuses over 6 secs.)
Feb  6 18:05:23 server1 sshguard[72118]: Blocking "216.107.145.10/32" forever (3 attacks in 3 secs, after 1 abuses over 3 secs.)
Feb  6 18:06:21 server1 sshguard[72118]: Blocking "54.37.74.219/32" forever (3 attacks in 132 secs, after 1 abuses over 132 secs.)

Comments (7)

  1. Kevin Zheng
    • changed status to open

    Could you include the relevant sections of your rc.conf and sshguard.conf?

    I believe you're seeing the blacklist feature, which is enabled by default on FreeBSD in the rc.d script. After 3 attacks, attackers are added to a blacklist.

  2. Christos Chatzaras reporter

    rc.conf only contains:

    sshguard_enable="YES"

    and here is my sshguard.conf :

    #!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-null"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. Ignored if LOGREADER is set.
# (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/xferlog"

# Shell command that provides logs on standard output. Takes precedence over
# FILES. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####


root@server1:/usr/local/etc # cat sshguard.conf
#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-null"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. Ignored if LOGREADER is set.
# (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/xferlog"

# Shell command that provides logs on standard output. Takes precedence over
# FILES. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
  3. Kevin Zheng

    Set sshguard_blacklist="" in /etc/rc.conf and remove /var/db/sshguard/blacklist.db to disable blacklisting and remove your current blacklist.

    Or, increase the blacklisting threshold: sshguard_blacklist="120:/var/db/sshguard/blacklist.db"

  6. Kevin Zheng

    No. Blacklisted attackers are blocked permanently. If you don't want this to happen, turn blacklisting off.

  8. Log in to comment
Assignee
Type
bug
Priority
major
Status
closed
Component
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!