SSH attacks blocked forever

Issue #86 closed
Christos Chatzaras created an issue

Issue:

SSH attacks blocked forever. Any idea why sshguard doesn't remove IPs after some time from ipfw table 22?

Configuration:

  • SSHGuard 2.1.0
  • FreeBSD 11.1
  • IPFW

Settings:

72115  -  Is         0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
72118  -  S          0:00.15 /usr/local/libexec/sshg-blocker -a 30 -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid -p 120 -s 1800 -w /usr/local/etc/sshguard.whitelist
72119  -  I          0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid

Logs:

Feb  6 18:03:00 server1 sshguard[72118]: Blocking "58.218.198.167/32" forever (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Feb  6 18:03:28 server1 sshguard[72118]: Blocking "189.122.84.25/32" forever (3 attacks in 6 secs, after 1 abuses over 6 secs.)
Feb  6 18:05:23 server1 sshguard[72118]: Blocking "216.107.145.10/32" forever (3 attacks in 3 secs, after 1 abuses over 3 secs.)
Feb  6 18:06:21 server1 sshguard[72118]: Blocking "54.37.74.219/32" forever (3 attacks in 132 secs, after 1 abuses over 132 secs.)

Comments (7)

  1. Kevin Zheng
    • changed status to open

    Could you include the relevant sections of your rc.conf and sshguard.conf?

    I believe you're seeing the blacklist feature, which is enabled by default on FreeBSD in the rc.d script. After 3 attacks, attackers are added to a blacklist.

  2. Christos Chatzaras (reporter)

    rc.conf only contains:

    sshguard_enable="YES"
    

    and here is my sshguard.conf:

    root@server1:/usr/local/etc # cat sshguard.conf
    #!/bin/sh
    # sshguard.conf -- SSHGuard configuration
    
    # Options that are uncommented in this example are set to their default
    # values. Options without defaults are commented out.
    
    #### REQUIRED CONFIGURATION ####
    # Full path to backend executable (required, no default)
    #BACKEND="/usr/local/libexec/sshg-fw-null"
    BACKEND="/usr/local/libexec/sshg-fw-ipfw"
    #BACKEND="/usr/local/libexec/sshg-fw-pf"
    
    # Space-separated list of log files to monitor. Ignored if LOGREADER is set.
    # (optional, no default)
    FILES="/var/log/auth.log /var/log/maillog /var/log/xferlog"
    
    # Shell command that provides logs on standard output. Takes precedence over
    # FILES. (optional, no default)
    # Example 1: ssh and sendmail from systemd journal:
    #LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
    # Example 2: ssh from os_log (macOS 10.12+)
    #LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
    
    #### OPTIONS ####
    # Block attackers when their cumulative attack score exceeds THRESHOLD.
    # Most attacks have a score of 10. (optional, default 30)
    THRESHOLD=30
    
    # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
    # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
    BLOCK_TIME=120
    
    # Remember potential attackers for up to DETECTION_TIME seconds before
    # resetting their score. (optional, default 1800)
    DETECTION_TIME=1800
    
    #### EXTRAS ####
    # !! Warning: These features may not work correctly with sandboxing. !!
    
    # Full path to PID file (optional, no default)
    PID_FILE=/var/run/sshguard.pid
    
    # Colon-separated blacklist threshold and full path to blacklist file.
    # (optional, no default)
    #BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db
    
    # IP addresses listed in the WHITELIST_FILE are considered to be
    # friendlies and will never be blocked.
    WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
    
  3. Kevin Zheng

    Set sshguard_blacklist="" in /etc/rc.conf and remove /var/db/sshguard/blacklist.db to disable blacklisting and remove your current blacklist.

    Or, increase the blacklisting threshold: sshguard_blacklist="120:/var/db/sshguard/blacklist.db"

  4. Kevin Zheng

    No. Blacklisted attackers are blocked permanently. If you don't want this to happen, turn blacklisting off.
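The thread's explanation (blacklisting is on by default in the FreeBSD rc.d script, and with the blacklist threshold equal to THRESHOLD every attacker that is blocked at all is blacklisted, hence blocked forever) can be turned into a small audit script. The following is an added example, not code from the sshguard project or from either participant. It assumes the log line formats shown in the issue (permanent blocks logged as `Blocking "<addr>" forever`, timed blocks as `Blocking "<addr>" for <N> secs`), that sshg-blocker's `-a` argument is THRESHOLD and `-b` is the `thresh:file` blacklist spec as in the ps output above, and it restates the comments' explanation as a rule: a blacklist threshold less than or equal to THRESHOLD means the first block is already permanent. The function names and the sample data are mine; the third log line is a constructed timed block for contrast.

```shell
#!/bin/sh
# Added example (not part of the issue thread or of the sshguard project):
# audit an sshguard host for the "blocked forever" symptom described above.
#
# Assumptions (mine, not stated by the project):
#   - permanent blocks are logged as 'Blocking "<addr>" forever (...)' and
#     timed blocks as 'Blocking "<addr>" for <N> secs (...)', as in the issue.
#   - sshg-blocker's -a argument is THRESHOLD and -b is the blacklist spec
#     "thresh:/path/to/blacklist.db", as shown in the ps output in the issue.
#   - a blacklist threshold <= THRESHOLD means an attacker is blacklisted the
#     moment it first crosses THRESHOLD, so every block is permanent. This is
#     the explanation given in the comments, restated as a rule.

# Constructed sample data modelled on the issue. The first two lines use the
# addresses from the thread; the third is a made-up timed block (TEST-NET
# address) so the counters have something to distinguish.
SAMPLE_LOG='Feb  6 18:03:00 server1 sshguard[72118]: Blocking "58.218.198.167/32" forever (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Feb  6 18:03:28 server1 sshguard[72118]: Blocking "189.122.84.25/32" forever (3 attacks in 6 secs, after 1 abuses over 6 secs.)
Feb  6 18:05:23 server1 sshguard[72118]: Blocking "192.0.2.10/32" for 120 secs (3 attacks in 3 secs, after 1 abuses over 3 secs.)'

# sshg-blocker command line as printed by ps in the issue.
SAMPLE_CMDLINE='/usr/local/libexec/sshg-blocker -a 30 -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid -p 120 -s 1800 -w /usr/local/etc/sshguard.whitelist'

# Number of permanent blocks in the log text given as $1.
count_forever_blocks() {
    printf '%s\n' "$1" | grep -c 'Blocking ".*" forever' || true
}

# Number of timed blocks in the log text given as $1.
count_timed_blocks() {
    printf '%s\n' "$1" | grep -c 'Blocking ".*" for [0-9][0-9]* secs' || true
}

# Addresses that were blocked forever, one per line.
forever_addresses() {
    printf '%s\n' "$1" | sed -n 's/.*Blocking "\([^"]*\)" forever.*/\1/p'
}

# Value of single-letter option $1 (e.g. a or b) in the sshg-blocker command
# line $2; prints nothing if the option is absent.
blocker_option() {
    printf '%s\n' "$2" | sed -n "s/.* -$1 \([^ ]*\).*/\1/p"
}

# Classify the blacklist configuration.
#   $1 = THRESHOLD, $2 = blacklist spec ("" when sshguard_blacklist="")
# Prints one of: disabled | immediate | delayed
blacklist_mode() {
    _threshold=$1
    _spec=$2
    [ -n "$_spec" ] || { echo disabled; return 0; }
    case $_threshold in
        ''|*[!0-9]*) echo "invalid THRESHOLD: $_threshold" >&2; return 1 ;;
    esac
    _bl=${_spec%%:*}
    case $_bl in
        ''|*[!0-9]*) echo "invalid blacklist spec: $_spec" >&2; return 1 ;;
    esac
    if [ "$_bl" -le "$_threshold" ]; then
        echo immediate      # first block already reaches the blacklist threshold
    else
        echo delayed        # attacker must be blocked repeatedly before being blacklisted
    fi
}

# Put the pieces together for a log excerpt ($1) and a blocker command line ($2).
audit() {
    _log=$1
    _cmd=$2
    _thr=$(blocker_option a "$_cmd")
    _spec=$(blocker_option b "$_cmd")
    _mode=$(blacklist_mode "$_thr" "$_spec")
    echo "permanent blocks: $(count_forever_blocks "$_log")"
    echo "timed blocks:     $(count_timed_blocks "$_log")"
    echo "THRESHOLD=$_thr blacklist=$_spec -> $_mode"
    if [ "$_mode" = immediate ]; then
        echo 'every first block is permanent: set sshguard_blacklist="" in rc.conf (and delete the blacklist file), or raise the blacklist threshold above THRESHOLD'
    fi
}

audit "$SAMPLE_LOG" "$SAMPLE_CMDLINE"
```

Run as-is it reports two permanent blocks, one timed block and `immediate` for the thread's `-a 30 -b 30:...` combination; feeding it the `120:/var/db/sshguard/blacklist.db` value suggested in the comments yields `delayed`, and an empty spec yields `disabled`. On a live FreeBSD host the same functions can be pointed at `ps -axww | grep sshg-blocker` output and `/var/log/auth.log` instead of the constructed samples.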
