- changed status to open
SSH attacks blocked forever
Issue #86
closed
Issue:
SSH attacks blocked forever. Any idea why sshguard doesn't remove IPs after some time from ipfw table 22?
Configuration:
- SSHGuard 2.1.0
- FreeBSD 11.1
- IPFW
Settings:
72115 - Is 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
72118 - S 0:00.15 /usr/local/libexec/sshg-blocker -a 30 -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid -p 120 -s 1800 -w /usr/local/etc/sshguard.whitelist
72119 - I 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 30:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
Logs:
Feb 6 18:03:00 server1 sshguard[72118]: Blocking "58.218.198.167/32" forever (3 attacks in 2 secs, after 1 abuses over 2 secs.)
Feb 6 18:03:28 server1 sshguard[72118]: Blocking "189.122.84.25/32" forever (3 attacks in 6 secs, after 1 abuses over 6 secs.)
Feb 6 18:05:23 server1 sshguard[72118]: Blocking "216.107.145.10/32" forever (3 attacks in 3 secs, after 1 abuses over 3 secs.)
Feb 6 18:06:21 server1 sshguard[72118]: Blocking "54.37.74.219/32" forever (3 attacks in 132 secs, after 1 abuses over 132 secs.)
Comments (7)
reporter rc.conf only contains:
sshguard_enable="YES"
and here is my sshguard.conf :
root@server1:/usr/local/etc # cat sshguard.conf
#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-null"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. Ignored if LOGREADER is set.
# (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/xferlog"

# Shell command that provides logs on standard output. Takes precedence over
# FILES. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
-
- changed status to resolved
Set
sshguard_blacklist=""
in /etc/rc.conf and remove /var/db/sshguard/blacklist.db to disable blacklisting and remove your current blacklist. Or, increase the blacklisting threshold:
sshguard_blacklist="120:/var/db/sshguard/blacklist.db"
-
- changed status to closed
-
reporter If an IP goes to blacklist.db it doesn't release it again after some time?
-
No. Blacklisted attackers are blocked permanently. If you don't want this to happen, turn blacklisting off.
-
reporter Thank you.
Could you include the relevant sections of your rc.conf and sshguard.conf?
I believe you're seeing the blacklist feature, which is enabled by default on FreeBSD in the rc.d script. After 3 attacks, attackers are added to a blacklist.
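A simplified model of the scoring rules quoted in the sshguard.conf above (attack score 10, THRESHOLD 30, BLOCK_TIME 120 growing by 1.5, DETECTION_TIME 1800) combined with the blacklist threshold the FreeBSD rc.d script passes via `-b`. This is an added example for this thread, not sshguard's own code, and the 198.51.100.7 login events are constructed; it shows why the default `30:` blacklists on the very first abuse ("after 1 abuses"), why `120:` allows three timed blocks first, and why `sshguard_blacklist=""` never blocks forever.

```python
# Simplified model of the scoring rules quoted in the thread; not sshguard's code.
ATTACK_SCORE = 10        # "Most attacks have a score of 10"
THRESHOLD = 30           # block when the cumulative score reaches this
BLOCK_TIME = 120         # first block in seconds; each later block is x1.5
DETECTION_TIME = 1800    # forget an attacker's score after this much quiet


def simulate(events, blacklist_threshold):
    """events: iterable of (timestamp_seconds, ip) for failed logins that
    reached the log.  blacklist_threshold: the N in '-b N:file', or None when
    sshguard_blacklist="" (blacklisting off).  Returns {ip: [block lengths in
    seconds, or "forever"]}."""
    state = {}  # ip -> dict(score, last_seen, abuses, dangerousness, blocks)
    for ts, ip in sorted(events):
        a = state.setdefault(ip, {"score": 0, "last_seen": ts, "abuses": 0,
                                  "dangerousness": 0, "blocks": []})
        if a["blocks"] and a["blocks"][-1] == "forever":
            continue  # already blacklisted; nothing more ever happens
        if ts - a["last_seen"] > DETECTION_TIME:
            a["score"] = 0  # stale attacker, start scoring again
        a["last_seen"] = ts
        a["score"] += ATTACK_SCORE
        if a["score"] < THRESHOLD:
            continue
        # Threshold reached: one "abuse".  The abuse score is added to the
        # attacker's lifetime dangerousness, which is what the blacklist
        # threshold is compared against (assumption of this model).
        a["abuses"] += 1
        a["dangerousness"] += a["score"]
        a["score"] = 0
        if blacklist_threshold is not None and a["dangerousness"] >= blacklist_threshold:
            a["blocks"].append("forever")
        else:
            a["blocks"].append(int(BLOCK_TIME * 1.5 ** (a["abuses"] - 1)))
    return {ip: a["blocks"] for ip, a in state.items()}


# Constructed sample: one address (TEST-NET-2, not a real attacker) making four
# bursts of three failed logins, ten minutes apart so each timed block has
# expired before the next burst reaches the log.
SAMPLE_EVENTS = [(burst * 600 + i, "198.51.100.7")
                 for burst in range(4) for i in range(3)]

if __name__ == "__main__":
    for label, bl in (("rc.d default -b 30: ", 30), ("suggested    -b 120:", 120),
                      ("blacklist off       ", None)):
        print(label, simulate(SAMPLE_EVENTS, bl)["198.51.100.7"])
```

With the rc.d default the first block is already permanent, which is exactly the "Blocking ... forever (3 attacks ..., after 1 abuses ...)" lines in the report; with `120:` the address gets 120, 180 and 270 second blocks before the fourth abuse blacklists it.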