So, I have SSHGuard and iptables set up on an Arch Linux system. journalctl lists all the login/connection attempts, but there are way more than four failed attempts for several IPs... but the SSHGuard conf is set up to block after 4:
[user@blacktower system]$ cat sshguard.service
[Unit]
Description=Block hacking attempts
After=iptables.service ip6tables.service network.target
Wants=iptables.service ip6tables.service
[Service]
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-p 6000 -b 40:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
[Install]
WantedBy=multi-user.target
IPTables appears to report that it is blocking several naughty IPs:
[user@blacktower ~]$ sudo iptables -L sshguard
Chain sshguard (1 references)
target prot opt source destination
DROP all -- 117.27.158.71 anywhere
DROP all -- mx6.fund123.cn anywhere
DROP all -- 205.51.174.61.dial.wz.zj.dynamic.163data.com.cn anywhere
DROP all -- 117.27.158.72 anywhere
DROP all -- 122.225.109.218 anywhere
DROP all -- 122.225.109.205 anywhere
DROP all -- 117.27.158.88 anywhere
but there are way more than four failed login attempts from 'naughty' IPs, e.g. the 117.27.158.71 entries:
[user@blacktower ~]$ journalctl -l -u sshd.service -n 100
-- Logs begin at Fri 2014-09-19 20:36:39 BST, end at Fri 2014-11-07 17:11:48 GMT. --
Nov 07 14:32:02 blacktower sshd[11797]: Failed password for root from 117.27.158.71 port 1065 ssh2
Nov 07 14:32:02 blacktower sshd[11800]: Failed password for root from 117.27.158.71 port 1874 ssh2
Nov 07 14:32:04 blacktower sshd[11799]: Failed password for root from 117.27.158.71 port 1075 ssh2
Nov 07 14:32:05 blacktower sshd[11797]: Failed password for root from 117.27.158.71 port 1065 ssh2
Nov 07 14:32:05 blacktower sshd[11797]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 1065 ssh2 [preauth]
Nov 07 14:32:05 blacktower sshd[11797]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:05 blacktower sshd[11800]: Failed password for root from 117.27.158.71 port 1874 ssh2
Nov 07 14:32:06 blacktower sshd[11799]: Failed password for root from 117.27.158.71 port 1075 ssh2
Nov 07 14:32:06 blacktower sshd[11803]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:07 blacktower sshd[11803]: Connection from 117.27.158.71 port 5517 on 192.168.0.3 port 22
Nov 07 14:32:07 blacktower sshd[11800]: Failed password for root from 117.27.158.71 port 1874 ssh2
Nov 07 14:32:07 blacktower sshd[11800]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 1874 ssh2 [preauth]
Nov 07 14:32:07 blacktower sshd[11800]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:08 blacktower sshd[11805]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:08 blacktower sshd[11805]: Connection from 117.27.158.71 port 6012 on 192.168.0.3 port 22
Nov 07 14:32:08 blacktower sshd[11799]: Failed password for root from 117.27.158.71 port 1075 ssh2
Nov 07 14:32:08 blacktower sshd[11799]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 1075 ssh2 [preauth]
Nov 07 14:32:08 blacktower sshd[11799]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:09 blacktower sshd[11807]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:09 blacktower sshd[11807]: Connection from 117.27.158.71 port 6256 on 192.168.0.3 port 22
Nov 07 14:32:10 blacktower sshd[11805]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:11 blacktower sshd[11807]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:12 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:14 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:14 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:16 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:16 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:19 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:19 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:20 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:20 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:22 blacktower sshd[11803]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:23 blacktower sshd[11805]: Failed password for root from 117.27.158.71 port 6012 ssh2
Nov 07 14:32:23 blacktower sshd[11805]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 6012 ssh2 [preauth]
Nov 07 14:32:23 blacktower sshd[11805]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:23 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:23 blacktower sshd[11809]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:23 blacktower sshd[11809]: Connection from 117.27.158.71 port 9583 on 192.168.0.3 port 22
Nov 07 14:32:24 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:25 blacktower sshd[11809]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:26 blacktower sshd[11807]: Failed password for root from 117.27.158.71 port 6256 ssh2
Nov 07 14:32:26 blacktower sshd[11807]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 6256 ssh2 [preauth]
Nov 07 14:32:26 blacktower sshd[11807]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:27 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:27 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:29 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:29 blacktower sshd[11811]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:29 blacktower sshd[11811]: Connection from 117.27.158.71 port 10366 on 192.168.0.3 port 22
Nov 07 14:32:29 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:31 blacktower sshd[11811]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:31 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:32 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:33 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:34 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:34 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:36 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:36 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:37 blacktower sshd[11803]: Failed password for root from 117.27.158.71 port 5517 ssh2
Nov 07 14:32:37 blacktower sshd[11803]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 5517 ssh2 [preauth]
Nov 07 14:32:37 blacktower sshd[11803]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:37 blacktower sshd[11813]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:37 blacktower sshd[11813]: Connection from 117.27.158.71 port 13196 on 192.168.0.3 port 22
Nov 07 14:32:38 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:39 blacktower sshd[11809]: Failed password for root from 117.27.158.71 port 9583 ssh2
Nov 07 14:32:39 blacktower sshd[11809]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 9583 ssh2 [preauth]
Nov 07 14:32:39 blacktower sshd[11809]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:39 blacktower sshd[11815]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:39 blacktower sshd[11815]: Connection from 117.27.158.71 port 13645 on 192.168.0.3 port 22
Nov 07 14:32:40 blacktower sshd[11813]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:40 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:41 blacktower sshd[11815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:41 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:43 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:43 blacktower sshd[11815]: Failed password for root from 117.27.158.71 port 13645 ssh2
Nov 07 14:32:43 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:44 blacktower sshd[11811]: Failed password for root from 117.27.158.71 port 10366 ssh2
Nov 07 14:32:44 blacktower sshd[11811]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 10366 ssh2 [preauth]
Nov 07 14:32:44 blacktower sshd[11811]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:45 blacktower sshd[11815]: Failed password for root from 117.27.158.71 port 13645 ssh2
Nov 07 14:32:45 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:46 blacktower sshd[11818]: Set /proc/self/oom_score_adj to 0
Nov 07 14:32:46 blacktower sshd[11818]: Connection from 117.27.158.71 port 14980 on 192.168.0.3 port 22
Nov 07 14:32:48 blacktower sshd[11818]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:48 blacktower sshd[11815]: Failed password for root from 117.27.158.71 port 13645 ssh2
Nov 07 14:32:48 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:50 blacktower sshd[11818]: Failed password for root from 117.27.158.71 port 14980 ssh2
Nov 07 14:32:50 blacktower sshd[11815]: Failed password for root from 117.27.158.71 port 13645 ssh2
Nov 07 14:32:50 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:52 blacktower sshd[11818]: Failed password for root from 117.27.158.71 port 14980 ssh2
Nov 07 14:32:52 blacktower sshd[11818]: fatal: Read from socket failed: Connection reset by peer [preauth]
Nov 07 14:32:52 blacktower sshd[11818]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:53 blacktower sshd[11815]: Failed password for root from 117.27.158.71 port 13645 ssh2
Nov 07 14:32:53 blacktower sshd[11815]: fatal: Write failed: Connection reset by peer [preauth]
Nov 07 14:32:53 blacktower sshd[11815]: PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=117.27.158.71 user=root
Nov 07 14:32:53 blacktower sshd[11813]: Failed password for root from 117.27.158.71 port 13196 ssh2
Nov 07 14:32:53 blacktower sshd[11813]: Disconnecting: Too many authentication failures for root from 117.27.158.71 port 13196 ssh2 [preauth]
Nov 07 14:32:53 blacktower sshd[11813]: fatal: Write failed: Connection reset by peer [preauth]
Nov 07 16:50:21 blacktower sshd[12364]: Set /proc/self/oom_score_adj to 0
Nov 07 16:50:21 blacktower sshd[12364]: Connection from 194.150.11.201 port 46027 on 192.168.0.3 port 22
Nov 07 16:50:22 blacktower sshd[12364]: Received disconnect from 194.150.11.201: 11: Bye Bye [preauth]
So: is there a problem with my config? If iptables were blocking the ones it lists, surely there would be no failed logins, because they would never get that far?
Thanks
Your iptables rules are useless if an ACCEPT rule is hit *before* the DROP rule
Show the output of:
iptables-save
Thank you for responding. Here is the output of iptables-save and ip6tables-save (both produce no output...)
[user@blacktower etc]$ iptables-save
[user@blacktower etc]$ ip6tables-save
Run it as *root*. Or use sudo.
Thanks for replying again. Sorry, I wasn't using sudo; here it is:
[user@blacktower iptables]$ sudo iptables-save
# Generated by iptables-save v1.4.21 on Fri Nov 7 18:07:17 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A sshguard -s 61.174.51.210/32 -j DROP
-A sshguard -s 117.27.158.71/32 -j DROP
-A sshguard -s 122.225.97.103/32 -j DROP
-A sshguard -s 61.174.51.205/32 -j DROP
-A sshguard -s 117.27.158.72/32 -j DROP
-A sshguard -s 122.225.109.218/32 -j DROP
-A sshguard -s 122.225.109.205/32 -j DROP
-A sshguard -s 117.27.158.88/32 -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-logging-forward -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-input -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-logging-output -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT INVALID] "
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 631 -j ACCEPT
-A ufw-user-input -p udp -m udp --dport 631 -j ACCEPT
-A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT
-A ufw-user-input -p tcp -m multiport --dports 80,443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 631 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 631 -j ACCEPT
-A ufw-user-output -p udp -m multiport --dports 137,138 -j ACCEPT
-A ufw-user-output -p tcp -m multiport --dports 139,445 -j ACCEPT
-A ufw-user-output -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
# Completed on Fri Nov 7 18:07:17 2014
Last edited by tornadof3 (2014-11-07 18:09:14)
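Walking the posted iptables-save dump rule by rule, as an added example that is not from this thread or from the sshguard, ufw or iptables projects: a small Python model of INPUT-chain traversal over a trimmed copy of the dump above, showing that a new connection to port 22 from 117.27.158.71 is ACCEPTed inside ufw-user-input before INPUT ever reaches its last rule, the jump to sshguard, and that moving that jump to the top of INPUT (what `iptables -I INPUT 1 -p tcp --dport 22 -j sshguard` does) lets the sshguard DROP fire. The interface name and the LOCAL destination address type are assumptions; the ruleset text is copied from the post, trimmed to the chains such a packet actually visits.

```python
"""Added example for this thread (not sshguard/ufw/iptables code): trace a new SSH connection
through an iptables-save ruleset and report the rule that decides it."""
import ipaddress
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Supported options, each taking one argument; -m/--limit*/--log-prefix add no packet condition.
ARG_OPTS = {"-s", "-p", "-i", "-m", "-j", "--dport", "--dports", "--state", "--dst-type",
            "--limit", "--limit-burst", "--log-prefix"}
SETTERS = {  # option -> (Packet attribute it constrains, argument parser)
    "-s": ("src", ipaddress.ip_network), "-p": ("proto", str), "-i": ("iface", str),
    "--dst-type": ("dst_type", str), "--state": ("state", lambda a: set(a.split(","))),
    **{o: ("dport", lambda a: {int(x) for x in a.split(",")}) for o in ("--dport", "--dports")},
}

@dataclass
class Packet:
    src: str
    proto: str = "tcp"
    dport: int = 22
    iface: str = "eth0"      # assumption: the thread never names the interface
    state: str = "NEW"       # a fresh connection, as conntrack classifies the SYN
    dst_type: str = "LOCAL"  # addrtype of a packet addressed to this host

@dataclass
class Rule:
    chain: str
    text: str
    target: str = ""
    cond: dict = field(default_factory=dict)

    def matches(self, p: Packet) -> bool:
        c = self.cond  # set-valued conditions use membership, the rest equality
        return (("src" not in c or ipaddress.ip_address(p.src) in c["src"])
                and all(k not in c or getattr(p, k) in c[k] for k in ("dport", "state"))
                and all(k not in c or getattr(p, k) == c[k] for k in ("proto", "iface", "dst_type")))

def parse(dump: str):
    """Return ({chain: policy}, {chain: [Rule, ...]}) from iptables-save text."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):  # ":INPUT DROP [0:0]"; user chains carry policy "-"
            policies.update([line[1:].split()[:2]])
        elif line.startswith("-A "):
            toks = shlex.split(line)
            r = Rule(chain=toks[1], text=line)
            for opt, arg in zip(toks[2::2], toks[3::2]):
                if opt not in ARG_OPTS:  # never let an unknown match degrade to "match all"
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                if opt == "-j":
                    r.target = arg
                elif opt in SETTERS:
                    r.cond[SETTERS[opt][0]] = SETTERS[opt][1](arg)
            rules.setdefault(r.chain, []).append(r)
    return policies, rules

def trace(policies, rules, pkt: Packet, chain: str = "INPUT", depth: int = 0):
    """Kernel-style walk: first terminating match wins, -j into a user chain recurses,
    RETURN or the end of a user chain falls back to the caller, policy only for INPUT."""
    for r in (x for x in rules.get(chain, []) if x.matches(pkt)):
        if r.target in TERMINAL:
            return r.target, r.text
        if r.target == "RETURN":
            break
        if r.target != "LOG":  # LOG is non-terminating; any other target is a user chain
            verdict, text = trace(policies, rules, pkt, r.target, depth + 1)
            if verdict:
                return verdict, text
    return (policies.get(chain, "ACCEPT"), f"policy of {chain}") if depth == 0 else (None, None)

def with_sshguard_first(dump: str) -> str:
    """Emulate `iptables -I INPUT 1 -p tcp --dport 22 -j sshguard`: the jump becomes INPUT's first rule."""
    lines = dump.splitlines()
    jump = next(l for l in lines if l.startswith("-A INPUT ") and l.endswith("-j sshguard"))
    lines.remove(jump)
    lines.insert(next(i for i, l in enumerate(lines) if l.startswith("-A INPUT ")), jump)
    return "\n".join(lines)

# Constructed from the posted dump: INPUT trimmed to the chains a new TCP connection to port 22 visits.
RULESET = """\
:INPUT DROP [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A sshguard -s 117.27.158.71/32 -j DROP
-A ufw-before-logging-input -m state --state NEW -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW AUDIT] "
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -j ufw-user-input
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -j DROP
-A ufw-user-input -p tcp -m multiport --dports 80,443 -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
"""

def decide(dump: str, src: str):
    """Verdict for a new TCP connection to port 22 from src under the given ruleset."""
    policies, rules = parse(dump)
    return trace(policies, rules, Packet(src=src))
```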
But, the problems with iptables notwithstanding, it does not look like sshguard is even creating the rules. Do any attacks get blocked? Here is the current history on my system:
ewaller@odin ~ 1021 %journalctl $(which sshguard)
-- Logs begin at Mon 2014-10-27 18:51:13 PDT, end at Fri 2014-11-07 10:14:06 PST. --
Oct 28 15:08:47 odin sshguard[580]: Blocking 122.225.109.109:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 276408s).
Oct 28 19:17:38 odin sshguard[580]: Blocking 60.173.14.146:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
Oct 29 00:25:43 odin sshguard[580]: Blocking 122.225.109.218:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 02:18:31 odin sshguard[580]: Blocking 61.174.50.245:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 287059s).
Oct 29 03:32:35 odin sshguard[580]: Blocking 122.225.109.115:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 04:40:26 odin sshguard[580]: Blocking 122.225.97.76:4 for >945secs: 40 danger in 4 attacks over 37 seconds (all: 80d in 2 abuses over 152854s).
Oct 29 05:42:11 odin sshguard[580]: Blocking 61.174.51.223:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 182165s).
Oct 29 06:38:31 odin sshguard[580]: Blocking 61.174.51.225:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 29 07:12:37 odin sshguard[580]: Blocking 122.225.97.108:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 95388s).
Oct 29 07:44:33 odin sshguard[580]: Blocking 122.225.97.110:4 for >945secs: 40 danger in 4 attacks over 9 seconds (all: 80d in 2 abuses over 386931s).
Oct 29 09:16:42 odin sshguard[580]: Blocking 122.225.97.81:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 29 11:06:50 odin sshguard[580]: Blocking 122.225.97.98:4 for >630secs: 40 danger in 4 attacks over 5 seconds (all: 40d in 1 abuses over 5s).
Oct 29 11:59:56 odin sshguard[580]: Blocking 122.225.97.80:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 194177s).
Oct 29 12:50:22 odin sshguard[580]: Blocking 61.174.50.134:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 29 15:01:17 odin sshguard[580]: Blocking 122.225.109.118:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 263249s).
Oct 29 15:58:33 odin sshguard[580]: Blocking 122.225.97.75:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Oct 29 18:04:00 odin sshguard[580]: Blocking 218.2.0.135:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 415735s).
Oct 29 19:30:19 odin sshguard[580]: Offender '61.174.51.220:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 29 19:30:19 odin sshguard[580]: Blocking 61.174.51.220:4 for >0secs: 40 danger in 4 attacks over 6 seconds (all: 120d in 3 abuses over 189118s).
Oct 29 20:36:14 odin sshguard[580]: Blocking 122.225.97.123:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 22:06:54 odin sshguard[580]: Blocking 122.225.97.87:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 22:16:21 odin sshguard[580]: Blocking 122.225.97.121:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 06:55:32 odin sshguard[580]: Blocking 117.27.158.78:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all: 40d in 1 abuses over 12s).
Oct 30 08:56:50 odin sshguard[580]: Blocking 122.225.97.90:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Oct 30 09:00:27 odin sshguard[580]: Blocking 122.225.97.79:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 10:11:05 odin sshguard[580]: Blocking 122.225.97.67:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 408025s).
Oct 30 14:10:05 odin sshguard[580]: Blocking 122.225.109.201:4 for >630secs: 40 danger in 4 attacks over 11 seconds (all: 40d in 1 abuses over 11s).
Oct 30 14:34:57 odin sshguard[580]: Blocking 122.225.109.197:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 498061s).
Oct 30 15:09:35 odin sshguard[580]: Blocking 122.225.97.124:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 15:25:28 odin sshguard[580]: Blocking 165.225.138.52:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 17:42:13 odin sshguard[580]: Blocking 122.225.109.204:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 18:19:24 odin sshguard[580]: Blocking 111.74.238.101:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 18:31:46 odin sshguard[580]: Blocking 111.74.238.101:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 749s).
Oct 30 18:49:46 odin sshguard[580]: Offender '111.74.238.101:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 30 18:49:46 odin sshguard[580]: Blocking 111.74.238.101:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 1828s).
Oct 30 19:16:11 odin sshguard[580]: Blocking 117.27.158.76:4 for >945secs: 40 danger in 4 attacks over 8 seconds (all: 80d in 2 abuses over 226069s).
Oct 30 20:39:24 odin sshguard[580]: Blocking 218.2.0.125:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Oct 30 22:49:28 odin sshguard[580]: Blocking 122.225.97.113:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 00:41:08 odin sshguard[580]: Blocking 61.174.51.214:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 31 01:19:40 odin sshguard[580]: Blocking 122.225.97.121:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 97406s).
Oct 31 01:25:15 odin sshguard[580]: Blocking 122.225.109.107:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 231314s).
Oct 31 05:03:42 odin sshguard[580]: Offender '61.174.51.223:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 31 05:03:42 odin sshguard[580]: Blocking 61.174.51.223:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 352656s).
Oct 31 06:44:28 odin sshguard[580]: Blocking 122.225.97.104:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Oct 31 10:25:11 odin sshguard[580]: Blocking 122.225.97.123:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 136144s).
Oct 31 10:50:38 odin sshguard[580]: Offender '218.2.0.135:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 31 10:50:38 odin sshguard[580]: Blocking 218.2.0.135:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 562533s).
Oct 31 12:06:41 odin sshguard[580]: Blocking 122.225.97.74:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 31 14:42:18 odin sshguard[580]: Blocking 122.225.97.100:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 15:10:31 odin sshguard[580]: Blocking 122.225.109.215:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Oct 31 16:20:55 odin sshguard[580]: Blocking 122.225.109.105:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 17:37:59 odin sshguard[580]: Blocking 122.225.109.116:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 19:20:01 odin sshguard[580]: Blocking 122.225.97.68:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
-- Reboot --
Oct 31 21:55:14 odin sshguard[600]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
-- Reboot --
Nov 02 15:32:41 odin sshguard[581]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 02 16:06:55 odin sshguard[581]: Blocking 122.225.109.98:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 02 17:46:24 odin sshguard[581]: Blocking 122.225.97.109:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 02 18:09:48 odin sshguard[581]: Blocking 122.225.97.113:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 31 06:44:28 odin sshguard[580]: Blocking 122.225.97.104:4 for >630secs: 40 danger in 4 attacks over 10 seconds (all: 40d in 1 abuses over 10s).
Oct 31 10:25:11 odin sshguard[580]: Blocking 122.225.97.123:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 136144s).
Oct 31 10:50:38 odin sshguard[580]: Offender '218.2.0.135:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 31 10:50:38 odin sshguard[580]: Blocking 218.2.0.135:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 562533s).
Oct 31 12:06:41 odin sshguard[580]: Blocking 122.225.97.74:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 31 14:42:18 odin sshguard[580]: Blocking 122.225.97.100:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 15:10:31 odin sshguard[580]: Blocking 122.225.109.215:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Oct 31 16:20:55 odin sshguard[580]: Blocking 122.225.109.105:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 17:37:59 odin sshguard[580]: Blocking 122.225.109.116:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 31 19:20:01 odin sshguard[580]: Blocking 122.225.97.68:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
-- Reboot --
Oct 31 21:55:14 odin sshguard[600]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
-- Reboot --
Nov 02 15:32:41 odin sshguard[581]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 02 16:06:55 odin sshguard[581]: Blocking 122.225.109.98:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 02 17:46:24 odin sshguard[581]: Blocking 122.225.97.109:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 02 18:09:48 odin sshguard[581]: Blocking 122.225.97.113:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 02 21:42:11 odin sshguard[581]: Blocking 117.27.158.104:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 00:15:15 odin sshguard[581]: Blocking 192.126.120.83:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 03 01:46:40 odin sshguard[581]: Blocking 61.174.51.225:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 02:33:29 odin sshguard[581]: Blocking 122.225.97.100:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Nov 03 02:51:52 odin sshguard[581]: Blocking 122.225.97.105:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Nov 03 03:28:16 odin sshguard[581]: Blocking 122.225.97.121:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 04:39:50 odin sshguard[581]: Blocking 122.225.109.108:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 07:56:11 odin sshguard[581]: Blocking 218.2.0.123:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 11:42:58 odin sshguard[581]: Blocking 122.225.109.196:4 for >630secs: 40 danger in 4 attacks over 17 seconds (all: 40d in 1 abuses over 17s).
Nov 03 12:25:59 odin sshguard[581]: Blocking 122.225.97.104:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 15:18:15 odin sshguard[581]: Blocking 122.225.109.107:4 for >630secs: 40 danger in 4 attacks over 45 seconds (all: 40d in 1 abuses over 45s).
Nov 03 15:33:59 odin sshguard[581]: Blocking 122.225.109.119:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 18:53:58 odin sshguard[581]: Blocking 122.225.109.117:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 03 21:36:42 odin sshguard[581]: Blocking 122.225.97.75:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 03 21:42:52 odin sshguard[581]: Blocking 122.225.97.111:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
-- Reboot --
Nov 03 22:51:00 odin sshguard[612]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 03 22:58:52 odin sshguard[612]: Blocking 222.186.34.142:4 for >630secs: 40 danger in 4 attacks over 4 seconds (all: 40d in 1 abuses over 4s).
Nov 04 03:27:03 odin sshguard[612]: Blocking 122.225.109.110:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 04 03:54:45 odin sshguard[612]: Blocking 122.225.97.125:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 04 04:15:20 odin sshguard[612]: Blocking 122.225.97.89:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 08:43:38 odin sshguard[612]: Blocking 122.225.109.111:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 04 09:12:47 odin sshguard[612]: Blocking 122.225.109.117:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 10:01:43 odin sshguard[612]: Blocking 122.225.97.76:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 11:01:03 odin sshguard[612]: Blocking 192.126.120.53:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 13:41:31 odin sshguard[612]: Blocking 122.225.97.125:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 35214s).
Nov 04 13:55:03 odin sshguard[612]: Blocking 192.126.120.89:4 for >630secs: 40 danger in 4 attacks over 22 seconds (all: 40d in 1 abuses over 22s).
Nov 04 14:41:39 odin sshguard[612]: Blocking 117.27.158.88:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 04 15:30:21 odin sshguard[612]: Blocking 122.225.109.196:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 20:01:59 odin sshguard[612]: Blocking 122.225.109.221:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 20:16:21 odin sshguard[612]: Blocking 122.225.97.98:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 21:43:51 odin sshguard[612]: Blocking 122.225.97.96:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 04 22:14:26 odin sshguard[612]: Blocking 122.225.109.200:4 for >630secs: 40 danger in 4 attacks over 33 seconds (all: 40d in 1 abuses over 33s).
Nov 04 22:43:19 odin sshguard[612]: Blocking 122.225.97.67:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 05 02:10:26 odin sshguard[612]: Blocking 122.225.109.198:4 for >630secs: 40 danger in 4 attacks over 35 seconds (all: 40d in 1 abuses over 35s).
Nov 05 10:17:07 odin sshguard[612]: Offender '122.225.97.125:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Nov 05 10:17:07 odin sshguard[612]: Blocking 122.225.97.125:4 for >0secs: 40 danger in 4 attacks over 8 seconds (all: 120d in 3 abuses over 109350s).
Nov 05 11:13:31 odin sshguard[612]: Blocking 122.225.109.203:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 05 13:44:33 odin sshguard[612]: Blocking 218.2.0.132:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 05 13:55:23 odin sshguard[612]: Blocking 122.225.97.89:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 121210s).
Nov 05 15:29:47 odin sshguard[612]: Blocking 122.225.97.104:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 05 17:36:44 odin sshguard[612]: Blocking 117.27.158.69:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 05 22:35:14 odin sshguard[612]: Blocking 192.126.120.71:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 06 01:00:02 odin sshguard[612]: Blocking 122.225.97.103:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 06 05:55:03 odin sshguard[612]: Blocking 117.27.158.88:4 for >945secs: 40 danger in 4 attacks over 7 seconds (all: 80d in 2 abuses over 141210s).
Nov 06 09:35:53 odin sshguard[612]: Blocking 122.225.97.112:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 06 10:20:59 odin sshguard[612]: Blocking 192.126.120.96:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 06 10:25:45 odin sshguard[612]: Blocking 192.126.120.16:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 06 10:32:22 odin sshguard[612]: Blocking 192.126.120.43:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 06 12:19:39 odin sshguard[612]: Blocking 122.225.109.194:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 06 18:45:53 odin sshguard[612]: Blocking 122.225.97.124:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 06 19:12:25 odin sshguard[612]: Blocking 61.174.51.222:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Nov 06 19:57:38 odin sshguard[612]: Blocking 144.0.0.71:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 06 21:31:37 odin sshguard[612]: Blocking 122.225.97.90:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 06 22:54:50 odin sshguard[612]: Blocking 122.225.109.100:4 for >630secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Nov 07 05:22:26 odin sshguard[612]: Blocking 144.0.0.52:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
ewaller@odin ~ 1023 %
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Thanks... I ran that command and it showed some interesting results; what is the blocking for >0 secs all about? Is that just what it says when blacklisting?
[user@blacktower iptables]$ sudo journalctl $(which sshguard)
-- Logs begin at Fri 2014-09-19 20:36:39 BST, end at Fri 2014-11-07 18:19:02 GMT. --
Oct 29 07:51:30 blacktower sshguard[1691]: Blacklist file '/var/db/sshguard/blacklist.db' doesn't exist, I'll create it for you.
Oct 29 07:51:30 blacktower sshguard[1691]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 29 08:27:53 blacktower sshguard[1691]: Got CONTINUE signal, resuming activity.
Oct 29 08:27:53 blacktower sshguard[1691]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
Oct 29 08:49:01 blacktower sshguard[500]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 29 08:49:45 blacktower sshguard[500]: Got CONTINUE signal, resuming activity.
Oct 29 08:49:45 blacktower sshguard[500]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
Oct 29 08:59:29 blacktower sshguard[550]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 29 09:50:17 blacktower sshguard[550]: Blocking 122.225.109.99:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 10:22:13 blacktower sshguard[550]: Blocking 122.225.97.117:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 14:54:33 blacktower sshguard[550]: Blocking 122.225.109.104:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 29 19:02:44 blacktower sshguard[550]: Got CONTINUE signal, resuming activity.
Oct 29 19:02:44 blacktower sshguard[550]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
Oct 30 08:15:54 blacktower sshguard[2268]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
-- Reboot --
Oct 30 16:34:39 blacktower sshguard[539]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 30 17:32:41 blacktower sshguard[539]: Blocking 122.225.97.125:4 for >630secs: 40 danger in 4 attacks over 6 seconds (all: 40d in 1 abuses over 6s).
Oct 30 19:19:45 blacktower sshguard[539]: Blocking 117.27.158.89:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 20:02:09 blacktower sshguard[539]: Blocking 61.174.51.221:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 20:59:33 blacktower sshguard[539]: Got CONTINUE signal, resuming activity.
Oct 30 20:59:33 blacktower sshguard[539]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
Nov 01 09:16:21 blacktower sshguard[666]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
-- Reboot --
Nov 01 14:39:47 blacktower sshguard[539]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 01 15:16:54 blacktower sshguard[539]: Blocking 122.225.109.200:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 01 16:02:00 blacktower sshguard[539]: Blocking 122.225.97.97:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 01 16:13:15 blacktower sshguard[539]: Blocking 122.225.97.71:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 01 16:33:19 blacktower sshguard[539]: Blocking 61.174.51.212:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
-- Reboot --
Nov 02 18:36:26 blacktower sshguard[1825]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 02 19:17:31 blacktower sshguard[1825]: Got CONTINUE signal, resuming activity.
Nov 02 19:26:56 blacktower sshguard[4533]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 02 19:27:11 blacktower sshguard[4533]: Got exit signal, flushing blocked addresses and exiting...
Nov 02 19:27:11 blacktower sshguard[4554]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
-- Reboot --
Nov 03 17:19:38 blacktower sshguard[557]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
-- Reboot --
Nov 05 18:56:49 blacktower sshguard[553]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
-- Reboot --
Nov 06 16:23:52 blacktower sshguard[711]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
-- Reboot --
Nov 06 18:13:40 blacktower sshguard[520]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
Nov 06 20:47:43 blacktower sshguard[520]: Offender '122.225.109.205:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 06 20:47:43 blacktower sshguard[520]: Blocking 122.225.109.205:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 06 20:54:16 blacktower sshguard[520]: Offender '117.27.158.88:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 06 20:54:16 blacktower sshguard[520]: Blocking 117.27.158.88:4 for >0secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 06 21:39:05 blacktower sshguard[520]: Got CONTINUE signal, resuming activity.
Nov 06 21:39:05 blacktower sshguard[520]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
Nov 07 07:00:18 blacktower sshguard[2472]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
Nov 07 07:29:11 blacktower sshguard[2472]: Offender '122.225.109.218:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 07:29:11 blacktower sshguard[2472]: Blocking 122.225.109.218:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 07 09:10:09 blacktower sshguard[2472]: Offender '117.27.158.72:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 09:10:09 blacktower sshguard[2472]: Blocking 117.27.158.72:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 07 12:55:18 blacktower sshguard[2472]: Offender '61.174.51.205:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 12:55:18 blacktower sshguard[2472]: Blocking 61.174.51.205:4 for >0secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Nov 07 13:51:32 blacktower sshguard[2472]: Offender '122.225.97.103:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 13:51:32 blacktower sshguard[2472]: Blocking 122.225.97.103:4 for >0secs: 40 danger in 4 attacks over 9 seconds (all: 40d in 1 abuses over 9s).
Nov 07 14:28:59 blacktower sshguard[2472]: Offender '117.27.158.71:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 14:28:59 blacktower sshguard[2472]: Blocking 117.27.158.71:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Nov 07 17:15:59 blacktower sshguard[2472]: Offender '61.174.51.210:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 17:15:59 blacktower sshguard[2472]: Blocking 61.174.51.210:4 for >0secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
Last edited by tornadof3 (2014-11-07 18:25:08)
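The ">0secs" question in the post above, worked through as an added example (this is not code from the thread or from sshguard itself). The script replays sshguard's own journal lines: the `Started successfully [(a,p,s)=...]` tuple gives the abuse threshold, pardon time and stale time; each `Blocking` line reports the block length and the running abuse count; an `Offender ... -> blacklisted` line is always followed by a `Blocking ... for >0secs` line, which is sshguard's way of saying the address went to the blacklist and will not be released by the pardon timer. Two things in it are inferences rather than documented facts: the escalation formula `p * 1.5**abuses` is read off the logged durations (630 s for one abuse, 945 s for two, with p=420), and the fallback settings `(40, 420, 1200)` are assumed when no start-up line precedes a block. The sample input is copied from the odin and blacktower journals on this page, plus one constructed `Started` line for odin, whose excerpt above begins mid-log. It also makes the blacktower pattern explicit: with a blacklist threshold of 40 and an abuse threshold of 40, the very first abuse (four failed logins at 10 danger each) is enough to blacklist, which is why every blacktower entry from Nov 06 on is logged as blacklisted in one abuse.

```python
"""Replay sshguard's journal lines and explain each block decision: the
(a,p,s) start-up tuple, the escalating block length, and why blacklisted
addresses are logged as "Blocking ... for >0secs".

Added example, not sshguard's code.  The escalation formula p * 1.5**abuses
is inferred from the durations in this thread's logs (630s, 945s with p=420),
not taken from sshguard's documentation."""
import re

# Sample input: lines copied from the odin and blacktower journals in this
# thread, plus one constructed "Started" line for odin (its excerpt begins
# mid-log; its later start-up lines show it ran with (40, 420, 1200)).
SAMPLE = """\
Oct 29 07:51:30 blacktower sshguard[1691]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 29 09:50:17 blacktower sshguard[550]: Blocking 122.225.109.99:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 29 00:00:00 odin sshguard[580]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Oct 30 18:19:24 odin sshguard[580]: Blocking 111.74.238.101:4 for >630secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
Oct 30 18:31:46 odin sshguard[580]: Blocking 111.74.238.101:4 for >945secs: 40 danger in 4 attacks over 6 seconds (all: 80d in 2 abuses over 749s).
Oct 30 18:49:46 odin sshguard[580]: Offender '111.74.238.101:4' scored 120 danger in 3 abuses (threshold 120) -> blacklisted.
Oct 30 18:49:46 odin sshguard[580]: Blocking 111.74.238.101:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 1828s).
Nov 02 19:27:11 blacktower sshguard[4554]: Started successfully [(a,p,s)=(40, 6000, 1200)], now ready to scan.
Nov 07 14:28:59 blacktower sshguard[2472]: Offender '117.27.158.71:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 07 14:28:59 blacktower sshguard[2472]: Blocking 117.27.158.71:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshguard\[\d+\]: (?P<msg>.*)$")
STARTED = re.compile(r"\[\(a,p,s\)=\((\d+), (\d+), (\d+)\)\]")
BLOCKING = re.compile(
    r"Blocking (?P<addr>[\d.]+):\d+ for >(?P<secs>\d+)secs: (?P<danger>\d+) danger in "
    r"(?P<attacks>\d+) attacks over \d+ seconds \(all: (?P<total>\d+)d in (?P<abuses>\d+) abuses")
OFFENDER = re.compile(
    r"Offender '(?P<addr>[\d.]+):\d+' scored \d+ danger in \d+ abuses \(threshold (?P<threshold>\d+)\) -> blacklisted")

DEFAULTS = (40, 420, 1200)  # assumed fallback when no Started line precedes a block


def analyse(lines):
    """Return {(host, addr): [event, ...]}, one event per "Blocking" line."""
    settings, pending, events = {}, {}, {}
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        host, msg = m["host"], m["msg"]
        if s := STARTED.search(msg):
            settings[host] = tuple(int(x) for x in s.groups())
        elif o := OFFENDER.search(msg):
            # the Offender line comes right before the matching ">0secs"
            # Blocking line; remember its threshold for that address
            pending[(host, o["addr"])] = int(o["threshold"])
        elif b := BLOCKING.search(msg):
            key = (host, b["addr"])
            a, p, _ = settings.get(host, DEFAULTS)
            secs, abuses = int(b["secs"]), int(b["abuses"])
            threshold = pending.pop(key, None)
            expected = round(p * 1.5 ** abuses)   # inferred escalation, see lead-in
            events.setdefault(key, []).append({
                "when": m["ts"],
                "attacks": int(b["attacks"]),        # a / (danger per failed login)
                "danger_per_attack": int(b["danger"]) // int(b["attacks"]),
                "abuses": abuses,
                "logged_secs": secs,
                "expected_secs": expected,
                "escalation_ok": secs == 0 or secs == expected,
                "permanent": secs == 0,              # ">0secs" means blacklisted
                "blacklist_threshold": threshold,
                "blacklisted_on_first_abuse": threshold is not None and threshold <= a,
            })
    return events


def explain(host, addr, event):
    """One-line human reading of an event."""
    if event["permanent"]:
        why = (f"blacklisted (threshold {event['blacklist_threshold']} reached after "
               f"{event['abuses']} abuse(s)); '>0secs' means no automatic release")
    else:
        why = f"temporary block, {event['logged_secs']}s = p*1.5^{event['abuses']}"
    return f"{host} {addr} {event['when']}: {why}"


if __name__ == "__main__":
    for (host, addr), evs in analyse(SAMPLE.splitlines()).items():
        for ev in evs:
            print(explain(host, addr, ev))
```

Run it against `journalctl -u sshguard -o short` output instead of SAMPLE to audit a live host; any event with `escalation_ok` false means the pardon time changed between blocks (as it did on blacktower on Nov 02) or the formula inferred here does not hold for that sshguard version.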
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT
That rule looks wrong
I too am finding an inability to configure ufw to use sshguard. I found this wherein the author recommends placing the following in /etc/ufw/before.rules just after the loopback bit:
# sshguard rules
# first setup a new chain for sshguard
# then setup a rule for before-input to redirect to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
For me, this doesn't work. When I intentionally attempt failed login attempts from another box on my LAN, I get:
% sudo journalctl -u sshguard
-- Logs begin at Sat 2014-11-08 07:55:04 EST, end at Sat 2014-11-08 08:03:00 EST. --
Nov 08 07:55:06 ease sshguard-journalctl[853]: Chain INPUT (policy ACCEPT)
Nov 08 07:55:06 ease sshguard-journalctl[853]: target prot opt source destination
Nov 08 07:55:06 ease sshguard-journalctl[853]: Chain FORWARD (policy ACCEPT)
Nov 08 07:55:06 ease sshguard-journalctl[853]: target prot opt source destination
Nov 08 07:55:06 ease sshguard-journalctl[853]: Chain OUTPUT (policy ACCEPT)
Nov 08 07:55:06 ease sshguard-journalctl[853]: target prot opt source destination
Nov 08 07:55:06 ease sshguard[855]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
Nov 08 07:55:50 ease sshguard[855]: Blocking 10.1.10.106:4 for >630secs: 40 danger in 4 attacks over 2 seconds (all: 40d in 1 abuses over 2s).
Nov 08 07:55:50 ease sshguard-journalctl[853]: iptables: No chain/target/match by that name.
Nov 08 07:55:50 ease sshguard[855]: Blocking command failed. Exited: -1
Does this explain it to anyone?
% sudo iptables-save
# Generated by iptables-save v1.4.21 on Sat Nov 8 08:04:57 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -p tcp -m tcp --dport 22 -j sshguard
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m state --state NEW -j ACCEPT
-A ufw-track-output -p udp -m state --state NEW -j ACCEPT
-A ufw-user-input -p tcp -m tcp --dport 22 -m comment --comment "\'dapp_SSH\'" -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Nov 8 08:04:57 2014
Last edited by graysky (2014-11-08 13:05:19)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
I'm glad it's not just me having problems. So as far as I am aware, UFW is just a configuration tool to make iptables easier to use. Is UFW clashing with SSHGuard?
Is there any reason why UFW couldn't be binned and just open ports directly in iptables?
I emailed the maintainer of ufw and will report back and update the wiki with the solution should he provide me with one.
I have just wiped all of my iptables rules and am learning a little more about it (which is always a good thing) to see if a manual, minimal config with SSHGuard will work as desired.... will report back here.
So, I rebuilt all of my iptables rules:
[root@blacktower iptables]# cat iptables.rules
# Generated by iptables-save v1.4.21 on Sat Nov 8 16:05:36 2014
*nat
:PREROUTING ACCEPT [1:343]
:INPUT ACCEPT [3:188]
:OUTPUT ACCEPT [35:2414]
:POSTROUTING ACCEPT [35:2414]
-A PREROUTING -p tcp -m tcp --dport 8383 -j REDIRECT --to-ports 22
COMMIT
# Completed on Sat Nov 8 16:05:36 2014
# Generated by iptables-save v1.4.21 on Sat Nov 8 16:05:36 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4992:624306]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp -j sshguard
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -p tcp -m tcp --dport 139 -j DROP
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A TCP -p tcp -m tcp --dport 445 -j DROP
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 135 -j ACCEPT
-A UDP -p udp -m udp --dport 135 -j DROP
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A UDP -p udp -m udp --dport 137 -j DROP
-A sshguard -s 122.225.109.194/32 -j DROP
-A sshguard -s 122.225.109.205/32 -j DROP
-A sshguard -s 117.27.158.88/32 -j DROP
-A sshguard -s 122.225.109.218/32 -j DROP
-A sshguard -s 117.27.158.72/32 -j DROP
-A sshguard -s 61.174.51.205/32 -j DROP
-A sshguard -s 122.225.97.103/32 -j DROP
-A sshguard -s 117.27.158.71/32 -j DROP
-A sshguard -s 61.174.51.210/32 -j DROP
COMMIT
# Completed on Sat Nov 8 16:05:36 2014
and SSHGuard reports that it has blacklisted some candidates:
[root@blacktower iptables]# journalctl -u sshguard --since=-2hour
-- Logs begin at Fri 2014-09-19 20:36:39 BST, end at Sat 2014-11-08 17:11:05 GMT. --
Nov 08 16:37:54 blacktower sshguard[3271]: Offender '122.225.97.71:4' scored 40 danger in 1 abuses (threshold 40) -> blacklisted.
Nov 08 16:37:54 blacktower sshguard[3271]: Blocking 122.225.97.71:4 for >0secs: 40 danger in 4 attacks over 7 seconds (all: 40d in 1 abuses over 7s).
but apparently, this offender 122.225.97.71 was able to continue attacking me past 16:37:
[root@blacktower iptables]# journalctl -u sshd --since=-2hour | grep '122.225.97.71'
Nov 08 16:37:40 blacktower sshd[5331]: Connection from 122.225.97.71 port 43209 on 192.168.0.3 port 22
Nov 08 16:37:44 blacktower sshd[5331]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:37:47 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:50 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:52 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:54 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:57 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:59 blacktower sshd[5331]: Failed password for root from 122.225.97.71 port 43209 ssh2
Nov 08 16:37:59 blacktower sshd[5331]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 43209 ssh2 [preauth]
Nov 08 16:37:59 blacktower sshd[5331]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:00 blacktower sshd[5335]: Connection from 122.225.97.71 port 45050 on 192.168.0.3 port 22
Nov 08 16:38:02 blacktower sshd[5335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:02 blacktower sshd[5337]: Connection from 122.225.97.71 port 48366 on 192.168.0.3 port 22
Nov 08 16:38:04 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:06 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:06 blacktower sshd[5337]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:08 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:08 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:10 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:10 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:12 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:15 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:17 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:17 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:19 blacktower sshd[5337]: Failed password for root from 122.225.97.71 port 48366 ssh2
Nov 08 16:38:19 blacktower sshd[5337]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 48366 ssh2 [preauth]
Nov 08 16:38:19 blacktower sshd[5337]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:20 blacktower sshd[5339]: Connection from 122.225.97.71 port 52670 on 192.168.0.3 port 22
Nov 08 16:38:20 blacktower sshd[5335]: Failed password for root from 122.225.97.71 port 45050 ssh2
Nov 08 16:38:20 blacktower sshd[5335]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 45050 ssh2 [preauth]
Nov 08 16:38:20 blacktower sshd[5335]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:21 blacktower sshd[5344]: Connection from 122.225.97.71 port 53184 on 192.168.0.3 port 22
Nov 08 16:38:23 blacktower sshd[5339]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:24 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:25 blacktower sshd[5344]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:27 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:28 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:29 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:31 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:32 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:34 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:36 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:36 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:39 blacktower sshd[5344]: Failed password for root from 122.225.97.71 port 53184 ssh2
Nov 08 16:38:39 blacktower sshd[5344]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 53184 ssh2 [preauth]
Nov 08 16:38:39 blacktower sshd[5344]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:40 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:41 blacktower sshd[5366]: Connection from 122.225.97.71 port 2978 on 192.168.0.3 port 22
Nov 08 16:38:42 blacktower sshd[5369]: Connection from 122.225.97.71 port 2599 on 192.168.0.3 port 22
Nov 08 16:38:44 blacktower sshd[5339]: Failed password for root from 122.225.97.71 port 52670 ssh2
Nov 08 16:38:44 blacktower sshd[5339]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 52670 ssh2 [preauth]
Nov 08 16:38:44 blacktower sshd[5339]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:44 blacktower sshd[5369]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:44 blacktower sshd[5371]: Connection from 122.225.97.71 port 4445 on 192.168.0.3 port 22
Nov 08 16:38:45 blacktower sshd[5366]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:46 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:38:46 blacktower sshd[5371]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:38:46 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:38:48 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:38:50 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:38:51 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:38:52 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:38:53 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:38:54 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:38:57 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:38:58 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:38:59 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:38:59 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:39:00 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:39:02 blacktower sshd[5366]: Failed password for root from 122.225.97.71 port 2978 ssh2
Nov 08 16:39:02 blacktower sshd[5366]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 2978 ssh2 [preauth]
Nov 08 16:39:02 blacktower sshd[5366]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:03 blacktower sshd[5371]: Failed password for root from 122.225.97.71 port 4445 ssh2
Nov 08 16:39:03 blacktower sshd[5371]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 4445 ssh2 [preauth]
Nov 08 16:39:03 blacktower sshd[5371]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:03 blacktower sshd[5413]: Connection from 122.225.97.71 port 8124 on 192.168.0.3 port 22
Nov 08 16:39:04 blacktower sshd[5415]: Connection from 122.225.97.71 port 8674 on 192.168.0.3 port 22
Nov 08 16:39:04 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:39:08 blacktower sshd[5415]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:08 blacktower sshd[5413]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:10 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:10 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:11 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:39:11 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:13 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:14 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:15 blacktower sshd[5369]: Failed password for root from 122.225.97.71 port 2599 ssh2
Nov 08 16:39:15 blacktower sshd[5369]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 2599 ssh2 [preauth]
Nov 08 16:39:15 blacktower sshd[5369]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:16 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:16 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:18 blacktower sshd[5422]: Connection from 122.225.97.71 port 11856 on 192.168.0.3 port 22
Nov 08 16:39:18 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:18 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:20 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:22 blacktower sshd[5415]: Failed password for root from 122.225.97.71 port 8674 ssh2
Nov 08 16:39:22 blacktower sshd[5415]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 8674 ssh2 [preauth]
Nov 08 16:39:22 blacktower sshd[5415]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:22 blacktower sshd[5422]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:23 blacktower sshd[5413]: Failed password for root from 122.225.97.71 port 8124 ssh2
Nov 08 16:39:23 blacktower sshd[5413]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 8124 ssh2 [preauth]
Nov 08 16:39:23 blacktower sshd[5413]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:23 blacktower sshd[5430]: Connection from 122.225.97.71 port 13198 on 192.168.0.3 port 22
Nov 08 16:39:24 blacktower sshd[5432]: Connection from 122.225.97.71 port 13208 on 192.168.0.3 port 22
Nov 08 16:39:24 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:26 blacktower sshd[5430]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:28 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:29 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:29 blacktower sshd[5432]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:30 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:31 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:32 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:34 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:34 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:34 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:36 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:36 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:39 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:39 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:39 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:42 blacktower sshd[5430]: Failed password for root from 122.225.97.71 port 13198 ssh2
Nov 08 16:39:42 blacktower sshd[5430]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 13198 ssh2 [preauth]
Nov 08 16:39:42 blacktower sshd[5430]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:42 blacktower sshd[5432]: Failed password for root from 122.225.97.71 port 13208 ssh2
Nov 08 16:39:42 blacktower sshd[5432]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 13208 ssh2 [preauth]
Nov 08 16:39:42 blacktower sshd[5432]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:43 blacktower sshd[5438]: Connection from 122.225.97.71 port 17368 on 192.168.0.3 port 22
Nov 08 16:39:43 blacktower sshd[5440]: Connection from 122.225.97.71 port 17395 on 192.168.0.3 port 22
Nov 08 16:39:45 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:46 blacktower sshd[5440]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:47 blacktower sshd[5438]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:47 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:39:48 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:39:50 blacktower sshd[5422]: Failed password for root from 122.225.97.71 port 11856 ssh2
Nov 08 16:39:50 blacktower sshd[5422]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 11856 ssh2 [preauth]
Nov 08 16:39:50 blacktower sshd[5422]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:50 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:39:51 blacktower sshd[5458]: Connection from 122.225.97.71 port 19027 on 192.168.0.3 port 22
Nov 08 16:39:51 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:39:53 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:39:55 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:39:56 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:39:57 blacktower sshd[5458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:39:57 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:39:58 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:39:59 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:39:59 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:40:02 blacktower sshd[5440]: Failed password for root from 122.225.97.71 port 17395 ssh2
Nov 08 16:40:02 blacktower sshd[5440]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 17395 ssh2 [preauth]
Nov 08 16:40:02 blacktower sshd[5440]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:02 blacktower sshd[5438]: Failed password for root from 122.225.97.71 port 17368 ssh2
Nov 08 16:40:02 blacktower sshd[5438]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 17368 ssh2 [preauth]
Nov 08 16:40:02 blacktower sshd[5438]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:02 blacktower sshd[5471]: Connection from 122.225.97.71 port 21500 on 192.168.0.3 port 22
Nov 08 16:40:03 blacktower sshd[5473]: Connection from 122.225.97.71 port 21475 on 192.168.0.3 port 22
Nov 08 16:40:04 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:40:06 blacktower sshd[5473]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:06 blacktower sshd[5471]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:08 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:09 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:09 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:40:10 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:10 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:12 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:12 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:15 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:15 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:16 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:40:17 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:17 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:19 blacktower sshd[5473]: Failed password for root from 122.225.97.71 port 21475 ssh2
Nov 08 16:40:19 blacktower sshd[5473]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 21475 ssh2 [preauth]
Nov 08 16:40:19 blacktower sshd[5473]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:19 blacktower sshd[5471]: Failed password for root from 122.225.97.71 port 21500 ssh2
Nov 08 16:40:19 blacktower sshd[5471]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 21500 ssh2 [preauth]
Nov 08 16:40:19 blacktower sshd[5471]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:20 blacktower sshd[5476]: Connection from 122.225.97.71 port 25054 on 192.168.0.3 port 22
Nov 08 16:40:20 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:40:20 blacktower sshd[5478]: Connection from 122.225.97.71 port 25195 on 192.168.0.3 port 22
Nov 08 16:40:22 blacktower sshd[5458]: Failed password for root from 122.225.97.71 port 19027 ssh2
Nov 08 16:40:22 blacktower sshd[5458]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 19027 ssh2 [preauth]
Nov 08 16:40:22 blacktower sshd[5458]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:23 blacktower sshd[5480]: Connection from 122.225.97.71 port 25836 on 192.168.0.3 port 22
Nov 08 16:40:26 blacktower sshd[5480]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:27 blacktower sshd[5478]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:28 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:28 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:31 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:33 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:33 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:36 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:38 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:38 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:41 blacktower sshd[5478]: Failed password for root from 122.225.97.71 port 25195 ssh2
Nov 08 16:40:41 blacktower sshd[5478]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 25195 ssh2 [preauth]
Nov 08 16:40:41 blacktower sshd[5478]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:41 blacktower sshd[5485]: Connection from 122.225.97.71 port 29897 on 192.168.0.3 port 22
Nov 08 16:40:42 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:43 blacktower sshd[5485]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:46 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:46 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:48 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:48 blacktower sshd[5480]: Failed password for root from 122.225.97.71 port 25836 ssh2
Nov 08 16:40:48 blacktower sshd[5480]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 25836 ssh2 [preauth]
Nov 08 16:40:48 blacktower sshd[5480]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:49 blacktower sshd[5487]: Connection from 122.225.97.71 port 31450 on 192.168.0.3 port 22
Nov 08 16:40:50 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:51 blacktower sshd[5487]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:52 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:52 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:40:54 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:55 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:40:58 blacktower sshd[5485]: Failed password for root from 122.225.97.71 port 29897 ssh2
Nov 08 16:40:58 blacktower sshd[5485]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 29897 ssh2 [preauth]
Nov 08 16:40:58 blacktower sshd[5485]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:40:58 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:40:58 blacktower sshd[5490]: Connection from 122.225.97.71 port 33823 on 192.168.0.3 port 22
Nov 08 16:41:00 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:41:00 blacktower sshd[5490]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:41:02 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:41:02 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:04 blacktower sshd[5487]: Failed password for root from 122.225.97.71 port 31450 ssh2
Nov 08 16:41:04 blacktower sshd[5487]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 31450 ssh2 [preauth]
Nov 08 16:41:04 blacktower sshd[5487]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:41:04 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:05 blacktower sshd[5493]: Connection from 122.225.97.71 port 35411 on 192.168.0.3 port 22
Nov 08 16:41:06 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:07 blacktower sshd[5493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:41:09 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:10 blacktower sshd[5493]: Failed password for root from 122.225.97.71 port 35411 ssh2
Nov 08 16:41:11 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:12 blacktower sshd[5493]: Failed password for root from 122.225.97.71 port 35411 ssh2
Nov 08 16:41:14 blacktower sshd[5490]: Failed password for root from 122.225.97.71 port 33823 ssh2
Nov 08 16:41:14 blacktower sshd[5490]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 33823 ssh2 [preauth]
Nov 08 16:41:14 blacktower sshd[5490]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Nov 08 16:41:14 blacktower sshd[5493]: Failed password for root from 122.225.97.71 port 35411 ssh2
Nov 08 16:41:15 blacktower sshd[5495]: Connection from 122.225.97.71 port 37711 on 192.168.0.3 port 22
Nov 08 16:41:16 blacktower sshd[5493]: Failed password for root from 122.225.97.71 port 35411 ssh2
Nov 08 16:41:16 blacktower sshd[5493]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Is there still something wrong with my iptables rules??!!!!! That IP does appear blocked in the sshguard chain:
[root@blacktower iptables]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP all -- 127.0.0.0/8 anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT tcp -- anywhere anywhere recent: SET name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
REJECT udp -- anywhere anywhere recent: SET name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
sshguard tcp -- anywhere anywhere tcp
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT tcp -- anywhere anywhere recent: UPDATE seconds: 60 name: TCP-PORTSCAN side: source mask: 255.255.255.255 reject-with tcp-reset
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- 192.168.0.0/24 anywhere tcp dpt:microsoft-ds
DROP tcp -- anywhere anywhere tcp dpt:microsoft-ds
Chain UDP (1 references)
target prot opt source destination
REJECT udp -- anywhere anywhere recent: UPDATE seconds: 60 name: UDP-PORTSCAN side: source mask: 255.255.255.255 reject-with icmp-port-unreachable
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:epmap
DROP udp -- anywhere anywhere udp dpt:epmap
ACCEPT udp -- 192.168.0.0/24 anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-ns
Chain sshguard (1 references)
target prot opt source destination
DROP all -- 122.225.97.71 anywhere
DROP all -- 122.225.109.194 anywhere
DROP all -- 122.225.109.205 anywhere
DROP all -- 117.27.158.88 anywhere
DROP all -- 122.225.109.218 anywhere
DROP all -- 117.27.158.72 anywhere
DROP all -- 205.51.174.61.dial.wz.zj.dynamic.163data.com.cn anywhere
DROP all -- mx6.fund123.cn anywhere
DROP all -- 117.27.158.71 anywhere
DROP all -- 210.51.174.61.dial.wz.zj.dynamic.163data.com.cn anywhere
Last edited by tornadof3 (2014-11-08 17:17:37)
I think I figured out using ufw and sshguard. You need to run the ufw-brz package, then modify as I posted above. See the wiki I updated: https://wiki.archlinux.org/index.php/Sshguard#UFW
Works for me!
Note that there is a bug in sshguard.service which currently causes failures of unneeded services. FS#42718.
Last edited by graysky (2014-11-08 20:37:02)
So, I rebuilt all of my iptables rules:
Glad you've gotten rid of UFW and welcome to the iptables-land. A few comments below:
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
I'd REJECT these packets (or better yet, LOG them).
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
Don't mess with ICMP. It is more than ping, so allow all of it (-p icmp -j ACCEPT).
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp -j sshguard
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -p tcp -m tcp --dport 139 -j DROP
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A TCP -p tcp -m tcp --dport 445 -j DROP
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 135 -j ACCEPT
-A UDP -p udp -m udp --dport 135 -j DROP
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A UDP -p udp -m udp --dport 137 -j DROP
-A sshguard -s 122.225.109.194/32 -j DROP
-A sshguard -s 122.225.109.205/32 -j DROP
-A sshguard -s 117.27.158.88/32 -j DROP
-A sshguard -s 122.225.109.218/32 -j DROP
-A sshguard -s 117.27.158.72/32 -j DROP
-A sshguard -s 61.174.51.205/32 -j DROP
-A sshguard -s 122.225.97.103/32 -j DROP
-A sshguard -s 117.27.158.71/32 -j DROP
-A sshguard -s 61.174.51.210/32 -j DROP
This is a mess. The 1st NEW TCP packet to port 22 is going to be ACCEPT'ed (it's the 1st rule in the TCP chain) -- so why do you even need sshguard? The "recent" line in TCP should be after all open ports (80, 443, 139, etc.), otherwise you'll block too frequent requests to these ports.
But if you are going to limit packets based on the rate of their arrival, why not protect port 22? Most attacks rely on frequent connection attempts to brute-force the password, so just cut them short after >3 connections per 2 mins, for example...
Here is a ruleset that I use to protect my server:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOG-NORM - [0:0]
:LOG-FRAG - [0:0]
:LOG-INVL - [0:0]
:LOG-PRIV - [0:0]
:SSH_ACCEPT - [0:0]
###
# Log chains (dead-end)
###
#--- Normal packets
-A LOG-NORM -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "firewall-norm: " --log-level 6 --log-ip-options --log-tcp-options --log-uid
-A LOG-NORM -j REJECT --reject-with icmp-host-prohibited
#--- Fragmented packets
-A LOG-FRAG -j LOG --log-prefix "firewall-frag: " --log-level 6 --log-ip-options --log-uid
-A LOG-FRAG -j DROP
#--- Invalid packets
-A LOG-INVL -j LOG --log-prefix "firewall-invl: " --log-level 6 --log-ip-options --log-tcp-options --log-uid
-A LOG-INVL -j REJECT --reject-with icmp-host-prohibited
#--- Packets from private IPs
-A LOG-PRIV -j LOG --log-prefix "firewall-priv: " --log-level 6 --log-ip-options --log-tcp-options --log-uid
-A LOG-PRIV -j REJECT --reject-with icmp-host-prohibited
###
# Rate-limit connections to SSHD
###
-A SSH_ACCEPT -m recent --set --name NEW_SSH --rsource
-A SSH_ACCEPT -m recent --update --seconds 60 --hitcount 4 --name NEW_SSH --rsource -j LOG-NORM
-A SSH_ACCEPT -j ACCEPT
###
# Traffic destined for the firewall host
###
#--- Check for fragmented and invalid packets, and allow all ICMP types
-A INPUT -i lo -j ACCEPT
-A INPUT --fragment -j LOG-FRAG
-A INPUT -m conntrack --ctstate INVALID -j LOG-INVL
-A INPUT -p icmp -j ACCEPT
#--- Check for malformed TCP headers [see "man 8 iptables-extensions"]
-A INPUT -p tcp -m tcp --tcp-flags ALL ALL -j LOG-NORM
-A INPUT -p tcp -m tcp --tcp-flags ALL NONE -j LOG-NORM
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG-NORM
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG-NORM
-A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j LOG-NORM
-A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW -j LOG-NORM
-A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j LOG-NORM
#--- We already took care of ICMP and don't run an FTP server, so no need for RELATED
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
#--- Protect SSHD
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j SSH_ACCEPT
#--- Log and reject everything else
-A INPUT -p tcp -j LOG-NORM
-A INPUT -p udp -j REJECT
-A INPUT -j LOG --log-prefix "firewall-prot: " --log-level 6 --log-ip-options --log-uid
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
Finally, my advice to everyone using SSHguard/fail2ban/denyhosts:
get rid of this stupid software.
It is bad due to so many reasons:
1. It manipulates iptables rules from userspace (this is BAD).
2. It relies on log files to blacklist hosts.
3. It pollutes your logs more than the unauthorized login attempts.
4. It is a direct DoS attack vector.
5. It is security through obscurity: use
$ cat /dev/random | tr -cd '[:graph:]' | head -c 20
as your password and sleep well.
6. Should I continue?
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
Leonid.I wrote: Finally, my advice to everyone using SSHguard/fail2ban/denyhosts:
get rid of this stupid software.
Poor advice and off topic.
It is bad due to so many reasons:
1. It manipulates iptables rules from userspace (this is BAD).
2. It relies on log files to blacklist hosts.
3. It pollutes your logs more than the unauthorized login attempts.
4. It is a direct DoS attack vector.
5. It is security through obscurity: use
$ cat /dev/random | tr -cd '[:graph:]' | head -c 20
as your password and sleep well.
6. Should I continue?
#5 is just wrong, you should be using keys not passwords in sshd. I don't see how #4 is right. #2 is just a statement of fact and neither good nor bad.
Last edited by graysky (2014-11-09 10:37:42)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
Thank you for all the replies. As pointed out, one of the problems was that I had a port 22 accept in the TCP chain before passing input through the sshguard chain.... here is my updated iptables rule set, which did appear to successfully record and *block* an SSH attacker... for any future reader, the key difference is that the -A INPUT -j sshguard is quite high up, and certainly before the --dport 22 -j ACCEPT in the TCP chain.... It has been really interesting learning more about iptables.
[user@blacktower iptables]$ cat iptables.rules
# Generated by iptables-save v1.4.21 on Sat Nov 8 16:05:36 2014
*nat
:PREROUTING ACCEPT [1:343]
:INPUT ACCEPT [3:188]
:OUTPUT ACCEPT [35:2414]
:POSTROUTING ACCEPT [35:2414]
-A PREROUTING -p tcp -m tcp --dport 8383 -j REDIRECT --to-ports 22
COMMIT
# Completed on Sat Nov 8 16:05:36 2014
# Generated by iptables-save v1.4.21 on Sat Nov 8 16:05:36 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4992:624306]
:sshguard - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -j sshguard
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A TCP -p tcp -m tcp --dport 443 -j ACCEPT
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A TCP -p tcp -m tcp --dport 139 -j DROP
-A TCP -s 192.168.0.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A TCP -p tcp -m tcp --dport 445 -j DROP
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with tcp-reset
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 135 -j ACCEPT
-A UDP -p udp -m udp --dport 135 -j DROP
-A UDP -s 192.168.0.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A UDP -p udp -m udp --dport 137 -j DROP
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN --mask 255.255.255.255 --rsource -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sat Nov 8 16:05:36 2014
Last edited by tornadof3 (2014-11-09 17:57:48)
Offline
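The ordering point in the post above (the jump to the sshguard chain has to come before any rule that can ACCEPT a new SSH connection, including one inside a user chain like TCP) is easy to get wrong again after the next edit to the rules. Here is an added check for it; this is example code, not part of the thread or of SSHGuard. It parses iptables-save output for the *filter table, finds every INPUT rule through which a new connection to port 22 can be accepted (directly, or by jumping into a user chain that accepts it), and reports whether the `-j sshguard` jump comes first. The two rulesets at the bottom are constructed samples of the broken and fixed orderings; the chain name and port are parameters defaulting to sshguard and 22 as on this page.

```python
"""Order check for an iptables-save dump: is INPUT traffic sent through the
sshguard chain before any rule that could ACCEPT a new SSH connection?

Added example; not code from this thread or from SSHGuard. Run it as
`iptables-save | python3 check_sshguard_order.py`, or with no stdin to
check the constructed samples below.
"""
import shlex
import sys


def parse_filter(dump):
    """Return {chain: [rule tokens, ...]} for the *filter table, in file order."""
    chains, table = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens[2:])
    return chains


def _target(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def _accepts_port(tokens, port):
    """True if the rule is an ACCEPT that matches --dport <port>."""
    if _target(tokens) != "ACCEPT":
        return False
    return any(tok == "--dport" and tokens[i + 1] == str(port)
               for i, tok in enumerate(tokens[:-1]))


def ssh_accept_positions(chains, port=22, chain="INPUT", seen=frozenset()):
    """Indices of rules in `chain` through which a new connection to `port`
    can be accepted: a direct ACCEPT, or a jump into a user chain that
    contains one (the TCP chain in this thread)."""
    positions = []
    for idx, tokens in enumerate(chains.get(chain, [])):
        target = _target(tokens)
        if _accepts_port(tokens, port):
            positions.append(idx)
        elif target in chains and target not in seen:
            if ssh_accept_positions(chains, port, target, seen | {chain}):
                positions.append(idx)
    return positions


def sshguard_precedes_ssh_accept(dump, guard_chain="sshguard", port=22):
    """True if INPUT jumps to guard_chain before any rule that can accept SSH."""
    chains = parse_filter(dump)
    rules = chains.get("INPUT", [])
    guard = [i for i, t in enumerate(rules) if _target(t) == guard_chain]
    accepts = ssh_accept_positions(chains, port)
    if not guard:
        return False          # the guard chain's DROP rules are never consulted
    if not accepts:
        return True           # nothing accepts SSH, so nothing to bypass
    return guard[0] < min(accepts)


# Constructed sample of the bug described in the thread: INPUT hands new TCP
# to the TCP chain, which accepts port 22, before it consults sshguard.
BROKEN = """\
*filter
:INPUT DROP [0:0]
:sshguard - [0:0]
:TCP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -j sshguard
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same rules with the sshguard jump moved above the TCP jump (the fix).
FIXED = BROKEN.replace(
    "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP\n"
    "-A INPUT -j sshguard\n",
    "-A INPUT -j sshguard\n"
    "-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP\n",
)

if __name__ == "__main__":
    dump = FIXED if sys.stdin.isatty() else sys.stdin.read()
    ok = sshguard_precedes_ssh_accept(dump)
    print("OK: INPUT consults sshguard before any SSH ACCEPT" if ok
          else "BUG: an SSH ACCEPT is reachable before the sshguard jump")
    sys.exit(0 if ok else 1)
```

The check deliberately ignores the blanket RELATED,ESTABLISHED ACCEPT: that rule matches packets of connections already accepted, so it cannot let a new SSH connection past sshguard. It only follows `-j` jumps into user chains, not `-g` gotos, which none of the rulesets on this page use.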
Leonid.I wrote: Finally, my advice to everyone using SSHguard/fail2ban/denyhosts:
get rid of this stupid software.
Poor advice and off topic.
That's why I said "Finally"...
Leonid.I wrote: It is bad due to so many reasons:
1. It manipulates iptables rules from userspace (this is BAD).
2. It relies on log files to blacklist hosts.
3. It pollutes your logs more than the unauthorized login attempts.
4. It is a direct DoS attack vector.
5. It is security through obscurity: use
$ cat /dev/random | tr -cd '[:graph:]' | head -c 20
as your password and sleep well.
6. Should I continue?
#5 is just wrong, you should be using keys not passwords in sshd. I don't see how #4 is right. #2 is just a statement of fact and neither good nor bad.
Yes, that's common voodoo knowledge together with "always have PermitRootLogin no". Yes, _I_ should be using keys. However, I have yet to see a machine which allows user shells and has more than 3 users that accepts keys _only_. Passwords are here to stay, and there is nothing wrong with them.
Parsing log files for real-time security is not the way to go. What if your syslog crashes? What if it provides an entry that's not parseable by sshguard? FS writes are cached by the kernel, so /var/log/auth.log always lags behind the real situation. Also, what if syslog logs to a remote DB?
In general, you give attackers an (indirect) way to manipulate your config -- this has to be exploitable somehow... The only correct approach would be for sshd to provide a DBUS-like API for programs like sshguard to use. There is a reason why such a thing doesn't exist -- because openbsd devs are not interested in security theatre (and of course this would be a performance degradation).
#4 is right because if I know that you have sshguard, then I can emit 5000 packets/sec with a spoofed IP and prevent that host from accessing your server.
Finally, by design, sshguard solves only a problem of polluted log files. But it does so in a very inefficient way: it needs _some_ activity in auth.log, consumes CPU and disk IO by parsing that, and creates even bigger log of its own... The kernel, OTOH, tracks all connections by default and is more efficient than any userspace program, so use it!
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Offline
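What a log-driven blocker actually has to work with, as an added example that is not part of this thread or of SSHGuard: a parser for sshd journal lines in the format shown earlier in the thread. The log lines are constructed (documentation-range addresses 198.51.100.23 and 203.0.113.7; the year is an assumption, since the short journal format omits it). It counts failures per source, optionally adding the "PAM N more authentication failures" summary sshd logs when it cuts a connection off, and records when a source reaches the four-failure threshold and how many parallel sshd processes had already logged failures by then.

```python
"""Per-source failed-login counts from sshd's journal text, the input a
log-driven blocker such as SSHGuard works from.

Added example; not code from this thread or from SSHGuard. SAMPLE_LOG is
constructed in the journalctl format shown in this thread, with addresses
from the documentation ranges; the year passed to parse_failures is an
assumption because the short journal format has no year field.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Nov 07 14:32:02 blacktower sshd[11797]: Failed password for root from 198.51.100.23 port 1065 ssh2
Nov 07 14:32:02 blacktower sshd[11800]: Failed password for root from 198.51.100.23 port 1874 ssh2
Nov 07 14:32:04 blacktower sshd[11799]: Failed password for invalid user admin from 198.51.100.23 port 1075 ssh2
Nov 07 14:32:05 blacktower sshd[11797]: Failed password for root from 198.51.100.23 port 1065 ssh2
Nov 07 14:32:05 blacktower sshd[11797]: Disconnecting: Too many authentication failures for root from 198.51.100.23 port 1065 ssh2 [preauth]
Nov 07 14:32:05 blacktower sshd[11797]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.23 user=root
Nov 07 14:33:10 blacktower sshd[11821]: Accepted publickey for alice from 203.0.113.7 port 50022 ssh2
Nov 07 14:33:40 blacktower sshd[11830]: Failed password for alice from 203.0.113.7 port 50030 ssh2
"""

_PREFIX = r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
FAILED_RE = re.compile(
    _PREFIX + r"Failed (?:password|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_MORE_RE = re.compile(
    _PREFIX + r"PAM (?P<n>\d+) more authentication failures;.*\brhost=(?P<ip>\S+)")


def _ts(text, year):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_failures(lines, year=2014):
    """Yield (timestamp, pid, ip, count, kind) for each failure record.
    kind is "line" for an explicit "Failed ..." message and "pam" for the
    "PAM N more authentication failures" summary logged at disconnect."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield _ts(m["ts"], year), int(m["pid"]), m["ip"], 1, "line"
            continue
        m = PAM_MORE_RE.match(line)
        if m:
            yield _ts(m["ts"], year), int(m["pid"]), m["ip"], int(m["n"]), "pam"


def failures_by_source(lines, include_pam_summary=False):
    """Total failures per source IP. With include_pam_summary the PAM
    "N more" counts are added on top of the explicit "Failed ..." lines."""
    totals = defaultdict(int)
    for _, _, ip, n, kind in parse_failures(lines):
        if kind == "line" or include_pam_summary:
            totals[ip] += n
    return dict(totals)


def threshold_crossings(lines, threshold=4):
    """{ip: (timestamp, pids)}: the record at which each source's count of
    explicit "Failed ..." lines first reached threshold, and the sshd PIDs
    seen from it by then. Several PIDs means parallel connections, so more
    failures than the threshold can already be in the log by the time a
    blocker that reads the log reacts."""
    running, pids, crossed = defaultdict(int), defaultdict(set), {}
    for ts, pid, ip, n, kind in parse_failures(lines):
        if kind != "line":
            continue
        running[ip] += n
        pids[ip].add(pid)
        if running[ip] >= threshold and ip not in crossed:
            crossed[ip] = (ts, frozenset(pids[ip]))
    return crossed


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("explicit lines:", failures_by_source(lines))
    print("incl. PAM summary:", failures_by_source(lines, include_pam_summary=True))
    for ip, (ts, pids) in threshold_crossings(lines).items():
        print(f"{ip} reached threshold at {ts} across {len(pids)} connections")
```

On the sample, 198.51.100.23 reaches four explicit failures at 14:32:05 across three sshd processes, and the PAM summary adds five more that never got their own "Failed password" line. To run it on a real host, feed `parse_failures` the lines from `journalctl -u sshd.service` instead of SAMPLE_LOG.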
graysky wrote: Leonid.I wrote: Finally, my advice to everyone using SSHguard/fail2ban/denyhosts:
get rid of this stupid software.
Poor advice and off topic.
That's why I said "Finally"...
graysky wrote: Leonid.I wrote: It is bad due to so many reasons:
1. It manipulates iptables rules from userspace (this is BAD).
2. It relies on log files to blacklist hosts.
3. It pollutes your logs more than the unauthorized login attempts.
4. It is a direct DoS attack vector.
5. It is security through obscurity: use
$ cat /dev/random | tr -cd '[:graph:]' | head -c 20
as your password and sleep well.
6. Should I continue?
#5 is just wrong, you should be using keys not passwords in sshd. I don't see how #4 is right. #2 is just a statement of fact and neither good nor bad.
Yes, that's common voodoo knowledge together with "always have PermitRootLogin no". Yes, _I_ should be using keys. However, I have yet to see a machine which allows user shells and has more than 3 users that accepts keys _only_. Passwords are here to stay, and there is nothing wrong with them.
Parsing log files for real-time security is not the way to go. What if your syslog crashes? What if it provides an entry that's not parseable by sshguard? FS writes are cached by the kernel, so /var/log/auth.log always lags behind the real situation. Also, what if syslog logs to a remote DB?
In general, you give attackers an (indirect) way to manipulate your config -- this has to be exploitable somehow... The only correct approach would be for sshd to provide a DBUS-like API for programs like sshguard to use. There is a reason why such a thing doesn't exist -- because openbsd devs are not interested in security theatre (and of course this would be a performance degradation).
#4 is right because if I know that you have sshguard, then I can emit 5000 packets/sec with a spoofed IP and prevent that host from accessing your server.
Finally, by design, sshguard solves only a problem of polluted log files. But it does so in a very inefficient way: it needs _some_ activity in auth.log, consumes CPU and disk IO by parsing that, and creates even bigger log of its own... The kernel, OTOH, tracks all connections by default and is more efficient than any userspace program, so use it!
I'm not going to sugarcoat it, that was one hell of a discussion. Thanks to both of you for that. Good stuff from both sides even if it was off topic. These points could be part of a few existing wiki articles.
Offline