#1 2019-01-05 21:12:12

Murray_B
Member
From: Germany
Registered: 2008-07-29
Posts: 134

Problems with securing SSH with ufw and sshguard

Hi!

I tried to configure ufw with sshguard like shown at https://wiki.archlinux.org/index.php/Sshguard#UFW
I modified /etc/ufw/before.rules and inserted those lines in the shown position:

# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard

When I try to configure "ufw default deny" I get a "Problem running 'etc/ufw/before.rules'" until I delete those lines again.

sshguard and ufw are both active. Any idea what went wrong?

I thought about using "ufw limit SSH" instead and tried to find out what really happened during a brute force attack.
Every howto says the IP is denied, but what does that mean? Is there a blacklist somewhere, where sshguard puts
the IP? How can I show blocked IPs and maybe delete them from the list?

Thanks for your help in advance!


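The question above asks how to see which addresses sshguard is dropping and how to remove one. The following is an added example, not code from the thread or from the sshguard project: it parses the text form of the rule set (`iptables -S`) and works on a constructed sample so it can run anywhere. It assumes the chain names from the post, `sshguard` and `ufw-before-input`.

```shell
#!/bin/sh
# Added example: inspect the sshguard chain that ufw hands port-22 traffic to.
# Input is the output of `iptables -S` (on a live host: RULES=$(iptables -S), as root).

# Constructed sample standing in for a live rule set; not captured from a real host.
SAMPLE_RULES='-P INPUT DROP
-N sshguard
-N ufw-before-input
-A ufw-before-input -p tcp -m tcp --dport 22 -j sshguard
-A sshguard -s 2.178.117.7/32 -j DROP
-A sshguard -s 198.51.100.23/32 -j DROP'

# Is the hand-off rule (ufw-before-input -> sshguard) actually installed?
# "Chain sshguard (0 references)" in the status output means it is not, so
# sshguard may be adding DROP rules to a chain no packet ever reaches.
handoff_present() {
    printf '%s\n' "$1" | grep -q -- '^-A ufw-before-input .* -j sshguard$'
}

# List the source addresses sshguard currently drops (the /32 suffix stripped).
blocked_ips() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "sshguard" && $3 == "-s" && $NF == "DROP" {
        sub(/\/32$/, "", $4); print $4 }'
}

# Emit the command that removes one block again (to be run with root privileges).
unblock_cmd() {
    printf 'iptables -D sshguard -s %s -j DROP\n' "$1"
}

# Human-readable report over a rule set.
report() {
    if handoff_present "$1"; then
        echo "hand-off rule ufw-before-input -> sshguard: present"
    else
        echo "hand-off rule ufw-before-input -> sshguard: MISSING"
    fi
    echo "currently blocked:"
    for ip in $(blocked_ips "$1"); do
        echo "  $ip   (unblock with: $(unblock_cmd "$ip"))"
    done
}

report "$SAMPLE_RULES"
```

Removing a rule from the chain only lifts the live block; the `sshg-blocker -b 120:/var/db/sshguard/blacklist.db` line in the status output is where sshguard persists addresses whose score reached 120, and those are blocked again when the service restarts unless they are also deleted from that file.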
#2 2019-01-12 16:32:36

Laurens
Member
Registered: 2017-03-29
Posts: 1

Re: Problems with securing SSH with ufw and sshguard

Hi Murray, I have the same issue.

In summary:
0. Server running Arch, reachable by SSH (only private key, no password or root)
1. install UFW, enable/start.
2. install sshguard, enable/start. add rules to before.rules.
3. So far so good.

After this I tried to do an update:

$ sudo pacman -Syyu
:: Synchronizing package databases...
error: failed retrieving file 'core.db' from mirror.i3d.net : Resolving timed out after 10000 milliseconds

This is strange to me. So I disabled UFW:

$sudo ufw disable

Then the update went fine.

Then re-enable UFW:

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 26 failed

Problem running '/etc/ufw/before.rules'

Which is exactly the line you mention.

SSH Guard status presents me:

$ sudo systemctl status sshguard
● sshguard.service - SSHGuard - blocks brute-force login attempts
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-01-12 16:55:48 CET; 16min ago
  Process: 505 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
 Main PID: 511 (sshguard)
    Tasks: 8 (limit: 4915)
   Memory: 118.6M
   CGroup: /system.slice/sshguard.service
           ├─511 /bin/sh /usr/sbin/sshguard
           ├─513 /bin/sh /usr/sbin/sshguard
           ├─514 /usr/lib/sshguard/sshg-parser
           ├─515 /usr/lib/sshguard/sshg-blocker -b 120:/var/db/sshguard/blacklist.db
           ├─516 /bin/sh /usr/sbin/sshguard
           ├─517 /bin/sh /usr/lib/sshguard/sshg-fw-iptables
           └─519 /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat

Jan 12 16:55:48 lakohost sshguard[511]: Chain INPUT (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target     prot opt source               destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain FORWARD (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target     prot opt source               destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain OUTPUT (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target     prot opt source               destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain sshguard (0 references)
Jan 12 16:55:48 lakohost sshguard[511]: target     prot opt source               destination
Jan 12 17:03:05 lakohost sshguard[515]: Attack from "2.178.117.7" on service 100 with danger 10.
Jan 12 17:03:10 lakohost sshguard[515]: Attack from "2.178.117.7" on service 100 with danger 10.

If someone could tell me where to start looking I would be very grateful.

Update:
I tried a bit more and now have this:

● sshguard.service - SSHGuard - blocks brute-force login attempts
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2019-01-18 09:03:42 CET; 33s ago
  Process: 20322 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=1/FAILURE)

any help?

Last edited by Laurens (2019-01-18 08:13:20)


#3 2019-01-12 17:30:33

2ManyDogs
Forum Fellow
Registered: 2012-01-15
Posts: 4,645

Re: Problems with securing SSH with ufw and sshguard

Please edit your post and use [ code ] tags (not quote tags) when posting output.

https://wiki.archlinux.org/index.php/Co … s_and_code
https://bbs.archlinux.org/help.php#bbcode
