Hi!
I tried to configure ufw with sshguard as shown at https://wiki.archlinux.org/index.php/Sshguard#UFW
I modified /etc/ufw/before.rules and inserted those lines in the shown position:
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
When I try to configure "ufw default deny" I get a "Problem running 'etc/ufw/before.rules'" until I delete those lines again.
sshguard and ufw are both active. Any idea what went wrong?
I thought about using "ufw limit SSH" instead and tried to find out what really happened during a brute force attack.
Every howto says the IP is denied, but what does that mean? Is there a blacklist somewhere, where sshguard puts
the IP? How can I show blocked IPs and maybe delete them from the list?
Thanks for your help in advance!
Hi Murray, I have the same issue.
In summary:
0. Server running Arch, reachable by SSH (only private key, no password or root)
1. install UFW, enable/start.
2. install sshguard, enable/start. Add rules to before.rules.
3. So far so good.
After this I tried to do an update:
$ sudo pacman -Syyu
:: Synchronizing package databases...
error: failed retrieving file 'core.db' from mirror.i3d.net : Resolving timed out after 10000 milliseconds
This is strange to me. So I disabled UFW:
$ sudo ufw disable
Then the update went fine.
Then re-enable UFW:
$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
iptables-restore: line 26 failed
Problem running '/etc/ufw/before.rules'
Which is exactly the line you mention.
SSH Guard status presents me:
$ sudo systemctl status sshguard
● sshguard.service - SSHGuard - blocks brute-force login attempts
Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
Active: active (running) since Sat 2019-01-12 16:55:48 CET; 16min ago
Process: 505 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
Main PID: 511 (sshguard)
Tasks: 8 (limit: 4915)
Memory: 118.6M
CGroup: /system.slice/sshguard.service
├─511 /bin/sh /usr/sbin/sshguard
├─513 /bin/sh /usr/sbin/sshguard
├─514 /usr/lib/sshguard/sshg-parser
├─515 /usr/lib/sshguard/sshg-blocker -b 120:/var/db/sshguard/blacklist.db
├─516 /bin/sh /usr/sbin/sshguard
├─517 /bin/sh /usr/lib/sshguard/sshg-fw-iptables
└─519 /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat
Jan 12 16:55:48 lakohost sshguard[511]: Chain INPUT (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target prot opt source destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain FORWARD (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target prot opt source destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain OUTPUT (policy ACCEPT)
Jan 12 16:55:48 lakohost sshguard[511]: target prot opt source destination
Jan 12 16:55:48 lakohost sshguard[511]: Chain sshguard (0 references)
Jan 12 16:55:48 lakohost sshguard[511]: target prot opt source destination
Jan 12 17:03:05 lakohost sshguard[515]: Attack from "2.178.117.7" on service 100 with danger 10.
Jan 12 17:03:10 lakohost sshguard[515]: Attack from "2.178.117.7" on service 100 with danger 10.
If someone could tell me where to start looking I would be very grateful.
Update:
I tried a bit more and now have this:
● sshguard.service - SSHGuard - blocks brute-force login attempts
Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2019-01-18 09:03:42 CET; 33s ago
Process: 20322 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=1/FAILURE)
any help?
Last edited by Laurens (2019-01-18 08:13:20)
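A defender-side check, added here and not part of any post in the thread, for the two open questions above: whether the sshguard chain is actually referenced by a rule (the "Chain sshguard (0 references)" line in the status output means it is not) and which sources it currently blocks, plus a per-source tally of the journal's "Attack from" lines. It parses `iptables -S` text; the chain names, the `-j DROP` rule form and all sample input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `iptables -S` output and sshguard
# journal lines in the formats the thread shows. Chain and rule names
# (sshguard, ufw-before-input) and the "-j DROP" form are assumptions.

# sshguard_chain_status RULES: prints missing | unreferenced | referenced.
# "Chain sshguard (0 references)" in the thread's log means the chain exists
# but no rule jumps to it, so sshguard's blocks never see SSH traffic.
sshguard_chain_status() {
    if ! printf '%s\n' "$1" | grep -q '^-N sshguard$'; then
        echo missing
    elif printf '%s\n' "$1" | grep -q -- '-j sshguard$'; then
        echo referenced
    else
        echo unreferenced
    fi
}

# blocked_ips RULES: print the sources the chain currently drops, one per line.
blocked_ips() {
    printf '%s\n' "$1" | sed -n 's/^-A sshguard -s \([^ ]*\) -j DROP$/\1/p'
}

# attack_danger LOG: total reported danger per source from "Attack from" lines.
attack_danger() {
    printf '%s\n' "$1" |
      sed -n 's/.*Attack from "\([^"]*\)" on service [0-9]* with danger \([0-9]*\)\..*/\1 \2/p' |
      awk '{ sum[$1] += $2 } END { for (ip in sum) print ip, sum[ip] }' | sort
}

# Constructed sample `iptables -S` output, not captured from a real host.
SAMPLE_RULES='-P INPUT ACCEPT
-N sshguard
-N ufw-before-input
-A ufw-before-input -p tcp -m tcp --dport 22 -j sshguard
-A sshguard -s 203.0.113.10/32 -j DROP
-A sshguard -s 198.51.100.7/32 -j DROP'

# Constructed journal lines in the same shape as the thread's output.
SAMPLE_LOG='Jan 12 17:03:05 host sshguard[515]: Attack from "203.0.113.10" on service 100 with danger 10.
Jan 12 17:03:10 host sshguard[515]: Attack from "203.0.113.10" on service 100 with danger 10.
Jan 12 17:04:00 host sshguard[515]: Attack from "198.51.100.7" on service 100 with danger 10.'

echo "chain: $(sshguard_chain_status "$SAMPLE_RULES")"
echo "blocked:"; blocked_ips "$SAMPLE_RULES"
echo "danger per source:"; attack_danger "$SAMPLE_LOG"
```

On a live host, feed it `iptables -S` and `journalctl -t sshguard` output instead of the constructed samples; a result of `unreferenced` is the state the "0 references" line in the thread describes.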
Please edit your post and use [ code ] tags (not quote tags) when posting output.
https://wiki.archlinux.org/index.php/Co … s_and_code
https://bbs.archlinux.org/help.php#bbcode