Jan 10 13:19:05 localhost sshd[7632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=122.225.97.71 user=root
Jan 10 13:19:06 localhost sshd[7542]: Failed password for root from 122.225.97.71 port 9997 ssh2
Jan 10 13:19:08 localhost sshd[7632]: Failed password for root from 122.225.97.71 port 13212 ssh2
Jan 10 13:19:08 localhost sshd[7601]: Failed password for root from 122.225.97.71 port 11910 ssh2
Jan 10 13:19:09 localhost sshd[7542]: Failed password for root from 122.225.97.71 port 9997 ssh2
Jan 10 13:19:10 localhost sshd[7601]: Failed password for root from 122.225.97.71 port 11910 ssh2
Jan 10 13:19:11 localhost sshd[7632]: Failed password for root from 122.225.97.71 port 13212 ssh2
Jan 10 13:19:11 localhost sshd[7542]: Failed password for root from 122.225.97.71 port 9997 ssh2
Jan 10 13:19:11 localhost sshd[7542]: Disconnecting: Too many authentication failures for root from 122.225.97.71 port 9997 ssh2 [preauth]
I am being attacked right now and sshguard is not working, I don't know why. I followed the wiki guide but it is not working; it isn't blacklisting anything. I've set the aggressive rule because I rarely use my ssh connection.
journalctl for sshguard (output)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Warning! Sshguard now uses *attack dangerousness*, not occurrences, to gauge threats.
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Default dangerousness per attack is 10, default threshold is 40.
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain INPUT (policy DROP)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard-journalctl[295]: ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Jan 10 12:48:35 localhost sshguard-journalctl[295]: ACCEPT all -- anywhere anywhere
Jan 10 12:48:35 localhost sshguard-journalctl[295]: DROP all -- anywhere anywhere ctstate INVALID
Jan 10 12:48:35 localhost sshguard-journalctl[295]: ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
Jan 10 12:48:35 localhost sshguard-journalctl[295]: UDP udp -- anywhere anywhere ctstate NEW
Jan 10 12:48:35 localhost sshguard-journalctl[295]: TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN c
Jan 10 12:48:35 localhost sshguard-journalctl[295]: REJECT udp -- anywhere anywhere reject-with icmp-port-unreachab
Jan 10 12:48:35 localhost sshguard-journalctl[295]: REJECT tcp -- anywhere anywhere reject-with tcp-reset
Jan 10 12:48:35 localhost sshguard-journalctl[295]: REJECT all -- anywhere anywhere reject-with icmp-proto-unreacha
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain FORWARD (policy DROP)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain OUTPUT (policy ACCEPT)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain TCP (1 references)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard-journalctl[295]: ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain UDP (1 references)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard-journalctl[295]: Chain sshguard (0 references)
Jan 10 12:48:35 localhost sshguard-journalctl[295]: target prot opt source destination
Jan 10 12:48:35 localhost sshguard[300]: Started successfully [(a,p,s)=(1, 420, 1200)], now ready to scan.
Jan 10 13:15:48 localhost sshguard[300]: Offender '122.225.97.71:4' scored 10 danger in 1 abuses (threshold 10) -> blacklisted.
Jan 10 13:15:48 localhost sshguard[300]: Blocking 122.225.97.71:4 for >0secs: 10 danger in 1 attacks over 0 seconds (all: 10d in 1 abuses over 0s
Jan 10 13:25:44 localhost sshguard[300]: Got CONTINUE signal, resuming activity.
Jan 10 13:25:44 localhost sshguard[300]: Got exit signal, flushing blocked addresses and exiting...
-- Reboot --
iptables.conf (using ufw)
# Generated by iptables-save v1.4.21 on Sat Jan 10 13:46:40 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [928:160917]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A sshguard -s 54.164.79.227/32 -j DROP
-A sshguard -s 125.65.165.215/32 -j DROP
-A sshguard -s 122.225.97.71/32 -j DROP
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
COMMIT
# Completed on Sat Jan 10 13:46:40 2015
Seems to me that iptables isn't "refreshing" itself or something like this...
LE:
Forgot about this: I also get this message when I need to update the iptables config manually
┌─╸[mark@localhost]—[~]
└───╸ sudo iptables-save > /etc/iptables/iptables.rules [ 1:48PM]
zsh: permission denied: /etc/iptables/iptables.rules
so I log in as root with
su
and execute it.
Last edited by dede24ever (2015-01-10 19:05:18)
I think you are missing a rule to let the sshguard table drop packets; you should have lines like this in your iptables.rules:
-A TCP -p tcp -m tcp --dport 22 -j sshguard
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
See https://wiki.archlinux.org/index.php/Sshguard#UFW and note that the wiki says you need ufw-bzr from AUR. I don't use ufw myself, so I don't know if you still need ufw-bzr.
I am using ufw-bzr from AUR.
I added the line " -A TCP -p tcp -m tcp --dport 22 -j sshguard " and rebooted. Still the same, sshguard isn't working. I tried to log in with ssh from a remote machine (koding.com) and it is still the same: the IP is banned in iptables but I can still "bruteforce" my local machine.
Last edited by dede24ever (2015-01-10 14:36:37)
I have ufw-bzr + sshguard and it works. There are two lines you need to add to /etc/ufw/before.rules per the wiki. Do you have both?
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
I have ufw-bzr + sshguard and it works. There are two lines you need to add to /etc/ufw/before.rules per the wiki. Do you have both?
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
Yes I do have those lines...
┌─╸[mark@localhost]—[~]
└───╸ sudo cat /etc/ufw/before.rules [ 4:50PM]
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT
# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT
#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local
# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT
# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT
# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
LE: Solved by switching the position of the ACCEPT rule on 22 with the SSHGUARD rule on 22. It was accepting before checking, and that is what messed up the entire thing, my bad.
Marked as solved...
Last edited by dede24ever (2015-01-10 19:03:45)
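Added example, not code from the thread or from the sshguard or ufw projects: a small Python walker over an iptables-save dump that reproduces the three states this thread went through. The cut-down ruleset is constructed from the INPUT, TCP and sshguard rules quoted above (the ufw-* chains are omitted because they play no part in the SSH path), the packets are synthetic, and only the match options that appear in the thread's rules (-p, -i, -s, --dport, --ctstate) are modelled; everything else is treated as matching. It shows why the journal reported "Chain sshguard (0 references)" in the first dump, why adding the hand-off after the ACCEPT still let the blacklisted host through, and why swapping the two lines fixes it.

```python
import ipaddress
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_iptables_save(dump):
    """Parse an iptables-save dump into (policies, rules).

    policies: {chain: policy, or "-" for user-defined chains}
    rules:    ordered list of (chain, tokens) taken from the -A lines
    """
    policies, rules = {}, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):
            chain, *tokens = shlex.split(line[3:])
            rules.append((chain, tokens))
    return policies, rules


def jump_target(tokens):
    """Return the -j/--jump target of a rule, or None if it has none."""
    for i, tok in enumerate(tokens):
        if tok in ("-j", "--jump") and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def rule_matches(tokens, pkt):
    """Evaluate the match part of a rule against a synthetic packet dict."""
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt in ("-j", "--jump"):
            break                      # everything after -j belongs to the target
        if opt == "--tcp-flags":       # the one option here that takes two arguments
            i += 3
            continue
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if opt == "-p" and arg != pkt["proto"]:
            return False
        if opt == "-i" and arg != pkt["iface"]:
            return False
        if opt == "-s" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(arg, strict=False):
            return False
        if opt in ("--dport", "--destination-port") and arg != str(pkt["dport"]):
            return False
        if opt == "--ctstate" and pkt["ctstate"] not in arg.split(","):
            return False
        i += 2                         # every other option takes exactly one argument
    return True


def _walk(policies, rules, pkt, chain):
    """First-match traversal of one chain; descends into user chains, None on fall-through."""
    for ch, tokens in rules:
        if ch != chain or not rule_matches(tokens, pkt):
            continue
        target = jump_target(tokens)
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in policies:         # user-defined chain: its RETURN means keep going here
            result = _walk(policies, rules, pkt, target)
            if result is not None:
                return result
    return None


def verdict(dump, pkt, chain="INPUT"):
    """Final verdict for pkt entering `chain`; falls back to the chain policy."""
    policies, rules = parse_iptables_save(dump)
    result = _walk(policies, rules, pkt, chain)
    return result if result is not None else policies.get(chain, "ACCEPT")


def sshguard_references(dump, chain="sshguard"):
    """How many rules jump into the sshguard chain (the '(N references)' figure in the journal)."""
    _, rules = parse_iptables_save(dump)
    return sum(1 for _, toks in rules if jump_target(toks) == chain)


# Constructed, cut-down version of the thread's iptables-save dump (ufw-* chains left out).
RULESET_TEMPLATE = """\
*filter
:INPUT DROP [0:0]
:TCP - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
{tcp_chain}
-A sshguard -s 122.225.97.71/32 -j DROP
COMMIT
"""
SSH_ACCEPT = "-A TCP -p tcp -m tcp --dport 22 -j ACCEPT"
SSH_TO_SSHGUARD = "-A TCP -p tcp -m tcp --dport 22 -j sshguard"
ORIGINAL = RULESET_TEMPLATE.format(tcp_chain=SSH_ACCEPT)                             # no hand-off at all
MISORDERED = RULESET_TEMPLATE.format(tcp_chain=SSH_ACCEPT + "\n" + SSH_TO_SSHGUARD)  # hand-off after ACCEPT
FIXED = RULESET_TEMPLATE.format(tcp_chain=SSH_TO_SSHGUARD + "\n" + SSH_ACCEPT)       # hand-off before ACCEPT

# Constructed synthetic packets: a new SSH connection from the blacklisted host and from a legitimate client.
OFFENDER_SSH = {"proto": "tcp", "dport": 22, "src": "122.225.97.71", "iface": "eth0", "ctstate": "NEW"}
CLIENT_SSH = dict(OFFENDER_SSH, src="203.0.113.5")

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("misordered", MISORDERED), ("fixed", FIXED)):
        print(f"{name:10s} sshguard references={sshguard_references(dump)} "
              f"offender={verdict(dump, OFFENDER_SSH)} client={verdict(dump, CLIENT_SSH)}")
```

Running it prints three lines: the original dump has zero references to sshguard and accepts the offender, the misordered one has a reference but still accepts the offender because the ACCEPT matches first, and the fixed one drops the offender while still accepting the legitimate client. The same walker can be pointed at a real `iptables-save` dump, but note it only models the handful of match options above, so treat a verdict from it as a hint to re-read the rule order, not as a substitute for `iptables -L -v -n` counters.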