# sshguard-pf + proftpd



## Lego (Oct 29, 2009)

So as recommended in another thread, I installed sshguard-pf. Using These As Resources: http://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html , http://sshguard.sourceforge.net/doc/setup/setup.html , http://sshguard.sourceforge.net/doc/setup/blockingpf.html.  As I was setting it up it seems like the documentation is lacking, Im not sure if I have everything setup properly, so I would like to show you What I have and If its Correct or if Im missing something.

/etc/pf.conf:

```
#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.4.1 2008/11/25 02:59:2
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist
table <sshguard> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
block in quick on ral0 proto tcp from <sshguard> label "ssh bruteforce"
```

/etc/rc.conf:

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
```

pkgs:

```
blurr-ink# pkg_info | grep sshguard-pf
sshguard-pf-1.3     Protect hosts from brute force attacks against ssh and othe
blurr-ink# pkg_info|grep pf
qt4-makeqpf-4.4.1   Qt qtopia font creator
sshguard-pf-1.3     Protect hosts from brute force attacks against ssh and othe
```


```
blurr-ink# ps ax | grep sshguard-pf
blurr-ink# ps ax | grep sshguard
41887  ??  Is     0:00.01 /usr/local/sbin/sshguard
blurr-ink# ps ax | grep pf
   47  ??  DL     0:31.58 [softdepflush]
39926  ??  DL     0:00.07 [pfpurge]
43436  p0  R+     0:00.00 grep pf
```

So, First is everything running properly? Second, How Do I control it... Like Set it so it watches proftpd or even webmin, and blacklists the IP and/or hostname from any access? Third, How do I control the amount of attempts they have?


----------



## Lego (Oct 29, 2009)

After a Reboot:

```
blurr-ink# ps ax | grep sshguard
  944  ??  Is     0:00.01 /usr/local/sbin/sshguard
blurr-ink# ps ax | grep sshguard-pf
 1199  p0  R+     0:00.00 grep sshguard-pf
blurr-ink# ps ax | grep pf
   47  ??  DL     0:00.00 [softdepflush]
  444  ??  DL     0:00.00 [pfpurge]
 1201  p0  R+     0:00.00 grep pf
blurr-ink# pfctl -f /etc/pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
blurr-ink# pfctl -Tshow -tsshguard
No ALTQ support in kernel
ALTQ related functions disabled
blurr-ink#
```


----------



## DutchDaemon (Oct 30, 2009)

See the flags in sshguard(8) and add the relevant bits to the line in /etc/syslog.conf. You may have to play around with the logging facilities, but I think ftp.info is right for proftpd. Remember to restart syslogd to reactivate sshguard.


```
auth.info;authpriv.info;mail.info;ftp.info              |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 210:/var/run/dovecot/master.pid -f 100:/var/run/sshd.pid -w 127.0.0.1 -w another_trusted_ip
```


----------



## Lego (Oct 30, 2009)

Ok, Im still a tad confused, what is the number representing in "-f 300:" I don't use dovecot, I use sendmail and procmail, I'll have to try and figure it out for those but I modified yours a bit and I think it would suit my needs.

```
auth.info;authpriv.info;ftp.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -w 127.0.0.1 -a 5
```

And would I also be able to use this in my imap server??


----------



## DutchDaemon (Oct 30, 2009)

It is in the documentation:
http://sshguard.sourceforge.net/doc/
http://sshguard.sourceforge.net/doc/servicecodes.html

Sendmail and procmail are on the SMTP side ("port 25" plus local delivery), they have nothing to do with Dovecot, which is on the POP3/IMAP side. You can protect IMAP.


----------



## Lego (Oct 30, 2009)

```
auth.info;authpriv.info;ftp.info;mail.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 200:/var/run/uwimap.pid -w 127.0.0.1 -a 5
```

Is that correct then?


----------



## DutchDaemon (Oct 30, 2009)

Looks about right to me. If you're unsure whether login attempts actually get sent to the sshguard process, copy the log facilities to a new line and send them to /var/log/sshguard.log (create it first with `# touch /var/log/sshguard.log`).


```
auth.info;authpriv.info;ftp.info;mail.info       /var/log/sshguard.log
```

Restart syslog, and logging will start.

Then just tail that logfile to make sure that ftp/ssh/imap logins actually end up there. 

If not, try other facilities (like e.g. mail.notice -- see syslog.conf(5)). 

Don't forget to remove this syslog line when you're done.


----------



## Lego (Oct 30, 2009)

DutchDaemon said:
			
		

> If you're unsure whether login attempts actually get sent to the sshguard process, copy the log facilities to a new line and send them to /var/log/sshguard.log (create it first with `# touch /var/log/sshguard.log`).
> 
> 
> ```
> ...



what do you mean copy the log facilities to a new line? I did the #touch /var/log/sshguard.log, and how do i send them? I have restarted syslogd and putty'd to my server and put the wrong password, then tail /var/log/sshguard.log and it shows nothing.

NEVERMIND, GIVE ME A FEW MINUTES PLEASE IGNORE THIS POST!!!


----------



## Lego (Oct 30, 2009)

Ok here is the /var/log/sshguard.log:

```
Oct 30 14:33:40 blurr-ink sshguard[16855]: Got exit signal, flushing blocked addresses and exiting...
Oct 30 14:33:40 blurr-ink sshguard[18154]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Oct 30 14:33:47 blurr-ink sshd[18156]: error: PAM: authentication error for lego from 216.8.133.228
Oct 30 14:35:45 blurr-ink sshd[18161]: error: ssh_msg_send: write
Oct 30 14:35:53 blurr-ink proftpd[18166]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Oct 30 14:35:53 blurr-ink proftpd[18166]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Oct 30 14:36:51 blurr-ink imapd[18169]: Login failed user=Lego auth=Lego host=localhost [127.0.0.1]
Oct 30 14:36:51 blurr-ink sshguard[18154]: unable to open pidfile '/var/run/uwimap.pid': No such file or directory.
Oct 30 14:36:51 blurr-ink sshguard[18154]: Pass over address 127.0.0.1 because it's been whitelisted.
Oct 30 14:36:54 blurr-ink imapd[18169]: Unexpected client disconnect, while reading line user=Lego host=localhost [127.0.0.1]
```

I did a failed ssh attempt, a failed ftp attempt, then a failed imapd attempt....

Why is the roundcube/imapd login said to be local whitelisted (because I placed a -w for 127.0.0.1 right?)? How do I find the correct PID file? But it shouldn't be localhost should it? shouldn't it pull my ip instead?


----------



## Lego (Oct 30, 2009)

Ok I fixed the PID file...

```
auth.info;authpriv.info;ftp.info;mail.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot.pid -w 127.0.0.1 -a 5
```

and:

```
Oct 30 15:44:33 blurr-ink sshguard[19316]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Oct 30 15:44:42 blurr-ink imapd[19318]: Login failed user=Lego auth=Lego host=localhost [127.0.0.1]
Oct 30 15:44:42 blurr-ink sshguard[19316]: Pass over address 127.0.0.1 because it's been whitelisted.
Oct 30 15:44:45 blurr-ink imapd[19318]: Unexpected client disconnect, while reading line user=Lego host=localhost [127.0.0.1]
```

So I guess my last question is why is it a localhost connection instead of the IP I'm using? Because of Roundcube?


----------



## DutchDaemon (Oct 30, 2009)

Roundcube gets its email via localhost. It connects 'into the system' over the loopback interface. That's normal for all webmail. If you're not running IMAP on a public IP address (in other words: if only webmail talks to the IMAP server) you might as well drop IMAP checking from sshguard, because it will be of no use. All connections will come in over localhost.


----------



## Lego (Oct 31, 2009)

ah, that makes sense I think; So if I had another computer/server hosting the mail services then it wouldn't be a local connection because its on a different computer/server then the rest of the services? or am I miss-understanding you?

or is it like Sendmail/Procmail would be on one server/computer and IMAP/roundcube would be on a second server/computer???

okay, Obviously, I'm not understanding.... How do I set it up so I can use sshguard to monitor webmail logins, or is the point that I can't? In which case how do I setup IMAP on a public IP

Last try.... so Sendmail is my mail service, which just passes info to the IMAP server, and roundcube just reads what IMAP says, so no matter how you try, roundcube/IMAP only talk to sendmail locally?   LOL!


----------



## DutchDaemon (Oct 31, 2009)

sshguard can't monitor IMAP in this case, because _your own server_ is performing all of the login attempts (hence: _localhost_). Well, it can _monitor_ them, of course, but it doesn't know about the IP addresses using webmail, and sshguard has no access to those (because it doesn't monitor apache/roundcube). All sshguard sees is: 127.0.0.1, which is Roundcube connecting to IMAP internally. You don't want to lock that route ...

With regard to Sendmail, I'll try _one more time_, and never again:

Sendmail accepts incoming mail from the Internet, and drops it (using a local delivery agent like procmail) in a mailbox (I'll skip sending email out to the Internet for now, but that should be obvious -- it's a mail _transfer_ agent). Anyway: Sendmail/procmail plays absolutely no role in any of this IMAP/sshguard tale.

The IMAP server reads that mailbox and presents the email in it to those logging in with the IMAP protocol. One of the ways to log in to IMAP is by using webmail, where Roundcube (in this case) is an intermediary service logging in to the IMAP server for the person who wants to read their email over the web. Roundcube is a proxy/go-between/front-end/interface to IMAP, as it were. It uses localhost to connect to the IMAP server (when web server and IMAP server are on the same machine).

If people want to use IMAP _directly_ (without the web interface of Roundcube in between), you tell IMAP (Dovecot, UW-IMAP, Cyrus, whatever) to run on your public IP address, and tell people to point their email program (e.g. Thunderbird) to talk IMAP (port 143) to your public IP address (or the hostname that's pointing to it). 

In that case, sshguard can monitor login attempts, because the original IP addresses are then visible to it.


----------



## Lego (Oct 31, 2009)

Yes, that makes much more sense, Thanks! I think I leave the login as is for now; instead of making things more complicated


----------



## Lego (Nov 1, 2009)

hehe okay; I 100% understand now! So I still have roundcube installed, and its still usable; But your "e.g. Thunderbird" got me thinking, So I installed Windows Live Mail, and set it up to talk to my imap-uw; which was pretty straight forward.  First try it connected, retrieved all my mail.
So! tail /var/log/sshguard.log:

```
Oct 31 21:17:16 blurr-ink imapd[51332]: Login user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Oct 31 21:17:16 blurr-ink imapd[51332]: Logout user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
```

Awesome! so I guess, I could .htaccess the roundcube folder, and force anyone using a blurr-ink.com email account to use a mail client.  Thanks Again So much DutchDaemon, Your Awesome!


----------



## Lego (Nov 6, 2009)

Um, Can I also have sshguard monitor webmin login attempts? or phpMyAdmin, or MySQL logins??


----------



## DutchDaemon (Nov 6, 2009)

None of these are currently implemented (there are no log facilities and service codes for them). I think you should join their mailing list and ask around there.

https://lists.sourceforge.net/lists/listinfo/sshguard-users
http://sourceforge.net/mailarchive/forum.php?forum_name=sshguard-users


----------



## Lego (Nov 6, 2009)

I just joined, awaiting the email to confirm creation, thanks!


----------

