# SSH-Guard doesn't want to block.



## bryn1u (Jun 13, 2018)

Hey guys,

I don't know why but SSH-Guard has stopped blocked ip. A few weeks days ago was working great. Since some days doesn't work anymore. I can't find solution.
My ipfw config. There is nothin complicated here.

```
#!/bin/sh
# ipfw config/rules
# from FBSD Handbook, rc.firewall, et. al.

# Flush all rules before we begin.
ipfw -q -f flush
# Set rules command prefix
cmd="ipfw -q add "
vif="em0"
# allow all for localhost
$cmd 00010 allow ip from any to any via lo0

ipfw pipe 1 config bw 1Mbit/s

#ipfw pipe 2 config bw 100Kb/s

### Pipes & Priority ###:
#ipfw queue 1 config pipe 1 weight 40
#ipfw queue 2 config pipe 1 weight 30
#ipfw queue 3 config pipe 1 weight 20
#ipfw queue 4 config pipe 1 weight 10
#ipfw queue 5 config pipe 1 weight 1

######################## Bandwidth #############:
### DNS & HTTP Servers ###:
ipfw add pipe 1 ip from any to any uid xyu

#ipfw add pipe 1 ip from any to any uid bryn1u


$cmd 0050 reass all from any to any in
$cmd 0060 check-state

### IRC
#$cmd 00100 allow tcp from any to any dst-port 6667 in via $vif setup keep-state
$cmd 0099 allow tcp from any to any dst-port 6667 out via $vif setup keep-state

### Oidentd
$cmd 00100 allow tcp from any to any dst-port 113 in via $vif setup keep-state
$cmd 00101 allow tcp from any to any dst-port 113 out via $vif setup keep-state

### Murmur
$cmd 00102 allow tcp from any to any dst-port 64738 in via $vif setup limit src-addr 5
$cmd 00103 allow udp from any to any dst-port 64738 in via $vif limit src-addr 5

### OpenVPN
$cmd 00104 allow udp from any to any dst-port 1194 in via $vif keep-state
$cmd 00105 allow udp from any to any dst-port 1194 out via $vif keep-state
### SSH:
$cmd 00106 allow tcp from any to any dst-port 22 in via $vif setup keep-state
$cmd 00107 allow tcp from any to any dst-port 22 out via $vif setup keep-state

### DNS:
$cmd 00108 allow tcp from any to me dst-port 53 in via $vif setup keep-state
$cmd 00110 allow tcp from me to any dst-port 53 out via $vif setup keep-state
$cmd 00111 allow udp from any to any dst-port 53 via $vif keep-state

### Webmin:
$cmd 00112 allow tcp from any to any dst-port 50000 in via $vif setup keep-state
$cmd 00113 allow tcp from any to any dst-port 50000 out via $vif setup keep-state


# allow HTTP HTTPS replies
$cmd 00400 allow tcp from any to any dst-port 80 in via $vif setup limit src-addr 10
$cmd 00410 allow tcp from any to any dst-port 443 in via $vif setup limit src-addr 10
$cmd 00200 allow tcp from any to any dst-port 80 out via $vif setup keep-state
$cmd 00220 allow tcp from any to any dst-port 443 out via $vif setup keep-state

# allow outbound mail
#$cmd 00230 allow tcp from any to any dst-port 25 out via $vif setup keep-state
#$cmd 00231 allow tcp from any to any dst-port 465 out via $vif setup keep-state
#$cmd 00232 allow tcp from any to any dst-port 587 out via $vif setup keep-state

# allow icmp re: ping, et. al.
# comment this out to disable ping, et.al.
#$cmd 00250 allow icmp from any to any out via $vif keep-state

# alllow timeserver out
#$cmd 00260 allow tcp from any to any dst-port 37 out via $vif setup keep-state

# allow ntp out
#$cmd 00270 allow udp from any to any dst-port 123 out via $vif keep-state

# otherwise deny outbound packets
# outbound catchall.
#$cmd 00299 deny log ip from any to any out via $vif

# inbound rules
# deny inbound traffic to restricted addresses
$cmd 00300 deny ip from 192.168.0.0/16 to any in via $vif
$cmd 00301 deny ip from 172.16.0.0/12 to any in via $vif
$cmd 00302 deny ip from 10.0.0.0/8 to any in via $vif
$cmd 00303 deny ip from 127.0.0.0/8 to any in via $vif
$cmd 00304 deny ip from 0.0.0.0/8 to any in via $vif
$cmd 00305 deny ip from 169.254.0.0/16 to any in via $vif
$cmd 00306 deny ip from 192.0.2.0/24 to any in via $vif
$cmd 00307 deny ip from 204.152.64.0/23 to any in via $vif
$cmd 00308 deny ip from 224.0.0.0/3 to any in via $vif

# deny inbound packets on these ports
# auth 113, netbios (services) 137/138/139, hosts-nameserver 81
$cmd 00315 deny tcp from any to any dst-port 113 in via $vif
$cmd 00320 deny tcp from any to any dst-port 137 in via $vif
$cmd 00321 deny tcp from any to any dst-port 138 in via $vif
$cmd 00322 deny tcp from any to any dst-port 139 in via $vif
$cmd 00323 deny tcp from any to any dst-port 81 in via $vif

#################################################
# Deny Port scanning (Nmap)
#################################################
$cmd 00600 deny log logamount 50 ip from any to any ipoptions rr
$cmd 00610 deny log logamount 50 ip from any to any ipoptions ts
$cmd 00620 deny log logamount 50 ip from any to any ipoptions lsrr
$cmd 00630 deny log logamount 50 ip from any to any ipoptions ssrr
$cmd 00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
$cmd 00650 deny log logamount 50 tcp from any to any tcpflags syn,rst


# deny partial packets
$cmd 00330 deny ip from any to any frag in via $vif
$cmd 00332 deny tcp from any to any established in via $vif

# deny everything else, and log it
# inbound catchall
#$cmd 55000 deny all from 'table(22)' to any
$cmd 55000 deny ip from table\(22\) to any

$cmd 56599 deny log ip from any to any in via $vif
# ipfw built-in default, don't uncomment
# $cmd 65535 deny ip from any to any
```

My SSH-Guard config:

```
#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/local/libexec/sshg-fw-hosts"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/security"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=20

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
#IPV6_SUBNET=128

# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
#IPV4_SUBNET=32

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
```

Someone can help ? 
Thanks )


----------



## SirDice (Jun 13, 2018)

```
# Full path to backend executable (required, no default)
BACKEND="/usr/local/libexec/sshg-fw-hosts"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"
```
You can only enable one of them.

But besides that, you're allowing access to port 22 (rule 106) long before your rules evaluate the ssh-guard block rules (rule 55000). That means it never actually worked.


----------



## VladiBG (Jun 13, 2018)

Your IPFW rule number 55000 that block table22  must be above the allow rules. You can move it to 0070. Then you can check the content of table 22 using
`ipfw table 22 list`


----------



## bryn1u (Jun 13, 2018)

Nope it sill doesn't work. Before changes, the rule was end of line and worked. I have put it to the 70 line.

```
#ipfw add pipe 1 ip from any to any uid bryn1u


$cmd 0050 reass all from any to any in
$cmd 0060 check-state

### SSHGuard
$cmd 0070 deny ip from table\(22\) to any

### IRC
#$cmd 00100 allow tcp from any to any dst-port 6667 in via $vif setup keep-state
$cmd 0099 allow tcp from any to any dst-port 6667 out via $vif setup keep-state
....
....
```
Table 22:

```
root@HardenedBSD:/home/bryn1u # ipfw 22 table list
--- table(22), set(0) ---
root@HardenedBSD:/home/bryn1u #
```

Could it be any problem related to Ssh-guard or ipfw options if i disabled `IPFIREWALL_DEFAULT_TO_ACCEPT` ?

```
options         IPFIREWALL                   # enables IPFW
options         IPFIREWALL_VERBOSE           # enables logging for rules with log keyword
options         IPFIREWALL_VERBOSE_LIMIT=5   # limits number of logged packets per-entry
#options      IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
options         IPDIVERT                     # enables NAT
options         HZ=1000                 # strongly recommended
options         DUMMYNET
```


----------



## ShelLuser (Jun 13, 2018)

Now, this response is not going to directly help you and in all honesty I'm probably also biased.

But have you ever considered using blacklistd instead? See blacklistd(8). It's a native intrusion detection system, in other words: it's part of the FreeBSD base system, and it provides a lot more flexibility than SSHGuard in my opinion. Obviously support for all the firewall types provided by FreeBSD, but also the ability to fully customize its behavior if you want to (by using a custom script for the handling of the intrusions).

Best of all is that FreeBSD's SSH provides native support for this (see the UseBlacklist option). Meaning that the intrusion daemon doesn't have to try and detect any bad logon attempts, it simply needs to process those which get reported by sshd itself, which I personally consider a major pro in comparison.

Maybe something worth considering?


----------



## VladiBG (Jun 13, 2018)

Your table(22) is empty so there's no blacklisted hosts to be blocked at the moment. Also you need to commend this line out
`#BACKEND="/usr/local/libexec/sshg-fw-hosts"`


----------



## bryn1u (Jun 13, 2018)

ShelLuser said:


> Now, this response is not going to directly help you and in all honesty I'm probably also biased.
> 
> But have you ever considered using blacklistd instead? See blacklistd(8). It's a native intrusion detection system, in other words: it's part of the FreeBSD base system, and it provides a lot more flexibility than SSHGuard in my opinion. Obviously support for all the firewall types provided by FreeBSD, but also the ability to fully customize its behavior if you want to (by using a custom script for the handling of the intrusions).
> 
> ...



I think is a good idea. Im going to try it. Thank you.



VladiBG said:


> Your table(22) is empty so there's no blacklisted hosts to be blocked at the moment.


And it will not. I saw in the log thousands of bad attemts login to ssh. The problem is that ssh table for sshguard is empty. This is the main problem.


----------



## VladiBG (Jun 13, 2018)

Is there any error messages in /var/log/messages ? is the sshguard service started?

`$cmd 0070 deny tcp from 'table(22)' to any`


----------



## bryn1u (Jun 13, 2018)

VladiBG said:


> Is there any error messages in /var/log/messages ? is the sshguard service started?
> 
> `$cmd 0070 deny tcp from 'table(22)' to any`


Nope, it's completely deaf.


----------



## VladiBG (Jun 13, 2018)

bryn1u said:


> Could it be any problem related to Ssh-guard or ipfw options if i disabled  IPFIREWALL_DEFAULT_TO_ACCEPT ?


No it's not related to this. You have:
`$cmd 56599 deny log ip from any to any in via $vif`
that block any connections on your $vif that are not allowed before this rule.

You can try to make several faulty ssh attempts to see if there's log message in /var/log/messages. The sshguard doesn't rescan the log file so if you have previously logged attempts in your /var/log/auth  is irrelevant.

Did you change your sshguard.conf file to leave only one backend and restart the sshguard after it?


----------



## SirDice (Jun 13, 2018)

Have you tried the debug mode? Something like `env SSHGUARD_DEBUG=1 sshguard -b 120:/var/db/sshguard/blacklist.db -l /var/log/auth.log`


----------



## bryn1u (Jun 13, 2018)

SirDice said:


> Have you tried the debug mode? Something like `env SSHGUARD_DEBUG=1 sshguard -b 120:/var/db/sshguard/blacklist.db -l /var/log/auth.log`



And that's all. (

```
root@HardenedBSD:/var/log # env SSHGUARD_DEBUG=1 sshguard -b 120:/var/db/sshguard/blacklist.db -l /var/log/auth.log
sshguard[6654]: blacklist: blocking 0 addresses
sshguard[6654]: whitelist: add '127.0.0.1' as plain IPv4.
sshguard[6654]: whitelist: add plain IPv4 127.0.0.1.
sshguard[6654]: Now monitoring attacks.
```



ShelLuser said:


> Now, this response is not going to directly help you and in all honesty I'm probably also biased.
> 
> But have you ever considered using blacklistd instead? See blacklistd(8). It's a native intrusion detection system, in other words: it's part of the FreeBSD base system, and it provides a lot more flexibility than SSHGuard in my opinion. Obviously support for all the firewall types provided by FreeBSD, but also the ability to fully customize its behavior if you want to (by using a custom script for the handling of the intrusions).
> 
> ...




```
root@HardenedBSD:~ # blacklistctl dump -b
        address/ma:port    id    nfail    last access
 169.55.194.233/32:22    OK    9/3    2018/06/13 21:18:01
  139.219.14.63/32:22    OK    15/3    2018/06/13 21:44:46
  80.211.138.31/32:22    OK    23/3    2018/06/13 21:43:26
root@HardenedBSD:~ #
```
How do i know if it's really blocked by ipfw ?
I don't see any additionally port added by blacklistd:

```
00010 allow ip from any to any via lo0
00050 reass ip from any to any in
00060 check-state :default
00070 deny ip from table(22) to any
00099 allow tcp from any to any 6667 out via em0 setup keep-state :default
00100 allow tcp from any to any 113 in via em0 setup keep-state :default
00101 allow tcp from any to any 113 out via em0 setup keep-state :default
00102 allow tcp from any to any 64738 in via em0 setup limit src-addr 5 :default
00103 allow udp from any to any 64738 in via em0 limit src-addr 5 :default
00104 allow udp from any to any 1194 in via em0 keep-state :default
00105 allow udp from any to any 1194 out via em0 keep-state :default
00106 allow tcp from any to any 22 in via em0 setup keep-state :default
00107 allow tcp from any to any 22 out via em0 setup keep-state :default
00108 allow tcp from any to me 53 in via em0 setup keep-state :default
00110 pipe 1 ip from any to any uid xyu
00110 allow tcp from me to any 53 out via em0 setup keep-state :default
00111 allow udp from any to any 53 via em0 keep-state :default
00200 allow tcp from any to any 80 out via em0 setup keep-state :default
00220 allow tcp from any to any 443 out via em0 setup keep-state :default
00300 deny ip from 192.168.0.0/16 to any in via em0
00301 deny ip from 172.16.0.0/12 to any in via em0
00302 deny ip from 10.0.0.0/8 to any in via em0
00303 deny ip from 127.0.0.0/8 to any in via em0
00304 deny ip from 0.0.0.0/8 to any in via em0
00305 deny ip from 169.254.0.0/16 to any in via em0
00306 deny ip from 192.0.2.0/24 to any in via em0
00307 deny ip from 204.152.64.0/23 to any in via em0
00308 deny ip from 224.0.0.0/3 to any in via em0
00315 deny tcp from any to any 113 in via em0
00320 deny tcp from any to any 137 in via em0
00321 deny tcp from any to any 138 in via em0
00322 deny tcp from any to any 139 in via em0
00323 deny tcp from any to any 81 in via em0
00330 deny ip from any to any frag in via em0
00332 deny tcp from any to any established in via em0
00400 allow tcp from any to any 80 in via em0 setup limit src-addr 10 :default
00410 allow tcp from any to any 443 in via em0 setup limit src-addr 10 :default
00600 deny log logamount 50 ip from any to any ipoptions rr
00610 deny log logamount 50 ip from any to any ipoptions ts
00620 deny log logamount 50 ip from any to any ipoptions lsrr
00630 deny log logamount 50 ip from any to any ipoptions ssrr
00640 deny log logamount 50 tcp from any to any tcpflags syn,fin
00650 deny log logamount 50 tcp from any to any tcpflags syn,rst
02022 deny tcp from table(port22) to any 22
56599 deny log logamount 5 ip from any to any in via em0
65535 deny ip from any to any
```


----------



## VladiBG (Jun 13, 2018)

check your ipfw table 22


----------



## bryn1u (Jun 13, 2018)

VladiBG said:


> check your ipfw table 22




```
root@HardenedBSD:~ # ipfw table 22 list
--- table(22), set(0) ---
root@HardenedBSD:~ #
```


```
root@HardenedBSD:~ # ipfw list | grep table
00070 deny ip from table(22) to any
02022 deny tcp from table(port22) to any 22
root@HardenedBSD:~ #
```


----------



## ShelLuser (Jun 13, 2018)

It depends on /etc/blacklistd.conf what table is going to be used, but the default is without spaces. So check table22, _not_ table(22).

Note: I don't use ipfw myself but pf, but I base myself on the default script (/usr/libexec/blacklistd-helper), see here:


```
ipfw)
                /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK
                ;;
```

(edit)

This is the actual code which adds the offenders:

```
ipfw)
                # use $ipfw_offset+$port for rule number
                rule=$(($ipfw_offset + $6))
                tname="port$6"
                /sbin/ipfw table $tname create type addr 2>/dev/null
                /sbin/ipfw -q table $tname add "$addr/$mask"
```
As you can see: tname is used as port$6 therefor my conclusion: table22.

In case you're wondering about the parameter usage:


```
#set -x
# $1 command
# $2 rulename
# $3 protocol
# $4 address
# $5 mask
# $6 port
# $7 id
```

Hope this can help!


----------



## VladiBG (Jun 14, 2018)

@ *ShelLuser *
The table name is displayed in brackets. By default the sshguard is using table number 22 if needed you can change it inside /usr/local/libexec/sshg-fw-ipfw
The tables in ipfw are used to handle large sparse sets of addresses or other keys. Sshguard is dynamically add the ip address into the table but you still need to specify the rule for this table inside your ipfw rule set. To list all all tables you can use
`ipfw table all list`

@*bryn1u*

If you are going to use blacklistd then you need to consider that the blaclistd-helper is creating a rule at range 2000 with the respective port number for your example this is 2022 and table with the name "port22" in which it put all black listed hosts. So you will need to modify your "allow" rules to be with number above/after this deny rule to work. Otherwise this deny rule at 2022 will never be reached

```
00106 allow tcp from any to any 22 in via em0 setup keep-state :default
00107 allow tcp from any to any 22 out via em0 setup keep-state :default
```


You need to think for a better way to reorganize your ipfw rules into bigger sections like 11000 12000 13000

You can change the default rule offset by editing /etc/ipfw-blacklist.rc
`echo "ifpw_offset=4000" > /etc/ipfw-blacklist.rc`

This will tell the blacklistd to use range of 4000 instead of default 2000


----------



## SirDice (Jun 14, 2018)

bryn1u said:


> And that's all. (


Leave it running for a while. You should see it detect attacks and then the actual rules that are created.


----------



## bryn1u (Jun 14, 2018)

ShelLuser said:


> It depends on /etc/blacklistd.conf what table is going to be used, but the default is without spaces. So check table22, _not_ table(22).
> 
> Note: I don't use ipfw myself but pf, but I base myself on the default script (/usr/libexec/blacklistd-helper), see here:
> 
> ...



Hey,

```
root@HardenedBSD:/home/bryn1u # ipfw table all list
--- table(22), set(0) ---
--- table(port22), set(0) ---
5.188.10.76/32 0
13.78.44.224/32 0
51.38.89.190/32 0
80.211.138.31/32 0
139.219.14.63/32 0
164.132.58.90/32 0
193.201.224.214/32 0
```
I have the 2 tables. One "22" table is definied for sshguard, second "port22" is definied for blacklistd.
Why i can't list table for balcklist:

```
root@HardenedBSD:/home/bryn1u # ipfw port22 table list
ipfw: bad command `port22'
```
For sshguard works

```
root@HardenedBSD:/home/bryn1u # ipfw 22 table list
--- table(22), set(0) ---
root@HardenedBSD:/home/bryn1u #
```

But if i entry for all tables, looks good, and getting all tables:

```
root@HardenedBSD:/home/bryn1u # ipfw table all list
--- table(22), set(0) ---
--- table(port22), set(0) ---
5.188.10.76/32 0
13.78.44.224/32 0
51.38.89.190/32 0
80.211.138.31/32 0
139.219.14.63/32 0
164.132.58.90/32 0
193.201.224.214/32 0
```


----------



## VladiBG (Jun 14, 2018)

If you are going to use IPFW then make yourself a favor and read ipfw(8)



> *ipfw* [*set* _N_] *table*    {_name_ |    _all_} *list*



`ipfw table port22 list`

It's a good idea to use only one of them(sshguard or blacklistd) not both.

There's several other tools that you can also check like fail2ban.


----------



## bryn1u (Jun 14, 2018)

VladiBG said:


> If you are going to use IPFW then make yourself a favor and read ipfw(8)
> 
> 
> 
> ...



Yes, im using one of them but i just want to check in this case. Do you know any tools  equivalent to fail2ban ? Except sshguard which dosen't work.


----------



## VladiBG (Jun 14, 2018)

sshguard is working just fine, i tested it on my laptop. On some of my postfix servers i'm using fail2ban because it's easy for me to edit the filter configuration.

So you already know about:
blacklistd;sshguard;fail2ban


----------



## SirDice (Jun 14, 2018)

VladiBG said:


> sshguard is working just fine, i tested it on my laptop


Yep, it works fine. I have it running on my VPS. Although I use PF instead of IPFW. I did have a few issues some time ago but that was due to my own mistakes in pf.conf. And I found those relatively quickly by running sshguard in debug mode.


----------

