# SSHGuard not Blocking Connections



## Lego (Nov 12, 2009)

Ok, this should be here or in ports installation and maintenance; wasn't sure, so I started here.

So the original thread I had was here: http://forums.freebsd.org/showthread.php?t=8047

Um so, I had not had another hack-in attempt since getting sshguard talking properly to everything, so I just checked my security report and well....

```
Nov 12 01:58:59 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:00 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:01 blurr-ink proftpd[11188]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:13 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:14 blurr-ink proftpd[11189]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:26 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:27 blurr-ink proftpd[11190]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:39 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:40 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:41 blurr-ink proftpd[11191]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 01:59:52 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:53 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:54 blurr-ink proftpd[11192]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:00 blurr-ink sshguard[10051]: Got exit signal, flushing blocked addresses and exiting...
Nov 12 02:00:00 blurr-ink sshguard[11208]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
Nov 12 02:00:05 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:06 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:07 blurr-ink proftpd[11193]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:19 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:20 blurr-ink proftpd[11221]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:32 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:33 blurr-ink proftpd[11223]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:45 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:00:46 blurr-ink proftpd[11224]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
Nov 12 02:00:58 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:00:59 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - USER apache: no such user found from 219.146.8.75 [219.146.8.75] to 192.16
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 02:01:00 blurr-ink proftpd[11225]: localhost (219.146.8.75[219.146.8.75]) - FTP session closed.
```

No time gap between the logged attempts, and obviously not blocking the IP, PLUS I have it set for 5 attempts if you look at my config in the thread link up top. Any ideas?

Also, there is a lot more than just posted, but I didn't want to flood the page 'that' bad.
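The log above contains far more than five failed logins from one address within a few seconds, so a counter configured as (a,p,s)=(5, 420, 1200) should have fired. What follows is an added example, not sshguard's code and not from this thread: a Python replay of the sshguard-style threshold model over constructed log lines in the same formats the thread shows (proftpd, sshd and imapd). It is a way of checking whether a given log *should* have produced a block before suspecting the firewall side. The addresses, host name, `replay`/`AttackCounter` names and the assumed year are this example's own. Note also that the `Got exit signal, flushing blocked addresses` line at 02:00:00 in the log above means any block made before that restart would have been undone by it.

```python
"""sshguard-style attack counter replayed over syslog lines.

Added example, not sshguard's code. It applies the (a, p, s) model sshguard
prints at start-up, "[(a,p,s)=(5, 420, 1200)]": block after `a` failures,
keep the block at least `p` seconds, forget failures older than `s` seconds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2009  # syslog timestamps carry no year; assumed for the constructed sample

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# One failure signature per service, in the message formats quoted in the thread.
FAILURE_PATTERNS = {
    "proftpd": re.compile(
        r"\(\S*\[(?P<ip>[\d.]+)\]\) - USER [^\s:]+(?:: no such user found| \(Login failed\))"),
    "sshd": re.compile(r"error: PAM: authentication error for \S+ from (?P<ip>[\d.]+)"),
    "imapd": re.compile(r"Login failed user=\S+ auth=\S+ host=\S+ \[(?P<ip>[\d.]+)\]"),
}


def parse_failure(line):
    """(timestamp, service, source_ip) for an auth-failure line, else None.

    "Maximum login attempts", "FTP session closed" and syslogd's
    "last message repeated N times" yield None: no countable failure of their own.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pattern = FAILURE_PATTERNS.get(m.group("proc"))
    hit = pattern.search(m.group("msg")) if pattern else None
    if hit is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=YEAR)
    return ts, m.group("proc"), hit.group("ip")


class AttackCounter:
    """Per-source failure counter with attempts/pardon/stale limits."""

    def __init__(self, attempts=5, pardon=420, stale=1200):
        self.attempts, self.pardon, self.stale = attempts, pardon, stale
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocks = []                   # (ip, when, failure_count, span_seconds)

    def feed(self, line):
        """Consume one log line; return the block record if this line triggers one."""
        event = parse_failure(line)
        if event is None:
            return None
        ts, _service, ip = event
        window = timedelta(seconds=self.stale)
        recent = [t for t in self.failures[ip] if ts - t <= window] + [ts]
        if len(recent) >= self.attempts:
            span = int((ts - recent[0]).total_seconds())
            self.blocks.append((ip, ts, len(recent), span))
            self.failures[ip] = []         # a new offence starts from zero
            return self.blocks[-1]
        self.failures[ip] = recent
        return None

    def is_blocked(self, ip, now):
        """True while any block of `ip` is younger than the pardon time."""
        pardon = timedelta(seconds=self.pardon)
        return any(b_ip == ip and now - when < pardon for b_ip, when, _n, _s in self.blocks)


def replay(log_text, **thresholds):
    """Feed every line of `log_text` to a fresh counter and return that counter."""
    counter = AttackCounter(**thresholds)
    for line in log_text.splitlines():
        counter.feed(line)
    return counter


# Constructed sample (RFC 5737 addresses): two proftpd sessions of three bad
# logins each from one source, proftpd's non-failure lines, one sshd failure
# from another source, and a syslogd repeat marker.
SAMPLE_LOG = """\
Nov 12 01:58:59 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:00 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:01 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:01 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - Maximum login attempts (3) exceeded, connection refused
Nov 12 01:59:01 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - FTP session closed.
Nov 12 01:59:13 host proftpd[11189]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:13 host proftpd[11189]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:14 host proftpd[11189]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21
Nov 12 01:59:20 host sshd[4242]: error: PAM: authentication error for root from 198.51.100.9
Nov 12 01:59:22 host last message repeated 2 times
"""

if __name__ == "__main__":
    for ip, when, n, span in replay(SAMPLE_LOG).blocks:
        print(f"Blocking {ip}: {n} failures over {span} seconds (at {when:%H:%M:%S})")
```

Run on the constructed sample, the counter reports one block for 203.0.113.7 at the fifth failure (01:59:13, five failures over 14 seconds), which is the same shape as the `Blocking ...: 5 failures over 6 seconds.` line sshguard writes later in this thread. Lowering `stale` to a few seconds makes the two sessions count separately and no block fires; that is the knob to look at when a slow, spaced-out attempt is not being caught.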


----------



## SirDice (Nov 12, 2009)

What firewall do you use? If you use PF did you add the rules?

Something like:

```
block in on $ext_if proto tcp from <sshguard>
```


----------



## Lego (Nov 12, 2009)

Yes I did; my pf.conf looks like this:

```
#       $FreeBSD: src/share/examples/pf/pf.conf,v 1.1.2.1.4.1 2008/11/25 02:59:29 kensmith Exp $
#       $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#ext_if="ext0"
#int_if="int0"

#table <spamd-white> persist
table <sshguard> persist

#set skip on lo

#scrub in

#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#       -> 127.0.0.1 port spamd

#anchor "ftp-proxy/*"
#block in
#pass out

#pass quick on $int_if no state
#antispoof quick for { lo $int_if }

#pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
block in quick on fxp0 from <sshguard> label "ssh bruteforce"
```

My ethernet card is fxp0:

```
blurr-ink# ifconfig fxp0
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:11:11:52:01:13
        inet 192.168.0.194 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
```

This page http://sshguard.sourceforge.net/doc/setup/blockingpf.html said to change the $ext_if to your WAN interface name, so that's why I put fxp0; is that wrong??

Ironic: as I was posting this, it seems the person has stopped trying to get in.... hmmm.. maybe someone on the forum that has seen lots of my posts and figures they can get in easy??


----------



## SirDice (Nov 12, 2009)

Lego said:

> This page http://sshguard.sourceforge.net/doc/setup/blockingpf.html said to change the $ext_if to your WAN interface name, so that's why I put fxp0; is that wrong??


No, it's not wrong. I prefer to use variables. If my interface changes I don't have to edit all my rules, just change the variable.

Did you reload your new pf.conf? 
`# pfctl -f /etc/pf.conf`


----------



## Lego (Nov 12, 2009)

I also removed the 'to any port 22' because I want them completely blocked: if you try and hack one, why should I let you try to hack another... my thoughts anyway.


ADDED: yes, I have reloaded the rules twice and even tried a restart.

I did a `pfctl -F all -f /etc/pf.conf` because it said it flushes all rules before reloading them; figured it was a good idea.


----------



## DutchDaemon (Nov 12, 2009)

Are you sure SSHguard actually sees these login attempts? Try this trick again if you must. Also make sure that the PID file you gave to SSHguard to check the validity of the logging process is actually present/correct.


----------



## Lego (Nov 12, 2009)

Actually, I did re-add that trick and restarted syslogd. Those failed attempts listed up top are pulled from the sshguard.log file; how do I verify the PID file is present/correct??

When I `ee /var/run/proftpd.pid` it opens a document that says 932, that's it! Not supposed to do that, am I? lol


----------



## DutchDaemon (Nov 12, 2009)

So, is ProFTPD actually running as process # 932 in `pgrep proftpd`? SSHguard will only consider those authentication attempts if /var/run/proftpd.pid and `pgrep proftpd` match.


----------



## Lego (Nov 12, 2009)

Yes, they do match; weird, I thought I was wrong opening the file like that. 932 in /var/run/proftpd.pid, and 932 for the pgrep:

```
blurr-ink# pgrep proftpd
932
blurr-ink#
```
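The `-f 310:/var/run/proftpd.pid` argument makes sshguard accept proftpd lines only from the process the pid file names, which is why the pid-file check above matters. One detail worth noticing in the logs in this thread: the daemons log per-session pids (proftpd[11188], proftpd[11189], later sshd[49424]) while the pid files hold the master's pid (932, and 1094 for sshd), so a check that accepted only the exact pid would reject every line. The following is an added example, not sshguard's code, that performs such a check and also accepts a pid whose parent chain (read with `ps -o ppid=`) leads to the master; that descendant rule is this example's assumption about what such a check should do, since the thread does not state sshguard's exact rule. The process tree, log lines and pid file are constructed.

```python
"""Does the pid in a syslog line belong to the daemon named in a pid file?

Added example, not sshguard's code. A line is 'authorized' when its pid is the
pid-file master or a descendant of it (assumption made by this example).
"""
import os
import re
import subprocess
import tempfile

PROC_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ (?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: ")


def read_pidfile(path):
    """Integer pid stored in `path`, or None if the file is missing or not a number."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def ppid_from_ps(pid):
    """Parent pid via ps(1) (`ps -o ppid= -p PID`); None once the process is gone."""
    out = subprocess.run(["ps", "-o", "ppid=", "-p", str(pid)],
                         capture_output=True, text=True).stdout.strip()
    return int(out) if out.isdigit() else None


def is_authoritative(logged_pid, master_pid, ppid_of, max_depth=8):
    """True if logged_pid is master_pid or one of its descendants."""
    pid = logged_pid
    for _ in range(max_depth):
        if pid == master_pid:
            return True
        pid = ppid_of(pid)
        if pid is None or pid <= 1:    # reached init or a vanished process
            return False
    return False


def classify(line, service, pidfile, ppid_of=ppid_from_ps):
    """'authorized', 'rejected' (pid not under the master), 'no-pidfile', or 'ignored'."""
    m = PROC_RE.match(line)
    if not m or m.group("proc") != service:
        return "ignored"
    master = read_pidfile(pidfile)
    if master is None:
        return "no-pidfile"
    return "authorized" if is_authoritative(int(m.group("pid")), master, ppid_of) else "rejected"


# Constructed process tree standing in for ps(1): 932 is the proftpd master
# started by init (1); 11188 and 11189 are its session children; 4242 is an
# unrelated process also started by init.
FAKE_PPID = {932: 1, 11188: 932, 11189: 932, 4242: 1}

# Constructed log lines (RFC 5737 address), in the formats seen in the thread.
SAMPLE_LINES = [
    "Nov 12 01:58:59 host proftpd[11188]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found",
    "Nov 12 01:59:13 host proftpd[11189]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found",
    "Nov 12 01:59:20 host proftpd[4242]: localhost (203.0.113.7[203.0.113.7]) - USER apache: no such user found",
    "Nov 12 01:59:25 host sshd[49424]: error: PAM: authentication error for lego from 203.0.113.7",
]


def demo():
    """Run the sample lines against a constructed proftpd.pid holding 932."""
    with tempfile.TemporaryDirectory() as tmp:
        pidfile = os.path.join(tmp, "proftpd.pid")
        with open(pidfile, "w") as fh:
            fh.write("932\n")
        verdicts = [classify(l, "proftpd", pidfile, FAKE_PPID.get) for l in SAMPLE_LINES]
        missing = classify(SAMPLE_LINES[0], "proftpd", os.path.join(tmp, "absent.pid"), FAKE_PPID.get)
    return verdicts, missing


if __name__ == "__main__":
    print(demo())
```

On a live host, `classify(line, "proftpd", "/var/run/proftpd.pid")` uses the real `ps`; the point of the injectable `ppid_of` is that the decision logic can be exercised without any daemon running. The third sample line (proftpd[4242], a process not under the master) is the case a spoofed or unrelated log writer would produce, and it is rejected.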


----------



## DutchDaemon (Nov 12, 2009)

Actually, ProFTPD is service code *310*, not 300 ..., I saw they were both mentioned in the other thread. Make sure it's 310.


----------



## Lego (Nov 13, 2009)

Yes, that was changed when you had given me the link to the service codes page; this is the current /etc/syslog.conf line:

```
auth.info;authpriv.info;ftp.info;mail.info     |exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;ftp.info;mail.info       /var/log/sshguard.log
```


----------



## DutchDaemon (Nov 13, 2009)

Well, if the service code is ok, the logging arrives ok, the PID is ok, and sshguard is running .. I don't know what's left to look at. Is it working for sshd and Dovecot?


----------



## Lego (Nov 13, 2009)

Hmm.... Not sure, I guess I could try and ban myself, but I haven't had any attacks on sshd since I changed the port and I've never had an attack on my mail server. I'll do 5 failed attempts to ssh now and see if it works...


----------



## Lego (Nov 13, 2009)

Ok, LOL yes it is blocking sshd attempts.... Now I'm locked out of my server LOL

```
Nov 13 18:25:29 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:32 blurr-ink last message repeated 2 times
Nov 13 18:25:32 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:34 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:34 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:25:35 blurr-ink sshd[49424]: error: PAM: authentication error for lego from 216.8.133.228
Nov 13 18:25:35 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 6 seconds.
Nov 13 18:25:35 blurr-ink sshd[49424]: Failed keyboard-interactive/pam for lego from 216.8.133.228 port 58094 ssh2
Nov 13 18:27:27 blurr-ink sshd[49446]: Accepted keyboard-interactive/pam for lego from 192.168.0.196 port 58108 ssh2
Nov 13 18:27:27 blurr-ink sshd[49443]: error: ssh_msg_send: write
Nov 13 18:27:35 blurr-ink su: lego to root on /dev/ttyp1
```

After the 5 it just crashed my PuTTY; well, it wouldn't even let me connect, so it is blocking for ssh..... It then let me locally ssh in, so I can remove the blocked address.

ADDED: how do I remove the address, or do I just have to wait?? Default time is what, 2-7 minutes??


----------



## dennylin93 (Nov 13, 2009)

The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.

It's also possible to use `# pfctl -t sshguard -T d ip.add.re.ss` to delete IPs. `-T s` to show them and `-T f` to flush the table.


----------



## Lego (Nov 13, 2009)

And IMAP seems to be working as well:

```
Nov 13 18:40:00 blurr-ink imapd[49729]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:12 blurr-ink last message repeated 2 times
Nov 13 18:40:17 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:22 blurr-ink imapd[49729]: Login excessive login failures user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:28 blurr-ink imapd[49729]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:28 blurr-ink imapd[49733]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:34 blurr-ink imapd[49733]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:34 blurr-ink imapd[49734]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink imapd[49734]: Unexpected client disconnect, while reading line user=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.1
Nov 13 18:40:37 blurr-ink imapd[49735]: Login failed user=lego auth=lego host=dyn216-8-133-228.ADSL.mnsi.net [216.8.133.228]
Nov 13 18:40:37 blurr-ink sshguard[37486]: Blocking 216.8.133.228: 5 failures over 902 seconds.
```


----------



## Lego (Nov 13, 2009)

dennylin93 said:

> The default is 420 seconds. You get unblocked after 420 ~ 630 seconds.
>
> It's also possible to use `# pfctl -t sshguard -T d ip.add.re.ss` to delete IPs. `-T s` to show them and `-T f` to flush the table.



Thanks, yeah I'm unblocked already.


----------



## Lego (Nov 13, 2009)

Um, I think I either don't understand your syntax or it's wrong....
This worked but yours didn't:

```
blurr-ink# pfctl -Tshow -t sshguard
No ALTQ support in kernel
ALTQ related functions disabled
```

The `-T f` didn't flush them either; what am I doing wrong.... http://sshguard.sourceforge.net/doc/setup/blockingpf.html is where I got the command I used. Oh, and I did re-ban myself before trying to flush them... time ran out before I got it to work.


----------



## DutchDaemon (Nov 14, 2009)

These are all the same:

```
-t table -T s
-t table -T show
-t table -Ts
-t table -Tshow
-T s -t table
-T show -t table
-Ts -t table
-Tshow -t table
-ttable -T .... etc.
-Td -Tdelete -Tflush -T f -T delete -T flush etc. etc
```


----------



## Lego (Nov 14, 2009)

Oh, okay. So if sshd and dovecot are working, why isn't proftpd?


----------



## dennylin93 (Nov 14, 2009)

The problem might be with sshguard.


----------



## Lego (Nov 14, 2009)

Any ideas as to what I could try now?


----------



## dennylin93 (Nov 14, 2009)

Try user support?


----------



## Lego (Nov 14, 2009)

Ok, I created an account on SourceForge and I'm looking at this page: https://sourceforge.net/mailarchive/forum.php?forum_name=sshguard-users ; how do I create a thread??


----------



## Lego (Nov 16, 2009)

Ok, um I think I did the right thing. I'm supposed to submit an email to the mailing list?? So I did, and gave the link to this thread; hopefully that's what I was supposed to do, and someone will be able to help me.


----------



## dennylin93 (Nov 16, 2009)

I tried using sshguard with Pure-FTPd, and it didn't work either.


----------



## Lego (Nov 19, 2009)

Ok, so it was suggested that I download sshguard 1.4, compile and install it and get back to them, and possibly help port it to BSD, so I downloaded the binary from:

```
blurr-ink# fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2
sshguard-1.4.tar.bz2                          100% of   55 kB   13 kBps
```

And I installed bzip2:

```
===>   Compressing manual pages for bzip2-1.0.5
===>   Running ldconfig
/sbin/ldconfig -m /usr/local/lib
===>   Registering installation for bzip2-1.0.5
===>  Cleaning for bzip2-1.0.5
blurr-ink# rehash
```

And I'm trying to extract now:

```
blurr-ink# tar yxf sshguard-1.4.tar.bz2
tar: Unrecognized archive format: Inappropriate file type or format
tar: Error exit delayed from previous errors.
```

What am I doing wrong? And I am in the proper directory that I downloaded it to.


----------



## jalla (Nov 19, 2009)

> ```
> blurr-ink# tar yxf sshguard-1.4.tar.bz2
> tar: Unrecognized archive format: Inappropriate file type or format
> tar: Error exit delayed from previous errors.
> ...
> ```



Use `tar -zxf sshguard-1.4.tar.bz2`


----------



## DutchDaemon (Nov 19, 2009)

No, 'y' is for bz2, 'z' is for gzip.

Lego, can you bunzip it first? Does that work?


----------



## FBSDin20Steps (Nov 19, 2009)

```
$ tar -yxf sshguard-1.4.tar.bz2
```
Will do just fine, or the fetched file is corrupt.


----------



## jalla (Nov 19, 2009)

DutchDaemon said:

> No, 'y' is for bz2, 'z' is for gzip.



Not really


```
gong:/h/tl# tar cf z.tar tmp
gong:/h/tl# bzip2 z.tar
gong:/h/tl# tar -tvzf z.tar.bz2
drwxr-xr-x  0 tl     tl          0 Nov  6 08:51 tmp/
-rwxr-xr-x  0 tl     tl    1402400 Nov  5 20:30 tmp/filer02.091004
-rwxr-xr-x  0 tl     tl       2189 Nov  5 20:30 tmp/ops_dp.pl
-rwxr-xr-x  0 tl     tl    1633905 Nov  5 20:30 tmp/filer02.091011
-rwxr-xr-x  0 tl     tl       5430 Nov  6 00:15 tmp/stat_dp.pl
-rwxr-xr-x  0 tl     tl     501267 Nov  5 20:30 tmp/dataf02.txt
-rwxr-xr-x  0 tl     tl    3041058 Nov  5 20:30 tmp/ASUPGrab.zip
gong:/h/tl#
```


----------



## DutchDaemon (Nov 19, 2009)

In fact, you don't even need 'y' or 'z', because both are ignored by tar when decompressing ...


```
-y      (c mode only) Compress the resulting archive with bzip2(1).  In
             extract or list modes, this option is ignored.  Note that, unlike
             other tar implementations, this implementation recognizes bzip2
             compression automatically when reading archives.

     -z      (c mode only) Compress the resulting archive with gzip(1).  In
             extract or list modes, this option is ignored.  Note that, unlike
             other tar implementations, this implementation recognizes gzip
             compression automatically when reading archives.
```


----------



## DutchDaemon (Nov 19, 2009)

Anyway, something else is wrong here:


```
[X] The "/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2" file could not be found or is not available. Please select another file.
```


```
$ fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2
fetch: https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2: Unknown error: 0
```

A direct download doesn't seem to work.

Use a web browser and go to http://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2/download

or give that URL to fetch and rename the resulting file ('download', which is 'bzip2 compressed data') to sshguard-1.4.tar.bz2
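A check that makes the same observation as the `file` call above, added here as an example and not taken from the thread: read the leading bytes of whatever fetch saved and compare them with the format the file name promises, so a mis-named download or a saved HTML error page is caught before tar is run. The format table, the `sniff`/`check_download` helpers and the sample payloads are this example's own, and the payloads are constructed in a temporary directory rather than fetched.

```python
"""Sniff what fetch(1) actually saved before handing it to tar.

Added example, not from the thread. Identifies the container format from the
leading bytes (what file(1) does for 'bzip2 compressed data') and flags the
common failure of an HTML error page saved under an archive's name.
"""
import bz2
import gzip
import os
import tempfile

# (magic bytes, format name); the magic values are the standard ones.
MAGIC = [
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"PK\x03\x04", "zip"),
]


def sniff(data):
    """Name the container format of `data` from its leading bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if len(data) >= 262 and data[257:262] == b"ustar":   # uncompressed POSIX tar
        return "tar"
    head = data.lstrip()[:14].lower()
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def check_download(path, expected):
    """(detected, ok): ok is True only when the saved file is the expected format."""
    with open(path, "rb") as fh:
        detected = sniff(fh.read(512))
    return detected, detected == expected


def demo():
    """Write three constructed files and check each against the expected 'bzip2'."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "download": bz2.compress(b"not a real tarball, constructed payload"),
            "sshguard.tar.gz": gzip.compress(b"constructed payload"),
            "error.html": b"<!DOCTYPE html><html><body>File not found</body></html>",
        }
        results = {}
        for name, payload in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(payload)
            results[name] = check_download(path, "bzip2")
    return results


if __name__ == "__main__":
    for name, (detected, ok) in demo().items():
        print(f"{name}: {detected} ({'ok' if ok else 'NOT the expected format'})")
```

The `download` file in the thread would come back as `bzip2`, which is why `tar -yxf download` worked regardless of its name; a page saved in its place comes back as `html`, the case in which tar's "Unrecognized archive format" is the first symptom.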


----------



## Lego (Nov 20, 2009)

WOW! Lots of replies, thanks everyone! Yes, it was my screw-up; the actual name of the file is download:

```
fetch https://sourceforge.net/projects/sshguard/files/sshguard/sshguard-1.4/sshguard-1.4.tar.bz2/download
download                                      100% of  148 kB  124 kBps
blurr-ink# tar -yxf download
blurr-ink# ls
download        sshguard-1.4
blurr-ink# cd sshguard-1.4
blurr-ink# ls
Changes         aclocal.m4      depcomp         missing         stamp-h1
Makefile.am     config.h.in     examples        mkinstalldirs   ylwrap
Makefile.in     configure       install-sh      scripts
README          configure.ac    man             src
blurr-ink#
```


----------



## Lego (Nov 20, 2009)

Okay, so now I'm following these instructions and I'm getting a tad confused: http://sshguard.sourceforge.net/doc/setup/compileinstall1x.html

I figured there would be a clash between sshguard-pf (which is sshguard 1.3) and the new install of sshguard-1.4, so I:

```
#cd /usr/ports/security/sshguard-pf && make deinstall
```

and went back to my home dir and into the sshguard-1.4 folder:

```
./configure --with-firewall=pf
```

Everything looks fine, so I `make` and then `make install` as directed, but two questions: 1. Do I need to actually install pf now, or will it do that like sshguard-pf did? 2. When I ran make it went fine, as far as I could tell, and when I did the make install I got this:

```
blurr-ink# make
Making all in src
make  all-recursive
Making all in parser
make  all-am
Making all in fwalls
gcc -DHAVE_CONFIG_H -I. -I../../src     -I. -I.. -Wall -std=c99 -D_POSIX_C_SOURCE=200112L -g -O2 -MT command.o -MD -MP -MF .deps/command.Tpo -c -o command.o command.c
mv -f .deps/command.Tpo .deps/command.Po
rm -f libfwall.a
ar cru libfwall.a command.o
ranlib libfwall.a
gcc -DHAVE_CONFIG_H -I.     -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L   -g -O2 -MT sshguard_options.o -MD -MP -MF .deps/sshguard_options.Tpo -c -o sshguard_options.o sshguard_options.c
mv -f .deps/sshguard_options.Tpo .deps/sshguard_options.Po
gcc -I. -std=c99 -Wall -D_POSIX_C_SOURCE=200112L   -g -O2   -o sshguard sshguard.o sshguard_whitelist.o  sshguard_log.o sshguard_procauth.o  sshguard_blacklist.o sshguard_options.o  simclist.o parser/libparser.a fwalls/libfwall.a -lpthread
Making all in man
blurr-ink# make install
Making install in src
Making install in parser
make  install-am
Making install in fwalls
test -z "/usr/local/sbin" || .././install-sh -c -d "/usr/local/sbin"
  /usr/bin/install -c 'sshguard' '/usr/local/sbin/sshguard'
Making install in man
test -z "/usr/local/share/man/man8" || .././install-sh -c -d "/usr/local/share/man/man8"
 /usr/bin/install -c -m 644 'sshguard.8' '/usr/local/share/man/man8/sshguard.8'
blurr-ink#
```

So everything looks ok, but....

```
blurr-ink#
blurr-ink# rehash
blurr-ink# pkg_info|grep sshguard
blurr-ink#
```

It doesn't look like it's installed.... What have I done wrong now?? :S


----------



## DutchDaemon (Nov 20, 2009)

Manual installs from tarballs don't end up in pkg_info. That doesn't mean it's not installed, it's just outside of the scope of ports management tools. You could try incorporating this version into the ports tree by editing the Makefile in /usr/ports/security/sshguard-pf and by changing the hashes in distinfo. Or you can just run this version until the port version bumps up to 1.4 and replace it then.


----------



## Lego (Nov 20, 2009)

Yup, you're right!

```
blurr-ink# /usr/local/sbin/sshguard -v
sshguard 1.4.4

Copyright (c) 2007,2008 Mij <mij@*beep**beep**beep**beep**beep*x.it>
This is free software; see the source for conditions on copying.
blurr-ink#
```

So if I wanted to help update the ports tree to the new version, how would I do that?? What do you mean when you say 'change the hashes in distinfo'? What's weird is when I open the Makefile in /usr/ports/security/sshguard-pf it says this:

```
# New ports collection makefile for:    sshguard-pf
# Date created:                         17 May 2007
# Whom:                                 Mij <mij@*beep**beep**beep**beep**beep*x.it>
#
# $FreeBSD: ports/security/sshguard-pf/Makefile,v 1.4 2008/07/26 14:01:10 lwhsu Exp $
#

PKGNAMESUFFIX=  -pf

COMMENT=        Protect hosts from brute force attacks against ssh and other services using pf

CONFLICTS=      sshguard-1.* sshguard-ipfilter-1.* sshguard-ipfw-1.*

SSHGUARDFW=     pf
MASTERDIR=      ${.CURDIR}/../sshguard

.include "${MASTERDIR}/Makefile"
```

What's funny is it had installed 1.3 from ports, and to get 1.4 I had to download and compile/install :S

One More problem:

```
Nov 20 14:00:24 blurr-ink webmin[943]: Webmin starting
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 310 with process ID from /var/run/proftpd.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: unable to open pidfile '/var/run/sshd.pid': No such file or directory.
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 100 with process ID from /var/run/sshd.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: unable to open pidfile '/var/run/dovecot/master.pid': No such file or directory.
Nov 20 14:00:24 blurr-ink sshguard[944]: authenticating service 210 with process ID from /var/run/dovecot/master.pid
Nov 20 14:00:24 blurr-ink sshguard[944]: Started successfully [(a,p,s)=(5, 420, 1200)], now ready to scan.
```

Why is it saying it can't find the pid files now?? I already attempted to block myself on ssh and it did work, but isn't that weird?


----------



## Lego (Nov 20, 2009)

Also, sshd and dovecot are being blocked properly again, but still not proftpd. AARRGGG!!! lol

```
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:09 blurr-ink proftpd[1382]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:12:24 blurr-ink proftpd[1385]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:24 blurr-ink proftpd[1385]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:12:40 blurr-ink proftpd[1386]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:12:40 blurr-ink proftpd[1386]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:19 blurr-ink proftpd[1455]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:19 blurr-ink proftpd[1455]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:34 blurr-ink proftpd[1456]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:34 blurr-ink proftpd[1456]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:13:50 blurr-ink proftpd[1457]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:13:50 blurr-ink proftpd[1457]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:14:06 blurr-ink proftpd[1460]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego (Login failed): Incorrect password.
Nov 20 14:14:06 blurr-ink proftpd[1460]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - FTP session closed.
Nov 20 14:14:30 blurr-ink proftpd[1464]: localhost (dyn216-8-133-228.ADSL.mnsi.net[216.8.133.228]) - USER lego: Login successful.
```


----------



## Lego (Nov 21, 2009)

OK, I'm a retard, I apologize. After removing the hashes on the lines that uninstalling sshguard-pf hashed in my syslog.conf, restarting syslogd and reloading the pf rules, it started blocking proftpd attempts. Not quite sure which factor fixed the issues, but it's fixed!

sshguard 1.4.4 is what I have installed, and it is blocking sshd/dovecot & proftpd properly now. But I have a question about this:


```
Nov 20 18:49:25 blurr-ink sshguard[2356]: Got exit signal, flushing blocked addresses and exiting...
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 310 with process ID from /var/run/proftpd.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 100 with process ID from /var/run/sshd.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: unable to open pidfile '/var/run/dovecot/master.pid': No such file or directory.
Nov 20 18:49:25 blurr-ink sshguard[6911]: authenticating service 210 with process ID from /var/run/dovecot/master.pid
Nov 20 18:49:25 blurr-ink sshguard[6911]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
```

It successfully blocks attempts to crack my imapd server but says it can't find the proper PID file, which this proves:


```
blurr-ink# tail /var/run/sshd.pid
1094
blurr-ink# tail /var/run/proftpd.pid
932
blurr-ink# tail /var/run/sshd.pid
1094
blurr-ink# tail /var/run/dovecot/master.pid
tail: /var/run/dovecot/master.pid: No such file or directory
blurr-ink# cd /var/run/ && ls
ConsoleKit              httpd.pid               saslauthd
PolicyKit               inetd.pid               sendmail.pid
accept.lock.1082        ld-elf.so.hints         spamass-milter.sock
clamav                  ld.so.hints             spamd
cron.pid                log                     sshd.pid
dbus                    logpriv                 syslog.pid
devd.pid                named                   syslogd.sockets
devd.pipe               ppp                     utmp
dmesg.boot              proftpd                 xauth
hald                    proftpd.pid             xdmctl
```

There is no master.pid or dovecot folder/dovecot.pid file (that information was on the old service codes page, I believe); there is also no imapd.pid file. So why/how is it successfully doing that? I think I need to modify my syslog.conf, but I'm not sure.

SO! I have imap-uw installed; the link that DutchDaemon gave me for the service codes I cannot find now: http://sshguard.sourceforge.net/doc/servicecodes.html sends you to a different page. So which pid file do I use, and where can I find the service codes now?

Would I use the sendmail.pid file?? or leave it as is?
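The `/etc/syslog.conf` line posted earlier in this thread (`|exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5`) is where the remaining problems sat: the port deinstall commented the line out, and `-f` entries pointed at pid files that did not exist, such as `/var/run/dovecot/master.pid` for a daemon that was never installed. The following is an added example, not the thread's or sshguard's own code: a Python audit of that wiring that reports a hashed-out sshguard line, a `-f` pid file that is missing, and a pid file naming a process that is no longer running. The configuration text and process state it checks are constructed; `read_pid` and `alive` are injectable so the demo runs offline, and by default they read real files and probe real processes with `os.kill(pid, 0)`.

```python
"""Audit the syslog.conf line that pipes log lines into sshguard.

Added example, not part of the thread or of sshguard. Reports commented-out
sshguard lines and `-f code:pidfile` entries whose pid file is missing or
names a dead process.
"""
import os
import re
import shlex

SSHGUARD_EXEC_RE = re.compile(r"\|\s*exec\s+(?P<cmd>\S*sshguard\b.*)$")


def read_pid(path):
    """Integer pid from a pid file, or None if missing or malformed."""
    try:
        with open(path) as fh:
            return int(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def pid_alive(pid):
    """Signal 0 probes existence without touching the process."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, just not ours
    return True


def audit_syslog_conf(conf_text, read_pid=read_pid, alive=pid_alive):
    """Return (line_number, problem) tuples; an empty list means the wiring looks sound."""
    findings, active = [], 0
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = SSHGUARD_EXEC_RE.search(line)
        if not m:
            continue
        if line.startswith("#"):
            findings.append((lineno, "sshguard exec line is commented out; syslogd will not feed it"))
            continue
        active += 1
        argv = shlex.split(m.group("cmd"))
        for flag, value in zip(argv, argv[1:]):   # walk "-f code:pidfile" pairs
            if flag != "-f":
                continue
            code, _, pidfile = value.partition(":")
            pid = read_pid(pidfile)
            if pid is None:
                findings.append((lineno, f"service {code}: pid file {pidfile} is missing or unreadable"))
            elif not alive(pid):
                findings.append((lineno, f"service {code}: pid {pid} from {pidfile} is not running"))
    if active == 0:
        findings.append((0, "no active sshguard exec line found"))
    return findings


# Constructed syslog.conf fragment: a hashed-out leftover line, the live line,
# and the plain log-file target.
SAMPLE_CONF = """\
# constructed for this example; not a real host's file
#auth.info;authpriv.info;ftp.info\t|exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -a 5
auth.info;authpriv.info;ftp.info;mail.info\t|exec /usr/local/sbin/sshguard -f 310:/var/run/proftpd.pid -f 100:/var/run/sshd.pid -f 210:/var/run/dovecot/master.pid -w 127.0.0.1 -a 5
auth.info;authpriv.info;ftp.info;mail.info\t/var/log/sshguard.log
"""

# Constructed state: proftpd.pid and sshd.pid exist, dovecot's does not; only pid 932 is alive.
FAKE_PIDFILES = {"/var/run/proftpd.pid": 932, "/var/run/sshd.pid": 1094}
FAKE_ALIVE = {932}


def demo():
    """Audit the constructed configuration against the constructed state."""
    return audit_syslog_conf(SAMPLE_CONF, FAKE_PIDFILES.get, FAKE_ALIVE.__contains__)


if __name__ == "__main__":
    for lineno, problem in demo():
        print(f"line {lineno}: {problem}")
```

Against a real host, `audit_syslog_conf(open("/etc/syslog.conf").read())` is enough; run it after a port deinstall or reinstall, since that is the step that rewrote the file in this thread. A finding of the "missing or unreadable" kind for a service you do not run (here, service 210 for Dovecot) means the `-f` entry should be removed rather than the pid file created.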


----------



## DutchDaemon (Nov 21, 2009)

There really should be a /var/run/dovecot/ directory, with several files in it, among which master.pid. First `# pkg_delete dovecot\*`, and then install the port again. I guess sshguard still works because it will take the logging from Dovecot 'on face value' instead of checking it against a pid file.


----------



## Lego (Nov 21, 2009)

What exactly is dovecot? Do I need to install it? I thought I remembered seeing service codes for imap-uw or uw-imap....

Is dovecot just the 'program' used by all imap/pop servers to log in??


----------



## DutchDaemon (Nov 21, 2009)

Huh, I assumed you were using Dovecot because you had it in your sshguard configuration: http://forums.freebsd.org/showpost.php?p=48701&postcount=11

Dovecot is a POP3/IMAP server, of which there are several in the ports tree. If you don't use it, why feed it to sshguard?

Check in `pkg_info` whether you have Dovecot installed or not, and if not, remove that stuff from sshguard and replace it with the imap you're actually using ...


----------



## Lego (Nov 21, 2009)

Yeah, I figured that's what I had to do.... so in that folder listed above I don't see my imap pid file.


----------



## DutchDaemon (Nov 21, 2009)

Are you running imap-uw from inetd?


----------



## DutchDaemon (Nov 21, 2009)

Either imap-uw gets a 'child pid' from inetd, in which case inetd's pid file could be used, or imap-uw places a very _temporary_ pid file (because imap-uw is not running as a daemon, i.e. permanently) in /var/run/. I don't know which it is. I have mailed sshguard's maintainers to get that servicecode page back online a.s.a.p. It will likely contain the answer.

P.S. that email bounced, because the email address is not valid ..


----------



## Lego (Nov 21, 2009)

No, I'm not using Dovecot, not installed at all... which is why I thought it was weird that it worked to block the imap attempts.

Yes, as a matter of fact I am running imap from inetd, now that I think about it. I remember adding `inetd_enable="YES"` to my rc.conf and unhashing the pop3 and imapd lines when I installed uw-imap.

So which would you suggest I do: add the imap info from the service codes page when it comes back up? Or should I change it to the inetd.pid? Or LOL should I just leave it as is since it's working :S which is kinda odd if you ask me...

What bounced email are you talking about??


----------



## DutchDaemon (Nov 21, 2009)

> I have mailed sshguard's maintainers to get that servicecode page back online a.s.a.p. It will likely contain the answer.
> 
> P.S. that email bounced, because the email address is not valid ..



That wasn't _that_ academic a statement, was it?


----------



## DutchDaemon (Nov 21, 2009)

As to your setup: leave it as it is until that page comes back online, and then apply the proper settings.


----------



## Lego (Nov 21, 2009)

Sounds good, I didn't put two and two together for the email thing. Should I ask on the mailing list for it to be reposted?? (the service codes, that is)


----------



## DutchDaemon (Nov 21, 2009)

I think that would be the best thing. And tell them that their broken link report address doesn't work.


----------

