Hello,

sshguard detects brute force attacks and blocks IPs according to a certain algorithm. For it to work it needs a rule:

    iptables -N sshguard
    iptables -A INPUT -j sshguard

And so in Shorewall's started.d/ I created a file and added:

    #!/bin/bash
    iptables -N sshguard
    iptables -I INPUT 1 -j sshguard

Which makes this rule the first one, after which the Shorewall rules are defined.

Is this the right way to add such a rule? When a packet enters it will go to sshguard. If the packet is not concerned by any rule in there, will it go back to the first Shorewall INPUT rule?

Thanks for suggestions/comments!

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter
On 04/19/2013 02:13 PM, Fred Maillou wrote:
> Hello,
>
> sshguard detects brute force attacks and blocks IPs according to a
> certain algorithm. For it to work it needs a rule:
>
> iptables -N sshguard
> iptables -A INPUT -j sshguard
>
> And so in Shorewall's started.d/ I created a file and added:

Shorewall has no started.d/ directory.

> #!/bin/bash
> iptables -N sshguard
> iptables -I INPUT 1 -j sshguard
>
> Which makes this rule the first one, after which the Shorewall rules are
> defined.
>
> Is this the right way to add such a rule? When a packet enters it will
> go to sshguard. If the packet is not concerned by any rule in there,
> will it go back to the first Shorewall INPUT rule?
>
> Thanks for suggestions/comments!

In /etc/shorewall/start:

    run_iptables -N sshguard
    run_iptables -I INPUT 1 -j sshguard

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
On Fri, Apr 19, 2013 at 02:13:46PM -0700, Fred Maillou wrote:
> Hello,
> sshguard detects brute force attacks and blocks IPs according to a
> certain algorithm. For it to work it needs a rule:
> iptables -N sshguard
> iptables -A INPUT -j sshguard
> And so in Shorewall's started.d/ I created a file and added:
> #!/bin/bash
> iptables -N sshguard
> iptables -I INPUT 1 -j sshguard
> Which makes this rule the first one, after which the Shorewall rules are
> defined.
> Is this the right way to add such a rule? When a packet enters it will
> go to sshguard. If the packet is not concerned by any rule in there, will
> it go back to the first Shorewall INPUT rule?
> Thanks for suggestions/comments!

Tom already noted that there is no started.d/ directory for Shorewall. However, I will add that the "right" solution is to disable password login for ssh, and allow only key-based authentication. That makes it effectively impossible for a brute force attack to succeed.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
On 04/19/2013 09:05 PM, Roberto C. Sánchez wrote:
> On Fri, Apr 19, 2013 at 02:13:46PM -0700, Fred Maillou wrote:
>> Hello,
>> sshguard detects brute force attacks and blocks IPs according to a
>> certain algorithm. For it to work it needs a rule:
>> iptables -N sshguard
>> iptables -A INPUT -j sshguard
>> And so in Shorewall's started.d/ I created a file and added:
>> #!/bin/bash
>> iptables -N sshguard
>> iptables -I INPUT 1 -j sshguard
>> Which makes this rule the first one, after which the Shorewall rules are
>> defined.
>> Is this the right way to add such a rule? When a packet enters it will
>> go to sshguard. If the packet is not concerned by any rule in there, will
>> it go back to the first Shorewall INPUT rule?
>> Thanks for suggestions/comments!
>
> Tom already noted that there is no started.d/ directory for
> Shorewall. However, I will add that the "right" solution is to disable
> password login for ssh, and allow only key-based authentication. That
> makes it effectively impossible for a brute force attack to succeed.

We also recommend using the RATE LIMIT column on ssh ACCEPT rules to limit the number of attempts allowed from a given IP address. I personally use this rule:

    ACCEPT  net  all  tcp  22  -  -  s:ssh:1/min:3

That allows up to three attempts in a minute; if the three fail, then only one attempt per minute is allowed.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> On 04/19/2013 02:13 PM, Fred Maillou wrote:
>> Hello,
>>
>> sshguard detects brute force attacks and blocks IPs according to a
>> certain algorithm. For it to work it needs a rule:
>>
>> iptables -N sshguard
>> iptables -A INPUT -j sshguard
>>
>> And so in Shorewall's started.d/ I created a file and added:
>
> Shorewall has no started.d/ directory.

I've been working with those systems for so long that I forgot about that. Those systems do have Shorewall st*.d directories. The main start/started/stop/stopped files have a run-parts <directory> in them. This enables different processes/features of the system to add to the firewall without modifying a single start/stop file. It makes it easier to add various clearly identified small components to the firewall. The systems are configured by end users. Depending on what users choose, independent processes can add to the firewall in this way.

This being said, this hasn't been used much and there is a major drawback to this initial way of doing things, which is the assumption that everything works and that there's no need to catch errors. Time to update this old way then.

It would be nice to keep the same modularity while being able to return error codes to Shorewall so that Shorewall could run something like stop_firewall when something's wrong. Currently if a run-parts located in the started file returns 1, Shorewall does:

    Processing /etc/shorewall/started ...
    run-parts: /etc/shorewall/started.d/filler exited with return code 1
    done.

And the firewall is up and running even if there was an error.

So, is there a Shorewall call that could be used, similar perhaps to run_iptables, to execute any type of script/utility returning either 0 or 1? This call could be used to execute the main run-parts.

Thanks for any comments/suggestions!
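An added example (not Shorewall's code and not from anyone in this thread) of the stricter run-parts behaviour the last message is after: a POSIX shell function that runs the executables of a started.d-style directory in sorted order and returns non-zero at the first failing component, so the calling extension script sees the failure instead of "exited with return code 1 ... done". The directory name, the script names and the demo directory are all constructed for the demo; the thread names no Shorewall hook for reacting to the failure, so that decision is left to the caller.

```shell
#!/bin/sh
# Hypothetical strict stand-in for a plain `run-parts <dir>` call in
# /etc/shorewall/started (added example, not part of Shorewall).
# Runs every executable in DIR in sorted order and stops at the first
# non-zero exit so the caller gets a failure status to act on.
run_parts_strict() {
    dir=$1
    [ -d "$dir" ] || { echo "run_parts_strict: no directory $dir" >&2; return 2; }
    for script in "$dir"/*; do
        [ -f "$script" ] && [ -x "$script" ] || continue
        if "$script"; then
            :
        else
            # $? here is the exit status of the failed component.
            rc=$?
            echo "run_parts_strict: $script exited with return code $rc" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample of a started.d/ tree for the demo: one component that
# succeeds, one that fails, one that must not run after the failure.
# Prints the directory path; the last script leaves a marker if executed.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/sh\nexit 0\n' > "$d/10-sshguard"
    printf '#!/bin/sh\nexit 1\n' > "$d/20-filler"
    printf '#!/bin/sh\ntouch "$(dirname "$0")/30-ran"\n' > "$d/30-later"
    chmod +x "$d"/*
    echo "$d"
}

# Stand-alone demo of how an extension script could call the helper;
# what to do on failure (e.g. stopping the firewall) is up to the caller.
if [ "${1:-}" = "demo" ]; then
    demo=$(make_demo_dir)
    if run_parts_strict "$demo"; then
        echo "all components applied"
    else
        echo "a component failed; not treating the firewall as started" >&2
    fi
    rm -rf "$demo"
fi
```

Run it as `sh script.sh demo` to see the failing component reported and the later one skipped.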