[Firehol-support] Creating a custom rejection chain with firehol

Carlos Ferreira carlosmf.pt at gmail.com
Sun Jun 11 21:20:03 BST 2017


Thank you for the support!
It seems that I was not interpreting the firehol manual correctly.
I was defining "action sshguard chain drop" and it was not working properly.

The action in your example works just nice.
Still, I will try to follow your proper example, because as you say,
it is the correct way to get the job done.

Carlos Ferreira

On 11 June 2017 at 15:57, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>
> define an action:
>
> action sshguard chain accept
>
> or
>
> action sshguard chain reject
>
> or you can just create a chain with plain iptables commands:
>
> iptables -N sshguard
>
> then, at the point you need it:
>
> server ssh sshguard
>
> I suggest checking the sshguard docs.
>
> Costa
>
>
> On Sun, Jun 11, 2017 at 1:52 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
> wrote:
>>
>> Unfortunately, the new version of sshguard (2.0) has dropped support
>> for executing an outside script.
>> It's hardcoded to add new entries to an sshguard chain.
>>
>> So, how can I add a drop chain to the wan interface, so it drops all
>> packets with matching IPs upon arrival?
>>
>> Carlos
>>
>>
>>
>>
>> On 10 June 2017 at 15:19, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>> > Hi,
>> >
>> > Use:
>> >
>> >  action sshguard
>> >
>> > The above will create a firehol action (an iptables chain) that does
>> > nothing by default.
>> >
>> >  action sshguard chain accept
>> >
>> > Same as above but the default action is to accept traffic
>> >
>> > The action helper of firehol is quite powerful. For advanced uses check
>> > this:
>> > https://firehol.org/firehol-manual/firehol-action/
>> >
>> > Keep in mind that the right way of externally blocking an IP is to have
>> > an ipset and the programs to add/remove IPs on this ipset. This way, the
>> > firewall is not altered by third parties and it is safe to restart it
>> > anytime you see fit. So, if sshguard has a script that handles blocking
>> > / unblocking, the best way is to make it add/remove the IPs to such an
>> > ipset.
>> > For example, in firehol.conf you add:
>> >
>> > ipset4 create  sshguard-blocked hash:ip prevent_reset_on_restart
>> >
>> > and then you do something like this:
>> >
>> > server ssh accept src not ipset:sshguard-blocked
>> >
>> > and later, outside firehol, you can add an IP to it with this:
>> >
>> >  ipset add sshguard-blocked IP
>> >
>> > delete an IP with this:
>> >
>> >  ipset del sshguard-blocked IP
>> >
>> > show all blocked IPs with this:
>> >
>> >  ipset list sshguard-blocked
>> >
>> > Costa
>> >
>> >
>> > On Fri, Jun 9, 2017 at 3:30 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
>> > wrote:
>> >>
>> >> Hello to all
>> >>
>> >> I'm having difficulties in understanding the mechanism of creating
>> >> chains with firehol.
>> >>
>> >> I want to use sshguard with firehol.
>> >> When sshguard detects a possible threat, it adds a drop entry to the
>> >> sshguard chain, but for this to be successful, the chain must already
>> >> exist.
>> >>
>> >> I want to create that "sshguard" chain and use it with the chain of my
>> >> WAN adapter, so it immediately drops the packets upon arrival.
>> >>
>> >> Can anyone provide me assistance?
>> >> Thank you.
>> >>
>> >> Carlos Ferreira
>> >> _______________________________________________
>> >> Firehol-support mailing list
>> >> Firehol-support at lists.firehol.org
>> >> http://lists.firehol.org/mailman/listinfo/firehol-support
>> >
>> >
>
>
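The ipset-based approach Costa describes in the quoted thread, as an added example that is not code from the thread or from the FireHOL project: a small POSIX sh wrapper an external blocker can call to add or remove an address in the `sshguard-blocked` set, validating the address before it reaches `ipset add`/`ipset del`. The script name sshguard-ipset.sh and the `DRY_RUN` variable are assumptions; the set name and the two firehol.conf lines in the header comment are the ones from Costa's message.

```sh
#!/bin/sh
# Added example, not code from the thread or from FireHOL: a wrapper that an
# external blocker can call to add/remove an address in the ipset that the
# firehol.conf from the thread creates with
#   ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart
# and consults with
#   server ssh accept src not ipset:sshguard-blocked
# The address is validated before it reaches ipset, so a log-derived string
# can never alter the command. DRY_RUN=1 (assumed name) prints the command
# instead of running it, which needs neither root nor an ipset binary.

SET_NAME="sshguard-blocked"   # must match the ipset4 create line in firehol.conf

# is_ipv4 ADDR: succeed only for a plain dotted-quad IPv4 address
is_ipv4() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# ipset_cmd add|del ADDR: print the exact ipset command that would be run
ipset_cmd() {
    case "$1" in add|del) ;; *) return 2 ;; esac
    is_ipv4 "$2" || { echo "refusing non-IPv4 value: '$2'" >&2; return 1; }
    printf 'ipset %s %s %s\n' "$1" "$SET_NAME" "$2"
}

# run_ipset add|del ADDR: validate, then execute (or only print under DRY_RUN=1)
run_ipset() {
    ipset_cmd "$1" "$2" >/dev/null || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then ipset_cmd "$1" "$2"
    else ipset "$1" "$SET_NAME" "$2"; fi
}
block()   { run_ipset add "$1"; }
unblock() { run_ipset del "$1"; }

# CLI entry point: sshguard-ipset.sh block|unblock ADDR (no-op when sourced)
case "${1:-}" in
    block)   block "$2" ;;
    unblock) unblock "$2" ;;
esac
```

Because the set is created with prevent_reset_on_restart, entries added this way survive a firehol restart, which is the point Costa makes about keeping third-party changes out of the ruleset itself.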

