[Firehol-support] Creating a custom rejection chain with firehol
Tsaousis, Costa
costa at tsaousis.gr
Sun Jun 11 15:57:59 BST 2017
define an action:
action sshguard chain accept
or
action sshguard chain reject
or you can just create a chain with plain iptables commands:
iptables -N sshguard
then, at the point you need it:
server ssh sshguard
I suggest checking the sshguard docs.
Costa
On Sun, Jun 11, 2017 at 1:52 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
wrote:
> Unfortunately, the new version of sshguard (2.0) has dropped support
> for executing an outside script.
> It's hardcoded to add new entries to an sshguard chain.
>
> So, how can I add a drop chain to the wan interface, so it drops all
> packets with matching IP's upon arrival?
>
> Carlos
>
>
>
>
> On 10 June 2017 at 15:19, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> > Hi,
> >
> > Use:
> >
> > action sshguard
> >
> > The above will create a firehol action (an iptables chain) that does nothing
> > by default.
> >
> > action sshguard chain accept
> >
> > Same as above but the default action is to accept traffic
> >
> > The action helper of firehol is quite powerful. For advanced uses check this:
> > https://firehol.org/firehol-manual/firehol-action/
> >
> > Keep in mind that the right way of externally blocking an IP is to have an
> > ipset and the programs to add/remove IPs on this ipset. This way, the
> > firewall is not altered by third parties and it is safe to restart it
> > anytime you see fit. So, if sshguard has a script that handles blocking /
> > unblocking, the best way is to make it add/remove the IPs to such an ipset.
> > For example, in firehol.conf you add:
> >
> > ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart
> >
> > and then you do something like this:
> >
> > server ssh accept src not ipset:sshguard-blocked
> >
> > and later, outside firehol, you can add an IP to it with this:
> >
> > ipset add sshguard-blocked IP
> >
> > delete an IP with this:
> >
> > ipset del sshguard-blocked IP
> >
> > show all blocked IPs with this:
> >
> > ipset list sshguard-blocked
> >
> > Costa
> >
> >
> > On Fri, Jun 9, 2017 at 3:30 PM, Carlos Ferreira <carlosmf.pt at gmail.com>
> > wrote:
> >>
> >> Hello to all
> >>
> >> I'm having difficulties in understanding the mechanism of creating
> >> chains with firehol.
> >>
> >> I want to use sshguard with firehol.
> >> When sshguard detects a possible threat, it adds a drop entry to the
> >> sshguard chain, but for this to be successful, the chain must already
> >> exist.
> >>
> >> I want to create that "sshguard" chain and use it with the chain of my
> >> WAN adapter, so it immediately drops the packets upon arrival.
> >>
> >> Can anyone provide me assistance?
> >> Thank you.
> >>
> >> Carlos Ferreira
> >> _______________________________________________
> >> Firehol-support mailing list
> >> Firehol-support at lists.firehol.org
> >> http://lists.firehol.org/mailman/listinfo/firehol-support
> >
> >
>
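An added example, not code from this thread and not part of firehol or sshguard: the external-blocker side of the ipset approach Costa describes above, written as a small block/unblock hook. It never creates or edits iptables chains; it only adds to, removes from and tests the `sshguard-blocked` set that firehol.conf owns via `ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart`, so `firehol restart` remains safe. The set name is the one from the thread; the protected-range policy (refusing to block loopback, RFC 1918 and link-local addresses) and the `IPSET` variable that lets the script be dry-run are assumptions of this example, not firehol or ipset features.

```shell
#!/bin/sh
# Added example (not from the thread, firehol or sshguard): a hook that
# blocks/unblocks addresses by editing an ipset, never the firewall rules.
# firehol.conf creates the set:  ipset4 create sshguard-blocked hash:ip prevent_reset_on_restart
# and matches it with, e.g.:      server ssh accept src not ipset:sshguard-blocked

SETNAME="${SETNAME:-sshguard-blocked}"   # set name taken from the thread
IPSET="${IPSET:-ipset}"                  # assumption: set IPSET=echo to dry-run

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with four octets in 0..255.
# Rejecting anything else also stops a caller from smuggling extra ipset
# arguments (e.g. "1.2.3.4 timeout 0") through the address parameter.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# is_protected ADDR: 0 if ADDR is in a range this hook refuses to block
# (loopback, RFC 1918, link-local). Policy assumed for this example: a
# brute-force detector must not be able to lock the admin out of the LAN.
is_protected() {
    case "$1" in
        127.*|10.*|192.168.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# block_ip ADDR: add ADDR to the set. "-exist" turns a repeated add into a
# no-op instead of an error, so the hook is idempotent.
# Returns 2 for a malformed address, 3 for a protected one, else ipset's status.
block_ip() {
    valid_ipv4 "$1" || return 2
    is_protected "$1" && return 3
    $IPSET add -exist "$SETNAME" "$1"
}

# unblock_ip ADDR: remove ADDR; "-exist" tolerates an entry that is already gone.
unblock_ip() {
    valid_ipv4 "$1" || return 2
    $IPSET del -exist "$SETNAME" "$1"
}

# is_blocked ADDR: 0 if ADDR is currently in the set ("ipset test").
is_blocked() {
    valid_ipv4 "$1" || return 2
    $IPSET test "$SETNAME" "$1" >/dev/null 2>&1
}

usage() {
    echo "usage: $0 block|unblock|test ADDR" >&2
    echo "       $0 list" >&2
    return 64
}

main() {
    case "$1" in
        block)   block_ip "$2" ;;
        unblock) unblock_ip "$2" ;;
        test)    is_blocked "$2" ;;
        list)    $IPSET list "$SETNAME" ;;
        *)       usage ;;
    esac
}

# Act as a command only when arguments are given, e.g. "block 203.0.113.7";
# without arguments the file just defines the functions above.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

This is the program a detector that can still run an external command would call (Carlos notes above that sshguard 2.0 cannot). Two caveats follow from the thread itself: the set must already exist when the hook runs, which firehol takes care of once firehol.conf contains the `ipset4 create` line, and the hook only blocks as much traffic as the firehol rule that references the set, so `server ssh accept src not ipset:sshguard-blocked` affects the ssh service only.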