Having a problem with sshlockout

Having a problem with sshlockout

Андрей Поляков
Hello
I have configured sshlockout. But it doesn't work properly.

Here is the auth log:
root@openbsd-gw:~ # cat /var/log/authlog | grep sshlockout
Dec  4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
Dec  4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
Dec  4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108

But the table in pf is empty:
root@openbsd-gw:~ # pfctl -t lockout -T show


Some info:

root@openbsd-gw:~ # uname -sr
OpenBSD 6.2

root@openbsd-gw:~ # syspatch -l
001_tcb_invalid
002_fktrace

root@openbsd-gw:~ # pkg_info sshlockout-0.20170726
Information for inst:sshlockout-0.20170726

root@openbsd-gw:~ # ps -aux | grep sshlockout
_syslogd 62152  0.0  0.2   308  1188 ??  Ip     8:31AM    0:00.01 /usr/local/sbin/sshlockout -pf lockout

root@openbsd-gw:~ # cat /etc/syslog.conf | grep sshlockout
auth.info;authpriv.info                                 |exec /usr/local/sbin/sshlockout -pf lockout

root@openbsd-gw:~ # cat /etc/pf.conf
table <lockout> persist { }

set block-policy drop
set skip on lo

match in all scrub (no-df random-id)

block in all
block in quick from <lockout>

pass in on egress inet proto icmp from any to egress
pass in on egress inet proto tcp from any to egress port { ssh www }

pass out quick inet


Thanks for any help

Re: Having a problem with sshlockout

Jeremie Courreges-Anglas-2
On Mon, Dec 04 2017, Андрей Поляков <[hidden email]> wrote:

> Hello
> I have configured sshlockout. But it doesn't work properly.
>
> Here is auth log:
> root@openbsd-gw:~ # cat /var/log/authlog | grep sshlockout
> Dec  4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
> Dec  4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
> Dec  4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108
>
> But table in pf is empty:
> root@openbsd-gw:~ # pfctl -t lockout -T show

See the readme that comes with the sshlockout package.

--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE

Re: Having a problem with sshlockout

Андрей Поляков
Thank you!

It worked.

Create doas.conf:
root@openbsd-gw:~ # echo 'permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout' > /etc/doas.conf

Modify syslog.conf:
root@openbsd-gw:~ # cat /etc/syslog.conf | grep sshlockout
auth.info;authpriv.info                                 |exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout

Check that sshlockout runs as root:
root@openbsd-gw:~ # ps -aux | grep sshlockout
root     13074  0.0  0.2   304  1192 ??  Sp     8:52PM    0:00.01 /usr/local/sbin/sshlockout -pf lockout



04.12.2017, 20:45, "Jeremie Courreges-Anglas" <[hidden email]>:

> On Mon, Dec 04 2017, Андрей Поляков <[hidden email]> wrote:
>>  Hello
>>  I have configured sshlockout. But it doesn't work properly.
>>
>>  Here is auth log:
>>  root@openbsd-gw:~ # cat /var/log/authlog | grep sshlockout
>>  Dec 4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
>>  Dec 4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
>>  Dec 4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108
>>
>>  But table in pf is empty:
>>  root@openbsd-gw:~ # pfctl -t lockout -T show
>
> See the readme that comes with the sshlockout package.
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
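
Added example, not part of the thread or of the sshlockout package: a shell audit of the two files changed in the last post, run on constructed copies of the thread's before and after configuration. The function name `audit_sshlockout` and the WARN about pinning arguments with the doas.conf `args` keyword are additions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). audit_sshlockout SYSLOG_CONF DOAS_CONF
# prints findings and returns 0 only when no FAIL was reported.
audit_sshlockout() {
    syslog_conf=$1; doas_conf=$2; rc=0
    # Active (non-comment) syslog.conf actions that pipe into sshlockout.
    pipes=$(grep -v '^[[:space:]]*#' "$syslog_conf" | grep '|.*sshlockout' || true)
    if [ -z "$pipes" ]; then
        echo "FAIL: no sshlockout pipe action in syslog.conf"
        return 1
    fi
    # In the first post the piped program ran as _syslogd: it logged
    # "locking out" but the pf table stayed empty.
    if echo "$pipes" | grep -qv 'doas -n '; then
        echo "FAIL: sshlockout is started without doas -n, so it runs as _syslogd"
        rc=1
    fi
    # Rule from the last post: _syslogd may run sshlockout as root, no password.
    rule=$(grep -v '^[[:space:]]*#' "$doas_conf" |
        grep 'permit.*nopass.*_syslogd.*as root.*cmd /usr/local/sbin/sshlockout' || true)
    if [ -z "$rule" ]; then
        echo "FAIL: doas.conf has no nopass rule for _syslogd as root on sshlockout"
        rc=1
    elif ! echo "$rule" | grep -q ' args '; then
        # Hardening suggestion added here: without "args", the rule
        # matches the command with any arguments.
        echo "WARN: doas rule does not pin arguments (e.g. args -pf lockout)"
    fi
    [ "$rc" -eq 0 ] && echo "OK: sshlockout pipe runs through doas as root"
    return "$rc"
}

# Constructed sample files mirroring the thread's before/after configuration.
demo() {
    d=$(mktemp -d)
    sel='auth.info;authpriv.info    '
    echo "${sel}|exec /usr/local/sbin/sshlockout -pf lockout" > "$d/syslog.before"
    echo "${sel}|exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout" > "$d/syslog.after"
    : > "$d/doas.before"
    echo 'permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout' > "$d/doas.after"
    echo "== before =="; audit_sshlockout "$d/syslog.before" "$d/doas.before" || true
    echo "== after ==";  audit_sshlockout "$d/syslog.after" "$d/doas.after" || true
    rm -rf "$d"
}
demo
```

The `>` redirection used in the last post replaces any existing /etc/doas.conf, so on a host that already has doas rules the line should be appended with `>>` instead.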