Disable or whitelist sshguard



  • SG-1100 running 2.4.4-RELEASE-p3 (arm64)
    I am randomly unable to log on to the GUI via HTTPS from the machine running our network mgmt apps. I found this logged, which is the IP of the mgmt machine:

    Jun 19 17:33:48 sshguard 27748 Blocking "192.168.25.121/32" for 960 secs (3 attacks in 1571 secs, after 4 abuses over 15079 secs.)

    Based on the 2.4.4 p3 release notes I believe sshguard is overriding the firewall rules allowing connections to ports 22, 443.

    I am unable to find any documentation re. how to disable or whitelist sshguard. Where are the documentation and settings for this "feature"?

    Thank you.



  • Try: System > Advanced > Login Protection



  • I have whitelisted, thank you for the pointer.

    I'm unable to find any documentation for "Login Protection" or sshguard other than it's a new feature. Netgate, pls document everything.


  • LAYER 8 Global Moderator

    @pfnewb2016 said in Disable or whitelist sshguard:

    believe sshguard is overriding the firewall rules allowing connections to ports 22, 443.

    It's not overriding the rules - the rules still allow you to TALK to the port... sshguard is just blocking you from logging in because of failed login attempts.

    The login protection section in the GUI is pretty straightforward on the settings.



  • @johnpoz
    Nope, sshguard blocks talking to the port; the webpage doesn't load. This is not a failed login, it happens before that and is documented here. The effect is that sshguard is overriding the Firewall Allow rules. In my case sshguard saw failed logins on SNMP and SSH and blocked the source IP from all service ports.

    Re. "Login protection is straightforward": the GUI is simple enough, however:

    1. It's not documented that by default, even with Firewall allow rules in place, it is possible for Login Protection to prevent access to the inside interface on both ssh and https.

    2. There is no GUI that shows IPs currently or previously blocked by Login Protection. The log entry only shows the "attack", not the action or duration. IMO, there should be more logging and it should be either under Firewall or its own category.

    3. The logs are not under Firewall rules, so when you can't log in from one PC, then go to the firewall logs and don't see the block, it's hard to troubleshoot.

    4. The log entries in General are sourced or labeled sshguard, not Login Protection. This makes it difficult to correlate the sshguard entry with Login Protection, particularly without any pfSense documentation.


  • Netgate Administrator

    You should see logged, immediately before the sshguard line, what triggered its attack response:

    Jun 24 00:17:49 php-fpm 30238 /index.php: webConfigurator authentication error for user 'admin' from: 172.21.16.5
    Jun 24 00:17:50 sshguard 65461 Attack from "172.21.16.5" on service 380 with danger 10.

    That should only ever be for services on the firewall itself.

    Steve

