sshguard & systemd

[DrMikeDuke]

Good afternoon all,

I am trying to get sshguard working with Centos 7, whilst it seems that it's now running, it never blocks any intrusion attempts.
I have compiled sshguard from source and I'm using it in conjunction with iptables, I think it may not be parsing what I expect.

Since I'm *very* new at systemd/7 (long time RHEL user though) I could well be wrong about how I've written (ported) the systemd stuff.
Corrections, suggestions or diagnostic tool suggestions welcome, I've googled this one to death, only arch seems to have doco on sshguard+systemd which I've followed as well as I can. See below for a output:

systemctl status sshguard output:

Code: Select all

systemctl status sshguard
sshguard.service - Block hacking attempts
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled)
   Active: active (running) since Mon 2014-09-08 16:40:42 WST; 14min ago
 Main PID: 10361 (sshguard-journa)
   CGroup: /system.slice/sshguard.service
           ââ10361 /bin/sh /usr/lib/systemd/system/sshguard-journalctl -b /var/db/sshguard/blacklist.db SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
           ââ10362 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
           ââ10363 /usr/local/sbin/sshguard -l- -b /var/db/sshguard/blacklist.db

SSHGUARD Version

Code: Select all

# sshguard -v
sshguard 1.5.0

Copyright (c) 2007,2008 Mij <mij@sshguard.net>
This is free software; see the source for conditions on copying.

Uname

Code: Select all

# uname -a
Linux shodan 3.14.17-grsec #4 SMP Fri Sep 5 11:22:06 WST 2014 x86_64 x86_64 x86_64 GNU/Linux

iptables

Code: Select all

 59  3056 sshguard   tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh

sshguard-journalctl

Code: Select all

]# cat /usr/lib/systemd/system/sshguard-journalctl
#!/bin/sh
SSHGUARD_OPTS=$1
shift
LANG=C /bin/journalctl -afb -p info -n1 -o cat "$@" | /usr/local/sbin/sshguard -l- $SSHGUARD_OPTS

sshguard.service

Code: Select all

# cat /usr/lib/systemd/system/sshguard.service
[Unit]
Description=Block hacking attempts
After=iptables.service ip6tables.service network.target
Wants=iptables.service ip6tables.service

[Service]
ExecStart=/usr/lib/systemd/system/sshguard-journalctl "-b /var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

[Install]
WantedBy=multi-user.target

Thanks kindly,

Mike.


EDIT: FWIW, I've probably written the systemd unit file/s wrong or named/placed them incorrectly: still don't have a full grasp of this stuff.

[TrevorH]

I see you mention iptables. Did you disable firewalld or does sshguard know about firewalld and use it?

[DrMikeDuke]

Hi,

Thanks for the quick moderation. Firewalld is disabled (so far as I can tell)

Code: Select all

systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: inactive (dead)

sshguard was built (from source) with iptables support during ./configure.


Cheers.



EDIT: Worth mentioning, I see dmesg reporting iptables blocking/accepting traffic from my other rules OK.

[hsafe]

Hello
Allow me to say that this is the first post of me. I used to read this wiki much of the time for almost anything and find the answers to my questions, particularly the replies from Trevor.
Now am surprised on the same scenario: hhsguard+Centos7 and I am stock as the same. Oddly the sshguard site had poor documentation and online search did not yield any solution. Have had experience setting it up in Arch and worked like a gem particularly that it is so small and nibble. Can somebody try to find out what went wrong for the set up ?
Many many thanks

[TrevorH]

If it is manipulating iptables rules directly and firewalld is running then firewalld probably immediately removes any newly added rules. To work properly sshguard would need to talk to firewalld and not insert iptables rules itself. You could try removing firewalld and using iptables.service instead and see if that makes it work.

[giulix63]

I just noticed sshguard has recently started to be actively maintained again after a gap of four years. It's one of the projects I looked at when I was looking for a similar solution. I wanted a compiled (vs. interpreted) solution that would work with systemd, possibly natively, and use ipset. I used failban for a while, but found it overkill for my needs, so I wrote something very lightweight and simple that, along with shorewall, is currently doing the job for me. I called it sshwsd: SSH Watch SystemD version. It's still in a very beta stage.

[AlanBartlett]

Uname

Code: Select all

# uname -a
Linux shodan 3.14.17-grsec #4 SMP Fri Sep 5 11:22:06 WST 2014 x86_64 x86_64 x86_64 GNU/Linux

That is not a CentOS 7 kernel. So that we have the full picture, please post the output returned by the following --

rpm -qa kernel\* | sort
rpm -qa \*release\* | sort