Discussion:
Having a problem with sshlockout
Андрей Поляков
2017-12-04 06:10:18 UTC
Hello
I have configured sshlockout. But it doesn't work properly.

Here is the auth log:
***@openbsd-gw:~ # cat /var/log/authlog | grep sshlockout
Dec 4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
Dec 4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
Dec 4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108

But the table in pf is empty:
***@openbsd-gw:~ # pfctl -t lockout -T show


Some info:

***@openbsd-gw:~ # uname -sr
OpenBSD 6.2

***@openbsd-gw:~ # syspatch -l
001_tcb_invalid
002_fktrace

***@openbsd-gw:~ # pkg_info sshlockout-0.20170726
Information for inst:sshlockout-0.20170726

***@openbsd-gw:~ # ps -aux | grep sshlockout
_syslogd 62152 0.0 0.2 308 1188 ?? Ip 8:31AM 0:00.01 /usr/local/sbin/sshlockout -pf lockout

***@openbsd-gw:~ # cat /etc/syslog.conf | grep sshlockout
auth.info;authpriv.info |exec /usr/local/sbin/sshlockout -pf lockout

***@openbsd-gw:~ # cat /etc/pf.conf
table <lockout> persist { }

set block-policy drop
set skip on lo

match in all scrub (no-df random-id)

block in all
block in quick from <lockout>

pass in on egress inet proto icmp from any to egress
pass in on egress inet proto tcp from any to egress port { ssh www }

pass out quick inet


Thanks for any help
Jeremie Courreges-Anglas
2017-12-04 14:44:15 UTC
Post by Андрей Поляков
Hello
I have configured sshlockout. But it doesn't work properly.
Dec 4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
Dec 4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
Dec 4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108
See the readme that comes with the sshlockout package.
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Андрей Поляков
2017-12-04 18:08:13 UTC
Thank You!

It worked.

create doas.conf:
***@openbsd-gw:~ # echo 'permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout' > /etc/doas.conf

modify syslog.conf:
***@openbsd-gw:~ # cat /etc/syslog.conf | grep sshlockout
auth.info;authpriv.info |exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout

check that sshlockout runs as root:
***@openbsd-gw:~ # ps -aux | grep sshlockout
root 13074 0.0 0.2 304 1192 ?? Sp 8:52PM 0:00.01 /usr/local/sbin/sshlockout -pf lockout
Post by Jeremie Courreges-Anglas
 Hello
 I have configured sshlockout. But it doesn't work properly.
 Dec 4 06:37:54 openbsd-gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 59.63.166.104
 Dec 4 07:40:16 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 5.188.10.176
 Dec 4 07:46:34 openbsd-gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 185.190.58.108
See the readme that comes with the sshlockout package.
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
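
The failure in this thread (sshlockout logs "locking out" while the pf table stays empty because the process runs as _syslogd) can be checked for mechanically. The script below is an added example, not part of any post in the thread and not code from the sshlockout package; the function names are hypothetical and the sample log lines, addresses and table listing are constructed in the format shown above.

```shell
#!/bin/sh
# Added example (not from the thread): detect sshlockout lockouts that were
# logged but never reached the pf table, and syslog.conf pipes lacking doas.

# Read authlog text on stdin, print each address sshlockout says it locked out.
logged_lockouts() {
    awk '/sshlockout\[[0-9]+\]: / && /locking out / { print $NF }' | LC_ALL=C sort -u
}

# $1 = authlog file, $2 = saved output of `pfctl -t lockout -T show`.
# Prints logged addresses that are absent from the table.
missing_from_table() {
    t=$(mktemp) && l=$(mktemp) || return 1
    awk 'NF { print $1 }' "$2" | LC_ALL=C sort -u > "$t"
    logged_lockouts < "$1" > "$l"
    LC_ALL=C comm -23 "$l" "$t"
    rm -f "$t" "$l"
}

# $1 = syslog.conf. Prints uncommented pipe actions that start sshlockout
# directly, so it inherits syslogd's unprivileged _syslogd user.
unprivileged_pipes() {
    awk '!/^[ \t]*#/ && /\|/ && /sshlockout/ && !/doas/' "$1"
}

# Constructed sample input (documentation addresses, same format as the thread).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/authlog" <<'EOF'
Dec 4 06:37:54 gw sshlockout[27074]: Detected ssh preauth attempt for an invalid user, locking out 192.0.2.10
Dec 4 07:40:16 gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 198.51.100.7
Dec 4 07:41:02 gw sshd[311]: Invalid user admin from 198.51.100.7 port 4711
Dec 4 07:46:34 gw sshlockout[27074]: Detected ssh login attempt for an invalid user, locking out 203.0.113.5
EOF
printf '   198.51.100.7\n' > "$demo/table"   # constructed: only one entry made it
cat > "$demo/syslog.conf" <<'EOF'
#auth.info |exec /usr/local/sbin/sshlockout -pf old
auth.info;authpriv.info |exec /usr/local/sbin/sshlockout -pf lockout
EOF

echo "logged but not in table:"; missing_from_table "$demo/authlog" "$demo/table"
echo "pipes without doas:";      unprivileged_pipes "$demo/syslog.conf"
```

On the gateway, pass /var/log/authlog and a file holding the output of `pfctl -t lockout -T show` to `missing_from_table`, and /etc/syslog.conf to `unprivileged_pipes`.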