[opensuse] How to get sshguard working in 12.2
Hi Folks, I started to use sshguard <http://www.sshguard.net/> with openSuSE 12.1. The package I had been using for many years to protect Internet-facing servers from brute force attacks still worked, but it was a hassle to update the regex log scanning glue when bumping OS versions. I really like sshguard, but I had some issues installing it in 12.1 even though the package was available in the openSuSE "security" repository. The main problem was SuSEfirewall2 re-initializing the iptables rules after sshguard during the boot process. Christian (IIRC) helped me to sort things out with the SysV init scripts. But what worked in 12.1 failed in 12.2; it seems that systemd is behaving differently. So I re-addressed the issue and figured out a workaround using custom firewall rules. It would be nice if all this could be sorted out for 12.3, but I thought it valuable to document a workaround for 12.2. sshguard is a good package, but it will never work out-of-the-box without some fumbling around. My workaround will only protect ssh, but it's easy to modify to include other services. Another note: the workaround below doesn't seem to work with IPv6, so I included a line to disable IPv6 in the ssh daemon. This will work in my environment and should give me a chance to sort out what's wrong.
Regards, Lew

1: Add the sshguard package from the security repository

    zypper addrepo http://download.opensuse.org/repositories/security/openSUSE_12.2/ opensuse-security
    zypper install sshguard

2: Edit /etc/sysconfig/sshguard and change ATTACK_ATTEMPTS from 4 to 40:

    ATTACK_ATTEMPTS="40"

3: In /etc/init.d/sshguard comment out the lines as shown:

    # Reset status of this service
    rc_reset

    case "$1" in
        start)
            echo -n "Starting SSHGUARD "
            # iptables_start
            setup_cmdline
            /sbin/startproc -q $SSHGUARD_BIN $cmdline
            rc_status -v
            ;;
        stop)
            echo -n "Shutting down SSHGUARD "
            /sbin/killproc -q -TERM $SSHGUARD_BIN
            # iptables_stop
            rc_status -v

4: Enable the sshguard service in yast, or by running:

    insserv sshguard

5: Enable custom firewall rules in /etc/sysconfig/SuSEfirewall2 by uncommenting the line as shown:

    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Then comment out the following line:

    #FW_CUSTOMRULES=""

6: In /etc/sysconfig/scripts/SuSEfirewall2-custom, add the two lines as shown:

    fw_custom_after_chain_creation() {
        # these rules will be loaded after the various input_* and forward_* chains
        # are created.
        # You can use this hook to allow/deny certain IP protocols or TCP/UDP
        # ports before the SuSEfirewall2 generated rules are hit.
        #example: always filter backorifice/netbus trojan connect requests and log them.
        #for target in LOG DROP; do
        #    for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
        #        iptables -A $chain -j $target -p tcp --dport 31337
        #        iptables -A $chain -j $target -p udp --dport 31337
        #        iptables -A $chain -j $target -p tcp --dport 12345:12346
        #        iptables -A $chain -j $target -p udp --dport 12345:12346
        #    done
        #done
    Add>>> iptables -N sshguard
    Add>>> iptables -I INPUT 4 -p tcp --dport 22 -j sshguard
        true
    }

7: In /sbin/SuSEfirewall2 comment out the FW_CUSTOMRULES line:

    #FW_CUSTOMRULES=""

8: To make sshd listen only for IPv4 traffic, uncomment the AddressFamily line and change to:

    AddressFamily inet

Then run "/etc/init.d/sshd restart"

A reboot at this time is probably advisable to reset/initialize everything.
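A post-reboot check for the workaround above, added here as an example and not part of Lew's message: it reads iptables-save output and confirms the sshguard chain exists, the tcp/22 jump to it is still in INPUT after SuSEfirewall2 has reloaded, and that jump comes before the input_ext dispatch (otherwise the generic ssh accept rule wins). The ruleset fed to it below is constructed; on a live host run `iptables-save | check_sshguard_rules`.

```shell
#!/bin/sh
# check_sshguard_rules: reads iptables-save output on stdin, returns 0 when the
# sshguard chain and the INPUT jump are present and ordered before input_ext.
check_sshguard_rules() {
    save=$(cat)
    printf '%s\n' "$save" | grep -q '^:sshguard ' || {
        echo "missing: sshguard chain (iptables -N sshguard)" >&2; return 1; }
    printf '%s\n' "$save" | grep -q '^-A INPUT .*--dport 22 .*-j sshguard$' || {
        echo "missing: INPUT jump to sshguard for tcp/22" >&2; return 1; }
    # Ordering: compare line numbers of the sshguard jump and the input_ext dispatch.
    guard_line=$(printf '%s\n' "$save" | grep -n '^-A INPUT ' | grep -- '-j sshguard' | head -n1 | cut -d: -f1)
    ext_line=$(printf '%s\n' "$save" | grep -n '^-A INPUT ' | grep -- '-j input_ext' | head -n1 | cut -d: -f1)
    if [ -n "$ext_line" ] && [ "$guard_line" -gt "$ext_line" ]; then
        echo "order: sshguard jump sits after the input_ext dispatch" >&2; return 1
    fi
    return 0
}

# Constructed sample resembling a SuSEfirewall2 ruleset with the workaround applied.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
:sshguard - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# The same ruleset after a reload that dropped the custom hook (the 12.2 failure mode).
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v sshguard)

printf '%s\n' "$GOOD_RULES" | check_sshguard_rules && echo "workaround intact"
printf '%s\n' "$BAD_RULES" | check_sshguard_rules || echo "workaround lost"
```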