Difference between revisions of "Sshguard"

From ArchWiki
(denyhosts has been dropped: http://www.archlinux.org/news/dropping-tcp_wrappers-support/)
Line 1: Line 1:
 
[[Category:Networking (English)]]
 
[[Category:Networking (English)]]
 
[[Category:Security (English)]]
 
[[Category:Security (English)]]
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacts, similar to [[fail2ban]] and [[DenyHosts]].
+
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacts, similar to [[fail2ban]].
  
 
sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while doing it's core function equally well.
 
sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while doing it's core function equally well.
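Review bot: removing [[DenyHosts]] from the first sentence leaves "the other two" in the following paragraph without a referent, since fail2ban is now the only tool named; reword that sentence (for example "sshguard differs from fail2ban in that ...") or keep DenyHosts as a comparison point. The unchanged lines also carry "attacts" and "it's" (for "its"), which could be fixed in the same edit.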
Line 51: Line 51:
 
This line will use the built-in log reader (called ''Log Sucker'') instead of ''tail'' to read the logs and will not keep permanent bans:
 
This line will use the built-in log reader (called ''Log Sucker'') instead of ''tail'' to read the logs and will not keep permanent bans:
 
  /usr/sbin/sshguard -l /var/log/auth.log &> /dev/null &
 
  /usr/sbin/sshguard -l /var/log/auth.log &> /dev/null &
 +
 +
==See also==
 +
*[[fail2ban]]

Revision as of 09:24, 22 July 2011

sshguard is a daemon that protects SSH and other services against brute-force attacks, similar to fail2ban.

sshguard differs from tools such as fail2ban in that it is written in C and is lighter and simpler to use; it has fewer features but does its core job equally well.

sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for some other similar tools.

Installation

First, install iptables so sshguard can block remote hosts:

# pacman -S iptables

Then, install the sshguard package from the official repositories:

# pacman -S sshguard

Configuration

sshguard does not have a configuration file. The only configuration needed is to create a chain named "sshguard" and jump to it from the INPUT chain of iptables; sshguard automatically inserts rules into that chain to drop packets coming from bad hosts:

# iptables -N sshguard
# iptables -A INPUT -j sshguard
# /etc/rc.d/iptables save

If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:

# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# /etc/rc.d/iptables save

For more information on using iptables to create powerful firewalls, see Simple Stateful Firewall.

Finally, add iptables and sshguard to the DAEMONS array in /etc/rc.conf:

DAEMONS=(... iptables sshguard ...)
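The commands above only work if the "sshguard" chain exists and the INPUT chain actually jumps to it; a chain that nothing refers to silently makes every ban a no-op. The following script is an added example, not code from this wiki page or from the sshguard project: it parses `iptables -S` style output and reports whether the chain is defined and how INPUT is wired to it. The three rule listings are constructed for the example, and the "all"/"restricted"/"none" scope labels are this script's own vocabulary, not iptables terminology.

```python
import re
import shutil
import subprocess

# Constructed `iptables -S` listings (not captured from a real host).
RULES_OK = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N sshguard
-A INPUT -j sshguard
"""

# Chain created but INPUT never jumps to it: sshguard's DROP rules are never consulted.
RULES_UNHOOKED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N sshguard
"""

# Only SSH traffic passes through the chain, so bans affect port 22 alone.
RULES_PORT22 = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N sshguard
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
"""


def check_sshguard_chain(rules_text, chain="sshguard"):
    """Inspect `iptables -S` output and report how the sshguard chain is wired.

    Returns a dict with:
      chain_defined -- True if a `-N <chain>` line is present
      hooks         -- the match part of every `-A INPUT ... -j <chain>` rule
                       ("" means unconditional, i.e. all inbound traffic)
      scope         -- "all", "restricted" or "none" (labels used by this example)
      problems      -- human-readable findings, empty when the setup is usable
    """
    hook_re = re.compile(rf"^-A INPUT(?P<match>.*?) -j {re.escape(chain)}$")
    lines = [line.strip() for line in rules_text.splitlines() if line.strip()]

    chain_defined = f"-N {chain}" in lines
    hooks = [m.group("match").strip() for line in lines if (m := hook_re.match(line))]

    problems = []
    if not chain_defined:
        problems.append(f"chain {chain!r} is not defined; run: iptables -N {chain}")
    elif not hooks:
        problems.append(
            f"INPUT never jumps to {chain!r}, so bans have no effect; "
            f"run: iptables -A INPUT -j {chain}"
        )

    if not hooks:
        scope = "none"
    elif "" in hooks:
        scope = "all"
    else:
        scope = "restricted"

    return {"chain_defined": chain_defined, "hooks": hooks,
            "scope": scope, "problems": problems}


def live_rules():
    """Return the current `iptables -S` output, or None when iptables is unavailable."""
    if shutil.which("iptables") is None:
        return None
    try:
        return subprocess.run(["iptables", "-S"], capture_output=True,
                              text=True, check=True).stdout
    except (subprocess.CalledProcessError, OSError):
        return None  # not root, or the kernel lacks netfilter


if __name__ == "__main__":
    rules = live_rules() or RULES_UNHOOKED  # fall back to a constructed sample
    report = check_sshguard_chain(rules)
    print(f"chain defined: {report['chain_defined']}, scope: {report['scope']}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Run it as root on a host that followed the steps above and it should report scope "all" with no problems; a "restricted" scope means only a subset of traffic (such as port 22) passes through the chain, which is the variant described later on this page.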

General Information

sshguard works by watching /var/log/auth.log for changes to see whether someone is failing to log in too many times. It can also be configured to get this information straight from syslog-ng. After too many login failures (default 4) the offending host is banned from further communication for a limited amount of time. The ban starts at 7 minutes and doubles each time the same host is banned again. By default in the Arch Linux package, at some point offenders become permanently banned.

Bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.

When sshguard bans someone, the ban is logged to syslog and ends up in /var/log/auth.log.
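To make the policy above concrete, here is an added Python model of it; this is not code from the wiki page or from sshguard, which recognises many more log formats than the single sshd message matched here. It replays a constructed auth.log excerpt, bans a host after 4 failures, starts at a 7-minute ban and doubles it on each repeat, and returns the equivalent DROP entry for the "sshguard" chain as a string (nothing is executed). The `permanent_after` parameter is an assumption of this example standing in for the permanent-ban behaviour; it is not an sshguard option.

```python
import re
from collections import defaultdict

# Constructed /var/log/auth.log excerpt (made up for this example, not real traffic).
SAMPLE_AUTH_LOG = """\
Jul 22 09:00:01 host sshd[1001]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Jul 22 09:00:03 host sshd[1002]: Failed password for root from 192.0.2.10 port 4002 ssh2
Jul 22 09:00:05 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 5001 ssh2
Jul 22 09:00:06 host sshd[1004]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jul 22 09:00:08 host sshd[1005]: Failed password for invalid user test from 192.0.2.10 port 4004 ssh2
Jul 22 09:00:09 host sshd[1006]: Failed password for invalid user test from 203.0.113.5 port 6001 ssh2
"""

# One common sshd failure message; real sshguard recognises several more patterns.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(log_text):
    """Return the source address of every failed sshd login, in log order."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


class BanTracker:
    """Model of the ban policy described above: ban after `threshold` failures,
    the first ban lasts `first_ban_minutes`, each repeat ban for the same host doubles.
    `permanent_after` is an assumed knob for this example (not an sshguard option):
    the N-th ban of a host becomes permanent, standing in for the -b blacklist."""

    def __init__(self, threshold=4, first_ban_minutes=7, permanent_after=None):
        self.threshold = threshold
        self.first_ban_minutes = first_ban_minutes
        self.permanent_after = permanent_after
        self.failures = defaultdict(int)   # failures since the host's last ban
        self.ban_count = defaultdict(int)  # how many times each host was banned
        self.permanent = set()

    def next_ban_minutes(self, ip):
        """Length of the host's next ban in minutes, or None if it would be permanent."""
        n = self.ban_count[ip]
        if self.permanent_after is not None and n + 1 >= self.permanent_after:
            return None
        return self.first_ban_minutes * 2 ** n

    def record_failure(self, ip):
        """Count one failure. Returns (minutes, rule) when this failure triggers a
        ban (minutes is None for a permanent one), otherwise None."""
        if ip in self.permanent:
            return None
        self.failures[ip] += 1
        if self.failures[ip] < self.threshold:
            return None
        minutes = self.next_ban_minutes(ip)
        self.failures[ip] = 0
        self.ban_count[ip] += 1
        if minutes is None:
            self.permanent.add(ip)
        # Equivalent of the DROP entry sshguard adds to its chain; only a string here.
        return minutes, f"iptables -A sshguard -s {ip} -j DROP"


def replay(log_text, tracker):
    """Feed every failure in log_text to tracker; return one (ip, minutes, rule) per ban."""
    events = []
    for ip in parse_failures(log_text):
        result = tracker.record_failure(ip)
        if result is not None:
            events.append((ip, *result))
    return events


if __name__ == "__main__":
    tracker = BanTracker()
    for ip, minutes, rule in replay(SAMPLE_AUTH_LOG, tracker):
        print(f"ban {ip} for {minutes} min: {rule}")
```

On the sample, 192.0.2.10 is banned after its fourth failure (7 minutes) while 203.0.113.5, with a single failure, is left alone; feeding four more failures from 192.0.2.10 produces a 14-minute ban, which is the doubling the text describes.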


Since there is no configuration file, all configuration is done through the command-line switches given when sshguard is started. In Arch Linux these can be changed by editing /etc/rc.d/sshguard. By default, the line that starts the program is:

tail -n0 -F /var/log/auth.log | /usr/sbin/sshguard -b /var/db/sshguard/blacklist.db &> /dev/null &

In this default configuration, tail reads the log and pipes it to sshguard. Note also the -b option, which makes some bans permanent; records of permanent bans are kept in /var/db/sshguard/blacklist.db so that they survive restarts.

This line will use the built-in log reader (called Log Sucker) instead of tail to read the logs and will not keep permanent bans:

/usr/sbin/sshguard -l /var/log/auth.log &> /dev/null &

See also

* fail2ban