Difference between revisions of "Sshguard"
Thestinger (talk | contribs) (→Installation: sshguard depends on iptables (also, Help:Style))
(→Configuration)
(10 intermediate revisions by 8 users not shown)
Line 14: | Line 14: | ||
The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts: | The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts: | ||
# iptables -N sshguard | # iptables -N sshguard | ||
− | # iptables -A INPUT -j sshguard | + | # iptables -A INPUT -p tcp --dport 22 -j sshguard |
− | # /etc/ | + | # iptables-save > /etc/iptables/iptables.rules |
+ | If you use IPv6: | ||
+ | # ip6tables -N sshguard | ||
+ | # ip6tables -A INPUT -p tcp --dport 22 -j sshguard | ||
+ | # ip6tables-save > /etc/iptables/ip6tables.rules | ||
+ | If you don't use IPv6, create and empty file "ip6tables.rules" with: | ||
+ | # touch /etc/iptables/ip6tables.rules | ||
+ | Finally: | ||
+ | # systemctl reload iptables | ||
+ | |||
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work: | If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work: | ||
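Review bot: the closing step `# systemctl reload iptables` reloads only the IPv4 rules file; nothing in this hunk reloads the IPv6 rules just saved to /etc/iptables/ip6tables.rules, so either add the matching reload for the ip6tables unit or state that those rules take effect on the next restart. Also, "create and empty file" should read "create an empty file".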
Line 27: | Line 36: | ||
# iptables-save > /etc/iptables/iptables.rules | # iptables-save > /etc/iptables/iptables.rules | ||
− | To finish saving your iptables configuration. | + | To finish saving your iptables configuration. Repeat above steps with {{ic|ip6tables}} to configure the firewall rules for IPv6 and save them |
− | + | with {{ic|ip6tables-save}} to {{ic|/etc/iptables/ip6tables.rules}}. | |
− | |||
− | + | For more information on using iptables to create powerful firewalls, see [[Simple Stateful Firewall]]. | |
− | |||
− | + | Then, enable the service: | |
# systemctl enable sshguard | # systemctl enable sshguard | ||
===In Arch Linux=== | ===In Arch Linux=== | ||
+ | {{out of date|systemd sshguard.service relies on logging to systemd journal and ignores /var/log/auth.log}} | ||
By default, sshguard does not have its own configuration file: all options are supplied on the command line. However, Arch Linux uses the {{ic|/etc/conf.d/sshguard}} configuration file, allowing additional arguments to be passed to the command line when sshguard is started. | By default, sshguard does not have its own configuration file: all options are supplied on the command line. However, Arch Linux uses the {{ic|/etc/conf.d/sshguard}} configuration file, allowing additional arguments to be passed to the command line when sshguard is started. | ||
By default sshguard will use its built-in log reader, called ''Log Sucker'', to read the logs: | By default sshguard will use its built-in log reader, called ''Log Sucker'', to read the logs: |
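Review bot: the new out-of-date banner says the systemd sshguard.service ignores /var/log/auth.log, yet the text right below it still documents `-l /var/log/auth.log` as the default invocation; either update that example or say it applies only to the syslog-based setup. Separately, the "does absolutely nothing" rule set still hooks all INPUT traffic with `# iptables -A INPUT -j sshguard` (visible in the rendered article below) while the first block was changed to `-p tcp --dport 22`; the two should agree, or the text should note that the unrestricted form drops every packet from a banned host, not just SSH. "To finish saving your iptables configuration." is also a sentence fragment.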
Revision as of 12:52, 16 August 2013
sshguard is a daemon that protects SSH and other services against brute-force attacks, similar to fail2ban.
sshguard differs from comparable tools in that it is written in C, is lighter and simpler to use, and has fewer features while performing its core function equally well.
sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for similar tools.
Installation
Install sshguard from the official repositories.
Configuration
The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:
# iptables -N sshguard
# iptables -A INPUT -p tcp --dport 22 -j sshguard
# iptables-save > /etc/iptables/iptables.rules
If you use IPv6:
# ip6tables -N sshguard
# ip6tables -A INPUT -p tcp --dport 22 -j sshguard
# ip6tables-save > /etc/iptables/ip6tables.rules
If you do not use IPv6, create an empty file "ip6tables.rules" with:
# touch /etc/iptables/ip6tables.rules
Finally:
# systemctl reload iptables
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# iptables-save > /etc/iptables/iptables.rules
This finishes saving your iptables configuration. Repeat the above steps with ip6tables to configure the firewall rules for IPv6 and save them with ip6tables-save to /etc/iptables/ip6tables.rules.
For more information on using iptables to create powerful firewalls, see Simple Stateful Firewall.
Then, enable the service:
# systemctl enable sshguard
In Arch Linux
By default, sshguard does not have its own configuration file: all options are supplied on the command line. However, Arch Linux uses the /etc/conf.d/sshguard configuration file, allowing additional arguments to be passed on the command line when sshguard is started.
By default sshguard will use its built-in log reader, called Log Sucker, to read the logs:
/usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
The -l switch tells sshguard which log to watch. Note also that the -b option is used, which makes some bans permanent. Records of permanent bans are kept in /var/db/sshguard/blacklist.db so that they are remembered between restarts.
General Information
sshguard works by watching /var/log/auth.log for changes to see whether a host is failing to log in too many times. It can also be configured to get this information directly from syslog-ng. After too many login failures (4 by default) the offending host is banned from further communication for a limited amount of time. The ban starts at 7 minutes and doubles each time the host is banned again. In the Arch Linux package, offenders eventually become permanently banned by default.
Bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.
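An added check (example code, not from the Arch wiki or the sshguard project) that audits a saved rules file for the hook set up in the Configuration section: it verifies that the sshguard chain is declared and that INPUT jumps to it, and reports whether the jump is limited to tcp/22 (so bans affect only SSH, as explained above) or catches all traffic. The function name and the three sample rule files are constructed for this example; ip6tables-save writes the same format, so it applies to ip6tables.rules as well.

```shell
# Added example: audit an iptables-save style rules file (e.g. /etc/iptables/iptables.rules)
# for the sshguard hook. Returns 0 when the "sshguard" chain is declared and INPUT
# jumps to it; prints whether bans are limited to tcp/22 or drop all traffic.

check_sshguard_rules() {
    rules_file="$1"
    # Chain declarations in iptables-save output look like ":sshguard - [0:0]"
    if ! grep -q '^:sshguard ' "$rules_file"; then
        echo "$rules_file: sshguard chain is not declared" >&2
        return 1
    fi
    # The hook rule is "-A INPUT ... -j sshguard"; without it bans never match
    jump=$(grep '^-A INPUT .*-j sshguard$' "$rules_file" | head -n 1)
    if [ -z "$jump" ]; then
        echo "$rules_file: INPUT never jumps to sshguard, bans will have no effect" >&2
        return 1
    fi
    # iptables-save renders "-p tcp --dport 22" as "-p tcp -m tcp --dport 22"
    case "$jump" in
        *"-p tcp"*"--dport 22"*) echo "$rules_file: ok, bans limited to tcp/22" ;;
        *) echo "$rules_file: ok, bans drop all traffic from the offender" ;;
    esac
    return 0
}

# Constructed sample rule files (hypothetical content, in the format iptables-save writes)
RULES_OK=$(mktemp); RULES_ALL=$(mktemp); RULES_BAD=$(mktemp)
trap 'rm -f "$RULES_OK" "$RULES_ALL" "$RULES_BAD"' EXIT
cat > "$RULES_OK" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
EOF
cat > "$RULES_ALL" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT
EOF
# Chain created but never hooked from INPUT (the "iptables -A INPUT ..." step was skipped)
cat > "$RULES_BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
COMMIT
EOF
```

Run it as `check_sshguard_rules /etc/iptables/iptables.rules` (and again for ip6tables.rules) after the iptables-save step to confirm the hook survived the save.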
When sshguard bans a host, the ban is logged to syslog and ends up in /var/log/auth.log.