Difference between revisions of "Sshguard"

From ArchWiki
(fixed spelling)
(nftables: formatting)
 
(128 intermediate revisions by 29 users not shown)
Line 1: Line 1:
 
[[Category:Secure Shell]]
 
[[Category:Secure Shell]]
 +
[[Category:Firewalls]]
 
[[es:Sshguard]]
 
[[es:Sshguard]]
{{warning|Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}
+
[[ja:Sshguard]]
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacts, similar to [[fail2ban]].
+
{{Related articles start}}
 +
{{Related|fail2ban}}
 +
{{Related|ssh}}
 +
{{Related articles end}}
 +
{{warning|Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, with the knowledge of your IP address, the attacker can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}
 +
[http://www.sshguard.net sshguard] is a daemon that protects [[SSH]] and other services against brute-force attacks, similar to [[fail2ban]].
  
sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well.
+
sshguard is different from the latter in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well.
  
sshguard is not vulnerable to most (or maybe any) of the log analysis [http://www.ossec.net/main/attacking-log-analysis-tools vulnerabilities] that have caused problems for similar tools.
+
sshguard is not vulnerable to most (or maybe any) of the log analysis [https://web.archive.org/web/20120625102244/http://www.ossec.net/main/attacking-log-analysis-tools vulnerabilities] that have caused problems for similar tools.
  
 
==Installation==
 
==Installation==
Install {{Pkg|sshguard}} from the [[official repositories]].
+
[[Install]] the {{Pkg|sshguard}} package.
  
==Configuration==
+
==Setup==
The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:
+
 
 +
sshguard works by monitoring {{ic|/var/log/auth.log}}, syslog-ng or the systemd journal for failed login attempts. For each failed attempt, the offending host is banned from further communication for a limited amount of time. The default amount of time the offender is banned starts at 120 seconds, and is increases by a factor of 1.5 every time it fails another login. sshguard can be configured to permanently ban a host with too many failed attempts.
 +
 
 +
Both temporary and permanent bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. The ban is then logged to syslog and ends up in {{ic|/var/log/auth.log}}, or the systemd journal if the latter is being used.
 +
 
 +
You must configure one of the following firewalls to be used with sshguard in order for blocking to work.
 +
 
 +
==== FirewallD ====
 +
 
 +
sshguard can work with Firewalld. Make sure you have firewalld enabled, configured and setup first. To make sshguard write to your zone of preference, issue the following commands:
 +
 
 +
# firewallctl zone "<zone name>" --permanent add rich-rule "rule source ipset=sshguard4 drop"
 +
 
 +
If you use ipv6, you can issue the same command but substitute sshguard4 with sshguard6. Finish with
 +
# firewall-cmd --reload
 +
 
 +
You can verify the above with
 +
# firewall-cmd --info-ipset=sshguard4
 +
 
 +
Finally, in /etc/sshguard.conf, find the line for BACKEND and change it as follows
 +
 
 +
BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"
 +
 
 +
==== UFW ====
 +
 
 +
If UFW is installed and enabled, it must be given the ability to pass along DROP control to sshguard.  This is accomplished by modifying {{ic|/etc/ufw/before.rules}} to contain the following lines which should be inserted just after the section for loopback devices.  {{Note|Users running sshd on a non-standard port should substitute that in the final line above (where 22 is the standard).}}
 +
 
 +
{{hc|/etc/ufw/before.rules|
 +
# allow all on loopback
 +
-A ufw-before-input -i lo -j ACCEPT
 +
-A ufw-before-output -o lo -j ACCEPT
 +
 
 +
# hand off control for sshd to sshguard
 +
-N sshguard
 +
-A ufw-before-input -p tcp --dport 22 -j sshguard
 +
}}
 +
 
 +
[[Restart]] ufw after making this modification.
 +
 
 +
==== iptables ====
 +
 
 +
{{Note|See [[iptables]] and [[Simple stateful firewall]] first to set up a firewall.}}
 +
 
 +
The main configuration required is creating a chain named {{ic|sshguard}}, where sshguard automatically inserts rules to drop packets coming from bad hosts:
 
  # iptables -N sshguard
 
  # iptables -N sshguard
# iptables -A INPUT -j sshguard
 
# /etc/rc.d/iptables save
 
  
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:
+
Then add a rule to jump to the {{ic|sshguard}} chain from the {{ic|INPUT}} chain. This rule must be added '''before''' any other rules processing the ports that sshguard is protecting. Use the following line to protect FTP and SSH or see [http://www.sshguard.net/docs/setup/#netfilter-iptables this documentation] for more examples.
# iptables -F
+
  # iptables -A INPUT -m multiport -p tcp --destination-ports 21,22 -j sshguard
# iptables -X
+
 
  # iptables -P INPUT ACCEPT
+
To save the rules:
# iptables -P FORWARD ACCEPT
+
  # iptables-save > /etc/iptables/iptables.rules
# iptables -P OUTPUT ACCEPT
+
 
# iptables -N sshguard
+
{{Note|For IPv6, repeat the same steps with ''ip6tables'' and save the rules with ''ip6tables-save'' to {{ic|/etc/iptables/ip6tables.rules}}.}}
# iptables -A INPUT -j sshguard  
+
 
  # iptables-save > /etc/iptables/iptables.rules  
+
==== nftables ====
 +
 
 +
Edit {{ic|/etc/sshguard.conf}} and change the value of {{ic|BACKEND}} to the following:
 +
 
 +
{{hc|1=/etc/sshguard.conf|2=
 +
BACKEND="/usr/lib/sshguard/sshg-fw-nft-sets"
 +
}}
 +
 
 +
Additionally you will need to [[edit]] the {{ic|sshguard.service}} so that [[iptables]] is not run:
 +
 
 +
[Service]
 +
ExecStartPre=
 +
 
 +
When you [[start/enable]] the {{ic|sshguard.service}}, two new tables named {{ic|sshguard}} in the {{ic|ip}} and {{ic|ip6}} address families are added which filter incoming traffic through sshguard's list of IP addresses. The chains in the {{ic|sshguard}} table have a priority of -10 and will be processed before other rules of lower priority. See {{man|7|sshguard-setup}} and [[nftables]] for more information.
 +
 
 +
==Usage==
  
To finish saving your iptables configuration. Repeat above steps with {{ic|ip6tables}} to configure the firewall rules for IPv6 and save them
+
===systemd===
with {{ic|ip6tables-save}} to {{ic|/etc/iptables/ip6tables.rules}}.
 
  
For more information on using iptables to create powerful firewalls, see [[Simple Stateful Firewall]].
+
[[Enable]] and [[start]] {{ic|sshguard.service}}.
  
Then, enable the service:
+
===syslog-ng===
# systemctl enable sshguard
+
If you have {{Pkg|syslog-ng}} installed, you may start sshguard directly from the command line instead.
  
===In Arch Linux===
 
{{out of date|systemd sshguard.service relies on logging to systemd journal and ignores /var/log/auth.log}}
 
By default, sshguard does not have its own configuration file: all options are supplied on the command line.  However, Arch Linux uses the {{ic|/etc/conf.d/sshguard}} configuration file, allowing additional arguments to be passed to the command line when sshguard is started.
 
By default sshguard will use its built-in log reader, called ''Log Sucker'', to read the logs:
 
 
  /usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
 
  /usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
  
The {{ic|-l}} switch tells sshguard which log to watch. Note also the {{ic|-b}} option is used, which makes some bans permanent. Records of permanent bans are then kept in {{ic|/var/db/sshguard/blacklist.db}} to be remembered between restarts.
+
==Configuration==
 +
 
 +
Configuration is done in {{ic|/etc/sshguard.conf}} which is required for ''sshguard'' to start. A commented example is located at {{ic|/usr/share/doc/sshguard/sshguard.conf.sample}}.
 +
 
 +
{{Note|Piped commands and runtime flags in ''sshguard's'' systemd units [https://sourceforge.net/p/sshguard/mailman/message/35709860/ are not supported]. Such flags can be modified in the configuration file.}}
 +
 
 +
===Blacklisting threshold===
 +
 
 +
By default in the Arch-provided configuration file, offenders become permanently banned once they reach a "danger" level of 120 (or 12 failed logins; see [https://www.sshguard.net/docs/terminology/#attack-dangerousness attack dangerousness] for more details). This behavior can be modified by prepending a danger level to the blacklist file.
 +
 
 +
BLACKLIST_FILE=200:/var/db/sshguard/blacklist.db
 +
 
 +
The {{ic|200:}} in this example tells sshguard to permanently ban a host after achieving a danger level of 200.
 +
 
 +
Finally [[restart]] {{ic|sshguard.service}}
 +
 
 +
===Moderate banning example===
 +
 
 +
A slightly more aggressive banning rule than the default one is proposed here to illustrate various options. It monitors [[sshd]] and [[vsftpd]] via logs from systemd journal.
 +
It blocks attackers after 2 attempts for 180 sec, subsequent blocks increase by a factor of 1.5. The attackers are remembered up to 3600 sec and permanently blacklisted after 10 attempts.
 +
It blocks not only the attacker's IP but all the IPv4 subnet 24 ([[wikipedia:Classless_Inter-Domain_Routing|CIDR]] notation).
 +
 
 +
BACKEND="/usr/lib/sshguard/sshg-fw-iptables"
 +
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat"
 +
THRESHOLD=20
 +
BLOCK_TIME=180
 +
DETECTION_TIME=3600
 +
BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db
 +
IPV4_SUBNET=24
 +
 
 +
===Aggressive banning===
 +
 
 +
For some users under constant attack, a more aggressive banning policy can be adopted. If you are confident that accidental failed logins are unlikely, you can instruct SSHGuard to permanently ban hosts after a single failed login. Modify the parameters in the configuration file in the following way:
 +
THRESHOLD=10
 +
BLACKLIST_FILE=10:/var/db/sshguard/blacklist.db
 +
 
 +
Finally [[restart]] {{ic|sshguard.service}}.
 +
 
 +
Also, to prevent multiple authentication attempts during a single connection, you may want to change {{ic|/etc/ssh/sshd_config}} by defining:
 +
MaxAuthTries 1
 +
 
 +
[[Restart]] {{ic|sshd.service}} for this change to take effect.
 +
 
 +
==Tips and Tricks==
 +
 
 +
=== Unbanning ===
 +
 
 +
If you ban ''yourself'', you can wait to get unbanned automatically or use iptables or nftables to unban yourself.
 +
 
 +
==== iptables ====
 +
 
 +
First check if your IP is banned by sshguard:
 +
# iptables --list sshguard --line-numbers --numeric
 +
 
 +
Then use the following command to unban, with the line-number as identified in the former command:
 +
# iptables --delete sshguard ''line-number''
 +
 
 +
You will also need to remove the IP address from {{ic|/var/db/sshguard/blacklist.db}} in order to make unbanning persistent.
 +
 
 +
==== nftables ====
 +
 
 +
Remove your IP address from the {{ic|attackers}} set:
 +
 
 +
# nft delete element ''family'' sshguard attackers { ''ip_address'' }
  
==General Information==
+
where {{ic|''family''}} is either {{ic|ip}} or {{ic|ip6}}.
sshguard works by watching {{ic|/var/log/auth.log}} for changes to see if someone is failing to log in too many times. It can also be configured to get this information straight from syslog-ng. After too many login failures (default 4) the offending host is banned from further communication for a limited amount of time. The amount of time the offender is banned starts at 7 minutes and doubles each time he is banned again. By default in the archlinux package, at one point offenders become permanently banned.
 
  
Bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.
+
=== Logging ===
  
When sshguard bans someone, the ban is logged to syslog and ends up in {{ic|/var/log/auth.log}}.
+
To see what is being passed to sshguard, examine the script in {{ic|/usr/lib/systemd/scripts/sshguard-journalctl}} and the systemd service {{ic|sshguard.service}}. An equivalent command to view the logs in the terminal:
  
==See also==
+
$ journalctl -afb -p info SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
*[[fail2ban]]
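Review bot: the revised Setup paragraph (right column: "The default amount of time the offender is banned starts at 120 seconds, and is increases by a factor of 1.5") has a grammar slip; suggest "and increases by a factor of 1.5 every time it fails another login". Two smaller points in the added sections: the UFW note says "substitute that in the final line above" although the before.rules lines follow the note, so "below" is meant; and the nftables sentence "will be processed before other rules of lower priority" reads backwards in nftables terms, since a chain at priority -10 runs before chains with a higher priority value, such as the filter default of 0.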
 

Latest revision as of 20:48, 7 November 2017

Warning: Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, with the knowledge of your IP address, the attacker can send packets with a spoofed source header and get you locked out of the server. SSH keys provide an elegant solution to the problem of brute forcing without these problems.

sshguard is a daemon that protects SSH and other services against brute-force attacks, similar to fail2ban.

sshguard is different from the latter in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well.

sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for similar tools.

Installation

Install the sshguard package.

Setup

sshguard works by monitoring /var/log/auth.log, syslog-ng or the systemd journal for failed login attempts. For each failed attempt, the offending host is banned from further communication for a limited amount of time. The default amount of time the offender is banned starts at 120 seconds and increases by a factor of 1.5 every time it fails another login. sshguard can be configured to permanently ban a host with too many failed attempts.

Both temporary and permanent bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. The ban is then logged to syslog and ends up in /var/log/auth.log, or the systemd journal if the latter is being used.

You must configure one of the following firewalls to be used with sshguard in order for blocking to work.

FirewallD

sshguard can work with Firewalld. Make sure you have firewalld enabled, configured and set up first. To make sshguard write to your zone of preference, issue the following command:

# firewallctl zone "<zone name>" --permanent add rich-rule "rule source ipset=sshguard4 drop"

If you use IPv6, issue the same command with sshguard6 substituted for sshguard4. Finish with:

# firewall-cmd --reload

You can verify the above with:

# firewall-cmd --info-ipset=sshguard4

Finally, in /etc/sshguard.conf, find the line for BACKEND and change it as follows:

BACKEND="/usr/lib/sshguard/sshg-fw-firewalld"

UFW

If UFW is installed and enabled, it must be given the ability to pass along DROP control to sshguard. This is accomplished by modifying /etc/ufw/before.rules to contain the following lines, which should be inserted just after the section for loopback devices.
Note: Users running sshd on a non-standard port should substitute that port in the final line below (where 22 is the standard).
/etc/ufw/before.rules
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard

Restart ufw after making this modification.

iptables

Note: See iptables and Simple stateful firewall first to set up a firewall.

The main configuration required is creating a chain named sshguard, where sshguard automatically inserts rules to drop packets coming from bad hosts:

# iptables -N sshguard

Then add a rule to jump to the sshguard chain from the INPUT chain. This rule must be added before any other rules processing the ports that sshguard is protecting. Use the following line to protect FTP and SSH or see this documentation for more examples.

# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22 -j sshguard

To save the rules:

# iptables-save > /etc/iptables/iptables.rules

Note: For IPv6, repeat the same steps with ip6tables and save the rules with ip6tables-save to /etc/iptables/ip6tables.rules.

nftables

Edit /etc/sshguard.conf and change the value of BACKEND to the following:

/etc/sshguard.conf
BACKEND="/usr/lib/sshguard/sshg-fw-nft-sets"

Additionally you will need to edit the sshguard.service so that iptables is not run:

[Service]
ExecStartPre= 

When you start/enable the sshguard.service, two new tables named sshguard in the ip and ip6 address families are added which filter incoming traffic through sshguard's list of IP addresses. The chains in the sshguard table have a priority of -10 and are therefore processed before chains with a higher priority value, such as the default filter priority of 0. See sshguard-setup(7) and nftables for more information.

Usage

systemd

Enable and start sshguard.service.

syslog-ng

If you have syslog-ng installed, you may start sshguard directly from the command line instead.

/usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db

Configuration

Configuration is done in /etc/sshguard.conf which is required for sshguard to start. A commented example is located at /usr/share/doc/sshguard/sshguard.conf.sample.

Note: Piped commands and runtime flags in sshguard's systemd units are not supported. Such flags can be modified in the configuration file.

Blacklisting threshold

By default in the Arch-provided configuration file, offenders become permanently banned once they reach a "danger" level of 120 (or 12 failed logins; see attack dangerousness for more details). This behavior can be modified by prepending a danger level to the blacklist file.

BLACKLIST_FILE=200:/var/db/sshguard/blacklist.db

The 200: in this example tells sshguard to permanently ban a host after achieving a danger level of 200.

Finally restart sshguard.service

Moderate banning example

A slightly more aggressive banning rule than the default one is proposed here to illustrate various options. It monitors sshd and vsftpd via logs from the systemd journal. It blocks attackers after 2 attempts for 180 seconds; subsequent blocks increase by a factor of 1.5. Attackers are remembered for up to 3600 seconds and permanently blacklisted after 10 attempts. It blocks not only the attacker's IP but the whole IPv4 /24 subnet (CIDR notation).

BACKEND="/usr/lib/sshguard/sshg-fw-iptables"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t vsftpd -o cat"
THRESHOLD=20
BLOCK_TIME=180
DETECTION_TIME=3600
BLACKLIST_FILE=100:/var/db/sshguard/blacklist.db
IPV4_SUBNET=24
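To see how the figures in the Setup paragraph, the blacklisting threshold and the moderate and aggressive examples translate into behaviour, here is an added Python model of sshguard's scoring, blocking and blacklisting; it is an illustration written for this article, not sshguard's own code. It assumes a danger of 10 per failed login, a running score that is forgotten after DETECTION_TIME seconds of silence, a ban of BLOCK_TIME × 1.5^(n-1) seconds for the n-th block, a cumulative danger that is never reset, and THRESHOLD=30 / DETECTION_TIME=1800 as the stock defaults.

```python
"""Model of sshguard's scoring, blocking and blacklisting (added example, not
sshguard's code).  Assumed simplifications: each failed login adds 10 danger, a
host's score resets after DETECTION_TIME seconds of silence, the n-th block lasts
BLOCK_TIME * 1.5**(n-1) seconds, and the cumulative danger is never reset."""
import ipaddress
from dataclasses import dataclass
ATTACK_DANGER = 10  # danger added per failed login (assumed default)

@dataclass
class Config:
    threshold: int = 30             # THRESHOLD (assumed stock default)
    block_time: int = 120           # BLOCK_TIME, seconds
    detection_time: int = 1800      # DETECTION_TIME (assumed stock default)
    blacklist_threshold: int = 120  # the "120:" prefix of BLACKLIST_FILE
    ipv4_subnet: int = 32           # IPV4_SUBNET

DEFAULT = Config()
MODERATE = Config(threshold=20, block_time=180, detection_time=3600,
                  blacklist_threshold=100, ipv4_subnet=24)  # article's example
AGGRESSIVE = Config(threshold=10, blacklist_threshold=10)   # article's example

@dataclass
class Host:
    score: int = 0             # danger since the last reset or block
    cumulative: int = 0        # danger ever seen; decides blacklisting
    last_seen: float = 0.0
    blocks: int = 0
    blocked_until: float = 0.0

class Guard:
    def __init__(self, cfg):
        self.cfg, self.hosts = cfg, {}

    def key(self, ip):
        """Aggregate IPv4 attackers by IPV4_SUBNET, as sshguard does."""
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            return str(ipaddress.ip_network(f"{ip}/{self.cfg.ipv4_subnet}", strict=False))
        return str(addr)

    def failed_login(self, t, ip):
        """Feed one failed login at time t; return 'block', 'blacklist' or None."""
        h = self.hosts.setdefault(self.key(ip), Host())
        if h.cumulative >= self.cfg.blacklist_threshold or t < h.blocked_until:
            return None  # the firewall already drops this host
        if t - h.last_seen > self.cfg.detection_time:
            h.score = 0  # quiet for longer than DETECTION_TIME: forget the score
        h.last_seen = t
        h.score += ATTACK_DANGER
        h.cumulative += ATTACK_DANGER
        if h.cumulative >= self.cfg.blacklist_threshold:
            return "blacklist"  # permanent entry in BLACKLIST_FILE
        if h.score >= self.cfg.threshold:
            h.blocks += 1
            h.blocked_until, h.score = t + self.cfg.block_time * 1.5 ** (h.blocks - 1), 0
            return "block"
        return None

def attempts_until_blacklist(cfg, ip="192.0.2.10"):
    """Count the failed logins of an attacker that retries one second after
    each block expires, until sshguard would blacklist it permanently."""
    g, t, n = Guard(cfg), 0.0, 0
    while True:
        n += 1
        if g.failed_login(t, ip) == "blacklist":
            return n
        t = max(t + 1, g.hosts[g.key(ip)].blocked_until + 1)
```

With the moderate settings the model blocks after the 2nd attempt and blacklists on the 10th, with the stock defaults on the 12th, and with the aggressive settings on the 1st, matching the counts given in the text.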

Aggressive banning

For some users under constant attack, a more aggressive banning policy can be adopted. If you are confident that accidental failed logins are unlikely, you can instruct SSHGuard to permanently ban hosts after a single failed login. Modify the parameters in the configuration file in the following way:

THRESHOLD=10
BLACKLIST_FILE=10:/var/db/sshguard/blacklist.db

Finally restart sshguard.service.

Also, to prevent multiple authentication attempts during a single connection, you may want to change /etc/ssh/sshd_config by defining:

MaxAuthTries 1

Restart sshd.service for this change to take effect.

Tips and Tricks

Unbanning

If you ban yourself, you can wait to get unbanned automatically or use iptables or nftables to unban yourself.

iptables

First check if your IP is banned by sshguard:

# iptables --list sshguard --line-numbers --numeric

Then use the following command to unban, with the line number as identified by the previous command:

# iptables --delete sshguard line-number

You will also need to remove the IP address from /var/db/sshguard/blacklist.db in order to make unbanning persistent.

nftables

Remove your IP address from the attackers set:

# nft delete element family sshguard attackers { ip_address }

where family is either ip or ip6.

Logging

To see what is being passed to sshguard, examine the script in /usr/lib/systemd/scripts/sshguard-journalctl and the systemd service sshguard.service. An equivalent command to view the logs in the terminal:

$ journalctl -afb -p info SYSLOG_FACILITY=4 SYSLOG_FACILITY=10