Difference between revisions of "Sshguard"

From ArchWiki
(fixed spelling)
(Logging: just use plain journalctl to view the logs)
 
(55 intermediate revisions by 18 users not shown)
Latest revision as of 21:17, 19 July 2016

Related articles: fail2ban, ssh

Warning: Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. SSH keys provide an elegant solution to the problem of brute forcing without these problems.

sshguard is a daemon that protects SSH and other services against brute-force attacks, similar to fail2ban.

sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well.

sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for similar tools.

Installation

Install the sshguard package.

Setup

sshguard works by monitoring /var/log/auth.log, syslog-ng or the systemd journal for failed login attempts. For each failed attempt, the offending host is banned from further communication for a limited amount of time. The default amount of time the offender is banned starts at 7 minutes, and doubles each time he or she fails another login. sshguard can be configured to permanently ban a host with too many failed attempts.

Both temporary and permanent bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. The ban is then logged to syslog and ends up in /var/log/auth.log, or the systemd journal, if systemd is being used. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.

You must configure a firewall to be used with sshguard in order for blocking to work.

UFW

This article or section is out of date.

Reason: Is the following warning still applicable? (Discuss in Talk:Sshguard#ufw issue)

Warning: Currently, ufw-033-3 in [community] is not compatible with the method shown below. Users must use ufw-bzr from the AUR.
If UFW is installed and enabled, it must be given the ability to pass along DROP control to sshguard. This is accomplished by modifying /etc/ufw/before.rules to contain the following lines, which should be inserted just after the section for loopback devices.
Note: Users running sshd on a non-standard port should substitute that port in the last rule below (where 22 is the standard).
/etc/ufw/before.rules
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard

Restart ufw after making this modification.

iptables

The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:

# iptables -N sshguard
# iptables -A INPUT -p tcp --dport 22 -j sshguard
# iptables-save > /etc/iptables/iptables.rules

If you use IPv6:

# ip6tables -N sshguard
# ip6tables -A INPUT -p tcp --dport 22 -j sshguard
# ip6tables-save > /etc/iptables/ip6tables.rules

If you do not use IPv6, create an empty ip6tables.rules file with:

# touch /etc/iptables/ip6tables.rules

Finally, reload the iptables service.

If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:

# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard 
# iptables-save > /etc/iptables/iptables.rules    

The last command saves your iptables configuration. Repeat the above steps with ip6tables to configure the firewall rules for IPv6, and save them with ip6tables-save to /etc/iptables/ip6tables.rules.

For more information on using iptables to create powerful firewalls, see Simple stateful firewall.
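The most common way for sshguard to appear to "work" while never blocking anything is the chain being created without a rule in INPUT that jumps to it: sshguard happily inserts DROP rules into its chain, but no packet is ever routed through them. The following shell snippet is an added example, not part of the ArchWiki page or of the sshguard project. It checks a rules dump in iptables-save format for both halves of the wiring described above, accepting either the port-specific jump or the catch-all `-A INPUT -j sshguard` from the minimal configuration. The dumps it is fed here are constructed sample text.

```shell
#!/bin/sh
# Constructed iptables-save output (sample text, not captured from a real
# host): the "sshguard" chain exists and INPUT hands tcp/22 to it.
SAMPLE_RULES_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT'

# Constructed: the minimal "does nothing except allow sshguard to work"
# layout, where every INPUT packet traverses the sshguard chain.
SAMPLE_RULES_CATCHALL='*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT'

# Constructed: chain declared, but nothing in INPUT jumps to it, so bans
# placed in the chain never match any traffic.
SAMPLE_RULES_NO_JUMP='*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
COMMIT'

# check_sshguard_wiring PORT RULES
# Returns 0 when RULES (iptables-save text) both declares the sshguard chain
# and jumps to it from INPUT, either for tcp/PORT or unconditionally.
# Otherwise reports what is missing on stderr and returns 1.
check_sshguard_wiring() {
    port=$1
    rules=$2
    status=0
    if ! printf '%s\n' "$rules" | grep -q '^:sshguard '; then
        echo "missing: chain 'sshguard' is not declared" >&2
        status=1
    fi
    # Matches "-A INPUT -p tcp [-m tcp] --dport PORT -j sshguard" or the
    # catch-all "-A INPUT -j sshguard" (iptables-save adds "-m tcp" itself).
    pat='^-A INPUT( -p tcp( -m tcp)? --dport '"$port"')? -j sshguard$'
    if ! printf '%s\n' "$rules" | grep -Eq "$pat"; then
        echo "missing: no INPUT rule jumps to sshguard for tcp/${port}" >&2
        status=1
    fi
    return $status
}
```

On a live host the same check runs as `check_sshguard_wiring 22 "$(iptables-save)"` (as root), or against the saved file with `"$(cat /etc/iptables/iptables.rules)"`; substitute the port sshd actually listens on, since a jump for port 22 does nothing for a daemon on 2222.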

Usage

systemd

Enable and start the sshguard.service. The provided systemd unit uses a blacklist located at /var/db/sshguard/blacklist.db and pipes journalctl into sshguard for monitoring.

To add optional sshguard arguments, modify the provided service with drop-in snippets as described in systemd#Editing provided units.

syslog-ng

If you have syslog-ng installed, you may start sshguard directly from the command line instead.

/usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db

Configuration

Change danger level

By default in the Arch-provided systemd unit, offenders become permanently banned once they have reached a "danger" level of 120 (or 12 failed logins; see terminology for more details). This behavior can be modified by prepending a danger level to the blacklist file.

Edit the provided systemd unit and change the ExecStart= line:

[Service]
ExecStart=
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b 200:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

The 200: in this example tells sshguard to permanently ban a host after achieving a danger level of 200.

Finally restart the sshguard.service unit.

Aggressive banning

For some users under constant attack, it may be beneficial to enable a more aggressive banning policy. If you can be reasonably sure that accidental failed logins are unlikely, then you can instruct SSHGuard to automatically ban hosts with a single failed login. Edit the provided systemd unit in the following way:

[Service]
ExecStart=
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 1 -b 10:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

Finally restart the sshguard.service unit.
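To see what the danger thresholds in the two sections above mean in practice, the following shell snippet is an added example (not code from the ArchWiki page or from the sshguard project). It scores failed sshd logins per source address the way the page's figures imply (120 = 12 failures, so 10 points per failed password; that per-attack score is an assumption taken from those numbers) and lists the addresses that would be at or above a chosen threshold: 120 for the default unit, 200 for the modified one, and 10 for the single-failure aggressive policy. The log lines it processes are constructed sample text.

```shell
#!/bin/sh
# Constructed sshd log lines in the style the journal carries for failed and
# successful logins (sample text, not captured from a real system).
SAMPLE_AUTH_LOG='Jul 19 21:10:01 host sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jul 19 21:10:03 host sshd[1201]: Failed password for root from 203.0.113.10 port 51023 ssh2
Jul 19 21:10:05 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40010 ssh2
Jul 19 21:10:09 host sshd[1204]: Accepted publickey for alice from 192.0.2.5 port 55010 ssh2
Jul 19 21:10:11 host sshd[1205]: Failed password for root from 203.0.113.10 port 51024 ssh2'

# Points per failed attempt. Assumed from the page's "120 = 12 failed logins".
ATTACK_SCORE=10

# danger_levels LOG
# Adds ATTACK_SCORE for every "sshd[...]: Failed password ... from IP" line
# and prints "IP LEVEL" pairs, highest level first.
danger_levels() {
    printf '%s\n' "$1" | awk -v pts="$ATTACK_SCORE" '
        /sshd\[[0-9]+\]: Failed password/ {
            # the address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { level[$(i + 1)] += pts; break }
        }
        END { for (ip in level) print ip, level[ip] }' | sort -k2,2nr -k1,1
}

# over_threshold THRESHOLD LOG
# Prints the addresses whose level has reached THRESHOLD, i.e. the ones a
# blacklist configured as "-b THRESHOLD:..." would ban permanently.
over_threshold() {
    danger_levels "$2" | awk -v t="$1" '$2 >= t { print $1 }'
}
```

With the sample above, a threshold of 10 flags both attacking addresses after their first failure, a threshold of 30 flags only the address with three failures, and the default 120 flags nothing yet; the successful publickey login is never counted. Live, the same scoring can be run over `journalctl -b -u sshd --no-pager`, keeping in mind that sshguard's own counters also decay and are reset by its temporary bans, so the script is a way to reason about thresholds rather than a replica of the daemon.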

Tips and Tricks

Unbanning

If you get banned, you can wait to get unbanned automatically or use iptables to unban yourself. First check if your IP is banned by sshguard:

# iptables -L sshguard --line-numbers --numeric

Then use the following command to unban, with the line-number as identified in the former command:

# iptables -D sshguard <line-number>

You will also need to remove the IP address from /var/db/sshguard/blacklist.db in order to make unbanning persistent.

# sed -i '/<ip-address>/d' /var/db/sshguard/blacklist.db
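Two details of the unbanning procedure are easy to get wrong by hand: reading the wrong rule number off the listing, and the `sed` pattern above, in which the unescaped dots match any character and the address is not anchored, so deleting 203.0.113.10 also deletes a line for 203.0.113.100. The following shell snippet is an added example, not code from the ArchWiki page or from the sshguard project. It pulls the rule numbers for an exact source address out of `iptables -L sshguard --line-numbers --numeric` output and rewrites a blacklist so that only lines whose address field is exactly the given one are dropped. Both inputs are constructed sample text; the page does not document the blacklist.db layout, so the blacklist example only assumes one address per line as the first `|`-separated field.

```shell
#!/bin/sh
# Constructed output of "iptables -L sshguard --line-numbers --numeric"
# (sample text, not captured from a real host).
SAMPLE_LISTING='Chain sshguard (1 references)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.10         0.0.0.0/0
2    DROP       all  --  203.0.113.100        0.0.0.0/0
3    DROP       all  --  198.51.100.7         0.0.0.0/0'

# Constructed blacklist contents. Assumed layout: the banned address is the
# first "|"-separated field of each line; the remaining fields are made up.
SAMPLE_BLACKLIST='203.0.113.10|4|100
203.0.113.100|4|100
198.51.100.7|4|100'

# sshguard_rule_numbers IP LISTING
# Prints the rule numbers whose source column is exactly IP, one per line,
# highest first, so that "iptables -D sshguard N" can be run for each without
# the remaining numbers shifting underneath you.
sshguard_rule_numbers() {
    printf '%s\n' "$2" | awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' | sort -rn
}

# blacklist_without_ip IP BLACKLIST
# Prints BLACKLIST with the lines whose address field equals IP removed.
# Unlike a "sed /IP/d" regex, a longer address sharing the prefix survives.
blacklist_without_ip() {
    printf '%s\n' "$2" | awk -F'|' -v ip="$1" '$1 != ip'
}
```

On a live host: `sshguard_rule_numbers 203.0.113.10 "$(iptables -L sshguard --line-numbers --numeric)"` gives the numbers to pass to `iptables -D sshguard`, and `blacklist_without_ip 203.0.113.10 "$(cat /var/db/sshguard/blacklist.db)"` prints the new file contents, which you write to a temporary file and move into place while sshguard is stopped, so the daemon does not overwrite the edit.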

Logging

To see what is being passed to sshguard, examine the script in /usr/lib/systemd/scripts/sshguard-journalctl and the systemd service sshguard.service. An equivalent command to view the logs in the terminal:

$ journalctl -afb -p info SYSLOG_FACILITY=4 SYSLOG_FACILITY=10