sshguard

Warning: Display title "sshguard" overrides earlier display title "Sshguard".

Resources

Home

GitWeb

Open Hub

Come funziona

sshguard è un semplice demone che setaccia in continuazione uno o più file di log. Esso analizza i log che i demoni inviano in caso di tentativi di accesso non riusciti e poi blocca ogni ulteriore tentativo da quelle connessioni aggiornando il firewall del sistema.

Installazione

Emerge

installa app-admin/sshguard:

Additional software

Depending on the init system and the desired firewall backend to be used by sshguard, additional software may be required to be emerged in order for sshguard to block malicious actors.

More information on various supported backends can be found by reading the setup manpage:

iptables

When iptables are being used as the system firewall.

Maggiori informazioni riguardo l'uso e la configurazione di IPtables possono essere trovati nel IPtables article.

nftables

When nftables are being used as the system firewall:

Configurazione

iptables backend

When sshguard blocks any malicious users (by blocking their IP addresses), it will use the sshguard chain.

Prepare the chain with iptables and make sure it is also triggered when new incoming connections are detected:

Then verify that the appropriate path to the iptables backend library is set in /etc/sshguard.conf:

# Full path to backend executable (required, no default)
BACKEND="/usr/libexec/sshg-fw-iptables"

Osservare i file log

The basic idea behind sshguard is that the administrator passes on the log file(s) to watch as options to the application - there is no native sshguard configuration file.

On Gentoo, the options can be best configured in the /etc/sshguard.conf file:

# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/messages /var/log/auth.log" 
#
# How many problematic attempts trigger a block
THRESHOLD=10
# Blocks last at least 24 hours (60480 seconds)
BLOCKTIME=60480
# Track IP addresses for 24 hours (60480 seconds)
DETECTION_TIME=60480
#
# IPv6 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=64
# IPv4 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=24
#
# Full path to PID file (optional, no default)
PID_FILE=/run/sshguard.pid

Make sure that the log files are accessible for the runtime user that sshguard uses.

Servizi

OpenRC

Have sshguard be started by default by adding it to the default runlevel, and then start it:

systemd

Use systemd's conventional way to enable it, and then start it:

Blacklisting hosts

With the blacklisting option after a number of abuses the IP address of the attacker or a IP subnet will be blocked permanently. The blacklist will be loaded at each startup and extended with new entries during operation. sshguard inserts a new address after it exceeded a threshold of abuses.

Blacklisted addresses are never scheduled to be released (allowed) again.

To enable blacklisting, create an appropriate directory and file:

While defining a blacklist it is important to exclude trusted IP networks and hosts in a whitelist.

To enable whitelisting, create an appropriate directory and file:

The whitelist has to include the loopback interface, and should have at least 1 IP trusted network f.e. 192.0.2.0/24.

127.0.0.0/8
::1/128
192.0.2.0/24

Add the BLACKLIST_FILE and WHITELIST_FILE file to the configuration. Example configuration listed blocks all hosts after the first login attempt. To setup a less agressive blocking policy, adjust the THRESHOLD and BLACKLIST_FILE integer, and set it to f.e. 10 instead of 2:

BACKEND="/usr/libexec/sshg-fw-iptables"
FILES="/var/log/auth.log"
#
THRESHOLD=2
BLOCK_TIME=43200
DETECTION_TIME=604800
#
IPV4_SUBNET=24
IPV6_SUBNET=64
#
PID_FILE=/run/sshguard.pid
#
# Add following lines
BLACKLIST_FILE=2:/var/lib/sshguard/blacklist.db
WHITELIST_FILE=/etc/sshguard/whitelist

Restart the sshguard daemon to have the changes take effect:

Risoluzione dei problemi

File '/var/log/auth.log' vanished while adding!

When starting up, sshguard reports the following error:

Sep 23 03:39:11 foo.bar.com sshguard[64933]: File '/var/log/auth.log' vanished while adding!

Such an error (the file path itself can be different) occurs when the target file is not available on the system. Make sure that it is created, or update the sshguard configuration to not add it for monitoring.

On a syslog-ng system with OpenRC, the following addition to syslog-ng.conf can suffice:

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
 
destination authlog {file("/var/log/auth.log"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
log { source(src);  filter(f_authpriv);  destination(authlog);  };

Reload the configuration for the changes to take effect:

Risorse esterne

La documentazione sshguard fornisce tutte le informazioni necessarie per ottimizzare ulteriormente l'applicazione.