sshguard

From Gentoo Wiki

sshguard is an intrusion prevention system that parses server logs, determines malicious activity, and uses the system firewall to block the IP addresses of malicious connections. sshguard is written in C so it does not tax an interpreter.

How it works

sshguard is a simple daemon that continuously tracks one or more log files. It parses the log events that daemons emit on failed login attempts and then blocks any further attempts from those sources by updating the system's firewall.

Unlike what the name implies, sshguard does not only parse SSH logs. It also supports many mail systems as well as a few FTP ones. A full listing of supported services can be found on the sshguard.net website.

Installation

Emerge

Install the app-admin/sshguard package:

root # emerge --ask app-admin/sshguard

Additional software

Depending on the init system and the desired firewall backend to be used by sshguard, additional software may be required to be emerged in order for sshguard to block malicious actors.

More information on various supported backends can be found by reading the setup manpage:

root # man 7 sshguard-setup

iptables

When iptables is being used as the system firewall:

root # emerge --ask net-firewall/iptables

For more information about using and configuring iptables, see the Iptables article.

nftables

When nftables is being used as the system firewall:

root # emerge --ask net-firewall/nftables

Configuration

iptables backend

Preparing the firewall

When sshguard blocks malicious hosts (by blocking their IP addresses), it adds the rules to the sshguard chain.

Create the chain with iptables and make sure it is also traversed for new incoming connections:

root # iptables -N sshguard
root # iptables -A INPUT -j sshguard

Then verify that the appropriate path to the iptables backend library is set in /etc/sshguard.conf:

FILE /etc/sshguard.conf: Set iptables library for BACKEND
# Full path to backend executable (required, no default)
BACKEND="/usr/libexec/sshg-fw-iptables"

Watching log files

The basic idea behind sshguard is that the administrator passes the log file(s) to watch as options to the application; there is no native sshguard configuration file.

On Gentoo, these options can be conveniently set in the /etc/sshguard.conf file:

FILE /etc/sshguard.conf: Configuring sshguard to read /var/log/messages and /var/log/auth.log
# Full path to backend executable (required, no default)
BACKEND="/usr/libexec/sshg-fw-iptables"

# Space-separated list of log files to monitor
FILES="/var/log/messages /var/log/auth.log"

Make sure that the log files are accessible for the runtime user that sshguard uses.

Services

OpenRC

Have sshguard be started by default by adding it to the default runlevel, and then start it:

root # rc-update add sshguard default
root # rc-service sshguard start

systemd

Use systemd's conventional way to enable it, and then start it:

root # systemctl enable sshguard
root # systemctl restart sshguard

Blacklisting hosts

With the blacklisting option, the IP address (or IP subnet) of an attacker is blocked permanently after a number of abuses. The blacklist is loaded at each startup and extended with new entries during operation: sshguard inserts a new address once it has exceeded the configured abuse threshold.

Blacklisted addresses are never scheduled to be released (allowed) again.

To enable blacklisting, create an appropriate directory and file:

root # mkdir -p /var/lib/sshguard
root # touch /var/lib/sshguard/blacklist.db

When defining a blacklist, it is important to exclude trusted IP networks and hosts by listing them in a whitelist.

To enable whitelisting, create an appropriate directory and file:

root # mkdir -p /etc/sshguard
root # touch /etc/sshguard/whitelist

The whitelist has to include the loopback addresses, and should contain at least one trusted IP network, e.g. 192.0.2.0/24.

FILE /etc/sshguard/whitelist: Whitelisting trusted networks
127.0.0.0/8
::1/128
192.0.2.0/24
Note
The 192.0.2.0/24 entry has to be adjusted to fit your own needs.

Add the BLACKLIST_FILE and WHITELIST_FILE settings to the configuration. The example configuration below blocks all hosts after the first failed login attempt. To set up a less aggressive blocking policy, raise the THRESHOLD value and the integer prefix of BLACKLIST_FILE, e.g. to 10 instead of 2:

FILE /etc/sshguard.conf: Configuring sshguard to blacklist abusers
BACKEND="/usr/libexec/sshg-fw-iptables"
FILES="/var/log/auth.log"
#
THRESHOLD=2
BLOCK_TIME=43200
DETECTION_TIME=604800
#
IPV4_SUBNET=24
IPV6_SUBNET=64
#
PID_FILE=/run/sshguard.pid
#
# Add following lines
BLACKLIST_FILE=2:/var/lib/sshguard/blacklist.db
WHITELIST_FILE=/etc/sshguard/whitelist
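To make the scoring model behind these settings concrete, here is an added Python model of sshguard's decision loop, written for this page rather than taken from sshguard itself. It assumes sshguard's default danger score of 10 per attack and a simplified DETECTION_TIME expiry, replays constructed sample auth.log lines against the settings above, and also accepts the less aggressive threshold values mentioned earlier.

```python
import ipaddress
import re
from datetime import datetime

# Values from the example /etc/sshguard.conf on this page.
THRESHOLD = 2            # block once the cumulative score exceeds this
DETECTION_TIME = 604800  # seconds before an attacker's score is forgotten
IPV4_SUBNET = 24         # attackers are tracked per /24 block
BLACKLIST_SCORE = 2      # the "2:" prefix of BLACKLIST_FILE
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.0.2.0/24")]
ATTACK_SCORE = 10        # assumed: sshguard's default danger score per attack

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "  # sshd failed-login line
                    r"Failed password for .* from (\S+) port \d+")

# Constructed sample log lines (not a real capture).
SAMPLE_LOG = [
    "Sep 23 03:39:11 foo.bar.com sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "Sep 23 03:39:15 foo.bar.com sshd[1201]: Failed password for root from 203.0.113.9 port 50130 ssh2",
    "Sep 23 03:40:02 foo.bar.com sshd[1210]: Failed password for root from 192.0.2.10 port 40000 ssh2",
    "Sep 23 03:40:30 foo.bar.com sshd[1215]: Accepted publickey for alice from 198.51.100.4 port 41000 ssh2",
]

def attacker_key(ip):
    """Collapse an address to the subnet sshguard would block (IPV4_SUBNET or /64)."""
    bits = IPV4_SUBNET if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST if net.version == addr.version)

def evaluate(lines, threshold=THRESHOLD, blacklist_score=BLACKLIST_SCORE):
    """Replay log lines; return (blocked subnets, blacklisted subnets)."""
    scores, first_seen, blocked, blacklisted = {}, {}, set(), set()
    for line in lines:
        m = FAILED.match(line)
        if not m or is_whitelisted(m.group(2)):
            continue  # not a failed login, or from a trusted network
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        key = attacker_key(m.group(2))
        if (ts - first_seen.setdefault(key, ts)).total_seconds() > DETECTION_TIME:
            scores[key], first_seen[key] = 0, ts   # simplified expiry: start a new window
        scores[key] = scores.get(key, 0) + ATTACK_SCORE
        if scores[key] > threshold:
            blocked.add(key)          # sshg-fw-iptables would add it to the sshguard chain
        if scores[key] > blacklist_score:
            blacklisted.add(key)      # would be appended to blacklist.db permanently
    return blocked, blacklisted
```

With the page's values both sets contain 203.0.113.0/24 after the first line; with threshold=10 and blacklist_score=30 the subnet is blocked on the second attempt but never blacklisted.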

Restart the sshguard daemon to have the changes take effect:

root # /etc/init.d/sshguard restart

Troubleshooting

File '/var/log/auth.log' vanished while adding!

When starting up, sshguard reports the following error:

CODE Error message when trying to add a monitor for /var/log/auth.log
Sep 23 03:39:11 foo.bar.com sshguard[64933]: File '/var/log/auth.log' vanished while adding!

Such an error (the file path itself can differ) occurs when the target file does not exist on the system. Make sure that it is created, or update the sshguard configuration so that it is not added for monitoring.

On a syslog-ng system with OpenRC, the following addition to syslog-ng.conf can suffice:

FILE /etc/syslog-ng/syslog-ng.conf: Creating the auth.log file
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
 
destination authlog {file("/var/log/auth.log"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
log { source(src);  filter(f_authpriv);  destination(authlog);  };

Reload the configuration for the changes to take effect:

root # rc-service syslog-ng reload

See also

  • Fail2ban — a system denying hosts causing multiple authentication errors access to a service.
  • Iptables — a program used to configure and manage the kernel's netfilter modules.

External resources

The sshguard documentation provides all the information needed to further tune the application.