sshguard

From Gentoo Wiki

sshguard is an intrusion prevention system that parses server logs, determines malicious activity, and uses the system firewall to block the IP addresses of malicious connections. sshguard is written in C so it does not tax an interpreter.

How it works

sshguard is a simple daemon that continuously tracks one or more log files. It parses the log events that daemons send out in case of failed login attempts and then blocks any further attempts from those connections by updating the system's firewall.

Despite its name, sshguard does not only parse SSH logs: it also supports many mail servers as well as a few FTP servers. A full list of supported services can be found on the sshguard.net website.

Installation

USE flags

USE flags for app-admin/sshguard (protects hosts from brute force attacks against ssh)

Emerge

Install app-admin/sshguard:

root #emerge --ask app-admin/sshguard

Also make sure that net-firewall/iptables is installed and used as the system firewall. At the time of writing, sshguard does not yet support net-firewall/nftables.

root #emerge --ask net-firewall/iptables

More information about using and configuring iptables can be found in the Iptables article.

Configuration

Preparing the firewall

When sshguard blocks malicious users (by blocking their IP addresses), it adds the blocking rules to the sshguard chain.

Create the chain and make sure that incoming traffic is passed through it:

root #iptables -N sshguard
root #iptables -A INPUT -j sshguard

Watching logfiles

The basic idea behind sshguard is that the administrator passes the log file(s) to watch as command line options to the application; there is no native sshguard configuration file.

On Gentoo, the options can be best configured in the /etc/conf.d/sshguard file:

FILE /etc/conf.d/sshguard: Configuring sshguard to read /var/log/messages
PARDONTIME="3600" # Blocks last at least 1 hour (3600 seconds)
WATCHTIME="360"   # Track IP addresses for 6 minutes (360 seconds)
THRESHOLD="10"    # How many problematic attempts trigger a block

LOGFILES="-l /var/log/messages"                      # Watch this file...
LOGFILES="${LOGFILES} -l /var/log/auth.log"          # And this one

SSHGUARD_OPTS="-p ${PARDONTIME} -s ${WATCHTIME} -a ${THRESHOLD} ${LOGFILES}"

Make sure that the log files are readable by the user that the sshguard daemon runs as.

Services

OpenRC

To have sshguard started at boot, add it to the default runlevel, and then start it now:

root #rc-update add sshguard default
root #rc-service sshguard start

Blacklisting hosts

With the blacklisting option enabled, the IP address of an attacker is blocked permanently after a number of abuses. The blacklist is loaded at each startup and extended with new entries during operation: sshguard inserts an address once it has exceeded the abuse threshold.

Blacklisted addresses are never scheduled to be released (allowed) again.

The -b command line option enables blacklisting and requires a file name used for permanent storage of the blacklist. An optional threshold can be given in the same option: the threshold comes first, followed by a colon and the file name (threshold:filename).

To enable blacklisting, create an appropriate directory and file:

root #mkdir -p /var/db/sshguard
root #touch /var/db/sshguard/blacklist.db

Add the blacklist file to the configuration and alter the SSHGUARD_OPTS variable:

FILE /etc/conf.d/sshguard: Configuring sshguard to blacklist abusers
PARDONTIME="3600" # Blocks last at least 1 hour (3600 seconds)
WATCHTIME="360"   # Track IP addresses for 6 minutes (360 seconds)
THRESHOLD="10"    # How many problematic attempts trigger a block

BLACKLIST="/var/db/sshguard/blacklist.db"            # Blacklisted addresses are in this file
LOGFILES="-l /var/log/messages"                      # Watch this file...
LOGFILES="${LOGFILES} -l /var/log/auth.log"          # And this one

SSHGUARD_OPTS="-b 50:${BLACKLIST} -p ${PARDONTIME} -s ${WATCHTIME} -a ${THRESHOLD} ${LOGFILES}"
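As an added example that is not part of this article or of sshguard's own C code, the following Python model replays constructed OpenSSH failure lines through a simplified version of the per-address tracking described under How it works, using the -p, -s, -a and -b values from the configuration above. The sliding-window scoring is an assumption that simplifies the real daemon's behaviour; the IP addresses, process ids and port numbers in the sample lines are constructed.

```python
import re
PARDONTIME = 3600      # -p: a block lasts this long before the address is released
WATCHTIME = 360        # -s: attempts older than this no longer count against an address
THRESHOLD = 10         # -a: attempts inside the watch window that trigger a block
BLACKLIST_AFTER = 50   # -b 50:file: blocks an address may collect before it is blacklisted for good
# OpenSSH failure line as syslog writes it to /var/log/auth.log (part after the timestamp and host)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

class Guard:
    def __init__(self):
        self.attempts, self.blocked, self.strikes = {}, {}, {}  # ip -> failure times / expiry / blocks
        self.blacklist, self.firewall = set(), []               # permanent addresses; iptables commands

    def release_expired(self, ts):
        # Lift blocks whose pardon time has passed; blacklisted addresses never get here
        for ip, until in list(self.blocked.items()):
            if until <= ts:
                del self.blocked[ip]
                self.firewall.append(f"iptables -D sshguard -s {ip} -j DROP")

    def observe(self, ts, line):
        # Feed one log line with its time in seconds; returns 'block', 'blacklist' or None
        self.release_expired(ts)
        ip = next(iter(FAILED_RE.findall(line)), None)   # attacker address, or None if not a failure line
        if not ip or ip in self.blacklist or ip in self.blocked:
            return None                                # not an attack, or already being dropped
        recent = self.attempts[ip] = [t for t in self.attempts.get(ip, []) if ts - t < WATCHTIME] + [ts]
        if len(recent) < THRESHOLD:
            return None
        self.attempts[ip] = []                         # threshold hit: block and count a strike
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        self.firewall.append(f"iptables -A sshguard -s {ip} -j DROP")
        if self.strikes[ip] >= BLACKLIST_AFTER:
            self.blacklist.add(ip)                     # the real daemon also appends it to blacklist.db
            return "blacklist"
        self.blocked[ip] = ts + PARDONTIME
        return "block"

def simulate():
    # Replay constructed failures (documentation-range IPs) through the model
    g, results = Guard(), []
    for i in range(10):   # 203.0.113.5: 10 failures in 30 s -> blocked on the 10th
        results.append(g.observe(1000 + 3 * i, f"sshd[201]: Failed password for invalid user admin from 203.0.113.5 port {40000 + i} ssh2"))
    for i in range(10):   # 198.51.100.7: 10 failures 100 s apart -> never 10 inside one 360 s window
        results.append(g.observe(1000 + 100 * i, f"sshd[202]: Failed password for bob from 198.51.100.7 port {41000 + i} ssh2"))
    for k in range(BLACKLIST_AFTER):   # 192.0.2.9: returns right after each pardon; blacklisted on block 50
        t = 100000 + k * (PARDONTIME + THRESHOLD)
        for i in range(THRESHOLD):
            results.append(g.observe(t + i, f"sshd[203]: Failed password for root from 192.0.2.9 port {42000 + i} ssh2"))
    return g, results
```

Lowering WATCHTIME lets the slow 198.51.100.7 pattern through forever, while raising the -b threshold only delays the permanent entry; the firewall list shows the -A and -D commands the daemon would issue against the sshguard chain.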

Restart the sshguard daemon to have the changes take effect:

root #/etc/init.d/sshguard restart

Troubleshooting

File '/var/log/auth.log' vanished while adding!

When starting up, sshguard reports the following error:

CODE: Error message when trying to add a monitor for /var/log/auth.log
Sep 23 03:39:11 foo.bar.com sshguard[64933]: File '/var/log/auth.log' vanished while adding!

Such an error (the file path itself can be different) occurs when the target file does not exist on the system. Either make sure that it is created, or update the sshguard configuration so that the file is no longer monitored.

On a syslog-ng system with OpenRC, the following addition to syslog-ng.conf can suffice:

FILE /etc/syslog-ng/syslog-ng.conf: Creating the auth.log file
log { source(src); destination(messages); };
log { source(src); destination(console_all); };

# Write auth and authpriv facility messages to /var/log/auth.log
destination authlog { file("/var/log/auth.log"); };
filter f_auth { facility(auth); };
# f_auth is not used by the log statement below; f_authpriv covers both facilities
filter f_authpriv { facility(auth, authpriv); };
log { source(src); filter(f_authpriv); destination(authlog); };

Reload the configuration for the changes to take effect:

root #rc-service syslog-ng reload

See also

  • Iptables - An article on installing and configuring the iptables firewall on Gentoo.

External resources

The sshguard documentation provides all the information needed to further tune the application.