Sshguard

From Gentoo Wiki

sshguard is an intrusion prevention system. It parses server logs, detects malicious activity and then bans the offending users through firewall rules. sshguard is written in C, so it needs no additional interpreter.

How it works

sshguard is a daemon that continuously follows one or more log files. It analyses the log activity that daemons produce on failed login attempts and, by updating the system firewall, blocks further connection attempts from those users.

Despite its name, sshguard can parse more than SSH logs. It also supports several mail systems and some FTP systems. A detailed list of supported services can be found on the sshguard.net website.

Installation

Emerge

Install app-admin/sshguard:

root #emerge --ask app-admin/sshguard

Additional software

Depending on the init system and on the firewall backend sshguard is to use, additional software may need to be emerged before sshguard can block malicious actors.

More information on various supported backends can be found by reading the setup manpage:

root #man 7 sshguard-setup

iptables

Then make sure that net-firewall/iptables is installed and used as the system firewall. As of this writing, sshguard does not yet support net-firewall/nftables.

root #emerge --ask net-firewall/iptables

More information on using and configuring iptables can be found in the Iptables article.

nftables

When nftables is being used as the system firewall:

root #emerge --ask net-firewall/nftables

Configuration

iptables backend

Preparing the firewall

sshguard blocks malicious users (by blocking their IP addresses) through the sshguard chain.

Prepare the iptables chain and make sure it is consulted for every new incoming connection:

root #iptables -N sshguard
root #iptables -A INPUT -j sshguard

Then verify that the appropriate path to the iptables backend library is set in /etc/sshguard.conf:

FILE /etc/sshguard.conf: Set iptables library for BACKEND
# Full path to backend executable (required, no default)
BACKEND="/usr/libexec/sshg-fw-iptables"

Monitoring log files

The basic idea behind sshguard is that the administrator passes the log files to be monitored to the program as arguments, rather than through a built-in sshguard configuration file.

On Gentoo, these arguments can be configured in the /etc/conf.d/sshguard file:

FILE /etc/conf.d/sshguard: Configuring sshguard to read /var/log/messages
PARDONTIME="3600" # Blocks last at least 1 hour (3600 seconds)
WATCHTIME="360"   # Track IP addresses for 6 minutes (360 seconds)
THRESHOLD="10"    # How many problematic attempts trigger a block

LOGFILES="-l /var/log/messages"                      # Watch this file...
LOGFILES="${LOGFILES} -l /var/log/auth.log"          # And this one

SSHGUARD_OPTS="-p ${PARDONTIME} -s ${WATCHTIME} -a ${THRESHOLD} ${LOGFILES}"

Make sure the log files are readable by the user that runs sshguard.

Services

OpenRC

Add sshguard to the default runlevel, then start it:

root #rc-update add sshguard default
root #rc-service sshguard start

systemd

Use systemd's conventional way to enable it, and then start it:

root #systemctl enable sshguard
root #systemctl restart sshguard

Blacklisting hosts

With the blacklisting option, after a number of abuses the IP address of the attacker, or an IP subnet, is blocked permanently. The blacklist is loaded at each startup and extended with new entries during operation. sshguard inserts a new address once it has exceeded a threshold of abuses.

Blacklisted addresses are never scheduled to be released (allowed) again.

To enable blacklisting, create an appropriate directory and file:

root #mkdir -p /var/lib/sshguard
root #touch /var/lib/sshguard/blacklist.db

While defining a blacklist, it is important to exclude trusted IP networks and hosts through a whitelist.

To enable whitelisting, create an appropriate directory and file:

root #mkdir -p /etc/sshguard
root #touch /etc/sshguard/whitelist

The whitelist has to include the loopback interface, and should contain at least one trusted IP network, e.g. 192.0.2.0/24.

FILE /etc/sshguard/whitelist: Whitelisting trusted networks
127.0.0.0/8
::1/128
192.0.2.0/24

Note
The 192.0.2.0/24 entry has to be adjusted to fit your own needs.

Add BLACKLIST_FILE and WHITELIST_FILE to the configuration. The example configuration listed below blocks all hosts after the first failed login attempt. To set up a less aggressive blocking policy, raise THRESHOLD and the integer prefix of BLACKLIST_FILE, e.g. to 10 instead of 2:

FILE /etc/sshguard.conf: Configuring sshguard to blacklist abusers
BACKEND="/usr/libexec/sshg-fw-iptables"
FILES="/var/log/auth.log"
#
THRESHOLD=2
BLOCK_TIME=43200
DETECTION_TIME=604800
#
IPV4_SUBNET=24
IPV6_SUBNET=64
#
PID_FILE=/run/sshguard.pid
#
# Add following lines
BLACKLIST_FILE=2:/var/lib/sshguard/blacklist.db
WHITELIST_FILE=/etc/sshguard/whitelist

Restart the sshguard daemon to have the changes take effect:

root #/etc/init.d/sshguard restart
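To see how the knobs in the two configurations above interact, here is an added Python model (not code from the page or from the sshguard project) that replays constructed auth.log lines through a simplified version of sshguard's policy: THRESHOLD, BLOCK_TIME, DETECTION_TIME, the integer prefix of BLACKLIST_FILE and the whitelist. The score of 10 per attack, the fixed block length and the lifetime-score blacklist rule are assumptions of this model.

```python
import re
import ipaddress
from datetime import datetime

# Constructed sshd lines (not from the page); 203.0.113.0/24 and 192.0.2.0/24 are documentation prefixes
SAMPLE_LOG = """\
Sep 23 03:39:11 foo.bar.com sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Sep 23 03:39:14 foo.bar.com sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Sep 23 03:39:20 foo.bar.com sshd[1203]: Failed password for root from 203.0.113.7 port 40140 ssh2
Sep 23 03:40:01 foo.bar.com sshd[1210]: Failed password for root from 192.0.2.10 port 5022 ssh2
Sep 23 03:40:05 foo.bar.com sshd[1211]: Failed password for root from 192.0.2.10 port 5023 ssh2
Sep 23 15:40:00 foo.bar.com sshd[1300]: Failed password for root from 203.0.113.7 port 40300 ssh2
Sep 23 15:40:03 foo.bar.com sshd[1301]: Failed password for root from 203.0.113.7 port 40301 ssh2
Sep 23 15:40:06 foo.bar.com sshd[1302]: Failed password for root from 203.0.113.7 port 40302 ssh2
"""
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")
ATTACK_SCORE = 10  # danger sshguard assigns to one detected attack (assumed default)

def _seconds(stamp):
    # syslog stamps carry no year; only relative time matters to the model
    return (datetime.strptime(stamp, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()

def simulate(log_text, threshold=30, block_time=43200, detection_time=604800,
             blacklist_threshold=40, whitelist=("127.0.0.0/8", "::1/128", "192.0.2.0/24")):
    """Replay the log; return {address: "blocked" | "blacklisted"}. Simplified vs. real
    sshguard: fixed block length, blacklist when an address's lifetime score hits the threshold."""
    trusted = [ipaddress.ip_network(n) for n in whitelist]
    recent, lifetime, blocked_until, state = {}, {}, {}, {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # not an attack signature sshguard acts on
        now, addr = _seconds(m.group(1)), ipaddress.ip_address(m.group(2))
        if any(addr in net for net in trusted) or state.get(str(addr)) == "blacklisted":
            continue  # whitelisted hosts are never blocked; blacklisted ones already are
        if blocked_until.get(addr, 0) > now:
            continue  # still firewalled, so sshguard would not see this attempt
        # keep only attacks inside the detection window, then add this one
        recent[addr] = hits = [t for t in recent.get(addr, []) if now - t <= detection_time] + [now]
        lifetime[addr] = lifetime.get(addr, 0) + ATTACK_SCORE
        if len(hits) * ATTACK_SCORE >= threshold:
            recent[addr] = []
            if lifetime[addr] >= blacklist_threshold:
                state[str(addr)] = "blacklisted"  # never released
            else:
                blocked_until[addr] = now + block_time
                state[str(addr)] = "blocked"  # released once block_time has elapsed
    return state
```

With the page's values (THRESHOLD=2 and BLACKLIST_FILE=2:...) the first failed attempt from a non-whitelisted host both blocks and blacklists it; a short DETECTION_TIME lets slow attempts slip under the threshold entirely.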

Troubleshooting

File '/var/log/auth.log' vanished while adding!

When starting up, sshguard reports the following error:

CODE Error message when trying to add a monitor for /var/log/auth.log
Sep 23 03:39:11 foo.bar.com sshguard[64933]: File '/var/log/auth.log' vanished while adding!

Such an error (the file path itself can be different) occurs when the target file is not available on the system. Make sure that it is created, or update the sshguard configuration to not add it for monitoring.

On a syslog-ng system with OpenRC, the following addition to syslog-ng.conf can suffice:

FILE /etc/syslog-ng/syslog-ng.conf: Creating the auth.log file
log { source(src); destination(messages); };
log { source(src); destination(console_all); };
 
destination authlog {file("/var/log/auth.log"); };
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
log { source(src);  filter(f_authpriv);  destination(authlog);  };

Reload the configuration for the changes to take effect:

root #rc-service syslog-ng reload

References

External resources

The sshguard documentation provides all the information needed for further tuning.