- blog.up-link.ro - https://blog.up-link.ro -

SSH Security: How To Block SSH Brute Force Attacks with SSHGuard

SSHGuard monitors logging activity and reacts to attacks by blocking their source IP addresses. sshguard has born for protecting SSH servers from the today's widespread brute force attacks, and evolved to an extensible log supervisor for blocking attacks to applications in real-time.

SSHGuard is given log messages in its standard input. By means of a parser, it decides whether an entry is normal activity or attack. After a number of attacks, the IP address is blocked with the firewall.

These are the available blocking backends:

1. SSHGuard installation

To install SSHGuard under FreeBSD, OpenBSD, enter:

Packet Filter support:

make install clean -C /usr/ports/security/sshguard-pf

IP FILTER support:

make install clean -C /usr/ports/security/sshguard-ipfilter

IPFW support:

make install clean -C /usr/ports/security/sshguard-ipfw

To install SSHGuard under Debian, Ubuntu (netfilter/iptables), enter:

sudo apt-get install sshgurad

To install SSHGuard under CentOS, Fedora, RHEL (netfilter/iptables), enter:

yum install sshgurad

2. SSHguard backend configuration

How To Set Up SSHGuard with OpenBSD's Packet Filter (PF)

The Packet Filter (PF) configuration needs a rule that blocks TCP traffic to the SSH port from addresses that proven source of attacks.

Edit the PF configuration file, usually /etc/pf.conf:

vi /etc/pf.conf

Add the line in the table section

table <sshguard> persist

and the following line in the packet filtering rules:

block in quick on $ext_if proto tcp from any to any port 22 label "ssh bruteforce"

Replace $ext_if with your WAN interface name if needed.

To reload the pf configuration, enter:

pfctl -f /etc/pf.conf

To display the set of addresses blocked in the SSHguard table at any time, enter:

pfctl -T show -t sshguard

How To Set Up SSHGuard with IP Filter

IPFilter is configured by a rules file, usually /etc/ipf.rules.

It is your role to rule locate a suitable position in which SSHGuard can include rules in this file. If you have a pass-all rule for sshguard, it must stay after this block. Then, insert this block where you want SSHGuard rules to be wrapped:

##sshguard-begin##
##sshguard-end##

SSHGuard will insert and withdraw rules within this block for blocking and releasing attacker addresses, then run ipf for reloading the chain.

You can get the set of addresses blocked by SSHGuard at any time by reading the ipf configuration file itself: they are listed inside the sshguard block delimiters.

How To Set Up SSHGuard with IPFW

SSHGuard adds blocking rules with IDs from 55000 to 55050 by default. If a pass rule appears before these, it is applied because IPFW runs a first-match-win policy.

If you have an allow policy higher than 55050 in your IPFW chain, move it to a lower priority.

To display the set of addresses blocked bySSHGuard at any time:

ipfw list | awk '{ if($1 >= 55000 && $1 <= 55050) print $5 }'

How To Set Up SSHGuard with netfilter/iptables

You have to create a new chain in which SSHGuard will append blocking rules:

# IPv4 support:
iptables -N sshguard
# IPv6 support:
ip6tables -N sshguard

Update the INPUT chain to also pass the traffic to the SSHGuard chain at the very end of its processing:

# block abusers for SSH , IPv4 and IPv6
iptables -A INPUT -p tcp --dport 22 -j sshguard
ip6tables -A INPUT -p tcp --dport 22 -j sshguard

Verify that you have NOT a default allow rule passing all ssh traffic higher in the chain. Verify that you have NOT a default deny rule blocking all ssh traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.

NOTE: When rebooting, most systems reset the firewall configuration by default. To preserve your configuration, you usually use the iptables-save and iptables-restore utilities. However, each Linux distribution has its own "right way".

How To Set Up SSHGuard with TCP wrappers

TCP Wrappers decide when to accept or reject connections based on a user-provided file, typically /etc/hosts.allow. Through its "hosts" firewall back-end,SSHGuard can manipulate this file by dynamically adding and removing rules for addresses that are found abusing any service monitored.

This backend requires no configuration, just make sure to create the /etc/hosts.allow file if it does not exist.

When SSHGuard starts with the hosts back-end, it creates a special block in the hosts.allow file, enclosed in a ##sshguard## pair. When an address is blocked, SSHGuard puts inside this block a DENY rule, so that all libwrap-enabled programs will reject connections from that address.

While running, SSHGuard's block in /etc/hosts.allow will contain rules saying "Deny connections from this list of hosts, to ALL services"; these will look some like this:

##sshguard##
ALL : 10.1.2.3 11.5.4.3 : DENY
##sshguard##