
Protects Networked Hosts from Brute Force Attacks - Sshguard

Sshguard is a small program that monitors the services running on your machine by reading their log files. When it detects that someone is doing something bad to a service, sshguard blocks the IP address of the bad guy with a firewall rule.

Sshguard Log support:
Sshguard interprets log messages with several formats:
 * syslog
 * syslog-ng
 * metalog
 * multilog
 * raw log
It can monitor multiple log files at once, and handles log rotation and temporary log files automatically. Its powerful grammar-based parser makes it straightforward to support several formats and services without increasing complexity.
Sshguard service support:
Sshguard protects many services out of the box:
 * sshd
 * Sendmail
 * Exim
 * dovecot
 * Cucipop
 * UWimap (imap, pop)
 * vsftpd
 * proftpd
 * pure-ftpd
 * FreeBSD ftpd

Sshguard firewall support:
Sshguard operates all the major firewalling systems around:
 * PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
 * netfilter/iptables (Linux)
 * IPFIREWALL/ipfw (FreeBSD, Mac OS X)
 * IPFILTER (FreeBSD, NetBSD, Solaris)
 * IBM AIX's firewall
 * tcpd's hosts.allow (boxes without a network-layer firewall)
Sshguard tailors each blocking backend to make full use of that firewall's capabilities.

Sshguard Installation:
Open the terminal and type the following command to install Sshguard:
sudo apt-get install sshguard
Sshguard Setup and configuration:
sshguard does not have a configuration file. The only configuration needed is to create a chain named "sshguard" that is reached from the INPUT chain of iptables; sshguard automatically inserts rules into that chain to drop packets coming from bad hosts:
# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard
Update the INPUT chain to also pass the traffic to the sshguard chain at the very end of its processing:
# block abusers for SSH, IPv4 and IPv6
iptables -A INPUT -p tcp --dport 22 -j sshguard
ip6tables -A INPUT -p tcp --dport 22 -j sshguard
Verify that you do NOT have a default allow rule passing all SSH traffic higher in the chain (it would match first and sshguard's drop rules would never be reached). Verify that you do NOT have a default deny rule blocking all SSH traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.

If you were to reboot your machine right now, this iptables configuration would disappear. Rather than typing it in after each reboot, you can save the configuration and have it restored automatically at start-up using iptables-save and iptables-restore.
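An added example (not from the original post) for the verification step above: a POSIX shell function that reads a ruleset in `iptables -S INPUT` format and reports whether the tcp/22 jump to the sshguard chain is present and whether an earlier ACCEPT/DROP/REJECT rule for tcp/22 would shadow it. The sample rulesets are constructed, and the function name and exit codes are my own choice.

```shell
#!/bin/sh
# Audit an iptables INPUT chain (text from `iptables -S INPUT`) for the two
# conditions the sshguard setup depends on: a jump to the sshguard chain exists
# for tcp/22, and no ACCEPT/DROP/REJECT rule for tcp/22 sits above it (such a
# rule matches first, so the sshguard chain never sees the packet).
# Exit codes: 0 = ok, 1 = no sshguard jump, 2 = a tcp/22 verdict precedes the jump.
check_input_chain() {
    printf '%s\n' "$1" | awk '
        # a terminating verdict for SSH before the jump shadows sshguard
        /-p tcp/ && /--dport 22( |$)/ && /-j (ACCEPT|DROP|REJECT)/ && !jumped { shadow = 1 }
        /-p tcp/ && /--dport 22( |$)/ && /-j sshguard/ { jumped = 1 }
        END {
            if (!jumped) { print "missing: iptables -A INPUT -p tcp --dport 22 -j sshguard"; exit 1 }
            if (shadow)  { print "a tcp/22 ACCEPT/DROP/REJECT rule precedes the sshguard jump"; exit 2 }
            print "ok: sshguard jump present and not shadowed"; exit 0
        }'
}

# Constructed sample rulesets in `iptables -S INPUT` format (not captured from a real host).
RULES_OK='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
RULES_MISSING='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
RULES_SHADOWED='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard'

# Usage: sh check_sshguard_chain.sh live   (needs root; reads the running ruleset)
#        sh check_sshguard_chain.sh demo   (runs against the constructed samples)
case "${1-}" in
    live) check_input_chain "$(iptables -S INPUT)" ;;
    demo) for r in "$RULES_OK" "$RULES_MISSING" "$RULES_SHADOWED"; do
              check_input_chain "$r" || true
          done ;;
esac
```

Run the same check against `ip6tables -S INPUT` for the IPv6 chain.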

