I’ve already talked about fail2ban and logcheck, two tools that scan your logs and take actions based on rules you can supply or modify: usually they change your iptables rules to stop active attacks against your server, or simply send you a warning if something is found in the logs.
Today we’ll look at a similar tool, sshguard. It differs from the other two in that it is written in C, so it uses less memory and CPU while running, while still achieving the same results.
So what does sshguard do?
The short version is: it receives log messages, detects from them when a networked service has been abused, and blocks the address of whoever abused it; after some time, it releases the block.
The full version is: sshguard runs on a machine as a small daemon and receives log messages (in a number of ways, e.g. from syslog). When it determines that address X did something bad to service Y, it inserts a rule in the machine’s firewall (one of the many supported) to block X.
Sshguard keeps X blocked for some time, then releases it automatically.
Please note that despite its name, sshguard detects attacks against many services out of the box: not only SSH but also several FTP daemons, Exim and Dovecot. It can operate all the major firewalling systems, and supports IPv6, whitelisting, suspension, and log message authentication.
Sshguard is distributed under the permissive BSD license: you can use, modify and redistribute the software, at your own risk, for any use, including commercial, provided that you retain the original copyright notice you find in it. The software is available in the main repositories of the most used GNU/Linux distributions and of some *BSD systems, but you can also download the sources from their download page.
To install it on Debian (or other .deb distributions like Ubuntu) just run from a terminal:
sudo aptitude install sshguard
Setup and configuration
Sshguard interfaces to the system in two points:
- the logging system (how sshguard receives log messages to monitor)
- the firewall (how sshguard blocks naughty addresses)
Since version 1.5, sshguard comes with the Log Sucker. With the Log Sucker, SSHGuard fetches log entries proactively, and handles transparently events like rotated log files and files disappearing and reappearing.
The official documentation page has instructions for many different firewalls; I’ll follow the instructions for netfilter/iptables.
sshguard does not have a configuration file. The only configuration needed is creating a chain named “sshguard”, referenced from the INPUT chain of iptables, where sshguard automatically inserts rules to drop packets coming from bad hosts:
# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard
Now update the INPUT chain so it passes traffic to sshguard, listing with --destination-ports all the ports of the services you want sshguard to protect. If you want to prevent attackers from sending any traffic at all to the host, remove that option completely:
# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
-- or --
# block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# /etc/rc.d/iptables save
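As an added example (not part of the original post or of the sshguard project), here is a small POSIX sh script that generates the hook rules from the steps above for a given port list, and audits an iptables-save dump to confirm that the sshguard chain exists and that INPUT actually jumps to it. The two dumps are constructed samples, not captured from a real host.

```sh
# Added example, not from the sshguard project: emit the iptables hook rules
# the setup steps describe, and check an iptables-save dump for them.

# Print the commands that create the "sshguard" chain and hook it into INPUT,
# for IPv4 and IPv6. $1: comma-separated TCP ports to protect; empty = all traffic.
sshguard_hook_cmds() {
    for tool in iptables ip6tables; do
        echo "$tool -N sshguard"
        if [ -n "$1" ]; then
            echo "$tool -A INPUT -m multiport -p tcp --destination-ports $1 -j sshguard"
        else
            echo "$tool -A INPUT -j sshguard"
        fi
    done
}

# Read an iptables-save dump on stdin and verify the two things sshguard
# relies on: the chain exists, and INPUT jumps to it. Prints "ok",
# "no-chain" or "no-jump"; returns 1 when something is missing.
check_sshguard_hook() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q '^:sshguard '; then
        echo no-chain; return 1
    fi
    if ! printf '%s\n' "$dump" | grep -q '^-A INPUT .*-j sshguard'; then
        echo no-jump; return 1
    fi
    echo ok
}

# Constructed sample dumps (no real ruleset was captured). The second has the
# chain but no jump from INPUT, so any block sshguard inserts is never reached.
GOOD_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m multiport --dports 21,22,110,143 -j sshguard
COMMIT'

ORPHAN_DUMP='*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
COMMIT'

# Stand-alone run: commands for the post's port list, then an audit of both dumps.
sshguard_hook_cmds 21,22,110,143
printf '%s\n' "$GOOD_DUMP" | check_sshguard_hook
printf '%s\n' "$ORPHAN_DUMP" | check_sshguard_hook || true
```

On a live host, feed the real ruleset with `iptables-save | check_sshguard_hook` to confirm the hook is in place before trusting sshguard's blocks.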
And that’s all you need to do to have a basic installation of sshguard up and running; it will help make your SSH, FTP and other daemons a bit more secure.