Tuesday, December 6, 2011

SSHGuard - Block SSH Brute Force Attacks

SSHGuard monitors logging activity and reacts to attacks by blocking their source IP addresses. SSHGuard was born to protect SSH servers from today's widespread brute-force attacks, and has evolved into an extensible log supervisor that blocks attacks against applications in real time.
SSHGuard reads log messages from its standard input. By means of a parser, it decides whether each entry is normal activity or an attack. After a number of attacks from the same address, that IP address is blocked with the firewall.
These are the available blocking backends:
  • SSHGuard with PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
  • SSHGuard with IP FILTER (FreeBSD, NetBSD, Solaris)
  • SSHGuard with IPFW (FreeBSD, Mac OS X)
  • SSHGuard with netfilter/iptables (Linux)
  • SSHGuard with TCP wrappers / hosts.allow (almost any UNIX system)
1. SSHGuard installation
To install SSHGuard under FreeBSD, OpenBSD, enter:

Packet Filter support:
make install clean -C /usr/ports/security/sshguard-pf
IP FILTER support:
make install clean -C /usr/ports/security/sshguard-ipfilter
IPFW support:
make install clean -C /usr/ports/security/sshguard-ipfw
To install SSHGuard under Debian, Ubuntu (netfilter/iptables), enter:
sudo apt-get install sshguard
To install SSHGuard under CentOS, Fedora, RHEL (netfilter/iptables), enter:
yum install sshguard
2. SSHguard backend configuration
How To Set Up SSHGuard with OpenBSD's Packet Filter (PF)
The Packet Filter (PF) configuration needs a rule that blocks TCP traffic to the SSH port from addresses that are proven sources of attacks.
Edit the PF configuration file, usually /etc/pf.conf:
vi /etc/pf.conf
Add this line in the table section:
table <sshguard> persist
and the following line in the packet filtering rules:
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
Replace $ext_if with your WAN interface name if needed.
To reload the PF configuration, enter:
pfctl -f /etc/pf.conf
To display the set of addresses blocked in the SSHGuard table at any time, enter:
pfctl -T show -t sshguard
How To Set Up SSHGuard with IP Filter
IPFilter is configured by a rules file, usually /etc/ipf.rules.
It is your job to locate a suitable position in this file where SSHGuard can insert its rules. If you have a pass-all rule for SSH, it must stay after this block. Insert this block where you want the SSHGuard rules to be wrapped:
##sshguard-begin##
##sshguard-end##
SSHGuard will insert and withdraw rules within this block for blocking and releasing attacker addresses, then run ipf for reloading the chain.
You can get the set of addresses blocked by SSHGuard at any time by reading the ipf configuration file itself: they are listed inside the sshguard block delimiters.
How To Set Up SSHGuard with IPFW
SSHGuard adds blocking rules with IDs from 55000 to 55050 by default. If a pass rule appears before these, it is applied because IPFW runs a first-match-win policy.
If you have an allow policy higher than 55050 in your IPFW chain, move it to a lower priority.
To display the set of addresses blocked by SSHGuard at any time:
ipfw list | awk '{ if($1 >= 55000 && $1 <= 55050) print $5 }'
How To Set Up SSHGuard with netfilter/iptables
You have to create a new chain in which SSHGuard will append blocking rules:
# IPv4 support:
iptables -N sshguard
# IPv6 support:
ip6tables -N sshguard
Update the INPUT chain to also pass the traffic to the SSHGuard chain at the very end of its processing:
# block abusers for SSH , IPv4 and IPv6
iptables -A INPUT -p tcp --dport 22 -j sshguard
ip6tables -A INPUT -p tcp --dport 22 -j sshguard
Verify that you do NOT have a default allow rule passing all SSH traffic higher in the chain, and that you do NOT have a default deny rule blocking all SSH traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.
NOTE: When rebooting, most systems reset the firewall configuration by default. To preserve your configuration, you usually use the iptables-save and iptables-restore utilities. However, each Linux distribution has its own "right way".
How To Set Up SSHGuard with TCP wrappers
TCP Wrappers decide whether to accept or reject connections based on a user-provided file, typically /etc/hosts.allow. Through its "hosts" firewall back-end, SSHGuard can manipulate this file by dynamically adding and removing rules for addresses that are found abusing any monitored service.
This backend requires no configuration, just make sure to create the /etc/hosts.allow file if it does not exist.
When SSHGuard starts with the hosts back-end, it creates a special block in the hosts.allow file, enclosed in a ##sshguard## pair. When an address is blocked, SSHGuard puts inside this block a DENY rule, so that all libwrap-enabled programs will reject connections from that address.
While running, SSHGuard's block in /etc/hosts.allow will contain rules saying "Deny connections from this list of hosts, to ALL services"; these will look something like this:
##sshguard##
ALL : 10.1.2.3 11.5.4.3 : DENY
##sshguard##
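The post shows how to list blocked addresses for the PF and IPFW back-ends but not for the hosts back-end, where the only record is the block between the two ##sshguard## markers. The script below is an added example, not code from the original post or from SSHGuard itself: it extracts the denied addresses from a hosts.allow file, handling the fact that the opening and closing markers are the same token (the awk toggles on each marker line rather than looking for distinct begin/end strings). The sample file it builds is constructed, using the rule shape shown above.

```shell
#!/bin/sh
# Added example (not from the post or the SSHGuard project).
# sshguard_hosts_blocked FILE  ->  one denied address per line
sshguard_hosts_blocked() {
    awk '
        # identical begin/end markers: flip state on every marker line
        /^##sshguard##$/ { inside = !inside; next }
        # inside the block, SSHGuard rules look like: ALL : addr addr ... : DENY
        inside && $NF == "DENY" {
            colons = 0
            for (i = 1; i <= NF; i++) {
                if ($i == ":") { colons++; continue }
                # the address list sits between the first and second colon
                if (colons == 1) print $i
            }
        }
    ' "$1"
}

# Constructed sample hosts.allow for a stand-alone run; the ALLOW lines
# outside the markers are ordinary administrator rules and must be ignored.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
sshd : 192.0.2.0/24 : ALLOW
##sshguard##
ALL : 10.1.2.3 11.5.4.3 : DENY
##sshguard##
ALL : ALL : ALLOW
EOF
sshguard_hosts_blocked "$SAMPLE"
rm -f "$SAMPLE"
```

On a live system run `sshguard_hosts_blocked /etc/hosts.allow`; an empty result with SSHGuard running simply means nothing is currently blocked, while a missing marker pair means the hosts back-end never initialised the file.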