blacklistd | fail2ban | sshguard
some kind of Host-based Intrusion Prevention System
make sure backports are enabled
grep backports /etc/apt/sources.list
apt update
apt install sshguard nftables

sbopkg -s sshguard
sbopkg -i sshguard
ls -lF /etc/rc.d/rc.sshguard
chmod +x /etc/rc.d/rc.sshguard
ls -lF /usr/libexec/sshg-fw-nft-sets
ls -lF /var/lib/sshguard/enemies # not yet?
ls -lF /etc/friends # not yet?
cp -i /usr/doc/sshguard-2.4.2/examples/sshguard.conf.sample /etc/sshguard.conf
see sshguard-source
# debian / ubuntu
cd /etc/sshguard/

# slackware & source
cd /etc/

mv -i sshguard.conf sshguard.conf.dist
grep -vE '^#|^$' sshguard.conf.dist > sshguard.conf.clean
grep -vE '^#|^$' sshguard.conf.dist > sshguard.conf
vi sshguard.conf

# debian12
BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"

# package
BACKEND="/usr/libexec/sshg-fw-nft-sets"

# source
BACKEND="/usr/local/libexec/sshg-fw-nft-sets"
securing SSHD, Postfix/SASL and Dovecot/IMAP
# debian / ubuntu
ls -lF /var/log/auth.log /var/log/daemon.log /var/log/mail.log /var/log/messages /var/log/syslog
FILES="/var/log/auth.log /var/log/daemon.log /var/log/mail.log /var/log/messages /var/log/syslog"

# slackware & source
ls -lF /var/log/messages /var/log/syslog /var/log/maillog /var/log/secure
FILES="/var/log/messages /var/log/syslog /var/log/maillog /var/log/secure"

#LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
# https://en.wikipedia.org/wiki/Syslog
# SYSLOG_FACILITY=2
optionally whitelist yourself and other sysadmin workstations
to avoid false positives from the start
# package
ls -lF /usr/share/doc/sshguard/examples/whitelistfile.example

vi /etc/friends

127.0.0.0/8
::1/128
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

however, you might prefer to treat internal networks as non-trusted, so that attackers from within get spotted too.
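added here as an example (not sshguard's code, nor part of these notes): a pre-flight check of sshguard.conf covering the BACKEND path (which differs between debian, the slackware package and a source build), the FILES / LOGREADER log source, the THRESHOLD / BLOCK_TIME / DETECTION_TIME knobs and the whitelist file, so a wrong path gets caught before restarting the daemon rather than in /var/log/sshguard.log afterwards. the function names are made up for this snippet.

```shell
#!/bin/sh
# Added example, not sshguard's own code: sanity-check an sshguard.conf
# before restarting the daemon. sshguard reads the file as a shell
# fragment, so it is sourced here the same way.
# Usage: sshguard_preflight /etc/sshguard.conf

# Report a problem and count it.
fail() { echo "ERROR: $*" >&2; errors=$((errors + 1)); }

# 0 when $1 is a positive integer (THRESHOLD points, BLOCK_TIME/DETECTION_TIME seconds).
is_posint() { case "$1" in ''|*[!0-9]*|0) return 1 ;; *) return 0 ;; esac; }

sshguard_preflight() {
    conf=$1
    errors=0
    [ -r "$conf" ] || { fail "cannot read $conf"; return 1; }
    # Clear the keys first so a stale value from the environment cannot leak in.
    BACKEND= FILES= LOGREADER= WHITELIST_FILE= THRESHOLD= BLOCK_TIME= DETECTION_TIME=
    . "$conf"
    # BACKEND: the path differs between debian, slackware package and source build.
    [ -n "$BACKEND" ] || fail "BACKEND is not set"
    [ -z "$BACKEND" ] || [ -x "$BACKEND" ] || fail "BACKEND $BACKEND is not executable"
    # Log source: either a FILES list or a LOGREADER command.
    [ -n "$FILES" ] || [ -n "$LOGREADER" ] || fail "neither FILES nor LOGREADER is set"
    for f in $FILES; do
        [ -r "$f" ] || fail "log file $f is not readable"
    done
    # Tuning knobs, when overridden, must be positive integers.
    for v in THRESHOLD BLOCK_TIME DETECTION_TIME; do
        eval "val=\$$v"
        [ -z "$val" ] || is_posint "$val" || fail "$v=$val is not a positive integer"
    done
    # Whitelist: file must be readable; flag entries that look neither like an
    # address, a CIDR range nor a hostname (only a warning, not an error).
    if [ -n "$WHITELIST_FILE" ]; then
        if [ -r "$WHITELIST_FILE" ]; then
            grep -vE '^#|^$' "$WHITELIST_FILE" | while read -r entry; do
                case "$entry" in
                    *[!0-9a-zA-Z:./-]*) echo "WARN: odd whitelist entry: $entry" >&2 ;;
                esac
            done
        else
            fail "WHITELIST_FILE $WHITELIST_FILE is not readable"
        fi
    fi
    [ "$errors" -eq 0 ]
}

# Run the check when called with a config path; only define the functions otherwise.
if [ $# -gt 0 ]; then sshguard_preflight "$1"; fi
```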
enable at boot time
systemctl status nftables # no need to enable
systemctl status sshguard # enabled already

#systemctl restart nftables
systemctl restart sshguard

no need for nohup here

vi /etc/rc.d/rc.inet1

# rc.inet2 disabled
/etc/rc.d/rc.sshd start

echo starting sshguard
rm -f /var/run/sshguard.pid

# package
/usr/sbin/sshguard >> /var/log/sshguard.log 2>&1 &

# source
/usr/local/sbin/sshguard >> /var/log/sshguard.log 2>&1 &
tail -F /var/log/messages /var/log/syslog /var/log/auth.log
status
pgrep -a sshguard
ps auxfww | grep sshguard | grep -vE 'grep|tail'
check the black list
cd /var/log/
grep Attack *log
cat /var/lib/sshguard/enemies
nft list ruleset
stop
pkill sshguard
also see https://github.com/pbraun9/slackbuilds/blob/master/sshguard/rc.sshguard
check that not only SSH gets handled, but also e.g. Postfix SASL
cd /var/log/

# debian / ubuntu
grep Attack auth.log | grep -v SSH
start with a fresh list of filtered hosts
rm -f /var/lib/sshguard/enemies
rc.sshguard restart
nft list ruleset

vi RESTART-SSHGUARD

#!/bin/bash
echo killing sshguard
pkill sshguard
sleep 1
if [[ -z $(pgrep sshguard) ]]; then
    echo starting sshguard
    rm -f /var/run/sshguard.pid
    /usr/local/sbin/sshguard >> /var/log/sshguard.log 2>&1 &
    sleep 1
    pgrep -a sshguard
else
    echo ERROR: sshguard is still running
    pgrep -a sshguard
fi

chmod +x RESTART-SSHGUARD

that was too fast (blocked hosts got released again after less than three minutes)

==> /var/log/auth.log <==
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.162: unblocking after 177 secs
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.183: unblocking after 167 secs
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.157: unblocking after 163 secs
==> tune THRESHOLD BLOCK_TIME DETECTION_TIME
https://wiki.archlinux.org/title/Sshguard
https://wiki.gentoo.org/wiki/Sshguard
How do I start sshguard at boot? https://www.sshguard.net/faq.html#sshguard-start-at-boot
How to Install and Use SSHGuard on Ubuntu 20.04 https://vitux.com/how-to-install-and-use-sshguard-on-ubuntu-20-04/ –> ufw -j ?
https://en.wikipedia.org/wiki/Private_network
https://web.archive.org/web/20160908055836/http://www.sshguard.net/docs/terminology/#attack
https://web.archive.org/web/20170222154636/http://www.sshguard.net/support/attacks/submit/