Setting up SSHGuard against NFTABLES

blacklistd | fail2ban | sshguard

Install

debian / ubuntu

make sure backports are enabled

grep backports /etc/apt/sources.list
apt update
apt install sshguard nftables

slackware

sbopkg -s sshguard
sbopkg -i sshguard

ls -lF /etc/rc.d/rc.sshguard
chmod +x /etc/rc.d/rc.sshguard

ls -lF /usr/libexec/sshg-fw-nft-sets
ls -lF /var/lib/sshguard/enemies # not yet?
ls -lF /etc/friends # not yet?

cp -i /usr/doc/sshguard-2.4.2/examples/sshguard.conf.sample /etc/sshguard.conf

source

see sshguard-source

Setup

# debian / ubuntu
cd /etc/sshguard/

# slackware & source
cd /etc/

mv -i sshguard.conf sshguard.conf.dist
grep -vE '^#|^$' sshguard.conf.dist > sshguard.conf.clean
grep -vE '^#|^$' sshguard.conf.dist > sshguard.conf
vi sshguard.conf

# package
BACKEND="/usr/libexec/sshg-fw-nft-sets"

# source
BACKEND="/usr/local/libexec/sshg-fw-nft-sets"

logs-based

securing SSHD, Postfix/SASL and Dovecot/IMAP

# debian / ubuntu
ls -lF /var/log/auth.log /var/log/daemon.log /var/log/mail.log /var/log/messages /var/log/syslog

FILES="/var/log/auth.log /var/log/daemon.log /var/log/mail.log /var/log/messages /var/log/syslog"

# slackware & source
ls -lF /var/log/messages /var/log/syslog /var/log/maillog /var/log/secure

FILES="/var/log/messages /var/log/syslog /var/log/maillog /var/log/secure"

systemd-based

LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"

whitelist tuning

optionally whitelist yourself and other sysadmin workstations

avoid false-positives from the start

# package
ls -lF /usr/share/doc/sshguard/examples/whitelistfile.example

vi /etc/friends

127.0.0.0/8
::1/128

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

however, you might prefer to treat internal networks as non-trusted and spot attackers from within.

Ready to go

enable at boot time

systemd

systemctl status nftables # no need to enable
systemctl status sshguard # enabled already

#systemctl restart nftables
systemctl restart sshguard

slackware & source

no need for nohup here

vi /etc/rc.d/rc.inet1

    # rc.inet2 disabled
    /etc/rc.d/rc.sshd start

echo starting sshguard
rm -f /var/run/sshguard.pid

# package
/usr/sbin/sshguard >> /var/log/sshguard.log 2>&1 &

# source
/usr/local/sbin/sshguard >> /var/log/sshguard.log 2>&1 &

Operations

    tail -F /var/log/messages /var/log/syslog /var/log/auth.log

status

pgrep -a sshguard
    ps auxfww | grep sshguard | grep -vE 'grep|tail'

check the black list

cd /var/log/
grep Attack *log
cat /var/lib/sshguard/enemies
    nft list ruleset

stop

    pkill sshguard

also see https://github.com/pbraun9/slackbuilds/blob/master/sshguard/rc.sshguard

Acceptance

check that not only SSH gets handled, but also e.g. Postfix SASL

cd /var/log/

# debian / ubuntu
grep Attack auth.log | grep -v SSH

Additional notes

start from scratch

start with a fresh list of filtered hosts

rm -f /var/lib/sshguard/enemies
rc.sshguard restart
nft list ruleset

handy scripts

vi RESTART-SSHGUARD

#!/bin/bash

echo killing sshguard
pkill sshguard
sleep 1

if [[ -z `pgrep sshguard` ]]; then
    echo starting sshguard
    rm -f /var/run/sshguard.pid
    /usr/local/sbin/sshguard >> /var/log/sshguard.log 2>&1 &
    sleep 1
    pgrep -a sshguard
else
    echo ERROR: sshguard is still running
    pgrep -a sshguard
fi

chmod +x RESTART-SSHGUARD

Troubleshooting

that was too fast

==> /var/log/auth.log <==
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.162: unblocking after 177 secs
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.183: unblocking after 167 secs
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.157: unblocking after 163 secs

==> tune THRESHOLD BLOCK_TIME DETECTION_TIME
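As an added example for the troubleshooting and acceptance sections above (not part of the original page), a small Python script that summarises sshguard's own log lines per source address: attacks and the service codes they hit (so you can see whether anything other than SSH is being handled), realised block durations, and which hosts were released sooner than the BLOCK_TIME you intend to run with. The "unblocking after N secs" format is taken from the page; the "Attack from" and "Blocking" line formats, and service code 100 meaning SSH, are assumed from sshguard 2.x output, and the log sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of sshguard log lines with the syslog prefix seen on this page.
# "unblocking" format is from the page; "Attack from" / "Blocking" formats are assumed.
SAMPLE_LOG = """\
May 10 15:40:02 sd-78836 sshguard[2030709]: Attack from "46.148.40.162" on service 100 with danger 10.
May 10 15:40:09 sd-78836 sshguard[2030709]: Attack from "46.148.40.162" on service 100 with danger 10.
May 10 15:40:15 sd-78836 sshguard[2030709]: Attack from "46.148.40.162" on service 100 with danger 10.
May 10 15:40:15 sd-78836 sshguard[2030709]: Blocking "46.148.40.162/32" for 120 secs (3 attacks in 13 secs, after 1 abuses over 13 secs)
May 10 15:41:58 sd-78836 sshguard[2030709]: Attack from "46.148.40.183" on service 250 with danger 10.
May 10 15:44:15 sd-78836 sshguard[2030709]: 46.148.40.162: unblocking after 177 secs
"""

ATTACK_RE = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\d+) with danger (\d+)')
BLOCK_RE = re.compile(r'sshguard\[\d+\]: Blocking "([^"/]+)/\d+" for (\d+) secs')
UNBLOCK_RE = re.compile(r'sshguard\[\d+\]: (\S+): unblocking after (\d+) secs')

SSH_SERVICE = 100  # assumed: sshguard's service code for SSH


def summarize(log_text):
    """Per-IP counters: attacks, service codes hit, block lengths, realised unblock delays."""
    hosts = defaultdict(lambda: {"attacks": 0, "services": set(),
                                 "blocked_for": [], "unblocked_after": []})
    for line in log_text.splitlines():
        if (m := ATTACK_RE.search(line)):
            hosts[m.group(1)]["attacks"] += 1
            hosts[m.group(1)]["services"].add(int(m.group(2)))
        elif (m := BLOCK_RE.search(line)):
            hosts[m.group(1)]["blocked_for"].append(int(m.group(2)))
        elif (m := UNBLOCK_RE.search(line)):
            hosts[m.group(1)]["unblocked_after"].append(int(m.group(2)))
    return dict(hosts)


def non_ssh_attackers(hosts):
    """Acceptance check: IPs that attacked a service other than SSH (e.g. Postfix SASL)."""
    return sorted(ip for ip, h in hosts.items() if h["services"] - {SSH_SERVICE})


def too_short(hosts, wanted_block_time):
    """Troubleshooting: IPs released before the BLOCK_TIME you intend to run with."""
    return sorted(ip for ip, h in hosts.items()
                  if any(t < wanted_block_time for t in h["unblocked_after"]))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, h in sorted(summary.items()):
        print(ip, h["attacks"], "attacks on services", sorted(h["services"]),
              "blocked for", h["blocked_for"], "unblocked after", h["unblocked_after"])
    print("non-SSH attackers:", non_ssh_attackers(summary))
    print("raise BLOCK_TIME for:", too_short(summary, 600))
```

Run it against the real files with `summarize(open("/var/log/auth.log").read())` (or whatever FILES lists on your system) once sshguard has been running for a while.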

Resources

https://wiki.archlinux.org/title/Sshguard

https://wiki.gentoo.org/wiki/Sshguard

How do I start sshguard at boot? https://www.sshguard.net/faq.html#sshguard-start-at-boot

How to Install and Use SSHGuard on Ubuntu 20.04 https://vitux.com/how-to-install-and-use-sshguard-on-ubuntu-20-04/ --> ufw -j ?

whitelist

https://en.wikipedia.org/wiki/Private_network

filters

https://web.archive.org/web/20160908055836/http://www.sshguard.net/docs/terminology/#attack

https://web.archive.org/web/20170222154636/http://www.sshguard.net/support/attacks/submit/


Copyright © 2024 Pierre-Philipp Braun