SSHGuard is a lightweight alternative to fail2ban, written in C, for blocking SSH brute-force attacks (it also recognises attacks on other services, such as mail daemons, which is why the log list below includes /var/log/maillog).
According to the website (https://www.sshguard.net/):
SSHGuard monitors system log files and journal logs. It can work with multiple log sources.
SSHGuard parses logs for recognized attacks.
SSHGuard blocks repeat attackers using one of many firewall backends.
Install the package with:
pkg install sshguard
In the configuration file /usr/local/etc/sshguard.conf:
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/local/libexec/sshg-fw-pf" ### for use with pf firewall
# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/auth.log /var/log/maillog /var/log/messages"
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=10
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=300
# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=3600
# Size of IPv6 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=128
# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=32
#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!
# Full path to PID file (optional, no default)
PID_FILE=/var/run/sshguard.pid
# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/usr/local/etc/sshguard.whitelist # <<< add at least one of your IPs to this file
Note that with THRESHOLD=10 a single attack of the usual score of 10 (one failed login for an invalid user, for example) is enough to trigger a block, so put at least one address you administer from into the whitelist file before starting the service; locking yourself out of a remote box is the classic sshguard mistake.
In /etc/pf.conf (at the end):
################ Tables ####################################
table <sshguard> persist
################ Filtering #################################
# Rules that work with sshguard-pf:
block drop in log quick on $int_if inet from <sshguard> to any
Two caveats on that rule: $int_if is a macro, so it must be defined earlier in pf.conf and should name the interface the attackers actually arrive on (on a machine exposed directly to the Internet that is usually the external interface), and the inet keyword restricts the rule to IPv4, so IPv6 addresses that sshguard adds to the table will not be dropped unless you add a matching inet6 rule or drop the keyword. Reload the ruleset (pfctl -f /etc/pf.conf) after editing it.
In /etc/rc.conf:
#################################### Remote access (sshd) ######################################
sshd_enable="YES"
#Watchdog for remote access: this requires pf, pflog & sshguard to be installed/configured
sshguard_enable="YES"
Start the service with:
service sshguard start
In /var/log/messages, you should soon see entries like these:
May 14 17:52:00 local syslogd: last message repeated 1 times
May 14 17:54:01 local sshguard[91990]: Attack from "31.133.98.25" on service SSH with danger 10.
May 14 17:56:01 local sshd[59049]: fatal: Timeout before authentication for 31.133.98.25 port 60526
May 15 01:23:40 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 01:24:59 local syslogd: last message repeated 1 times
May 15 04:07:51 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 04:08:43 local syslogd: last message repeated 1 times
May 15 04:08:49 local syslogd: last message repeated 2 times
May 15 04:09:33 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 10.
To display the list of banned addresses:
pfctl -t sshguard -T show
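To predict what the settings above do to a stream of attacks like the ones in the log excerpt, here is an added example (not part of the original page and not SSHGuard's own code) that replays sshguard "Attack from" lines through a simplified model of the documented THRESHOLD, DETECTION_TIME, BLOCK_TIME, WHITELIST_FILE and IPV4_SUBNET rules. The log lines are constructed in the same format as the excerpt above; the year 2024, the "score >= THRESHOLD triggers a block" rule and the 192.0.2.0/24 whitelist entry are assumptions made for the example.

```python
"""Simplified model of SSHGuard's scoring as documented in sshguard.conf.

Added example, not SSHGuard's own code. It replays sshguard "Attack from"
log lines (constructed below in the /var/log/messages format) through the
THRESHOLD / DETECTION_TIME / BLOCK_TIME / whitelist / subnet rules so you can
predict what lands in the <sshguard> pf table. Assumptions: the log year is
2024, a score >= THRESHOLD triggers a block, and an attacker that is
currently blocked is simply not seen again until the block expires (pf drops
its packets), which this model does not need to track.
"""
import ipaddress
import re
from datetime import datetime

# Values taken from the sshguard.conf shown above.
THRESHOLD = 10
BLOCK_TIME = 300
DETECTION_TIME = 3600
IPV4_SUBNET = 32
IPV6_SUBNET = 128

ATTACK_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshguard\[\d+\]: '
    r'Attack from "(?P<ip>[^"]+)" on service (?P<svc>\S+) with danger (?P<score>\d+)\.$'
)

# Constructed sample log, modelled on the excerpt above (not real traffic).
SAMPLE_LOG = """\
May 14 17:52:00 local syslogd: last message repeated 1 times
May 14 17:54:01 local sshguard[91990]: Attack from "31.133.98.25" on service SSH with danger 10.
May 14 17:56:01 local sshd[59049]: fatal: Timeout before authentication for 31.133.98.25 port 60526
May 15 01:23:40 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 01:24:59 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 04:07:51 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 04:08:43 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 04:08:49 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 2.
May 15 04:09:33 local sshguard[91990]: Attack from "82.66.142.245" on service SSH with danger 10.
May 15 04:20:00 local sshguard[91990]: Attack from "192.0.2.10" on service SSH with danger 10.
May 15 09:00:00 local sshguard[91990]: Attack from "31.133.98.25" on service SSH with danger 10.
""".splitlines()


def parse_attack(line, year=2024):
    """Return (timestamp, ip, service, score) for a sshguard attack line, else None."""
    m = ATTACK_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["svc"], int(m["score"])


def block_subnet(ip):
    """Widen the attacker address to the configured IPV4_SUBNET / IPV6_SUBNET size."""
    addr = ipaddress.ip_address(ip)
    bits = IPV4_SUBNET if addr.version == 4 else IPV6_SUBNET
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)


def replay(lines, whitelist=(), year=2024):
    """Replay log lines and return a list of (timestamp, network, block_seconds).

    An attacker's score accumulates while its attacks arrive less than
    DETECTION_TIME seconds apart; a longer gap resets the score. Reaching
    THRESHOLD blocks the attacker for BLOCK_TIME seconds, multiplied by 1.5
    for every earlier block of the same attacker, and resets its score.
    Addresses inside a whitelisted network are never blocked.
    """
    friends = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    state = {}  # ip -> {"score", "last_seen", "blocks"}
    blocks = []
    for line in lines:
        parsed = parse_attack(line, year)
        if parsed is None:
            continue  # syslogd / sshd lines are not attack reports
        ts, ip, _svc, score = parsed
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in friends):
            continue  # WHITELIST_FILE: friendlies are never blocked
        st = state.setdefault(ip, {"score": 0, "last_seen": ts, "blocks": 0})
        if (ts - st["last_seen"]).total_seconds() > DETECTION_TIME:
            st["score"] = 0  # DETECTION_TIME elapsed: forget the old score
        st["score"] += score
        st["last_seen"] = ts
        if st["score"] >= THRESHOLD:
            seconds = BLOCK_TIME * 1.5 ** st["blocks"]  # 300, 450, 675, ...
            st["blocks"] += 1
            st["score"] = 0
            blocks.append((ts, block_subnet(ip), seconds))
    return blocks


if __name__ == "__main__":
    for ts, net, secs in replay(SAMPLE_LOG, whitelist=["192.0.2.0/24"]):
        print(f"{ts:%b %d %H:%M:%S} block {net} for {secs:.0f}s")
```

Run as-is, the replay shows why 82.66.142.245 was not blocked after its first danger-2 events: the 01:2x attacks only reach a score of 4, the gap to 04:07 exceeds DETECTION_TIME so that history is forgotten, and only the danger-10 event at 04:09:33 pushes the fresh score past THRESHOLD. The second block of 31.133.98.25 lasts 450 seconds rather than 300 because of the 1.5 multiplier, and the whitelisted 192.0.2.10 never appears. To remove a false positive from the live table on the FreeBSD box, use pfctl -t sshguard -T delete with the address.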
This document was published on 2024-05-15 10:06:35. (Last updated: 2024-05-15 16:08:06.)