
Add sshguard to protect against brute-force attacks
Open, Requires assessment | Public | FEATURE REQUEST

Description

Sshguard protects hosts from brute-force attacks.
It can inspect logs and block "bad" addresses once they cross a threshold.
It is compatible with nftables.

It automatically adds the tables and chains, and dynamically adds attacking addresses to the set:

table ip sshguard {
	set attackers {
		type ipv4_addr
		flags interval
		elements = { 43.x.x.230, 81.x.x.212,
			     103.x.7x84, 194.x.x.93 }
	}

	chain blacklist {
		type filter hook input priority -10; policy accept;
		ip saddr @attackers drop
	}
}
table ip6 sshguard {
	set attackers {
		type ipv6_addr
		flags interval
	}

	chain blacklist {
		type filter hook input priority -10; policy accept;
		ip6 saddr @attackers drop
	}
}

Log

May  4 05:55:27 n1 sshd[53441]: Failed password for invalid user eagle from 43.154.x.230 port 42724 ssh2
May  4 05:55:39 n1 sshd[53447]: Invalid user rosa from 103.14x.x2.84 port 54856
May  4 05:55:39 n1 sshd[53447]: pam_unix(sshd:auth): check pass; user unknown
May  4 05:55:39 n1 sshd[53447]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.143.72.84 
May  4 05:55:39 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 100 with danger 10.
May  4 05:55:39 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 110 with danger 10.
May  4 05:55:40 n1 sshguard[53385]: Attack from "103.14x.x2.84" on service 110 with danger 10.
May  4 05:55:40 n1 sshguard[53385]: Blocking "103.14x.7x.84/32" for 360 secs (3 attacks in 1 secs, after 2 abuses over 204 secs.)

https://www.sshguard.net

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Configuration

# cat /etc/sshguard/sshguard.conf 
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=300

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/etc/sshguard/whitelist
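As an added illustration (not sshguard's code and not part of this ticket), the script below mimics what the description and the quoted sshguard.conf describe: it reads sshd lines in the format of the log excerpt above, scores each recognised attack, and returns the nft command that would add the address to the sshguard attackers set once the score reaches THRESHOLD. The scoring model (10 points per attack, block at score >= THRESHOLD, block time multiplied by 1.5 on each repeat block, score dropped after DETECTION_TIME seconds) is an assumption reconstructed from the config comments and the log, not sshguard's actual implementation; the log lines and addresses are constructed, and the nft commands are only produced as strings, never executed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Values from the sshguard.conf quoted in this ticket; ATTACK_SCORE is the
# 10-point "danger" its comments and log lines mention.
THRESHOLD = 30
BLOCK_TIME = 300
DETECTION_TIME = 1800
ATTACK_SCORE = 10

# BSD syslog line as in the ticket's excerpt: "May  4 05:55:27 n1 sshd[53441]: ..."
SYSLOG_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$")

# Only the two sshd messages visible in the ticket count as attacks.
ATTACK_RES = [
    re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
    re.compile(r"^Invalid user \S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"),
]


def parse_syslog(line):
    """Return (seconds, program, message) or None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    dt = datetime.strptime(m["stamp"], "%b %d %H:%M:%S")   # no year: only deltas matter
    return (dt - datetime(1900, 1, 1)).total_seconds(), m["prog"], m["msg"]


def attacker_ip(msg):
    """Return the source address if the sshd message matches an attack pattern."""
    for rx in ATTACK_RES:
        m = rx.match(msg)
        if m:
            return m["ip"]
    return None


@dataclass
class Attacker:
    first_seen: float       # start of the current DETECTION_TIME window
    score: int = 0
    blocks: int = 0         # earlier blocks: each multiplies the next block time by 1.5
    blocked_until: float = 0.0


class Guard:
    """Assumed model: +10 per attack, block once score >= threshold (three attacks
    at the defaults, as in the ticket's log), score forgotten after detection_time."""

    def __init__(self, threshold=THRESHOLD, block_time=BLOCK_TIME, detection_time=DETECTION_TIME):
        self.threshold, self.block_time, self.detection_time = threshold, block_time, detection_time
        self.attackers = {}
        self.actions = []   # nft commands the backend would run; generated here, never executed

    def feed(self, line):
        parsed = parse_syslog(line)
        if parsed is None or parsed[1] != "sshd":
            return None
        ip = attacker_ip(parsed[2])
        return self.record(ip, parsed[0]) if ip else None

    def record(self, ip, ts):
        a = self.attackers.setdefault(ip, Attacker(first_seen=ts))
        if ts < a.blocked_until:
            return None                      # already in the nft set, nothing to add
        if ts - a.first_seen > self.detection_time:
            a.score, a.first_seen = 0, ts    # stale history: start counting again
        a.score += ATTACK_SCORE
        if a.score < self.threshold:
            return None
        a.blocked_until = ts + self.block_time * 1.5 ** a.blocks
        a.blocks += 1
        a.score, a.first_seen = 0, ts
        family = "ip6" if ":" in ip else "ip"
        cmd = f"nft add element {family} sshguard attackers {{ {ip} }}"
        self.actions.append(cmd)
        return cmd


def run(log_text):
    """Feed each line of a log excerpt and return the nft commands it produced."""
    guard = Guard()
    for line in log_text.splitlines():
        guard.feed(line)
    return guard.actions


# Constructed sample log (RFC 5737 documentation addresses), not the ticket's own.
SAMPLE_LOG = """\
May  4 05:55:27 n1 sshd[53441]: Failed password for invalid user eagle from 192.0.2.10 port 42724 ssh2
May  4 05:55:39 n1 sshd[53447]: Invalid user rosa from 192.0.2.10 port 54856
May  4 05:55:39 n1 sshd[53447]: pam_unix(sshd:auth): check pass; user unknown
May  4 05:55:40 n1 sshd[53447]: Failed password for invalid user rosa from 192.0.2.10 port 54856 ssh2
May  4 05:56:01 n1 sshd[53460]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
May  4 06:30:00 n1 sshd[53500]: Failed password for invalid user test from 198.51.100.7 port 40002 ssh2
May  4 06:30:01 n1 sshd[53500]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
"""

if __name__ == "__main__":
    print("\n".join(run(SAMPLE_LOG)))
```

Run stand-alone it prints a single command, for 192.0.2.10 after its third failed login; 198.51.100.7 never reaches the threshold because its first attempt falls outside the detection window and its score is restarted. The pam_unix line is parsed but ignored, which is why the patterns are anchored to the two sshd messages rather than to any line mentioning an address. On VyOS the whitelist from sshguard.conf and the nftables table and set shown in the description would still have to exist before such commands could be applied.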