This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.
Please visit our production wiki at https://wiki.gentoo.org
sshguard
Warning: Display title "sshguard" overrides earlier display title "Sshguard".
sshguard è un sistema di prevenzione delle intrusioni che analizza i log del server, determina le attività dannose e utilizza il firewall di sistema per bloccare gli indirizzi IP delle connessioni malevole. sshguard è scritto in C quindi non necessita di un interprete.
Come funziona
sshguard è un semplice demone che setaccia in continuazione uno o più file di log. Esso analizza i log che i demoni inviano in caso di tentativi di accesso non riusciti e poi blocca ogni ulteriore tentativo da quelle connessioni aggiornando il firewall del sistema.
Rispetto a quello che può suggerire il nome, sshguard non funziona solo con log di SSH. Esso supporta anche molti sistemi di mail nonché alcuni FTP. Una lista completa di servizi supportati è disponibile sul sshguard.net sito
Installazione
Emerge
installa app-admin/sshguard:
root #
emerge --ask app-admin/sshguard
Also make sure that net-firewall/iptables is installed and used as the system firewall. At the time of writing, sshguard does not yet support net-firewall/nftables.
root #
emerge --ask net-firewall/iptables
Maggiori informazioni riguardo l'uso e la configurazione di IPtables possono essere trovati nel IPtables article.
Configurazione
Preparare il firewall
When sshguard blocks any malicious users (by blocking their IP addresses), it will use the sshguard chain.
Prepare the chain, and make sure it is also triggered when new incoming connections are detected:
root #
iptables -N sshguard
root #
iptables -A INPUT -j sshguard
Osservare i file log
The basic idea behind sshguard is that the administrator passes on the log file(s) to watch as options to the application - there is no native sshguard configuration file.
On Gentoo, the options can be best configured in the /etc/sshguard.conf file:
/etc/sshguard.conf
Configuring sshguard to read /var/log/messages and /var/log/auth.log# Full path to backend executable (required, no default) BACKEND="/usr/libexec/sshg-fw-iptables" # Space-separated list of log files to monitor. (optional, no default) FILES="/var/log/messages /var/log/auth.log" # How many problematic attempts trigger a block THRESHOLD=10 # Blocks last at least 24 hours (60480 seconds) BLOCKTIME=60480 # Track IP addresses for 24 hours (60480 seconds) DETECTION_TIME=60480 # IPv6 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 128) IPV6_SUBNET=64 # IPv4 subnet size to block. Defaults to a single address, CIDR notation. (optional, default to 32) IPV4_SUBNET=24 # Full path to PID file (optional, no default) PID_FILE=/run/sshguard.pid
Make sure that the log files are accessible for the runtime user that sshguard uses.
Servizi
OpenRC
Have sshguard be started by default by adding it to the default runlevel, and then start it:
root #
rc-update add sshguard default
root #
rc-service sshguard start
Blacklisting hosts
With the blacklisting option after a number of abuses the IP address of the attacker or a IP subnet will be blocked permanently. The blacklist will be loaded at each startup and extended with new entries during operation. sshguard inserts a new address after it exceeded a threshold of abuses.
Blacklisted addresses are never scheduled to be released (allowed) again.
To enable blacklisting, create an appropriate directory and file:
root #
mkdir -p /var/lib/sshguard
root #
touch /var/lib/sshguard/blacklist.db
While defining a blacklist it is important to exclude trusted IP networks and hosts in a whitelist.
To enable whitelisting, create an appropriate directory and file:
root #
mkdir -p /etc/sshguard
root #
touch /etc/sshguard/whitelist
The whitelist has to include the loopback interface, and should have at least 1 IP trusted network f.e. 192.0.2.0/24.
/etc/sshguard/whitelist
Whitelisting trusted networks127.0.0.0/8 ::1/128 192.0.2.0/24
The 192.0.2.0/24 entry has to be adjusted to fit the own needs.
Add the BLACKLIST_FILE and WHITELIST_FILE file to the configuration:
/etc/conf.d/sshguard
Configuring sshguard to blacklist abusersBACKEND="/usr/libexec/sshg-fw-iptables" FILES="/var/log/auth.log" THRESHOLD=10 BLOCK_TIME=43200 DETECTION_TIME=604800 IPV4_SUBNET=24 IPV6_SUBNET=64 PID_FILE=/run/sshguard.pid # Add following lines BLACKLIST_FILE=10:/var/lib/sshguard/blacklist.db WHITELIST_FILE=/etc/sshguard/whitelist
Restart the sshguard daemon to have the changes take effect:
root #
/etc/init.d/sshguard restart
Risoluzione dei problemi
File '/var/log/auth.log' vanished while adding!
When starting up, sshguard reports the following error:
Sep 23 03:39:11 foo.bar.com sshguard[64933]: File '/var/log/auth.log' vanished while adding!
Such an error (the file path itself can be different) occurs when the target file is not available on the system. Make sure that it is created, or update the sshguard configuration to not add it for monitoring.
On a syslog-ng system with OpenRC, the following addition to syslog-ng.conf can suffice:
/etc/syslog-ng/syslog-ng.conf
creating auth.log filelog { source(src); destination(messages); }; log { source(src); destination(console_all); }; destination authlog {file("/var/log/auth.log"); }; filter f_auth { facility(auth); }; filter f_authpriv { facility(auth, authpriv); }; log { source(src); filter(f_authpriv); destination(authlog); };
Reload the configuration for the changes to take effect:
root #
rc-service syslog-ng reload
Vedi anche
- Iptables, per installare e configurare iptables su Gentoo
Risorse esterne
La documentazione sshguard fornisce tutte le informazioni necessarie per ottimizzare ulteriormente l'applicazione.