The best you can do is to enforce a better user password policy, but even so, as every password service it’s at mercy of brute force attacks. These attacks consume precious clock cycles and worst case scenario they can break a password and gain access to the system.
So, here comes SSHGuard to our rescue. It’s a pretty neat piece of software that is highly flexible and customizable to ones system, needs and paranoia level. On top of that is maintenance free and very easy to setup.
I’m using FreeBSD and the venerable (yet, very capable) IPFW firewall. The choice of the firewall is simply because it’s the one that i am more pro-efficient with.
First thing is to enable IPFW on your system. Open /etc/rc.conf and add these lines
firewall_enable="YES"
firewall_type="open"
actually this setup is only to bring IPFW up, it doesn’t filter anything, all the traffic is passed trough. But if you forget the firewall_type=”open” rule and start the firewall you will be lock out, because the default is no traffic allowed… (and you win a drive to the data-center or some kind of remote rescue shell procedure).
Start IPFW
/etc/rc.d/ipfw start
and check that is running
ipfw show
Now, you are ready to install SSHGuard itself, very easy task
cd /usr/ports/security/sshguard-ipfw
make install clean
and enable it in /etc/rc.conf
sshguard_enable="YES"
Ready? Start it
/usr/local/etc/rc.d/sshguard start
Still, there is a final thing to take care. SSHGuard uses syslogd to monitor incoming (failed) logins. So, you must edit /etc/syslog.conf and uncomment (or add if it’s not there) the line that the SSHGuard port added.
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
And restart syslogd
/etc/rc.d/syslogd restart
And now your SSH service should be bullet proof to brute force attacks. Keep safe!
UPDATE 2014-02-23
Latest versions of SSHGuard don’t use syslogd any more, it uses an internal “log sucker” that follows the logs. The default logs are “/var/log/auth.log:/var/log/maillog”, as I don’t want it to follow /var/log/mailog i override this in /etc/rc.conf with:
sshguard_watch_logs="/var/log/auth.log"
UPDATE 2014-08-05
For several reasons, I have switched from IPFW to PF. So the port to install is /usr/ports/security/sshguard-pf/ and you must add this line to your /etc/pf.conf and enable PF in /etc/rc.conf
table persist
then to list the blocked IPs
pfctl -t sshguard -T show
to remove an IP from the list
pfctl -t sshguard -T delete aaa.bbb.ccc.ddd
to remove all the IPs
pfctl -t sshguard -T flush
NOTE
Also going to test drive on a debian box fail2ban, and will soon post quick review and differences, drawbacks, benefits versus sshguard.