If you have a remote server running some flavor of Unix or Linux, chances are 99% that you use SSH. The best security practice is to use an access key with a password and disable password access altogether. But you end up losing some flexibility (for some customers PuTTY is an utterly complex piece of software; imagine them playing with SSH keys…).
The best you can do is to enforce a better user password policy, but even so, like every password-based service, it is at the mercy of brute-force attacks. These attacks consume precious clock cycles and, in the worst-case scenario, they can break a password and gain access to the system.
So, here comes SSHGuard to our rescue. It’s a pretty neat piece of software that is highly flexible and customizable to one’s system, needs and paranoia level. On top of that, it is maintenance-free and very easy to set up.
I’m using FreeBSD and the venerable (yet very capable) IPFW firewall. I chose this firewall simply because it’s the one that I am most proficient with.
The first thing is to enable IPFW on your system. Open /etc/rc.conf and add these lines:
firewall_enable="YES"
firewall_type="open"
Actually, this setup only brings IPFW up; it doesn’t filter anything, and all traffic is passed through. But if you forget the firewall_type="open" line and start the firewall, you will be locked out, because the default is no traffic allowed… (and you win a drive to the data center or some kind of remote rescue shell procedure).
Start IPFW
/etc/rc.d/ipfw start
and check that it is running
ipfw show
Now you are ready to install SSHGuard itself, a very easy task:
cd /usr/ports/security/sshguard-ipfw
make install clean
and enable it in /etc/rc.conf
sshguard_enable="YES"
Ready? Start it
/usr/local/etc/rc.d/sshguard start
Still, there is one final thing to take care of. SSHGuard uses syslogd to monitor incoming (failed) logins, so you must edit /etc/syslog.conf and uncomment (or add, if it’s not there) the line that the SSHGuard port added.
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
And restart syslogd
/etc/rc.d/syslogd restart
And now your SSH service should be bulletproof against brute-force attacks. Keep safe!
UPDATE 2014-02-23
The latest versions of SSHGuard don’t use syslogd any more; they use an internal “log sucker” that follows the logs. The default logs are “/var/log/auth.log:/var/log/maillog”; as I don’t want it to follow /var/log/maillog, I override this in /etc/rc.conf with:
sshguard_watch_logs="/var/log/auth.log"
UPDATE 2014-08-05
For several reasons, I have switched from IPFW to PF. So the port to install is /usr/ports/security/sshguard-pf/, and you must add this line to your /etc/pf.conf and enable PF in /etc/rc.conf:
table <sshguard> persist
then to list the blocked IPs
pfctl -t sshguard -T show
to remove an IP from the list
pfctl -t sshguard -T delete aaa.bbb.ccc.ddd
to remove all the IPs
pfctl -t sshguard -T flush
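To cross-check the addresses in the sshguard table against the log that SSHGuard follows, the added example below (not part of the original post and not SSHGuard's own detection code) tallies failed password attempts per source address in auth.log format. The function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SSHGuard's own parser. Threshold and sample are assumptions.

# failed_ssh_sources MIN [LOGFILE...]
# Prints "count address" for each source with at least MIN failed password
# attempts, busiest first. Reads stdin when no LOGFILE is given.
failed_ssh_sources() {
    min=$1
    shift
    awk -v min="$min" '
        / sshd\[[0-9]+\]: Failed password for / {
            addr = ""
            # The user name comes from the client and is logged before the
            # address, so trust only the LAST "from <addr> port" on the line.
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "from" && $(i + 2) == "port")
                    addr = $(i + 1)
            if (addr != "")
                hits[addr]++
        }
        END {
            for (a in hits)
                if (hits[a] >= min)
                    print hits[a], a
        }
    ' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample lines in auth.log format (documentation address ranges).
sample_auth_log() {
    cat <<'EOF'
Aug  5 10:12:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Aug  5 10:12:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug  5 10:12:06 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Aug  5 10:13:10 host sshd[1210]: Failed password for alice from 198.51.100.4 port 40030 ssh2
Aug  5 10:13:20 host sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40031 ssh2
Aug  5 10:14:00 host sshd[1220]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.9 port 40100 ssh2
Aug  5 10:14:02 host sshd[1221]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.9 port 40101 ssh2
EOF
}

# Demo on the sample; on a real host: failed_ssh_sources 3 /var/log/auth.log
sample_auth_log | failed_ssh_sources 3
```

An address that shows up here with many failures but is missing from `pfctl -t sshguard -T show` suggests SSHGuard is not following the log you expect.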
NOTE
I am also going to test-drive fail2ban on a Debian box, and will soon post a quick review and the differences, drawbacks and benefits versus SSHGuard.