Hi,
On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
> And I agree about SSHGuard. I've had a better experience with it, and it generally seems like a more carefully developed and more thoroughly documented project. Strangely, though, most experienced sysadmins still use and suggest fail2ban. Maybe I'm just missing something, or maybe people don't know about SSHGuard.
I'm still wondering about the popularity of fail2ban and SSHGuard, especially in regard to the ssh service. You can achieve almost the same behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs:
iptables & ip6tables under linux:
# ssh incoming
# bucket: /proc/net/xt_recent/SSH - see for stats
# ipv4
iptables -N SSHSCAN
iptables -F SSHSCAN
# hand every new ssh connection to the SSHSCAN chain
iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
# record the source in the SSH bucket
iptables -A SSHSCAN -m recent --set --name SSH --rsource
# 5 or more new connections within 900s: log, then drop
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: "
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
# ipv6
ip6tables -N SSHSCAN
ip6tables -F SSHSCAN
ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
ip6tables -A SSHSCAN -m recent --set --name SSH --rsource
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: "
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
pf under FreeBSD:
# table filled by the overload rule below; persist keeps it across ruleset reloads
table <blacklist> persist
block quick from <blacklist>
# .
# .
# .
pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-PORT> flags S/SA keep state \
    (max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in "
You can adjust the parameters to control when a host is blacklisted and for how long.
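The iptables rules above keep their state in /proc/net/xt_recent/SSH (the "see for stats" bucket). As an added example that is not part of this message, here is a small Python script that parses that file and replays the `--seconds 900 --hitcount 5` decision offline, so you can see which sources the SSHSCAN chain is currently dropping; the sample lines are constructed, and the kernel tick rate HZ is assumed to be 250 (timestamps in the file are jiffies).

```python
"""Summarise the xt_recent bucket behind the SSHSCAN chain.

Each tracked source appears in /proc/net/xt_recent/SSH as
  src=<ip> ttl: <n> last_seen: <jiffies> oldest_pkt: <idx> <jiffies>, <jiffies>, ...
`-m recent --update --seconds 900 --hitcount 5` matches when at least
5 stored timestamps fall inside the last 900 seconds.
"""
import re
import sys

HZ = 250              # assumed kernel tick rate (CONFIG_HZ); adjust to your kernel
WINDOW_SECONDS = 900  # --seconds 900 from the SSHSCAN rules
HITCOUNT = 5          # --hitcount 5

LINE_RE = re.compile(r"^src=(\S+) ttl: \d+ last_seen: (\d+) oldest_pkt: \d+ (.*)$")

def parse_recent(text):
    """Return {src: sorted list of hit timestamps in jiffies}."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, _last_seen, stamps = m.groups()
        table[src] = sorted(int(s) for s in stamps.replace(",", " ").split())
    return table

def would_block(stamps, now, window=WINDOW_SECONDS, hitcount=HITCOUNT, hz=HZ):
    """The --seconds/--hitcount test: enough hits not older than the window?"""
    cutoff = now - window * hz
    return sum(1 for s in stamps if s >= cutoff) >= hitcount

def report(text, now=None):
    """Map each tracked source to True if the DROP rule would match it now."""
    table = parse_recent(text)
    if now is None and table:
        now = max(max(v) for v in table.values())  # newest hit stands in for jiffies
    return {src: would_block(stamps, now) for src, stamps in table.items()}

# Constructed sample in the /proc/net/xt_recent format; not real captured data.
SAMPLE = """\
src=192.0.2.10 ttl: 64 last_seen: 4295100000 oldest_pkt: 5 4295099000, 4295099250, 4295099500, 4295099750, 4295100000
src=198.51.100.7 ttl: 57 last_seen: 4295050000 oldest_pkt: 2 4294000000, 4295050000
"""

if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for src, blocked in report(data).items():
        print(f"{src:20} {'DROP' if blocked else 'ok'}")
```

Run it as `python3 recent_stats.py /proc/net/xt_recent/SSH` on the firewall; without an argument it evaluates the constructed sample.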