[tor-relays] doc/HARDENING Draft

tor at zengers.de tor at zengers.de
Fri Nov 28 00:50:37 UTC 2014 

Hi,

On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
> And I agree about SSHGuard. I've had a better experience with it, and
> it generally seems like a more carefully developed and more thoroughly
> documented project. Strangely, though, most experienced sysadmins
> still use and suggest fail2ban. Maybe I'm just missing something, or
> maybe people don't know about SSHGuard.
> 
I'm still wondering about the popularity of fail2ban and SSHGuard,
specially in regard to the ssh service. You can achieve almost the some
behaviour with every major firewall. See for example [1] and [2].

And for the lazy ones, my current configs:

iptables & ip6tables under linux:

# ssh incoming
# bucket: /proc/net/xt_recent/SSH - see for stats
# ipv4
iptables -N SSHSCAN
iptables -F SSHSCAN

iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH --rsource
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: "
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
# ipv6
ip6tables -N SSHSCAN
ip6tables -F SSHSCAN

ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT>8080 -m state --state NEW -j SSHSCAN
ip6tables -A SSHSCAN -m recent --set --name SSH --rsource
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: "
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT


pf under FreeBSD:

block quick from <blacklist>
# .
# .
# .
pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-Port  flags S/SA keep state \
(max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in "


You can adjust the parameters to control when a host is blacklisted and for how long.

-- 
regards
 alex

More information about the tor-relays mailing list