March 11, 2007 Archives

2007-03-11

sshguard

There are many tools to prevent SSH brute force attacks. My favourite is sshguard. First of all, it's not a script: it's written in C, and it's pretty easy to configure.
For those who are interested, I wrote an ebuild for it; it's in the sunrise overlay right now.
As a short tutorial here is how I configured it. First you need to make syslog-ng call sshguard in case of an authentication failure. Adding these lines to syslog-ng.conf would do it:
destination sshguardproc { program("/usr/sbin/sshguard"); };
filter sshd { facility(authpriv) and match(ssh); };
log { source(src); filter(sshd); destination(sshguardproc); };

For efficiency make sure sshd doesn't use DNS when logging IP addresses. This can be done by adding
UseDNS no
to /etc/ssh/sshd_config.
Last but not least, we need the iptables configuration for sshguard to work. First create a new chain called sshguard, then pass all SSH traffic to this chain:
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

All done :-)
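As an added example (not part of the original post and not sshguard's own code), here is the kind of rule sshguard applies to the lines syslog-ng hands it: count sshd "Failed password" messages per source address and flag an address once it reaches a threshold inside a time window. The sample log lines, the threshold of 4 failures in 600 seconds, and the year used to complete the year-less syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Auth-failure line as sshd logs it through facility authpriv (OpenSSH 4.x style).
_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|none) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_failure(line, year=2007):
    """Return (timestamp, source_ip) for an sshd failure line, else None."""
    m = _FAIL_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumed 2007 here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")

def offenders(lines, threshold=4, window=600, year=2007):
    """Source IPs that reach `threshold` failures within any `window` seconds,
    in the order they crossed the line (the basic sshguard-style rule)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None or parsed[1] in blocked:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked.append(ip)
    return blocked

# Constructed sample of what syslog-ng's sshd filter would pass along.
SAMPLE_LOG = """\
Mar 11 10:01:02 gentoo sshd[4412]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2
Mar 11 10:01:05 gentoo sshd[4414]: Failed password for root from 203.0.113.5 port 4023 ssh2
Mar 11 10:01:09 gentoo sshd[4416]: Failed password for invalid user oracle from 203.0.113.5 port 4025 ssh2
Mar 11 10:01:12 gentoo sshd[4418]: Failed password for invalid user test from 203.0.113.5 port 4026 ssh2
Mar 11 10:02:00 gentoo sshd[4420]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Mar 11 10:03:00 gentoo sshd[4422]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Mar 11 10:40:00 gentoo sshd[4500]: Failed password for alice from 198.51.100.7 port 51031 ssh2
"""

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG.splitlines()))
```

With the defaults, only 203.0.113.5 is flagged; alice's two mistyped passwords from 198.51.100.7 are 37 minutes apart and never fill the window.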