How to protect SSH remote login in Fedora with SSHGuard and FirewallD

SSHGuard 2 introduced a new firewall backend that makes it much easier to use on Linux distributions that rely on FirewallD. Here is how to install and configure SSHGuard on distributions that use FirewallD (such as Fedora, CentOS and RHEL).

You can significantly reduce the number of scripted attacks against SSH by changing the default port number. However, obscuring the location of your SSH service should not be your only line of defense. This is where SSHGuard comes in: it adds the IP addresses of repeat attackers to the system firewall so that their connections are dropped before they ever reach the SSH service.

Building and installing

SSHGuard is not yet packaged for Fedora (I'll see what I can do about that), so you'll have to compile and install it yourself. Luckily, this isn't a very complicated process, so you should have SSHGuard up and running on your system a few minutes into this tutorial.

Start by installing the build dependencies using the command below. If you're using Ubuntu or another distribution, you'll find the appropriate apt command in the INSTALL file. You can follow along in this tutorial even if you don't use Fedora, but choose the appropriate firewall backend for your distribution.

dnf install byacc flex gcc make wget

Next, you need to download and uncompress the source from the latest release tarball on SourceForge. The example commands below download version 2.1, extract it from the package, and change the working directory to the source directory.

wget "https://sourceforge.net/projects/sshguard/files/sshguard/2.1.0/sshguard-2.1.0.tar.gz"
tar -xzf sshguard-2.1.0.tar.gz
cd sshguard-2.1.0/

Make sure you get the latest release version. Once you’ve got your very own copy of the source code from the release tarball, you can proceed to configure and build SSHGuard:

./configure --prefix="/usr/local/"
make

Unless you see error messages, you should now be ready to install the finished program along with some example configuration resources. The following commands need to be run as the root user and will copy the files you need into place:

make install
cp ./examples/sshguard.conf.sample /usr/local/etc/sshguard.conf
cp ./examples/sshguard.service /etc/systemd/system/

Configuring SSHGuard

The sample configuration file has enough inline documentation to guide you through the configuration options you need. You only need to configure the BACKEND and LOGREADER options. For Fedora, we'll use FirewallD as the firewall backend and the systemd journal as the log reader. Make the following changes in /usr/local/etc/sshguard.conf:

BACKEND="/usr/local/libexec/sshg-fw-firewalld"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"

All of those journalctl switches tell the journal to pipe out every message from the sshd process with priority info or higher, using basic (syslog-like) formatting.

You can look through the other configuration options in the file to see if you want to make any other changes. You may want to double the DETECTION_TIME value if you're experiencing slow-paced brute-force attacks.

Next, you need to make one small change to the systemd unit file to account for the installation prefix we used during the build. Change the ExecStart option in /etc/systemd/system/sshguard.service to the following:

ExecStart=/usr/local/sbin/sshguard

Once you're done configuring the systemd unit file for SSHGuard, run the following command to let systemd know that there's a new unit file:

systemctl daemon-reload

Configuring firewall zones

The FirewallD backend in SSHGuard relies on the ipset feature of iptables. Blocked attackers are added to either the sshguard4 (for IPv4) or the sshguard6 (for IPv6) ipset. Additionally, SSHGuard adds a firewall rule to FirewallD that tells it to drop connections from any source IP found in either one of these ipsets.

By default, SSHGuard's drop rule is added to the default FirewallD zone. Depending on your firewall zone configuration, you may want to add additional drop rules to other zones. If you only use the default public zone then no further configuration is needed. The following commands add the same drop rules to the home zone:

firewall-cmd --permanent --zone="home" --add-rich-rule="rule source ipset=sshguard4 drop"
firewall-cmd --permanent --zone="home" --add-rich-rule="rule source ipset=sshguard6 drop"
firewall-cmd --reload

You can inspect the blocked entries in each ipset using the following commands:

firewall-cmd --permanent --info-ipset="sshguard4"
firewall-cmd --permanent --info-ipset="sshguard6"

In this example, you can unblock the blocked attacker 10.10.1.10 using the following command (an IPv4 address lives in the sshguard4 set; use sshguard6 for IPv6 addresses):

firewall-cmd --ipset="sshguard4" --permanent --remove-entry="10.10.1.10"

Note that SSHGuard's two ipsets are deleted when SSHGuard flushes its own firewall rules (on exit). This can cause a problem if FirewallD rules are loaded while the ipsets don't exist yet. To work around this, you can either add the creation of these two ipsets to your permanent FirewallD configuration, or you can take more control of SSHGuard's FirewallD backend script. You can copy and modify the sshg-fw-firewalld script (it's an easy-to-follow bash script) and configure the BACKEND option to use your custom firewall backend.

Starting the service

Now that SSHGuard is installed and configured, you can start the service and check on its status with these commands:

systemctl start sshguard
systemctl status sshguard

Verify that it says active (running) in the output and that there are no errors or warnings in the log output.

To have SSHGuard start at system boot, run one last command:

systemctl enable sshguard

Test and verify

At this point, SSHGuard should be installed, configured, and protecting your machine. But how can you be sure it's working? Run the following command to follow the systemd journal entries from sshd and sshguard:

journalctl -ef -t sshguard -t sshd

From another machine (or at least another IP), try to log in to the protected system over SSH using invalid credentials. On the protected system you should see log entries from both SSHGuard and SSH about the unsuccessful login attempts.

Keep trying with invalid credentials until it stops working, and look at the log output. It should say that the IP was blocked and for how long. If you wait for the block duration to expire and then keep trying more logins, you should see the block time double.

You should see login attempts to sshd and log messages from SSHGuard like "Attack from "client8.homenet.example.com" on service 100 with danger 10." After five attacks SSHGuard should block the attacker with a message saying "Blocking "client8.homenet.example.com" for 600 secs (3 attacks in 75 secs, after 1 abuses over 75 secs)".

You can repeat the test first using the ssh -4 switch and then again with the ssh -6 switch when attempting to log in to the protected system, to verify that both the IPv4 and the IPv6 protection are working.

You can tweak the BLOCK_TIME and DETECTION_TIME durations in sshguard.conf to your liking. Note that BLOCK_TIME is doubled on every subsequent block per source IP.
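To make sense of the "Attack from" / "Blocking" messages described above, and to check the BLOCK_TIME doubling claim from the journal rather than by eye, here is an added example (not from the article or from SSHGuard): two awk filters run over constructed journal lines modelled on the quoted messages. The hostname, PID, addresses and timings in the sample are made up; 198.51.100.9 is constructed to show a repeat block that did not double.

```shell
#!/bin/sh
# Added example, not from the article or SSHGuard. Summarises
# `journalctl -t sshguard -t sshd` output: attacks per source, blocks per
# source, and whether each repeat block was >= 2x the previous one.
# SAMPLE_LOG is constructed for this example (addresses from RFC 5737/3849).
SAMPLE_LOG='Mar 01 10:00:01 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:00:04 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:00:08 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:00:08 fedora sshguard[812]: Blocking "203.0.113.7/32" for 120 secs (3 attacks in 7 secs, after 1 abuses over 7 secs.)
Mar 01 10:02:30 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:02:33 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:02:36 fedora sshguard[812]: Attack from "203.0.113.7" on service 100 with danger 10.
Mar 01 10:02:36 fedora sshguard[812]: Blocking "203.0.113.7/32" for 240 secs (3 attacks in 6 secs, after 2 abuses over 155 secs.)
Mar 01 10:05:00 fedora sshguard[812]: Attack from "2001:db8::2" on service 100 with danger 10.
Mar 01 10:06:00 fedora sshguard[812]: Attack from "198.51.100.9" on service 100 with danger 10.
Mar 01 10:06:00 fedora sshguard[812]: Blocking "198.51.100.9/32" for 120 secs (3 attacks in 9 secs, after 1 abuses over 9 secs.)
Mar 01 10:09:00 fedora sshguard[812]: Blocking "198.51.100.9/32" for 120 secs (3 attacks in 9 secs, after 2 abuses over 189 secs.)'

# attack_counts: "<source> <attacks>" per attacking address (stdin -> stdout).
# Splitting on the double quote makes the quoted address field $2.
attack_counts() {
    awk -F'"' '/Attack from "/ { n[$2]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# block_summary: "<source> <blocks> <longest-secs> <doubled|not-doubled>" per
# blocked address. The prefix length SSHGuard appends (/32, /128) is stripped.
block_summary() {
    awk -F'"' '/Blocking "/ {
        src = $2; sub("/[0-9]+$", "", src)
        match($0, /for [0-9]+ secs/)                 # e.g. "for 240 secs"
        secs = substr($0, RSTART + 4, RLENGTH - 9) + 0
        if (src in prev && secs < 2 * prev[src]) bad[src] = 1
        blocks[src]++; prev[src] = secs
        if (secs > longest[src]) longest[src] = secs
    } END {
        for (s in blocks) {
            v = (s in bad) ? "not-doubled" : "doubled"
            print s, blocks[s], longest[s], v
        }
    }' | LC_ALL=C sort
}

# Demo over the constructed sample; pipe real journalctl output in instead.
printf '%s\n' "$SAMPLE_LOG" | attack_counts
printf '%s\n' "$SAMPLE_LOG" | block_summary
```

With live data, `journalctl -b -t sshguard | block_summary` gives the same per-source view for the current boot.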

Reboot the system and repeat the test.

If you accidentally lock yourself out, you can find the commands for releasing yourself from the block in the FirewallD section above.
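The two firewall chores this article leaves to the reader, pre-creating the sshguard4/sshguard6 ipsets and drop rules in the permanent FirewallD configuration (the workaround from the FirewallD section) and releasing an address you locked yourself out with, as an added example that is not the article's or SSHGuard's own code. It assumes firewall-cmd is on PATH; the FW variable is an assumption of this example so the helpers can be dry-run against a stub, and the unblock removes the entry from both the runtime and the permanent set because which one SSHGuard's backend script populates is not stated here.

```shell
#!/bin/sh
# Added example, not part of the article or of SSHGuard.
# FW names the firewall-cmd command; point it at a stub function for a dry run
# (assumption of this example, not a firewall-cmd feature).
FW=${FW:-firewall-cmd}

# ensure_ipset NAME FAMILY: create the permanent ipset unless it already exists,
# so a FirewallD reload never references a set that is missing.
ensure_ipset() {
    if "$FW" --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$1"; then
        return 0
    fi
    "$FW" --permanent --new-ipset="$1" --type=hash:net --option=family="$2"
}

# ensure_drop_rule ZONE NAME: add the rich rule that drops traffic whose
# source is in the ipset, unless the zone already has it.
ensure_drop_rule() {
    rule="rule source ipset=$2 drop"
    if "$FW" --permanent --zone="$1" --query-rich-rule="$rule" >/dev/null 2>&1; then
        return 0
    fi
    "$FW" --permanent --zone="$1" --add-rich-rule="$rule"
}

# setup_zone ZONE: both ipsets, both drop rules, then reload to apply them.
setup_zone() {
    ensure_ipset sshguard4 inet && ensure_ipset sshguard6 inet6 &&
    ensure_drop_rule "$1" sshguard4 && ensure_drop_rule "$1" sshguard6 &&
    "$FW" --reload
}

# ipset_for ADDR: an IPv6 literal contains a colon; anything else is IPv4.
# This avoids the mismatch of looking for an IPv4 address in sshguard6.
ipset_for() {
    case $1 in *:*) echo sshguard6 ;; *) echo sshguard4 ;; esac
}

# unblock_address ADDR: remove the entry from the runtime and permanent set.
unblock_address() {
    set=$(ipset_for "$1")
    "$FW" --ipset="$set" --remove-entry="$1"
    "$FW" --permanent --ipset="$set" --remove-entry="$1"
}
```

The functions are idempotent, so `setup_zone home` can simply be re-run after SSHGuard has exited and flushed its sets.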