Original post is here: eklausmeier.goip.de
SSHGuard is a software to block unwanted SSH login attempts. SSHGuard has a very remarkable architecture: it has a set of independent programs doing parsing, block-indication, and actual blocking. I wrote about this in Analysis And Usage of SSHGuard. SSHGuard 2.4.3 is about 100kLines of C and shell code:
1 17 42 438 ./Makefile.am
2 123 403 3037 ./sshguard.in
3 708 2765 22860 ./Makefile.in
4 130646 622873 7655483 ./parser/attack_scanner.c
5 401 1202 11249 ./parser/attack_parser.y
6 584 2862 22115 ./parser/tests.txt
7 2061 9087 79252 ./parser/attack_parser.c
8 2 5 47 ./parser/test-sshg-parser
9 36 201 1219 ./parser/parser.h
10 56 178 1965 ./parser/attack.c
11 1035 4286 36122 ./parser/Makefile.in
12 146 366 3757 ./parser/parser.c
13 21 42 418 ./parser/Makefile.am
14 392 1959 22246 ./parser/attack_scanner.l
15 284 1276 11808 ./parser/attack_parser.h
16 25 62 425 ./fw/sshg-fw-ipset.sh
17 688 2706 23910 ./fw/Makefile.in
18 51 202 1296 ./fw/fw.h
19 38 88 574 ./fw/sshg-fw-iptables.sh
20 30 70 1089 ./fw/Makefile.am
21 36 88 586 ./fw/sshg-fw-ipfilter.sh
22 23 56 302 ./fw/sshg-fw-pf.sh
23 27 70 486 ./fw/sshg-fw-ipfw.sh
24 32 72 612 ./fw/sshg-fw.in
25 23 52 363 ./fw/sshg-fw-null.sh
26 384 1162 10702 ./fw/hosts.c
27 33 80 920 ./fw/sshg-fw-firewalld.sh
28 56 175 1147 ./fw/sshg-fw-nft-sets.sh
29 19 51 353 ./sshg-logtail
30 132 465 4383 ./blocker/sshguard_options.c
31 47 272 1673 ./blocker/sshguard_blacklist.h
32 137 605 3830 ./blocker/sshguard_whitelist.h
33 26 146 924 ./blocker/sshguard_log.h
34 129 607 3823 ./blocker/fnv.h
35 137 354 3929 ./blocker/blocklist.c
36 415 1580 14356 ./blocker/sshguard_whitelist.c
37 31 116 1097 ./blocker/attack.c
38 152 502 5019 ./blocker/sshguard_blacklist.c
39 145 670 3972 ./blocker/hash_32a.c
40 678 2598 25839 ./blocker/Makefile.in
41 45 285 1906 ./blocker/sshguard_options.h
42 302 1199 10354 ./blocker/blocker.c
43 13 19 236 ./blocker/blocklist.h
44 21 39 432 ./blocker/Makefile.am
45 30 73 646 ./common/sandbox.c
46 51 237 2163 ./common/address.h
47 41 104 1242 ./common/service_names.c
48 996 4757 31742 ./common/simclist.h
49 167 698 4909 ./common/config.h.in
50 16 31 310 ./common/sandbox.h
51 1512 5612 47636 ./common/simclist.c
52 77 441 3410 ./common/attack.h
53 143277 673891 8088612 total
The binary size is ca. 4MB for sshg-parser
:
1$ ls -l /usr/lib/sshguard
2total 4928
3-rwxr-xr-x 1 root root 34912 Jul 29 16:06 sshg-blocker*
4-rwxr-xr-x 1 root root 1532 Jul 29 16:06 sshg-fw-firewalld*
5-rwxr-xr-x 1 root root 18448 Jul 29 16:06 sshg-fw-hosts*
6-rwxr-xr-x 1 root root 1198 Jul 29 16:06 sshg-fw-ipfilter*
7-rwxr-xr-x 1 root root 1098 Jul 29 16:06 sshg-fw-ipfw*
8-rwxr-xr-x 1 root root 1181 Apr 17 2022 sshg-fw-ipset*
9-rwxr-xr-x 1 root root 1186 Jul 29 16:06 sshg-fw-iptables*
10-rwxr-xr-x 1 root root 1759 Jul 29 16:06 sshg-fw-nft-sets*
11-rwxr-xr-x 1 root root 975 Jul 29 16:06 sshg-fw-null*
12-rwxr-xr-x 1 root root 914 Jul 29 16:06 sshg-fw-pf*
13-rwxr-xr-x 1 root root 353 Jul 29 16:06 sshg-logtail*
14-rwxr-xr-x 1 root root 4630632 Jul 29 16:06 sshg-parser*
The main annoyance with SSHGuard was that sometimes it did not stop properly when stopped via systemd. During powering down one machine this is especially enerving as this increases overall downtime.
As SSHGuard has this quite clean architecture where parsing and block-indication are so clearly separated, it is easy to find out what it actually tries to block.
In addition at looking at the source code of the Flex rules in parser/attack_scanner.l
I now wrote Simplified SSHGuard in less than 20 lines of Perl.
In Arch Linux you can use ssshguard.
1. Firewall preparations #
Firewall setup is similar to SSHGuard.
1# Generated by iptables-save v1.8.6 on Sun Dec 20 13:29:18 2020
2*raw
3:PREROUTING ACCEPT [207:14278]
4:OUTPUT ACCEPT [180:113502]
5COMMIT
6
7# Empty iptables rule file
8*filter
9:INPUT ACCEPT [0:0]
10:FORWARD ACCEPT [0:0]
11:OUTPUT ACCEPT [0:0]
12-A INPUT -i eth0 -p tcp --dport 22 -m set --match-set reisbauerHigh src -j DROP
13-A INPUT -i eth0 -p tcp --dport 22 -m set --match-set reisbauerLow src -j DROP
14COMMIT
The sets in ipset
are defined in file /etc/ipset.conf
and are:
1create -exist reisbauerHigh hash:net family inet hashsize 65536 maxelem 65536 counters
2create -exist reisbauerLow hash:net family inet hashsize 65536 maxelem 65536 counters
The set reisbauerLow
is not needed.
However, sometimes it is convenient to have an already defined set, to which you can swap:
1ipset swap reisbauerHigh reisbauerLow
Once you power down your machine all firewall rules and all ipset sets are lost.
On rebooting the machine you initialize iptables and ipset again.
Though, the actual set content is forgotten.
Therefore you might run a cron-job to periodically save the reisbauerHigh set to reisbauerLow and filter for the ten most used IP addresses and store them in /etc/ipset.conf
.
For example:
1$ ipset save reisbauerLow | tail -n +2 | sort -rnk7 | cut -d' ' -f1-3 | head
2add reisbauerLow 180.101.88.244
3add reisbauerLow 170.64.232.196
4add reisbauerLow 170.64.204.232
5add reisbauerLow 170.64.202.190
6add reisbauerLow 5.135.90.165
7add reisbauerLow 170.64.133.48
8add reisbauerLow 61.177.172.136
9add reisbauerLow 139.59.4.108
10add reisbauerLow 159.223.225.209
11add reisbauerLow 103.164.8.158
Above command prints the ten most offending IP addresses which can be appended to /etc/ipset.conf
via cron.
See Periodic seeding.
2. Perl code #
Similar to SSHGuard, the simplified version reads its input from journalctl
.
Certain output lines of journalctl
then trigger the blocking via ipset
.
The logic is that all unsuccessful login attempts result in an entry in an ipset, which then permanently bans that IP address from any further login attempts.
I.e., the ssh daemon no longer even sees that.
You are blocked "forever", unless:
- You reboot, because ipset's are then reset
- You specifically unblock via
ipset del reisbauerHigh <IP-address>
- You flush ipset:
ipset flush reisbauerHigh
All triggering keywords or phrases are highlighted below.
1#!/bin/perl -W
2# Simplified version of SSHGuard with just Perl and ipset
3
4use strict;
5my ($ip, %B);
6my %whiteList = ( '192.168.0' => 1 );
7
8open(F,'-|','/usr/bin/journalctl -afb -p info -n1 -t sshd -t sshd-session -o cat') || die("Cannot read from journalctl");
9
10while (<F>) {
11 if (/Failed password for (|invalid user )(\s*\w*) from (\d+\.\d+\.\d+\.\d+)/) { $ip = $3; }
12 elsif (/authentication failure; .+rhost=(\d+\.\d+\.\d+\.\d+)/) { $ip = $1; }
13 elsif (/Disconnected from (\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]/) { $ip = $1; }
14 elsif (/Unable to negotiate with (\d+\.\d+\.\d+\.\d+)/) { $ip = $1; }
15 elsif (/(Connection closed by|Disconnected from) (\d+\.\d+\.\d+\.\d+) port \d+ \[preauth\]/) { $ip = $2; }
16 elsif (/Unable to negotiate with (\d+\.\d+\.\d+\.\d+) port \d+/) { $ip = $1; }
17 else { next; }
18
19 #print "Blocking $ip\n";
20 next if (defined($B{$ip})); # already blocked
21 next if (defined($whiteList{ substr($ip,0,rindex($ip,'.')) })); # in white-list
22
23 $B{$ip} = 1;
24 `ipset -quiet add -exist reisbauerHigh $ip/32 `;
25}
26
27close(F) || die("Cannot close pipe to journalctl");
Wait, isn't that more than 20 lines of code?
Yes, but if you remove comments and empty lines, drop the close()
, which is not strictly needed, then you come out at below 20 lines of source code, including configuration.
The whiteList
hash variable contains all those class C networks, which you do not want to block, even if the passwords are given wrong multiple times.
Adding class C addresses to %whitelist
should be obvious.
For example:
1my %whiteList = ( '10.0.0' => 1, '192.168.0' => 1, '192.168.178' => 1 );
3. Starting and stopping #
Starting and stopping via systemd is 100% same as SSHGuard. systemd script is stored here:
/etc/systemd/system/multi-user.target.wants/sshguard.service
The systemd script is as below:
1[Unit]
2Description=Simplified SSHGuard - blocks brute-force login attempts
3After=iptables.service
4After=ip6tables.service
5After=libvirtd.service
6After=firewalld.service
7After=nftables.service
8
9[Service]
10ExecStart=/usr/sbin/ssshguard
11Restart=always
12
13[Install]
14WantedBy=multi-user.target
4. Periodic seeding #
Below Perl script can be run every few hours to save the current set of IP addresses and store them in /etc/ipset.conf
.
1#!/bin/perl -W
2# The top most IP addresses from reisbauerLow+High are retained in reisbauerLow,
3# or more exact, every ipset which blocked more than 99 packets.
4# This program must be run as root: ipset command needs this privilege
5#
6# Command line argument:
7# -m minimum number of packets blocked so far, default is 100
8
9
10use strict;
11
12use Getopt::Std;
13my %opts = ('m' => 100);
14getopts('m:',\%opts);
15my $minBlock = defined($opts{'m'}) ? $opts{'m'} : 100;
16my @F;
17
18open(F,'-|','/bin/ipset save -sorted') || die("Cannot read from ipset");
19
20print "create -exist reisbauerHigh hash:net family inet hashsize 65536 maxelem 65536 counters\n";
21print "create -exist reisbauerLow hash:net family inet hashsize 65536 maxelem 65536 counters\n";
22
23while (<F>) {
24 next if (! /^add reisbauer/);
25 chomp;
26
27 @F = split(/ /);
28 if ($minBlock > 0) {
29 next if ($#F < 6);
30 next if ($F[4] < $minBlock);
31 }
32 printf("add -exist reisbauerLow %s\n",$F[2]);
33}
34
35close(F) || die("Cannot close pipe to ipset");