### =========================================
### About sshguard
### =========================================
Install the sshguard package.
sshguard works by monitoring /var/log/auth.log, syslog-ng or the systemd journal for failed login attempts.
Offending hosts are then banned through the firewall.
The ban is logged to syslog and ends up in /var/log/auth.log, or in the systemd journal if systemd is being used.
To make the ban affect only port 22, simply do not send packets going to other ports through the "sshguard" chain.
You must configure a firewall, such as iptables, for sshguard to use; without one, blocking does not work.
### =========================================
### About iptables
### =========================================
iptables is a systemd service and is started accordingly.
However, the service won't start unless it finds an /etc/iptables/iptables.rules file,
which is not provided by the Arch iptables package.
So to start the service for the first time, create that file (the commands in these notes need root):
$ touch /etc/iptables/iptables.rules
or
$ cp /etc/iptables/empty.rules /etc/iptables/iptables.rules
Then start the iptables.service unit.
As with other services, if you want iptables to be loaded automatically on boot, you must enable it.
$ systemctl enable iptables
$ systemctl start iptables
Rules added on the command line are not written to the configuration file automatically;
you have to save them manually:
$ iptables-save > /etc/iptables/iptables.rules
If you edit the configuration file by hand, you have to reload the iptables service,
or you can load the file directly through iptables:
$ iptables-restore < /etc/iptables/iptables.rules
### =================================================
### Setup sshguard with iptables (a systemd service)
### =================================================
1. Create a new chain for iptables and sshguard
$ iptables -N sshguard
$ iptables -A INPUT -p tcp --dport 22 -j sshguard
$ iptables-save > /etc/iptables/iptables.rules
2. Reload iptables service
$ systemctl reload iptables
3. Enable and start the sshguard.service.
# NOTE: The provided systemd unit uses a blacklist located at
# /var/db/sshguard/blacklist.db and pipes journalctl into sshguard for monitoring.
$ systemctl enable sshguard.service
$ systemctl start sshguard.service
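A check for the setup above, added here as an example and not part of the original notes or of sshguard: it audits iptables-save output to confirm that the sshguard chain exists, that INPUT jumps to it, and that no earlier ACCEPT rule lets SSH traffic through before the jump (rule order matters because step 1 appends with -A). The function name and both sample rule sets are assumptions made up for the example.

```shell
# check_sshguard_rules is a hypothetical helper name; it reads iptables-save output on stdin.
check_sshguard_rules() {
    awk '
        /^:sshguard / { chain = 1 }          # chain created by "iptables -N sshguard"
        /^-A INPUT / {
            n++
            if ($0 ~ /-j sshguard( |$)/) { if (!jump) jump = n; next }
            # Only two shadowing cases are detected: an ACCEPT on --dport 22
            # and an ACCEPT with no match at all.
            if ($0 ~ /-j ACCEPT( |$)/ && !accept)
                if ($0 ~ /--dport 22( |$)/ || $0 ~ /^-A INPUT -j ACCEPT/) accept = n
        }
        END {
            if (!chain) { print "FAIL: chain sshguard is not declared"; exit 1 }
            if (!jump)  { print "FAIL: INPUT never jumps to sshguard"; exit 2 }
            if (accept && accept < jump) {
                print "FAIL: INPUT rule " accept " accepts SSH before the sshguard jump"
                exit 3
            }
            print "OK: SSH traffic reaches the sshguard chain"
        }'
}

# Constructed sample: rules file as saved after step 1.
sample_good() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
EOF
}

# Constructed sample: an earlier ACCEPT for port 22 makes the sshguard jump unreachable.
sample_shadowed() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
EOF
}

sample_good | check_sshguard_rules
sample_shadowed | check_sshguard_rules || echo "audit failed with status $?"
```

On a live system, redirect the saved rules file (/etc/iptables/iptables.rules) into check_sshguard_rules instead of the samples.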
### =================================================
### Debugging and Errors
### =================================================
Probably you have updated the kernel but never rebooted the system...
### =======================================================================
### How can I view all the addresses that sshguard has blocked in iptables?
### =======================================================================
$ sudo iptables -nvL sshguard