Hi,

On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
> And I agree about SSHGuard. I've had a better experience with it, and
> it generally seems like a more carefully developed and more thoroughly
> documented project. Strangely, though, most experienced sysadmins
> still use and suggest fail2ban. Maybe I'm just missing something, or
> maybe people don't know about SSHGuard.
>

I'm still wondering about the popularity of fail2ban and SSHGuard,
especially in regard to the ssh service. You can achieve almost the same
behaviour with every major firewall. See for example [1] and [2].

And for the lazy ones, my current configs:

iptables & ip6tables under Linux:

# ssh incoming
# bucket: /proc/net/xt_recent/SSH - see for stats
# ipv4
iptables -N SSHSCAN
iptables -F SSHSCAN
iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH --rsource
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: "
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT

# ipv6
ip6tables -N SSHSCAN
ip6tables -F SSHSCAN
ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
ip6tables -A SSHSCAN -m recent --set --name SSH --rsource
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: "
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT

pf under FreeBSD:

block quick from <blacklist>
# .
# .
# .
pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-Port> flags S/SA keep state \
    (max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in "

You can adjust the parameters to control when a host is blacklisted and
for how long.

-- 
regards
alex
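
The iptables rules above depend on how the recent match counts hits inside its time window. As an added example (not part of the original message, and not the kernel's code), this simplified Python model replays constructed connection timestamps through the SSHSCAN chain with --seconds 900 and --hitcount 5, so the thresholds can be tried out before loading them. The ring size, the sample addresses and all function names are assumptions.

```python
from collections import defaultdict, deque

SECONDS = 900    # --seconds from the SSHSCAN rules
HITCOUNT = 5     # --hitcount from the SSHSCAN rules
RING_SIZE = 20   # assumption: stamps kept per source (xt_recent ip_pkt_list_tot)


class RecentList:
    """Simplified model of one xt_recent list (--name SSH --rsource)."""

    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=RING_SIZE))

    def set(self, src, now):
        # --set: record a timestamp for the source; always matches
        self.stamps[src].append(now)
        return True

    def update(self, src, now, seconds=SECONDS, hitcount=HITCOUNT):
        # --update: matches when at least `hitcount` stamps lie inside the
        # window; a match records another stamp, so a source that keeps
        # retrying keeps its own window full
        hits = sum(1 for t in self.stamps[src] if t >= now - seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def sshscan(recent, src, now):
    """Walk one NEW connection through the SSHSCAN chain; return the verdict."""
    recent.set(src, now)          # rule 1: --set
    recent.update(src, now)       # rule 2: ULOG/LOG target, non-terminating
    if recent.update(src, now):   # rule 3: DROP
        return "DROP"
    return "ACCEPT"               # rule 4


def replay(events):
    """events: (time in seconds, source address) pairs in time order."""
    recent = RecentList()
    return [(t, src, sshscan(recent, src, t)) for t, src in events]


# Constructed sample: one noisy source and one occasional login.
SAMPLE = [(0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
          (30, "198.51.100.7"), (40, "198.51.100.7"), (60, "192.0.2.10"),
          (500, "198.51.100.7"), (900, "198.51.100.7"), (2300, "198.51.100.7")]

if __name__ == "__main__":
    for t, src, verdict in replay(SAMPLE):
        print(f"t={t:>5}s  {src:<14} {verdict}")
```

In this model the fifth new connection inside 900 seconds is the first one dropped, and the source is accepted again only once fewer than five of its stamps remain inside the window.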
