Gentoo Wiki

HOWTO_sshdfilter


Introduction

This is a basic howto on preventing brute-force attacks on sshd using sshdfilter. sshdfilter executes sshd itself and constantly watches the log messages sshd produces, so a block can be put in place instantly. It also logs all attempts, and a supplied Logwatch script can give you periodic summaries. If it detects an attack attempt (by default, one attempt to log on with an invalid username, or three failed attempts to log on with a valid username), it creates an iptables rule that blocks the attacker's IP address from connecting to the sshd port.
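To make the blocking logic concrete, here is an added Python example (not part of the original article or of sshdfilter itself) that applies the two default thresholds described above to a few constructed sshd log lines and produces the iptables rule that would be added for each offending address. The chain name SSHD and port 22 are assumptions; the rules are only printed, not applied.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format sshd writes to /var/log/messages.
SAMPLE_LOG = """\
Jan  4 00:01:01 ande sshd[27448]: Invalid user admin from 203.0.113.7
Jan  4 00:01:05 ande sshd[27451]: Failed password for root from 198.51.100.9 port 4022 ssh2
Jan  4 00:01:09 ande sshd[27453]: Failed password for root from 198.51.100.9 port 4031 ssh2
Jan  4 00:01:12 ande sshd[27455]: Failed password for root from 198.51.100.9 port 4040 ssh2
Jan  4 00:01:20 ande sshd[27460]: Accepted publickey for ande from 192.0.2.5 port 5100 ssh2
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Attempts against a username that does not exist on the host (instant block).
INVALID_USER = re.compile(r"sshd\[\d+\]: (?:Invalid user|Failed password for invalid user) (\S+) from " + IPV4)
# Failed password for an existing account (block after the configured number of tries).
VALID_USER_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from " + IPV4)

def block_rule(ip, port=22):
    # Assumed chain name SSHD; emerge --config creates the real chain on a Gentoo box.
    return f"iptables -A SSHD -s {ip} -p tcp --dport {port} -j DROP"

def decide_blocks(log_text, valid_user_limit=3):
    """Return {ip: reason} for addresses that cross sshdfilter's default thresholds."""
    failures = defaultdict(int)
    blocked = {}
    for line in log_text.splitlines():
        m = INVALID_USER.search(line)
        if m:
            blocked.setdefault(m.group(2), "Illegal user name, instant block")
            continue
        m = VALID_USER_FAIL.search(line)
        if m:
            user, ip = m.group(1), m.group(2)
            failures[ip] += 1
            if failures[ip] >= valid_user_limit and ip not in blocked:
                blocked[ip] = f"{valid_user_limit} failed attempts for valid user {user}"
    return blocked

def rules_for(log_text):
    return [block_rule(ip) for ip in decide_blocks(log_text)]

if __name__ == "__main__":
    for ip, reason in decide_blocks(SAMPLE_LOG).items():
        print(f"{reason}: {ip} -> {block_rule(ip)}")
```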

Note: This article assumes you have OpenSSH installed and iptables (HOWTO Iptables for newbies) is working.

Install

An ebuild is available in bug# 120764 on bugs.gentoo.org. Remember to pick the latest version (at the moment 1.5.5). Download the ebuild and place it in your portage overlay folder (see HOWTO Installing 3rd Party Ebuilds). There is also a contributed patch called gentoo.partconf, which should be added to files/. Then unmask sshdfilter and finally install it using emerge -avu sshdfilter.

Creating the iptables chain

This is now handled by the ebuild. Simply run emerge --config sshdfilter to generate and save the needed iptables rules. Edit /etc/sshdfilterrc to suit your needs: nano -w /etc/sshdfilterrc.

Creating sshdfilter initscript

There is no init script created for sshdfilter, so you'll have to create one yourself. What I did was to copy the sshd init script and edit it to start sshdfilter instead of sshd:

Code:
 cp /etc/init.d/sshd /etc/init.d/sshdfilter
 nano -w /etc/init.d/sshdfilter

Change from:

File: /etc/init.d/sshdfilter
SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshd}

To:

File: /etc/init.d/sshdfilter
SSHD_BINARY=${SSHD_BINARY:-/usr/sbin/sshdfilter}

Starting sshdfilter daemon

First we need to stop sshd and prevent it from starting on the next boot: /etc/init.d/sshd stop && rc-update del sshd. Now we will start sshdfilter and add it to the default runlevel: /etc/init.d/sshdfilter start && rc-update add sshdfilter default.

Summary

To check if everything works as planned: cat /var/log/messages | grep sshdfilt. You should see something like:

Jan 23 00:26:30 ande sshdfilt[10365]: sshdfilter 1.4.2 starting up, running sshd proper

When sshdfilter blocks an IP, you will see something like this in /var/log/messages:

Jan  4 00:01:02 ande sshdfilt[27447]: Illegal user name, instant block of 133.62.174.215

Retrieved from "http://www.gentoo-wiki.info/SSH/sshdfilter"

Last modified: Tue, 09 Sep 2008 22:43:00 +0000