[tor-relays] doc/HARDENING Draft
tor at zengers.de
Fri Nov 28 00:50:37 UTC 2014
Hi,
On Tue, Nov 25, 2014 at 10:58:57AM -0500, Libertas wrote:
> And I agree about SSHGuard. I've had a better experience with it, and
> it generally seems like a more carefully developed and more thoroughly
> documented project. Strangely, though, most experienced sysadmins
> still use and suggest fail2ban. Maybe I'm just missing something, or
> maybe people don't know about SSHGuard.
>
I'm still wondering about the popularity of fail2ban and SSHGuard,
especially in regard to the ssh service. You can achieve almost the same
behaviour with every major firewall. See for example [1] and [2].
And for the lazy ones, my current configs:
iptables & ip6tables under linux:
# ssh incoming
# bucket: /proc/net/xt_recent/SSH - see for stats
# ipv4
iptables -N SSHSCAN
iptables -F SSHSCAN
iptables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
iptables -A SSHSCAN -m recent --set --name SSH --rsource
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j ULOG --ulog-prefix "SSH-Bruteforce iptables: "
iptables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
iptables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
# ipv6
ip6tables -N SSHSCAN
ip6tables -F SSHSCAN
ip6tables -A INPUT -p tcp -m tcp --dport <YOUR-SSH-PORT> -m state --state NEW -j SSHSCAN
ip6tables -A SSHSCAN -m recent --set --name SSH --rsource
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j LOG --log-prefix "SSH-Bruteforce iptables: "
ip6tables -A SSHSCAN -m recent --update --seconds 900 --hitcount 5 --name SSH --rsource -j DROP
ip6tables -A SSHSCAN -p tcp --dport <YOUR-SSH-PORT> -j ACCEPT
pf under FreeBSD:
block quick from <blacklist>
# .
# .
# .
pass in proto tcp from any to <YOUR-IP> port = <YOUR-SSH-PORT> flags S/SA keep state \
(max-src-conn 4, max-src-conn-rate 4/10, overload <blacklist> flush global) label "ssh: in"
You can adjust the parameters to control when a host is blacklisted and for how long.
--
regards
alex
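To see how the thresholds in the SSHSCAN chain behave before putting them on a relay, here is an added Python model of the iptables `recent` module as that chain uses it (this is not code from the post above or from the netfilter project). It assumes the kernel defaults: 20 timestamps kept per source (ip_pkt_list_tot), `--set` records a hit on every new connection, and `--update --seconds 900 --hitcount 5` matches when at least 5 hits fall inside the last 900 seconds and then records a further hit on match. The traffic below is constructed: one source hammering the port every 10 seconds, one admin logging in three times.

```python
"""Model of the iptables `recent` module as used in the SSHSCAN chain."""
from collections import defaultdict, deque

WINDOW = 900      # --seconds 900
HITCOUNT = 5      # --hitcount 5
STAMPS_MAX = 20   # ip_pkt_list_tot default: timestamps kept per source


class RecentTable:
    """Per-source ring of 'seen' timestamps, like /proc/net/xt_recent/SSH."""

    def __init__(self, stamps_max=STAMPS_MAX):
        self.stamps = defaultdict(lambda: deque(maxlen=stamps_max))

    def set(self, src, now):
        # -m recent --set: create the entry if needed and record a hit
        self.stamps[src].append(now)

    def update(self, src, now, seconds=WINDOW, hitcount=HITCOUNT):
        # -m recent --update --seconds S --hitcount N: match when the source
        # has >= N hits within the last S seconds; on match, record another hit
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        if hits >= hitcount:
            self.stamps[src].append(now)
            return True
        return False


def sshscan(table, src, now, log):
    """Walk the SSHSCAN chain for one NEW TCP connection and return the verdict."""
    table.set(src, now)                              # rule 1: --set
    if table.update(src, now):                       # rule 2: --update ... -j LOG
        log.append(f"SSH-Bruteforce iptables: SRC={src} t={now}")
    if table.update(src, now):                       # rule 3: --update ... -j DROP
        return "DROP"
    return "ACCEPT"                                  # rule 4: -j ACCEPT


def simulate(events):
    """Replay (time, source) connection attempts; return verdicts and log lines."""
    table, log, verdicts = RecentTable(), [], []
    for now, src in sorted(events):
        verdicts.append((now, src, sshscan(table, src, now, log)))
    return verdicts, log


# Constructed sample traffic (documentation addresses, not real hosts):
# an attacker tries every 10 s for 100 s, then once more after 1000 s of silence;
# an admin connects three times over ten minutes.
ATTACKER, ADMIN = "203.0.113.7", "198.51.100.2"
SAMPLE_EVENTS = [(t, ATTACKER) for t in range(0, 101, 10)] + [(1100, ATTACKER)]
SAMPLE_EVENTS += [(0, ADMIN), (300, ADMIN), (600, ADMIN)]

if __name__ == "__main__":
    verdicts, log = simulate(SAMPLE_EVENTS)
    for now, src, verdict in verdicts:
        print(f"t={now:5d} {src:13s} {verdict}")
    print("\n".join(log))
```

Two things the run makes visible that the rule text alone does not: the fifth attempt inside the window is the first one dropped (the `--set` rule counts the current packet too), and because every later attempt, dropped or not, adds fresh timestamps, the block only lifts once the source has been quiet for the full 900 seconds, while three spread-out admin logins never come near the threshold. Shortening `--seconds` or raising `--hitcount` moves exactly those two points.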