--- creation date: 2022-01-08 tags: [note,archlinux,linux,security,ssh,iptables,firewall] --- `sshguard` uses netfilter of kernel (iptables). ## SSH Disable weak ciphers by adding the following to the `sshd_config` file: ```shell # Disable weak ciphers KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512 MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512 ``` Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes` ## Setting up iptables Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules. Ports `22` and `2222` will be monitored in this example. You can add any ssh daemon port, e.g. `10022` in addition, separated with `,`. If you have a more complex setup and use `docker`, you probably want a `FILTERS` chain which is loading _before_ `DOCKER-USER`, and apply rules dynamically with `iptables -n` (no flush). [sshguard on wiki.archlinux.org](https://wiki.archlinux.org/index.php/Sshguard#iptables). ```shell # IPv4 iptables -N sshguard iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard iptables-save > /etc/iptables/iptables.rules # IPv6 ip6tables -N sshguard ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard ip6tables-save > /etc/iptables/ip6tables.rules ``` Start with `systemctl enable --now sshguard` or restart afterwards with `systemctl restart sshguard` to apply or `ExecStartPre=` above in sshguard's systemd file. ```shell ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10' ``` or create the following file and execute on every reboot with a certain, e.g. with ```shell [Timer] OnBootSec=1min ``` ```shell # IPv4 iptables -N sshguard && \ iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \ iptables-save > /etc/iptables/iptables.rules # IPv6 ip6tables -N sshguard && \ ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \ ip6tables-save > /etc/iptables/ip6tables.rules ```