creation date | tags
---|---
2022-01-08 |
sshguard
sshguard watches the authentication log for brute-force attempts and blocks the offending addresses through the kernel's netfilter; this page uses its iptables backend.
SSH
Disable weak key exchange, MAC and host key algorithms by adding the following to the sshd_config file (note that, despite the comment, this block does not set a Ciphers line; the OpenSSH defaults there are acceptable, add one only if you want to pin them):
# Disable weak algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-256,rsa-sha2-512
ssh-rsa (RSA with SHA-1 signatures) deliberately does not appear in HostKeyAlgorithms: it is exactly what rsa-sha2-256 and rsa-sha2-512 replace, and OpenSSH 8.8 and later disable it by default anyway. ssh-ed25519 is listed so that an Ed25519 host key keeps working; an RSA-only list would silently drop it.
Be sure to disable password auth (PasswordAuthentication no) and set PermitRootLogin no (or prohibit-password if root must still be reachable with a key, e.g. for backups). Check the effective configuration with sshd -T before restarting sshd, and keep an existing session open while testing so a typo does not lock you out.
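The following is an added example, not part of the original notes, that turns the settings above into a check: it reads an sshd_config file the way sshd resolves keywords (first occurrence wins, comment lines ignored) and reports password auth left enabled, direct root login, and legacy algorithm names such as ssh-rsa, SHA-1 MACs or CBC ciphers. The function names, the list of legacy substrings and the sample configs in the usage are assumptions of this example; Match blocks and the "keyword=value" spelling are not handled.

```shell
#!/bin/bash
# Added example (not from the original notes): audit an sshd_config file for the
# hardening settings discussed above. Match blocks and "key=value" syntax are
# not handled (assumption of this example).

# sshd_value <file> <keyword>
# Prints the lowercase value of a keyword. sshd uses the first occurrence of a
# keyword and ignores later ones, so this does the same; comment lines never match.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# audit_sshd_config <file>
# Prints one line per finding plus a summary line; exit status 0 only when clean.
audit_sshd_config() {
    local cfg="$1" findings=0 v key
    v="$(sshd_value "$cfg" PasswordAuthentication)"
    # An unset keyword means sshd's default, which is yes.
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}' (effective: yes); want no"
        findings=$((findings + 1))
    fi
    v="$(sshd_value "$cfg" PermitRootLogin)"
    if [ "$v" = "yes" ]; then
        echo "PermitRootLogin yes: root can log in directly; want no or prohibit-password"
        findings=$((findings + 1))
    fi
    # Legacy names that should not survive a hardening pass (assumed list).
    for key in KexAlgorithms HostKeyAlgorithms MACs Ciphers; do
        v="$(sshd_value "$cfg" "$key")"
        case ",$v," in
            *,ssh-rsa,*|*,ssh-dss,*|*sha1*|*md5*|*-cbc,*|*3des*|*arcfour*)
                echo "$key contains a legacy algorithm: $v"
                findings=$((findings + 1)) ;;
        esac
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```

On a live host, `sshd -T` dumps the effective configuration including defaults and Match blocks; feeding that output to the function instead of the raw file avoids the two limitations noted above.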
Setting up iptables
Install sshguard. Its iptables backend expects a chain named sshguard to exist in both the IPv4 and the IPv6 filter table, with a jump to it from INPUT for the SSH ports, so create that chain before starting the service. Ports 22 and 2222 are monitored in this example; any other ssh daemon port, e.g. 10022, can be appended to the comma-separated port list. Docker rewrites firewall rules when it starts, so restart the docker daemon if services stop working after the rules have been changed.
If you have a more complex setup and use docker, keep your own rules in a dedicated chain (e.g. FILTERS) that is evaluated before DOCKER-USER, and apply changes with iptables-restore -n (--noflush) so that the existing rules, including the ones Docker manages, are not flushed. Keep in mind that traffic to port-mapped containers traverses FORWARD (where DOCKER-USER is hooked in), not INPUT, so a jump from INPUT alone does not protect an sshd running inside a container.
See sshguard on wiki.archlinux.org. Either run the commands below once, or put the same rules into /etc/iptables/iptables.rules (IPv4) and /etc/iptables/ip6tables.rules (IPv6) so they are restored at boot.
# IPv4
iptables -N sshguard
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
# IPv6
ip6tables -N sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
Start sshguard with systemctl enable --now sshguard once the chain exists, or restart an already running instance with systemctl restart sshguard to pick the chain up. If the monitored service only becomes available later in the boot (e.g. an sshd on port 2222 started by docker), the following ExecStartPre= in sshguard's systemd unit (preferably as a drop-in created with systemctl edit sshguard) delays the start until that port is listening:
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
Alternatively, create the following script and run it on every boot after a fixed delay, e.g. from a systemd timer with:
[Timer]
OnBootSec=1min
#!/bin/bash
# Create the sshguard chain and the INPUT jump, then persist the rules.
# The && chains are deliberate: when the chain already exists (e.g. restored
# from the saved rules), iptables -N fails and the remaining steps are skipped.
# IPv4
iptables -N sshguard && \
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard && \
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
ip6tables-save > /etc/iptables/ip6tables.rules