alexander.schaeferdiek/knowledge-base
1
0
Fork 0
Code Activity
knowledge-base/KB/Linux/Server/SSH Guard.md

65 lines
2.3 KiB
Markdown
Raw Blame History

---
creation date: 2022-01-08
tags: [note,archlinux,linux,security,ssh,iptables,firewall]
---
`sshguard` uses netfilter of kernel (iptables).
## SSH
Disable weak ciphers by adding the following to the `sshd_config` file:
```shell
# Disable weak ciphers
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
```
Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes`
## Setting up iptables
Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
Ports `22` and `2222` will be monitored in this example. You can add any ssh daemon port, e.g. `10022` in addition, separated with `,`.
If you have a more complex setup and use `docker`, you probably want a `FILTERS` chain which is loading _before_ `DOCKER-USER`, and apply rules dynamically with `iptables -n` (no flush).
[sshguard on wiki.archlinux.org](https://wiki.archlinux.org/index.php/Sshguard#iptables).
Use this or have rules defined inside `/etc/iptables/{iptables,ip6tables}.rules` for IPv4 or IPv6.
```shell
# IPv4
iptables -N sshguard
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
# IPv6
ip6tables -N sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
```
Start with `systemctl enable --now sshguard` or restart afterwards with `systemctl restart sshguard` to apply or `ExecStartPre=` above in sshguard's systemd file.
```shell
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
```
or create the following file and execute on every reboot with a certain, e.g. with
```shell
[Timer]
OnBootSec=1min
```
```shell
# IPv4
iptables -N sshguard && \
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard && \
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
ip6tables-save > /etc/iptables/ip6tables.rules
```
View git blame Copy permalink