| creation date | tags |
|---|---|
| 2022-01-08 | SSH Guard, iptables |
SSH
Disable weak algorithms (key exchange, MACs and host-key signatures) by adding the following to the sshd_config file:
# Disable weak ciphers
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
# Note: ssh-rsa means RSA with SHA-1 signatures (disabled by default since OpenSSH 8.8); this list also allows RSA host keys only, no ed25519
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
Be sure to disable password authentication (PasswordAuthentication no) and set PermitRootLogin yes.
iptables
Install sshguard. For it to function properly, add a chain for it (IPv4 and IPv6). Docker manipulates firewall rules, so restart the docker daemon if its services stop working properly after these rules are loaded. Ports 22 and 2222 will be monitored in this example.
# IPv4
iptables -N sshguard
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
ip6tables-save > /etc/iptables/ip6tables.rules
Start sshguard with systemctl enable --now sshguard, or restart it afterwards with systemctl restart sshguard so that the chain is picked up. Alternatively, add an ExecStartPre= line like the following to sshguard's systemd unit so that the service waits until the SSH port is reachable before it starts:
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
or put the commands below in a script and run it on every reboot after a certain delay, e.g. with a systemd timer using
[Timer]
OnBootSec=1min
# IPv4
iptables -N sshguard && \
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard && \
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
ip6tables-save > /etc/iptables/ip6tables.rules
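The chain setup above and the boot-timer variant both run `iptables -N sshguard` unconditionally, which fails once the chain already exists (for example after the saved rules were restored at boot), and because the commands are chained with `&&` the remaining steps are then skipped. The following is an added example, not part of the original note, that makes the same setup idempotent: it probes with `-L` and `-C` before creating anything, and inserts the jump at the top of INPUT so that it is evaluated before any rule that already accepts the SSH ports. The function name, the SSHGUARD_PORTS and SSHGUARD_APPLY variables and the dry-run stub are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original note): idempotent sshguard chain setup.
# SSHGUARD_PORTS, SSHGUARD_APPLY and the dry-run stub are this example's own names.
: "${SSHGUARD_PORTS:=22,2222}"

# ensure_sshguard_chain <iptables-or-ip6tables-command>
# Creates the 'sshguard' chain when missing and inserts the INPUT jump once;
# running it again is a no-op, so it is safe from a boot timer, an
# ExecStartPre=, or after a Docker restart.
ensure_sshguard_chain() {
    ipt="$1"
    # 'iptables -N' fails if the chain exists, so probe with -L first.
    if ! "$ipt" -n -L sshguard >/dev/null 2>&1; then
        "$ipt" -N sshguard
    fi
    # -C tests for an identical rule. Insert (-I) rather than append (-A) so the
    # jump is evaluated before any rule that already ACCEPTs the SSH ports; a
    # jump appended behind such a rule would never see the traffic.
    if ! "$ipt" -C INPUT -m multiport -p tcp --destination-ports "$SSHGUARD_PORTS" -j sshguard >/dev/null 2>&1; then
        "$ipt" -I INPUT -m multiport -p tcp --destination-ports "$SSHGUARD_PORTS" -j sshguard
    fi
}

# Dry-run stand-in for iptables: prints each call; the probes report "missing"
# so that every step is shown.
dry_ipt() {
    echo "would run: iptables $*"
    case "$1" in -n|-C) return 1 ;; esac
}

# SSHGUARD_APPLY=1 sh sshguard-chain.sh -> apply to both address families and
# persist (same file paths as the note above); otherwise print what would be done.
if [ "${SSHGUARD_APPLY:-0}" = 1 ]; then
    ensure_sshguard_chain iptables
    ensure_sshguard_chain ip6tables
    iptables-save  > /etc/iptables/iptables.rules
    ip6tables-save > /etc/iptables/ip6tables.rules
else
    ensure_sshguard_chain dry_ipt
fi
```

Pointing the systemd timer (or the ExecStartPre= line) at this script instead of the raw `iptables -N` sequence means a second run after the rules were restored does nothing, while a fresh boot without saved rules still creates the chain and the jump.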