1
0
Fork 0
knowledge-base/KB/Linux/Server/SSH Guard, iptables.md

61 lines
2 KiB
Markdown

---
creation date: 2022-01-08
tags: [note,archlinux,linux,security,ssh,iptables]
---
## SSH
Disable weak ciphers by adding the following to the `sshd_config` file:
```shell
# Disable weak ciphers
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512
MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms ssh-rsa,rsa-sha2-256,rsa-sha2-512
```
Be sure to disable password auth (`PasswordAuthentication no`) and set `PermitRootLogin yes`
## iptables
Install `sshguard`. To function properly, add a chain for it (ipv4 and ipv6). Don't forget to restart docker daemon if services don't work properly. Docker manipulates firewall rules.
Ports `22` and `2222` will be monitored in this example.
Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables).
```shell
# IPv4
iptables -N sshguard
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard
ip6tables-save > /etc/iptables/ip6tables.rules
```
Start with `systemctl enable --now sshguard` or restart afterwards with `systemctl restart sshguard` to apply or `ExecStartPre=` above in sshguard's systemd file.
```shell
ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10'
```
or create the following file and execute on every reboot with a certain, e.g. with
```shell
[Timer]
OnBootSec=1min
```
```shell
# IPv4
iptables -N sshguard && \
iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
iptables-save > /etc/iptables/iptables.rules
# IPv6
ip6tables -N sshguard && \
ip6tables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \
ip6tables-save > /etc/iptables/ip6tables.rules
```