- edited description
Feature : block by services
Hi,
I would like to puprose a new feature for sshguard : block only on the service attacked.
This could be very usefull for many cases.
I have made some test, and it is really easy to get it working.
I just add an optional mode in the conf file :
-
default mode : block all services
-
service mode : block service by service
I will be able to submit a PR for that if it could be a new feature for sshguard.
Regards.
Josh_
Comments (9)
-
reporter -
How did you get this working? SSHGuard will add a block in a firewall table for whole addresses, not ports.
-
reporter this is because SSHGuard only track the sshg_address,
but if we change it to track attack_t, it is really really easy to track the adresse and/or the service.
Exemple of case : As it, if server A is connected to server B to provide services like OpenVPN, FTP, EXIM, SSH, etc... If the support team open ssh from A to B and fail password, all services are not blocked at the same time.
This patch works to me : https://redmine.pfsense.org/attachments/download/2690/sshguad_by_service_filtering.patch ( i purpose it to pfSense because they miss something in their system).
But the one i can submit here is a little better.
-
I see. Could you show your changes in sshg-fw-*? fw_block and fw_release would need to be modified for all firewalls, but that might make it a worthwhile option to add.
-
reporter you talk about BACKENDS ?
If so, we need to do better example for this, i haven't for now. But the user need to personalize them, obv.
But, if we provide a backend that create 1 rule by service, it works good, isn't ?
-
reporter for later use, we can add option to group services in regard of a rule... i think about it since few days, but i dont know how is the best we can do....
-
reporter Hi Kevin,
I just finish a version wich is working and need to be tested more : https://bitbucket.org/JoshuaSign/sshguard/commits/0a769bec804e2bbebe3cdd8aece1cac91d3af5bf?at=sshguard_featured
As i need some feature we talk about, and others, i finaly add all of them in this.
The mains changes :
-
add SERVICES_MONITORING variable in config to set a list of services to monitor.
-
add SERVICES_DISTINCT variable in config to block/release attacker ip service by service.
-
add OFFENDERS_FILE variable in config to save an reload offenders list when sshguard stop/start
-
add FORGIVE_TIME variable in config to purge offenders list and dont keep them forever.
-
add DEBUG variable in config (more friendly to use)
-
using services names instead of numbers for end user for config, logs and firewall (using x-macros)
-
changes in sshg-fw-iptables.sh and sshg-fw-pf.sh to be able to work with "services distinct" mode
Others little changes :
-
change LOGREADER example command line with a better default path for journalctl and -n0 to avoid older attack hit on sshguard restarts
-
remove iptables prestart from examples/sshguard.service
-
add log string when realease an attacker
-
add PFSENSE signature with a better regexp than the first : tested ok
-
and sshg-fw-pfsense_2.4.4.sh example because it is fully tested and works good
-
fix FILENAME regexp from attack_scanner.l : add the underscore '_' into charset list
TODO :
-
sandbox is disabled because we need to fix how to deal with files in sandboxed env. eg: when pid file must be unlinked or offenders list saved.
-
need changes for others firewalls scripts and the /etc/hosts.allow mode (or maybe remove this feature, somebody really use it?)
-
need to add version in sshg-blocker (the version is only in the bash script).
-
try to upgrade to simclist 1.5 or 1.6 (better performances improvements).
-
certainly many others things...
I use a new version number to differenciate versions in my tests.
Maybe i do some horrbles mistakes in the code, or most probably novice errors, so be carefull about it.
This code works like a charm on Linux Debian 9 and pfSense 2.4.4_2 on FreeBSD 11.2-RELEASE-p6.
I hope you'll can use at least a parts of it.
Josh_
-
-
Thanks for the submission. I'll take a look, along with the rest of your patches, soon.
-
reporter Hi,
For information, i just add a commit for multiple detection fix and others minors fixes
https://bitbucket.org/JoshuaSign/sshguard/commits/93cbef4b667f8b8872b7678ec4ab29a021afbd6a
CHANGES :
-
move witelist detection after the service monitoring detection
-
better service name loging string construction for attack detection
-
switch LOG_INFO to LOG_DEBUG for "host in whitelist" and "attack on not monitored service" messages
-
fix multiple detections for the same attack by considering "a same attack" is withing the same second.
Duplicate detections problem :
Mar 3 00:43:30 sshguard 77997 Blocking "36.66.203.23/32" for 300 secs on service SSH (3 attacks in 0 secs, after 1 abuses over 0 secs.) Mar 3 00:43:30 sshguard 77997 Attack from "36.66.203.23" on service SSH with danger 10. // DUPLICATE DETECTION Mar 3 00:43:30 sshd 88039 Disconnected from invalid user jm 36.66.203.23 port 57458 [preauth] Mar 3 00:43:30 sshd 88039 Received disconnect from 36.66.203.23 port 57458:11: Bye Bye [preauth] Mar 3 00:43:30 sshguard 77997 Attack from "36.66.203.23" on service SSH with danger 10. // DUPLICATE DETECTION Mar 3 00:43:30 sshd 88039 Failed password for invalid user jm from 36.66.203.23 port 57458 ssh2 Mar 3 00:43:30 sshguard 77997 Attack from "36.66.203.23" on service SSH with danger 10. // GOOD DETECTION Mar 3 00:43:30 sshd 88039 Invalid user jm from 36.66.203.23 port 57458
After this fix it looks better :
Mar 3 00:44:24 sshd 98353 Fssh_packet_write_wait: Connection from invalid user sg 103.82.101.44 port 41729: Permission denied [preauth] Mar 3 00:44:24 sshd 98353 Failed password for invalid user sg from 103.82.101.44 port 41729 ssh2 Mar 3 00:44:24 sshd 98353 user NOUSER login class [preauth] Mar 3 00:44:24 sshguard 38265 Blocking "103.82.101.44/32" for 120 secs on service SSH (2 attacks in 446 secs, after 1 abuses over 446 secs.) Mar 3 00:44:24 sshguard 38265 Attack from "103.82.101.44" on service SSH with danger 10. // GOOD DETECTION Mar 3 00:44:24 sshd 98353 Invalid user sg from 103.82.101.44 port 41729 Mar 3 00:36:58 sshd 60741 Disconnected from invalid user aq 103.82.101.44 port 43036 [preauth] Mar 3 00:36:58 sshd 60741 Received disconnect from 103.82.101.44 port 43036:11: Bye Bye [preauth] Mar 3 00:36:58 sshd 60741 Failed password for invalid user aq from 103.82.101.44 port 43036 ssh2 Mar 3 00:36:58 sshd 60741 user NOUSER login class [preauth] Mar 3 00:36:58 sshguard 38265 Attack from "103.82.101.44" on service SSH with danger 10. // GOOD DETECTION Mar 3 00:36:58 sshd 60741 Invalid user aq from 103.82.101.44 port 43036
NOTE :
- I revert score to 10 here https://bitbucket.org/sshguard/sshguard/commits/ae268b7105b6#Lsrc/parser/attack_parser.yT240
I read the https://bitbucket.org/sshguard/sshguard/issues/77/false-positive-in-connection-closed issue and i'm not agree with Sam. If someone is probing my server, he should be considered as an offender, otherwise i must add him to whitelist. Note that many signatures that sshguard detects are only probes. Sam Darwin's problem sound like a personnal disign problem, he should whitelist the host, imho.
Also, if you need to probe ssh service, the bot that probes should login in to be sure that ssh works, and avoid the problem of attack detection.
But Sam's issue 77 it is not a duplicate of :
-
https://bitbucket.org/sshguard/sshguard/issues/53/lower-log-verbosity-for-whitelist-hit : which was a log level problem.
-
https://bitbucket.org/sshguard/sshguard/issues/83/false-positives : which is the problem i fix above considering same attack if in the same second
-
https://bitbucket.org/sshguard/sshguard/issues/95/ssh-connect-double-count : which is a duplicate of issue 83 : multiple detection
TODO :
-
make log verbosity more configurable
-
make attack dangerousness configurable
Regards.
Josh_
-
- Log in to comment