Remote SSHGuard

Issue #136 open
Jason Van Patten created an issue

Feature request/enhancement: Remote SSHGuard

Maybe this already exists and I just haven’t found it. Imagine: hub-and-spoke design for sshguard where the hub is actually a router (running Linux, FreeBSD, etc). It has the actual packet filter (iptables, ipfw, pf, et al) running on it. The “spokes” are all the servers behind that router who are monitoring their own /var/log files and then sending a message to the router to block a bad guy.

At that point, the bad actor can’t attack any of the servers under the router’s umbrella. And this is all without the router needing to (somehow) monitor another server’s log files.

Thoughts?

Comments (21)

  1. Kevin Zheng
    • changed status to open

    That's an interesting idea, and certainly one that makes a lot of sense in similar setups. What about enabling remote syslog on the 'spokes', logging to the central syslogd and router, and running a single central SSHGuard on the router?

  2. Jason Van Patten reporter

    Remote syslogging is definitely one way to accomplish this; for smaller server counts it’ll actually work fine. One thing you’d rather not do is overwhelm your router (and its local storage) with syslog messages. That said, I’ll experiment with the idea and see how it works.

    Consider the agent idea if you could, though. 🙂

  3. Jason Van Patten reporter

    Follow-up: the remote syslog trick seems to work fine. Have already caught some bad actors that way, and the router’s ipfw table 22 (I’m using FreeBSD) got updated accordingly.

  4. Kevin Zheng

    It sounds like we’d have a good solution if your syslog didn’t have to log messages to a file. What about a named pipe?

  5. Jason Van Patten reporter

    What about a named pipe?

    On the router? Something like this in the /etc/syslog.conf:

    +fqdn-of-server
    *.*   | exec /usr/local/sbin/sshguard-command
    

    ? Something like that?

  6. Kevin Zheng

    No, that’s something we got rid of, because when syslogd periodically restarts with SIGHUP due to newsyslogd, it would send SIGHUP to SSHGuard.

    I was thinking of something like mkfifo /path/to/fifo, and then syslogd would log to the FIFO, and SSHGuard would have that FIFO in FILES. I haven’t tested this setup yet, so you might want to test locally before you try this on the router.

  7. Jason Van Patten reporter

    Update: I got the syslogd to start while referencing the fifo file, by making sure there was a tail -f running against it. IOW: something reading from it. However, I’m not seeing any log messages being written to it while watching the tail -f output. So whatever syslog messages my server is sending to the router are apparently being eaten.

    Quite possible I have no idea what I’m doing here. 🙂

  8. Jason Van Patten reporter

    OK, the issue appears to be buffering. I think, with the help of a buddy, I sledge-hammered it into submission. The /etc/syslog.conf file entry:

    +server.fqdn
    *.*                        |exec stdbuf -o0 -i0 cat > /var/log/ssh.fifo
    

    And then I put /var/log/ssh.fifo into the sshguard.conf file. It’s too early to know whether it’ll catch another bad actor, but I’m going to keep an eye on it.

  9. Jason Van Patten reporter

    I had said buddy try to pummel my server with invalid ssh connections and he couldn’t trip off the filtering. That implies to me that even with the buffering issue solved, the remote logging to a FIFO isn’t working. I’ll revert to a flat file for the time being.
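The FIFO arrangement from comments 6 through 9, as an added example (not code from the thread or from the SSHGuard project): it creates a named pipe, starts a reader on it before anything writes, pushes a few constructed sshd log lines through it the way syslogd's pipe action would, and has the reader pull out the attacking addresses. The reader is a small awk stand-in for the matching SSHGuard does, not SSHGuard's own parser; the temp path and the log lines are made up for the demo.

```shell
#!/bin/sh
# Added example (not code from the thread or the SSHGuard project): drive
# constructed sshd log lines through a named pipe the way syslogd -> FIFO ->
# SSHGuard would, with a stand-in reader that pulls out the attacking addresses.
# The FIFO lives under a temp dir; the log lines are constructed.
set -eu

WORK=$(mktemp -d)
FIFO="$WORK/ssh.fifo"
OUT="$WORK/attackers.txt"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of what a spoke's sshd would send over remote syslog.
SAMPLE_LOG='Mar  3 10:01:02 web1 sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 54321 ssh2
Mar  3 10:01:04 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 54322 ssh2
Mar  3 10:01:09 web1 sshd[1240]: Accepted publickey for jason from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:15 web1 sshd[1241]: Invalid user oracle from 203.0.113.5 port 33000'

# extract_attackers: read syslog lines on stdin, print each source address that
# appears in an sshd authentication failure, once. Minimal stand-in for the
# matching SSHGuard itself does; it is not SSHGuard's parser.
extract_attackers() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort -u
}

# run_fifo_demo: start the reader first, then push the sample through the FIFO.
# Order matters: opening a FIFO for writing blocks until a reader has it open,
# which is why syslogd in the thread would not start until something (tail -f)
# was reading the pipe.
run_fifo_demo() {
    [ -p "$FIFO" ] || mkfifo "$FIFO"
    extract_attackers < "$FIFO" > "$OUT" &
    reader=$!
    # Writer side, standing in for syslogd's "|exec ... > fifo" action. printf
    # closes the pipe when done, so the reader sees EOF and finishes.
    printf '%s\n' "$SAMPLE_LOG" > "$FIFO"
    wait "$reader"
    cat "$OUT"
}

run_fifo_demo
```

Running it prints 192.0.2.10 and 203.0.113.5 and nothing for the successful publickey login. Two things carry over to the real setup: the reader has to be there before the writer opens the pipe (a FIFO reader that exits takes the pipe's EOF with it, so SSHGuard must keep it open), and a long-lived writer such as the cat child in syslogd's pipe action buffers through stdio unless told not to, which is what the stdbuf -o0 in comment 8 is for. The demo writer is short-lived and closes the pipe, so it does not need that.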

  10. Kevin Zheng

    Thanks for investigating. Why don’t you log to a flat file for now, and I’ll try to figure out what’s going on.

    When we figure this out, I’ll add this remote syslog use case to the manual.

  11. Jason Van Patten reporter

    There appears to be another challenge, and it’s how ipfw is using the table. After going back to the flat file, buddy beat on server again and his source was immediately put in table 22. But ipfw isn’t blocking on it. It continued to let him pound on my server. So apparently table 22 is there, but not activated? Something like that. Any guidance?

  12. Kevin Zheng

    If it ends up in table 22, then things are working from SSHGuard’s side. Can you double check your firewall ruleset (ipfw show), and make sure there is a rule blocking table 22, and it’s not being superseded by another match? If you’re still having trouble, feel free to paste your ipfw show here.

  13. Jason Van Patten reporter

    It’s not in the ‘show’ command. I’m pretty sure the table just isn’t being referenced, and I forget my ipfw CLI to block it.

  14. Jason Van Patten reporter

    Yeah, I was half hoping the pkg installation would have done that. Silly me. Given it’s a runtime, I’ll need to add that line to an /etc/rc file of some variety I assume.

  15. Kevin Zheng

    How do you enable ipfw in your rc.conf? If you have a custom ruleset, you can directly edit that. If you use firewall_type, you should edit the appropriate section in /etc/rc.firewall. Unfortunately, there isn’t any sort of ipfw.d folder where you can drop ipfw configuration.

  16. Jason Van Patten reporter

    Fair question. I use ipfw only as a "block stuff that someone else tells me about" sort of thing. pf is my router's standard filter because it's vastly more configurable (and confusing! heh). So ipfw starts "open" in /etc/rc.conf and I have a local daemon running (an agent) that takes messages from my MX server. That MX server, when it gets pestered by spammer MTAs, finally says “ENOUGH!” and sends the message to the router saying “block this idiot from reaching anything on port 25”.

    That list starts at 0 and builds organically over time. Much the same way the sshguard list builds. If you’re curious at all about the process, I’ve blogged it all while the spamilter developer, Neal Horman and I worked through it:

    https://www.jasonvanpatten.com/category/server/spam/

    The “Blocking Spammers at the Router” is the most recent and it’s what I was hoping to accomplish with sshguard as well.

    Adding the lines to /etc/firewall.rc should be easy enough.
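The check Kevin asks for in comment 12 (is there a deny rule on table 22, and is it superseded by an earlier match?), as an added example that is not code from the thread or from the SSHGuard project. It reads ipfw show output and gives a verdict; the three dumps are constructed, the rule number 100 is an arbitrary choice, and the rule text is what I expect ipfw show to print for a rule added with ipfw add 100 deny ip from 'table(22)' to any. The assumption the script leans on is that ipfw show prints rule number, packet count, byte count and then the action, in rule-number order.

```shell
#!/bin/sh
# Added example, not from the thread or the SSHGuard project. Given the output
# of "ipfw show", decide whether SSHGuard's table 22 is actually enforced: there
# must be a deny rule referencing table(22), and it must be numbered before any
# allow-everything rule, or the allow matches first and the table is dead.
# Rule numbers and the three dumps are constructed. The deny is written
# "to any" rather than "to me" on purpose: on a router, "me" is only the
# router's own addresses, and traffic forwarded to the spokes is not "me".

# An "open" ipfw on its own: nothing references table 22, which is the
# "it's not in the show command" situation from comment 13.
OPEN_RULESET='65000 1234 98765 allow ip from any to any
65535 0 0 deny ip from any to any'

# Same box after:  ipfw add 100 deny ip from 'table(22)' to any
FIXED_RULESET='00100 17 1020 deny ip from table(22) to any
65000 1234 98765 allow ip from any to any
65535 0 0 deny ip from any to any'

# The deny exists but was numbered after the pass-all, so it never matches.
SHADOWED_RULESET='65000 1234 98765 allow ip from any to any
65100 0 0 deny ip from table(22) to any
65535 0 0 deny ip from any to any'

# table22_blocked: reads "ipfw show" output on stdin. Assumed format is
# <rule> <packets> <bytes> <action> ..., in rule-number order, so $4 is the
# action and the first hit decides. Exit 0 with a one-line verdict if the
# table-22 deny is live, exit 1 with the reason otherwise.
table22_blocked() {
    awk '
        $4 == "deny"  && /table\(22\)/     && found == "" { found = $1; next }
        $4 == "allow" && /from any to any/ && found == "" { shadow = $1 }
        END {
            if (found == "")  { print "no deny rule references table(22)"; exit 1 }
            if (shadow != "") { print "deny rule " found " is shadowed by allow rule " shadow; exit 1 }
            print "deny rule " found " blocks table(22)"
        }'
}

printf 'open:     '; printf '%s\n' "$OPEN_RULESET"     | table22_blocked || :
printf 'fixed:    '; printf '%s\n' "$FIXED_RULESET"    | table22_blocked || :
printf 'shadowed: '; printf '%s\n' "$SHADOWED_RULESET" | table22_blocked || :
```

On the live router the same thing is ipfw show | table22_blocked. The deny line goes wherever the ruleset is built, per comment 15: the custom ruleset script, or the section of /etc/rc.firewall for the firewall_type in use. Once it is in, the packet counter on that rule (the second column of ipfw show) should climb while the buddy hammers the server; if it stays at 0 while table 22 has his address, the rule is not the one being matched.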

  17. Kevin Zheng

    Just curious, if you use pf as your main filter, have you considered the pf SSHGuard backend? PF also has tables, and SSHGuard can add to pf tables (see the sshguard-setup man page).

  18. Jason Van Patten reporter

    Thanks for the suggestion; I think I’d rather continue using pf to protect the network (allow certain stuff, deny ip any any) and lean into ipfw to block specific things, if that makes sense.
