Remote SSHGuard

Create issue
Issue #136 open
Jason Van Patten created an issue

Feature request/enhancement: Remote SSHGuard

Maybe this already exists and I just haven’t found it. Imagine: hub-and-spoke design for sshguard where the hub is actually a router (running Linux, FreeBSD, etc). It has the actual packet filter (iptables, ipfw, pf, et al) running on it. The “spokes” are all the servers behind that router who are monitoring their own /var/log files and then sending a message to the router to block a bad guy.

At that point, the bad actor can’t attack any of the servers under the router’s umbrella. And this is all without the router needing to (somehow) monitor another server’s log files.

Thoughts?

Comments (21)

  1. Kevin Zheng
    • changed status to open

    That's an interesting idea, and certainly one that makes a lot of sense in similar setups. What about enabling remote syslog on the 'spokes', logging to the central syslogd and router, and running a single central SSHGuard on the router?

  2. Jason Van Patten reporter

    Remote syslogging is definitely one way to accomplish this; for smaller server counts it’ll actually work fine. One thing you’d rather not do is overwhelm your router (and its local storage) with syslog messages. That said, I’ll experiment with the idea and see how it works.

    Consider the agent idea if you could, though. 🙂

  3. Jason Van Patten reporter

    Follow-up: the remote syslog trick seems to work fine. Have already caught some bad actors that way, and the router’s ipfw table 22 (I’m using FreeBSD) got updated accordingly.

  4. Kevin Zheng

    It sounds like we’d have a good solution if your syslog didn’t have to log messages to a file. What about a named pipe?

  5. Jason Van Patten reporter

    What about a named pipe?

    On the router? Something like this in the /etc/syslog.conf:

    +fqdn-of-server
    *.*   | exec /usr/local/sbin/sshguard-command
    

    ? Something like that?

  6. Kevin Zheng

    No, that’s something we got rid of, because when syslogd periodically restarts with SIGHUP due to newsyslogd, it would send SIGHUP to SSHGuard.

    I was thinking of something like mkfifo /path/to/fifo, and then syslogd would log to the FIFO, and SSHGuard would have that FIFO in FILES. I haven’t tested this setup yet, so you might want to test locally before you try this on the router.

  7. Jason Van Patten reporter

    Update: I got the syslogd to start while referencing the fifo file, by making sure there was a tail -f running against it. IOW: something reading from it. However, I’m not seeing any log messages being written to it while watching the tail -f output. So whatever syslog messages my server is sending to the router are apparently being eaten.

    Quite possible I have no idea what I’m doing here. 🙂

  8. Jason Van Patten reporter

    OK, the issue appears to be buffering. I think, with the help of a buddy, I sledge-hammered it into submission. The /etc/syslog.conf file entry:

    +server.fqdn
    *.*                        |exec stdbuf -o0 -i0 cat > /var/log/ssh.fifo
    

    And then I put /var/log/ssh.fifo into the sshguard.conf file. It’s too early to know whether it’ll catch another bad actor, but I’m going to keep an eye on it.

  9. Jason Van Patten reporter

    I had said buddy try to pummel my server with invalid ssh connections and he couldn’t trip off the filtering. That implies to me that even with the buffering issue solved, the remote logging to a FIFO isn’t working. I’ll revert to a flat file for the time being.

  10. Kevin Zheng

    Thanks for investigating. Why don’t you log to a flat file for now, and I’ll try to figure out what’s going on.

    When we figure this out, I’ll add this remote syslog use case to the manual.

  11. Jason Van Patten reporter

    There appears to be another challenge, and it’s how ipfw is using the table. After going back to the flat file, buddy beat on server again and his source was immediately put in table 22. But ipfw isn’t blocking on it. It continued to let him pound on my server. So apparently table 22 is there, but not activated? Something like that. Any guidance?

  12. Kevin Zheng

    If it ends up in table 22, then things are working from SSHGuard’s side. Can you double check your firewall ruleset (ipfw show), and make sure there is a rule blocking table 22, and it’s not being superseded by another match? If you’re still having trouble, feel free to paste your ipfw show here.

  13. Jason Van Patten reporter

    It’s not in the ‘show’ command. I’m pretty sure the table just isn’t being referenced, and I forget my ipfw CLI to block it.

  14. Jason Van Patten reporter

    Yeah, I was half hoping the pkg installation would have done that. Silly me. Given it’s a runtime, I’ll need to add that line to an /etc/rc file of some variety I assume.

  15. Kevin Zheng

    How do you enable ipfw in your rc.conf? If you have a custom ruleset, you can directly edit that. If you use firewall_type, you should edit the appropriate section in /etc/rc.firewall. Unfortunately, there’s isn’t sort of a ipfw.d folder where you can drop ipfw configuration.

  16. Jason Van Patten reporter

    Fair question. I use ipfw only as a "block stuff that someone else tells me about" sort of thing. pf is my router's standard filter because it's vastly more configurable (and confusing! heh). So ipfw starts "open" in /etc/rc.conf and I have a local daemon running (an agent) that takes messages from my MX server. That MX server, when it gets pestered by spammer MTAs, finally says “ENOUGH!” and sends the message to the router saying “block this idiot from reaching anything on port 25”.

    That list starts at 0 and builds organically over time. Much the same way the sshguard list builds. If you’re curious at all about the process, I’ve blogged it all while the spamilter developer, Neal Horman and I worked through it:

    https://www.jasonvanpatten.com/category/server/spam/

    The “Blocking Spammers at the Router” is the most recent and it’s what I was hoping to accomplish with sshguard as well.

    Adding the lines to /etc/firewall.rc should be easy enough.

  17. Kevin Zheng

    Just curious, if you use pf as your main filter, have you considered the pf SSHGuard backend? PF also has tables, SSHGuard can add to pf tables (see the sshguard-setup man page).

  18. Jason Van Patten reporter

    Thanks for the suggestion; I think I’d rather continue using pf to protect the network (allow certain stuff, deny ip any any) and lean into ipfw to block specific things, if that makes sense.

  19. Log in to comment