Remote SSHGuard
Feature request/enhancement: Remote SSHGuard
Maybe this already exists and I just haven’t found it. Imagine: hub-and-spoke design for sshguard where the hub is actually a router (running Linux, FreeBSD, etc). It has the actual packet filter (iptables, ipfw, pf, et al) running on it. The “spokes” are all the servers behind that router who are monitoring their own /var/log files and then sending a message to the router to block a bad guy.
At that point, the bad actor can’t attack any of the servers under the router’s umbrella. And this is all without the router needing to (somehow) monitor another server’s log files.
Thoughts?
Comments (21)
reporter Remote syslogging is definitely one way to accomplish this; for smaller server counts it’ll actually work fine. One thing you’d rather not do is overwhelm your router (and its local storage) with syslog messages. That said, I’ll experiment with the idea and see how it works.
Consider the agent idea if you could, though.
-
reporter Follow-up: the remote syslog trick seems to work fine. Have already caught some bad actors that way, and the router’s ipfw table 22 (I’m using FreeBSD) got updated accordingly.
-
It sounds like we’d have a good solution if your syslog didn’t have to log messages to a file. What about a named pipe?
-
reporter What about a named pipe?
On the router? Something like this in the /etc/syslog.conf:
+fqdn-of-server *.* | exec /usr/local/sbin/sshguard-command
Something like that?
-
No, that’s something we got rid of, because when syslogd periodically restarts with SIGHUP due to newsyslogd, it would send SIGHUP to SSHGuard.
I was thinking of something like mkfifo /path/to/fifo, and then syslogd would log to the FIFO, and SSHGuard would have that FIFO in FILES. I haven’t tested this setup yet, so you might want to test locally before you try this on the router.
-
reporter I tried the fifo idea, but syslog seemed to barf on it. Interesting idea though.
-
reporter Update: I got the syslogd to start while referencing the fifo file, by making sure there was a tail -f running against it. IOW: something reading from it. However, I’m not seeing any log messages being written to it while watching the tail -f output. So whatever syslog messages my server is sending to the router are apparently being eaten. Quite possible I have no idea what I’m doing here.
-
reporter OK, the issue appears to be buffering. I think, with the help of a buddy, I sledge-hammered it into submission. The /etc/syslog.conf file entry:
+server.fqdn *.* |exec stdbuf -o0 -i0 cat > /var/log/ssh.fifo
And then I put /var/log/ssh.fifo into the sshguard.conf file. It’s too early to know whether it’ll catch another bad actor, but I’m going to keep an eye on it.
-
reporter I had said buddy try to pummel my server with invalid ssh connections and he couldn’t trip off the filtering. That implies to me that even with the buffering issue solved, the remote logging to a FIFO isn’t working. I’ll revert to a flat file for the time being.
-
Thanks for investigating. Why don’t you log to a flat file for now, and I’ll try to figure out what’s going on.
When we figure this out, I’ll add this remote syslog use case to the manual.
-
reporter There appears to be another challenge, and it’s how ipfw is using the table. After going back to the flat file, buddy beat on server again and his source was immediately put in table 22. But ipfw isn’t blocking on it. It continued to let him pound on my server. So apparently table 22 is there, but not activated? Something like that. Any guidance?
-
If it ends up in table 22, then things are working from SSHGuard’s side. Can you double check your firewall ruleset (ipfw show), and make sure there is a rule blocking table 22, and it’s not being superseded by another match? If you’re still having trouble, feel free to paste your ipfw show here.
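An added check for the ordering question raised in this comment (example script, not part of the thread or of SSHGuard itself): it parses a saved `ipfw show` listing and reports whether a deny/reset rule on the given table is numbered below the first unconditional "allow ip from any to any", since ipfw stops at the first matching rule. Both rulesets in the script are constructed samples, not output from the reporter's router.

```shell
#!/bin/sh
# Constructed sample of `ipfw show` output where the table rule comes first.
GOOD_RULESET='00100   0     0 allow ip from any to any via lo0
05000  12   720 reset ip from table(22) to any
65000 999 80000 allow ip from any to any
65535   0     0 deny ip from any to any'

# Same rules, but the table(22) rule is numbered after the catch-all allow,
# so hosts in the table are matched by the allow first and never reset.
SHADOWED_RULESET='00100   0     0 allow ip from any to any via lo0
65000 999 80000 allow ip from any to any
65100   0     0 reset ip from table(22) to any
65535   0     0 deny ip from any to any'

# rule_num_of_table_block RULESET TABLE
# Prints the number of the first deny/reset rule that references table(TABLE).
# `ipfw show` columns are: rulenum packets bytes action ...
rule_num_of_table_block() {
  printf '%s\n' "$1" | awk -v t="table($2)" \
    '($4 == "deny" || $4 == "reset") && index($0, t) { print $1 + 0; exit }'
}

# rule_num_of_catchall_allow RULESET
# Prints the number of the first "allow ip from any to any" with no qualifier
# (exactly nine fields, so "... via lo0" does not count).
rule_num_of_catchall_allow() {
  printf '%s\n' "$1" | awk \
    'NF == 9 && $4 == "allow" && $5 == "ip" && $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" { print $1 + 0; exit }'
}

# check_table_block RULESET TABLE
# Returns 0 when a block rule on the table exists and precedes the catch-all allow.
check_table_block() {
  blk=$(rule_num_of_table_block "$1" "$2")
  [ -n "$blk" ] || { echo "no deny/reset rule references table($2)"; return 1; }
  allow=$(rule_num_of_catchall_allow "$1")
  if [ -n "$allow" ] && [ "$blk" -gt "$allow" ]; then
    echo "rule $blk on table($2) is shadowed by catch-all allow rule $allow"
    return 1
  fi
  echo "table($2) is enforced by rule $blk"
  return 0
}

check_table_block "$GOOD_RULESET" 22
check_table_block "$SHADOWED_RULESET" 22 || true
```

On a live router, feed it the real listing with a variable such as `RULESET=$(ipfw show)` in place of the constructed samples.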
-
reporter It’s not in the ‘show’ command. I’m pretty sure the table just isn’t being referenced, and I forget my ipfw CLI to block it.
-
reporter ipfw add 5000 reset ip from table(22) to any
That’s what I needed.
-
Ah ha, yes! That’s from the sshguard-setup(7) man page.
-
reporter Yeah, I was half hoping the pkg installation would have done that. Silly me. Given it’s a runtime, I’ll need to add that line to an /etc/rc file of some variety I assume.
-
How do you enable ipfw in your rc.conf? If you have a custom ruleset, you can directly edit that. If you use firewall_type, you should edit the appropriate section in /etc/rc.firewall. Unfortunately, there isn’t any sort of an ipfw.d folder where you can drop ipfw configuration.
-
reporter Fair question. I use ipfw only as a "block stuff that someone else tells me about" sort of thing. pf is my router's standard filter because it's vastly more configurable (and confusing! heh). So ipfw starts "open" in /etc/rc.conf and I have a local daemon running (an agent) that takes messages from my MX server. That MX server, when it gets pestered by spammer MTAs, finally says “ENOUGH!” and sends the message to the router saying “block this idiot from reaching anything on port 25”. That list starts at 0 and builds organically over time. Much the same way the sshguard list builds. If you’re curious at all about the process, I’ve blogged it all while the spamilter developer, Neal Horman, and I worked through it:
https://www.jasonvanpatten.com/category/server/spam/
The “Blocking Spammers at the Router” is the most recent and it’s what I was hoping to accomplish with sshguard as well.
Adding the lines to /etc/firewall.rc should be easy enough.
-
Just curious, if you use pf as your main filter, have you considered the pf SSHGuard backend? PF also has tables, SSHGuard can add to pf tables (see the sshguard-setup man page).
-
reporter Thanks for the suggestion; I think I’d rather continue using pf to protect the network (allow certain stuff, deny ip any any) and lean into ipfw to block specific things, if that makes sense.
-
That's an interesting idea, and certainly one that makes a lot of sense in similar setups. What about enabling remote syslog on the 'spokes', logging to the central syslogd and router, and running a single central SSHGuard on the router?