DaemonForums
OpenBSD Packages and Ports: installation and upgrading of packages and ports on OpenBSD.
#1
Old 16th January 2017
psypro
sshguard

Context
I open up ssh to the internet, so I can log in from outside my house to my server at home.
I have added a strong ssh key, and disabled login with password.
I have added a brute-force section to my pf.conf from: https://home.nuug.no/~peter/pf/en/bruteforce.html

But I still see login attempts from external users in my /var/log/authlog.

So I installed sshguard:
Code:
pkg_add sshguard
and added the sshguard table to my pf.conf:

Code:
table <sshguard> persist
block in proto tcp from <sshguard>
But how can I verify it is working? Is it configured out of the box, or do I need to tell it manually to read /var/log/authlog?

And on a more meta level, does a program like sshguard strengthen or weaken security? Should not a -b 15000 key be strong enough in itself? Another service running increases the risk from errors or backdoors in the program. But on a more psychological level, it annoys me to see login attempts from hostile users again and again, and it clutters my /var/log/authlog.
#2
Old 16th January 2017
TronDD

Quote:
Originally Posted by psypro
But how can I verify it is working? Is it configured out of the box, or do I need to tell it manually to read /var/log/authlog?
Haven't used it, but you can check if the table has anything in it: pfctl -t sshguard -T show

Quote:
Originally Posted by psypro
And on a more meta level, does a program like sshguard strengthen or weaken security? Should not a -b 15000 key be strong enough in itself? Another service running increases the risk from errors or backdoors in the program. But on a more psychological level, it annoys me to see login attempts from hostile users again and again, and it clutters my /var/log/authlog.
I don't think it's necessary beyond the psychological effect. I hate seeing these attempts, too. Pretty sure almost none of these attempts are trying keys anyway, only known or simple passwords. So they can try as many times as they want; it'll never let them in. Maybe it'll prevent a DoS if there is a bug in ssh where failed attempts cause CPU load, or a crash, or something, but I don't worry about that too much. PF could have the same problem, or a web server, or a mail server, or a local app just doing its thing.
#3
Old 16th January 2017
jggimi

Quote:
Originally Posted by psypro View Post
...But how can i verify it is working? is it configured out of the box, or do I need to tell it ...
I do not have sshguard installed, but with the -L option of pkg_info(1) I can see it has both a man page and an OpenBSD-specific README:
Code:
$ pkg_info -L sshguard
Information for https://ftp5.usa.openbsd.org/pub/OpenBSD/snapshots/packages/amd64/sshguard-1.5p1.tgz

Files:
/usr/local/man/man8/sshguard.8
/usr/local/sbin/sshguard
/usr/local/share/doc/pkg-readmes/sshguard-1.5p1
/etc/rc.d/sshguard


$
I do not have the man page, but it may answer your provisioning questions.
Quote:
And on a more meta level, does program like sshguard strengthen or weaken the security.
Just like TronDD, I don't think this makes any significant change in your security. It just blocks these attackers to keep them out of your logs. You have already done the most important thing: you disabled password authentication.
#4
Old 17th January 2017
psypro

Found a website from 2016 on sshguard on OpenBSD:

https://www.rtate.se/technology/bsd/...d-OpenBSD.html

I hope it works now. I added:

Code:
mkdir -p /var/db/sshguard/
touch /var/db/sshguard/whitelist.db
# -a abuse threshold, -l log to watch, -p seconds before pardon, -w whitelist file
rcctl set sshguard flags -a 5 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
rcctl restart sshguard

Last edited by psypro; 17th January 2017 at 08:34 PM.
#5
Old 20th January 2017
psypro

Has anybody got it working?

Code:
rcctl ls on
sshguard
I have got 2 tables in pf.conf:

Code:
pfctl -T show -t bruteforce
gives a list of IPs.

Code:
pfctl -T show -t sshguard
gives an empty list, 0 hits.

I have tried running sshguard in debugging mode, copying attack signature examples from sshguard.org. I have gotten sshguard to show "dangerous" (it finds the attack signature), but still no changes were made to the pf.conf sshguard table.
I wonder if the problem is:
sshguard can't influence the pf.conf sshguard table
sshguard can't read /var/log/authlog (the OpenBSD log seems more complex than the simple examples given at sshguard.org; what version of syslog is this?)

Last edited by psypro; 20th January 2017 at 11:19 PM.
#6
Old 25th January 2017
psypro

I think I found the error.

sshguard only works if there are login failures.
With no password login, there are no login failures, only a lot of disconnects in the logs.
If I enable password login for sshd, I get sshguard to block.
#7
Old 25th January 2017
jggimi

Quote:
Originally Posted by psypro View Post
If I enable password login for sshd, I get sshguard to block.
To my understanding, this is not a best practice.

Q: What is the purpose of running sshd(8) with password authentication disabled?
A: Prevent password login.

Q: What are the odds of success of a password authentication attack on sshd(8) when password authentication is disabled?
A: Zero. There is no chance of success.

Q: What is the purpose of using sshguard?
A: To block attackers.

Q: What is the value of blocking attackers who have a zero chance of success?
A: It keeps them out of my logs. That is the only value.

Q: What is the impact of enabling password authentication?
A: It allows password login.

Q: What are the odds of a successful password authentication attack on sshd(8) when password authentication is enabled?
A: Greater than zero. There is a chance of success.

Q: What are the odds of a provisioning error in PF or in sshguard? Or a runtime failure of sshguard?
A: Greater than zero. There is a chance of a provisioning error, or of sshguard not running at the time of an attack.

Last edited by jggimi; 25th January 2017 at 03:37 PM. Reason: typo
#8
Old 25th January 2017
jggimi

I'll clarify my comment above.

Prior to implementing sshguard, you disabled password authentication. It was impossible for a password attack to succeed. But sshguard wasn't blocking password attacks, so you enabled password authentication. This gives sshguard something to do, but ... this gives your attackers an opportunity to succeed.

Here is an analogy:
Let us pretend that you have a large walk-in safe guarding valuable items, such as those used in banks. There are very complex locks on the safe, with timers and complex keys that only you have. The door is very thick, and it cannot be drilled through or otherwise broken into.

But you also have a guard dog. And you keep the dog inside the safe, where he has nothing to do. You decide to add another door to your safe, so that the dog will no longer be bored. This door is made of wood, and can be broken into. And you add an inexpensive combination lock on the outside. People outside constantly try the door's knob, and rattle the lock. Your dog barks, and the people leave. For now.
Yes, you have given your dog something to do. But why add a low-security door to your safe? Give the dog to someone else who does not have a safe.
#9
Old 25th January 2017
psypro

Thank you jggimi, you are right.

This time I had understood this before you told me, but I understand that from what I had written one could be in doubt.

a) I have enforced no password login, only with key.

b) It bothers me to see so many Chinese IPs trying to get in.

c) I am quite disappointed in sshguard failing to ban these.

d) In the future a critical security bug could be found in OpenSSH; if these Chinese IPs were blocked by pf, they would not reach OpenSSH.

e) You are right in theory, 100% secure with a key, but I think in reality bugs exist, and therefore it would be better if the attacker were stopped at the firewall rather than at the service.
Old 25th January 2017
jggimi

It's your system, you control it. You can do whatever you want with it. But your fear of password attacks has caused you to enable password attacks.
Old 25th January 2017
psypro

Yes, for 5 minutes.
Password login is disabled; it was only enabled to learn how sshguard works.

jggimi, what are your thoughts on stopping the attacker at the firewall vs at the service?
Old 25th January 2017
TronDD

If you must block the bad actors, it's not that hard to write a cron job to scan your logs for what you want and add them to the table yourself.

I just do it manually for the satisfaction. Each day, if I feel annoyed, I grep | cut | whatever and pass it to pfctl. Gone. Easily automated, even in close to real-time with cron if you want.

You can also find Chinese IP lists and just block them wholesale right off the bat. I have had mixed success with this. Either the list is incomplete or wrong, or attacks come from everywhere anyway. That's the nature of a botnet.

Or you could learn to trust ssh, as you seem to implicitly trust pf, and just let it go.
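A concrete version of the cron-job approach TronDD describes above, added here as an example for this thread (it is not TronDD's script and not part of sshguard). It is a POSIX sh script that counts pre-authentication events per source address in authlog and adds repeat offenders to the <sshguard> table already declared in the pf.conf from the first post. Because password authentication is off, the only trace most probes leave is a "[preauth]" disconnect, so those are counted alongside "Invalid user" and "Failed password". The log lines in SAMPLE_AUTHLOG are constructed for the demonstration; the table name, the default threshold of 3 events, the interface-less pf setup and the allowlist address are assumptions to adjust.

```sh
#!/bin/sh
# Added example for this thread: ban repeat ssh probers from authlog with pfctl.
# Run from root's crontab, e.g. every 10 minutes:
#   */10 * * * * /usr/local/sbin/ban-sshd-noise.sh

LOG="${LOG:-/var/log/authlog}"
TABLE="${TABLE:-sshguard}"          # assumption: the persist table from the pf.conf in post #1
THRESHOLD="${THRESHOLD:-3}"         # assumption: events per address before it is banned
ALLOW="${ALLOW:-192.0.2.10}"        # assumption: addresses that must never be banned (your own)

# extract_attackers THRESHOLD [ALLOWLIST]
# Reads sshd log lines on stdin and prints, one per line and sorted, every source
# address with at least THRESHOLD pre-auth events: "Invalid user", "Failed password"
# and "Received disconnect ... [preauth]". Successful logins never count, and
# addresses in the space-separated ALLOWLIST are skipped.
extract_attackers() {
    awk -v min="${1:-3}" -v allow="${2:-}" '
        BEGIN { n_allow = split(allow, a, " "); for (k = 1; k <= n_allow; k++) skip[a[k]] = 1 }
        # only sshd lines; a successful login is never evidence against its address
        !/sshd\[/ || /Accepted / { next }
        /Invalid user|Failed password|Received disconnect.*\[preauth\]/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") { ip = $(i + 1); break }
            # accept IPv4 dotted quads and anything containing a colon (IPv6); drop hostnames
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || ip ~ /^[0-9a-fA-F:]*:[0-9a-fA-F:]*$/) {
                if (!(ip in skip)) n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | sort
}

# Constructed sample in the OpenSSH 7.x log format, so the parser can be exercised
# offline: one password-guessing session, one bare pre-auth disconnect, and our own
# key-based login (which must never be banned).
SAMPLE_AUTHLOG='Jan 20 22:10:01 home sshd[41231]: Invalid user admin from 203.0.113.5 port 51234
Jan 20 22:10:02 home sshd[41231]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 20 22:10:03 home sshd[41231]: Received disconnect from 203.0.113.5 port 51234:11: Bye Bye [preauth]
Jan 20 22:10:03 home sshd[41231]: Disconnected from 203.0.113.5 port 51234 [preauth]
Jan 20 22:11:40 home sshd[41250]: Received disconnect from 198.51.100.7 port 40000:11: Bye Bye [preauth]
Jan 20 22:11:40 home sshd[41250]: Disconnected from 198.51.100.7 port 40000 [preauth]
Jan 20 22:12:15 home sshd[41262]: Accepted publickey for psypro from 192.0.2.10 port 55555 ssh2: ED25519 SHA256:constructed
Jan 20 22:12:15 home sshd[41262]: Disconnected from user psypro 192.0.2.10 port 55555'

# Dry run on the sample: prints the addresses the cron job would ban at the given threshold.
sample_bans() {
    printf '%s\n' "$SAMPLE_AUTHLOG" | extract_attackers "${1:-$THRESHOLD}" "$ALLOW"
}

# Real run, only when the log is readable and pf is present (i.e. on the OpenBSD box itself).
if [ -r "$LOG" ] && command -v pfctl >/dev/null 2>&1; then
    ips=$(extract_attackers "$THRESHOLD" "$ALLOW" < "$LOG")
    if [ -n "$ips" ]; then
        # shellcheck disable=SC2086  # word splitting is intended: one argument per address
        pfctl -t "$TABLE" -T add $ips
    fi
fi
```

With the threshold at 3, only 203.0.113.5 is reported from the sample; 198.51.100.7 produced a single disconnect and is left alone until it comes back. Entries added with -T add sit in the persist table forever, so pair the job with an ageing step in the same crontab, for instance pfctl -t sshguard -T expire 14400, which matches the 14400-second pardon chosen for sshguard earlier in the thread. The block rule in pf.conf needs to come before the pass rule for port ssh (or carry quick) for a table entry to have any effect.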
Old 25th January 2017
jggimi
You can reduce the amount of failed-attack messages in your logs with PF stateful tracking options.

You can also reduce the number of authentication attempts for any connected session with sshd_config(5) MaxAuthTries. If you set that to 1, for example, a failed attempt will disconnect the session. An attacker who reconnects to attack again may then be blocked by stateful tracking rules.

My public-facing servers always have these three options set in sshd_config:
Code:
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 1
Challenge/Response on OpenBSD is S/Key one-time-pad authentication. At one time I used S/Key with SSH clients on public kiosks or borrowed workstations. (See skey(1), skeyinit(1), and skey(5) for details.)

Last edited by jggimi; 25th January 2017 at 08:00 PM. Reason: too many words
Old 26th January 2017
girarde
Trust

Not knowing the various code paths, I can't answer the question of whether disable password login && sshguard is meaningfully more secure than either alone.

But enabling password login in order to see blocked attempts is rather like looking for an exterminator whose work will ensure that you actually see dead termites.

I don't know that there is any drawback to running both. But unless you don't trust the logs to show SUCCESSFUL login attempts, I see no value in configuring so as to guarantee that you will see failures.
Old 26th January 2017
frcc

I had the same problem with attempts from all over the world.
Since our/my needs were to allow only US-based IPs into ssh (actually more restricted than that),
we created a table of US CIDRs and made that entry in pf.conf to filter some noise out of the system.
If the attempt was not from a US IP then it was dropped first.
Of course you then must update that file occasionally. Speed was not affected, as pf searches table files rapidly.
Old 26th January 2017
jggimi

Quote:
Originally Posted by girarde View Post
..I can't answer the question of whether disable password login && sshguard is meaningfully more secure than either alone.
Indeed. If I had a use-case that required password authentication -- I would consider sshguard as one of my risk mitigations. But risk would not be eliminated.

I cannot see a valid "password required" use-case, if the end-user can be instructed to use a more secure authentication method. And that is the only thing stopping safer authentication.

Even in situations where private credentials (key or cert) cannot be used, other authentications are better than passwords. I carried a one-time-pad in my wallet for use with S/Key, for example.

I know there are admins who like to enable root password authentication on a freshly installed system in order to then leave the console and provision it from elsewhere. But they don't need to. For example, the admin could include an authorized_keys file in a siteXX.tgz file set, or just download it from a network location prior to departing the console.

Last edited by jggimi; 26th January 2017 at 03:19 PM. Reason: clarity, typo, and siteXX referral
Old 29th January 2017
jggimi

I recently set up a server where I am the only user, and the only ssh connections will ever be from an OpenBSD laptop.

I elected to use Passive Operating System Fingerprinting as an access control mechanism.

The purpose is not security - instead it is to keep the logs relatively clean and clear. I am still using stateful tracking, and am using public key authentication with passphrase as the only allowed authentication method.

Last edited by jggimi; 29th January 2017 at 01:43 PM. Reason: clarity
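The PF side of what jggimi describes in the post with the three sshd_config options (stateful tracking with an overload table, paired with MaxAuthTries 1) and in the post just above (passive OS fingerprinting as a noise filter), written out as one added pf.conf example for this thread. It is not jggimi's configuration: the interface name em0, the thresholds 15/5 and 100, and the table names are assumptions, and the <bruteforce> rule follows the nuug page linked in the first post.

```pf
# Added example for this thread: pf.conf fragment that throttles repeat ssh
# connectors in PF before sshd sees them.
# Assumptions: external interface em0; rates are illustrative, tune to your use.
ext_if = "em0"

table <bruteforce> persist
table <sshguard> persist     # kept so sshguard, if you still run it, has a table to fill

# Anything already overloaded is dropped before sshd ever sees a SYN.
block in quick on $ext_if proto tcp from { <bruteforce>, <sshguard> }

# Allow ssh, but track each source: more than 15 new connections in 5 seconds,
# or more than 100 open states, moves the address into <bruteforce> and flushes
# every state it holds ("flush global": not only the ssh ones).
# With MaxAuthTries 1 in sshd_config each failed guess costs the attacker a
# fresh TCP connection, so the connection rate is exactly what the attacker hits.
pass in on $ext_if proto tcp to port ssh \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Variant from the post above (passive OS fingerprinting, see pf.os(5)): accept
# ssh only when the SYN fingerprints as OpenBSD. Use it instead of the rule above
# when every legitimate client is an OpenBSD machine; anything else is dropped.
#pass in on $ext_if proto tcp from any os OpenBSD to port ssh \
#    flags S/SA keep state \
#    (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, watch the table fill with pfctl -t bruteforce -T show, and age entries out from cron with pfctl -t bruteforce -T expire 86400, otherwise a persist table only ever grows. Two caveats a practitioner should keep in mind: the os match looks only at TCP SYN characteristics, which a client can imitate, so as jggimi says it is log hygiene rather than access control, and it will also refuse your own connection from a phone or a non-OpenBSD laptop; and flush global tears down every state from an overloaded address, including ones unrelated to ssh, so put a plain pass rule for your own networks ahead of the tracked rule if a lockout would be expensive.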