OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
sshguard
Context
I open up ssh to the internet, so I can log in from outside my house to my server at home. I have added a strong ssh key, and disabled login with password. I have added a brute-force part to my pf.conf from: https://home.nuug.no/~peter/pf/en/bruteforce.html But I still see login attempts from external users in my /var/log/authlog. So I installed sshguard:
Code:
pkg_add sshguard
Code:
table <sshguard> persist
block in proto tcp from <sshguard>
And on a more meta level, does a program like sshguard strengthen or weaken security? Should not a -b 15000 key be strong enough in itself? Another service running increases the risk from errors or backdoors in the program. But on a more psychological level, it annoys me to see login attempts from hostile users again and again, and it clutters my /var/log/authlog.
Found a website from 2016, sshguard on OpenBSD
https://www.rtate.se/technology/bsd/...d-OpenBSD.html I hope it works now. I added:
Code:
mkdir -p /var/db/sshguard/
touch /var/db/sshguard/whitelist.db
rcctl set sshguard flags -a 5 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
rcctl restart sshguard
Last edited by psypro; 17th January 2017 at 08:34 PM.
Anybody got it working?
Code:
rcctl ls on sshguard
Code:
pfctl -T show -t bruteforce
Code:
pfctl -T show -t sshguard
I have tried running sshguard in debugging mode, by copying attack signature examples from sshguard.org. I have gotten sshguard to show "dangerous" (it finds the attack signature), but still no changes were made to the pf.conf sshguard table. I wonder what the problem is: sshguard can't influence the pf.conf sshguard table? sshguard can't read /var/log/authlog (the OpenBSD log seems more complex than the simple examples given at sshguard.org; what version of syslog is this?) Last edited by psypro; 20th January 2017 at 11:19 PM.
I think i found the error.
sshguard only works if there are login failures. With no password login, there is no login failure, only a lot of disconnects in the logs. If I enable password login for sshd, I get sshguard to block.
To my understanding this is not a best practice.
Q: What is the purpose of running sshd(8) with password authentication disabled?
A: Prevent password login.
Q: What are the odds of success of a password authentication attack on sshd(8) when password authentication is disabled?
A: Zero. There is no chance of success.
Q: What is the purpose of using sshguard?
A: To block attackers.
Q: What is the value of blocking attackers who have a zero chance of success?
A: It keeps them out of my logs. That is the only value.
Q: What is the impact of enabling password authentication?
A: It allows password login.
Q: What are the odds of a successful password authentication attack on sshd(8) when password authentication is enabled?
A: Greater than zero. There is a chance of success.
Q: What are the odds of a provisioning error in PF or in sshguard? Or a runtime failure of sshguard?
A: Greater than zero. There is a chance of a provisioning error, or of sshguard not running at the time of an attack.
Last edited by jggimi; 25th January 2017 at 03:37 PM. Reason: typo
I'll clarify my comment above.
Prior to implementing sshguard, you disabled password authentication. It was impossible for a password attack to succeed. But sshguard wasn't blocking password attacks, so you enabled password authentication. This gives sshguard something to do, but ... this gives your attackers an opportunity to succeed. Here is an analogy: Let us pretend that you have a large, walk-in safe guarding valuable items, such as those used in banks. There are very complex locks on the safe, with timers and complex keys that only you have. The door is very thick, and it cannot be drilled through or otherwise broken into. Yes, you have given your dog something to do. But why add a low-security door to your safe? Give the dog to someone else who does not have a safe.
Thank you jggimi, you are right.
This time I had understood this before you told me, but I understand that from what I had written one could be in doubt.
a) I have enforced no password login, only with key.
b) It bothers me to see so many Chinese IPs trying to get in.
c) I am quite disappointed in sshguard failing to ban these.
d) In the future a critical security bug could be found in OpenSSH; if these Chinese IPs were blocked by pf, they would not reach OpenSSH.
e) You are right in theory, 100 % secure with key, but I think in reality bugs exist, and therefore it would be better if attackers were stopped at the firewall rather than at the service.
Yes, for 5 minutes.
Password login is disabled, only enabled to learn how sshguard works. jggimi, what are your thoughts on stopping attackers at the firewall vs at the service?
If you must block the bad actors, it's not that hard to write a cron job to scan your logs for what you want and add them to the table yourself.
I just do it manually for the satisfaction. Each day, if I feel annoyed, I grep | cut | whatever and pass it to pfctl. Gone. Easily automated, even in close to real-time with cron if you want. You can also find Chinese IP lists and just block them wholesale right off the bat. I have had mixed success with this. Either the list is incomplete or wrong, or attacks come from everywhere anyway. That's the nature of a botnet. Or you could learn to trust ssh, as you seem to implicitly trust pf, and just let it go.
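One way to implement the cron-job approach described in this post, as an added example that is not part of the thread and not sshguard's own code: a POSIX sh script that counts sshd failures per source address in an authlog and feeds the repeat offenders to a PF table with pfctl. The log line formats it matches, the table name `bruteforce`, the threshold of 5 and the sample log lines (RFC 5737 documentation addresses) are all assumptions constructed for the example. It deliberately also counts the pre-auth disconnects that are all you see when password authentication is off, which is the case sshguard was not handling earlier in the thread.

```shell
#!/bin/sh
# Added example (not from this thread or from sshguard): a cron-friendly script
# that scans an OpenBSD authlog for hosts that repeatedly fail sshd
# authentication and adds them to a PF table. Run it from root's crontab
# against /var/log/authlog; with no argument it does nothing.
#
# Assumptions (not stated in the thread): the log lines are OpenSSH sshd
# messages of the forms "Failed password for ... from A port N",
# "Disconnected from authenticating user U A port N [preauth]" and
# "Connection closed by authenticating user U A port N [preauth]"; the
# table name matches a "table <bruteforce> persist" line in pf.conf; the
# threshold is a site policy choice.

THRESHOLD=${THRESHOLD:-5}      # failures per host before it is blocked
TABLE=${TABLE:-bruteforce}     # PF table name, must exist in pf.conf

# offenders LOGFILE THRESHOLD
# Prints "count address" for each host with at least THRESHOLD failures,
# highest count first. Only sshd lines are considered, and the address is
# taken as the field just before "port", which holds for all three message
# forms above, including the pre-auth disconnects that are all that gets
# logged when password authentication is disabled.
offenders() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Disconnected from authenticating user|Connection closed by authenticating user)/ {
            for (i = 2; i <= NF; i++)
                if ($i == "port") { n[$(i-1)]++; break }
        }
        END { for (a in n) if (n[a] >= thr) printf "%d %s\n", n[a], a }
    ' "$1" | sort -rn
}

# block_offenders LOGFILE
# Adds each offender to the PF table. Falls back to a dry run when not
# root or when pfctl is absent, so the logic can be exercised anywhere.
block_offenders() {
    offenders "$1" "$THRESHOLD" | while read -r count addr; do
        if [ "$(id -u)" -eq 0 ] && command -v pfctl >/dev/null 2>&1; then
            pfctl -t "$TABLE" -T add "$addr"
        else
            echo "dry run: would add $addr to <$TABLE> ($count failures)"
        fi
    done
}

# write_sample_log FILE
# Writes a constructed authlog excerpt (RFC 5737 documentation addresses)
# so the script can be tried without a real server.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 20 10:15:01 gw sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Jan 20 10:15:03 gw sshd[12345]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jan 20 10:15:05 gw sshd[12346]: Disconnected from authenticating user root 203.0.113.5 port 41250 [preauth]
Jan 20 10:15:09 gw sshd[12347]: Connection closed by authenticating user root 203.0.113.5 port 41260 [preauth]
Jan 20 10:16:00 gw sshd[12350]: Disconnected from authenticating user root 198.51.100.7 port 50001 [preauth]
Jan 20 10:16:02 gw sshd[12351]: Disconnected from authenticating user admin 198.51.100.7 port 50002 [preauth]
Jan 20 10:16:04 gw sshd[12352]: Disconnected from authenticating user pi 198.51.100.7 port 50003 [preauth]
Jan 20 10:20:00 gw sshd[12360]: Accepted publickey for psypro from 192.0.2.9 port 60000 ssh2: ED25519 SHA256:placeholder
Jan 20 10:21:00 gw sshd[12361]: Disconnected from user psypro 192.0.2.9 port 60000
EOF
}

# Cron usage: pass the log path, e.g. "sh block-ssh-abusers.sh /var/log/authlog"
if [ $# -gt 0 ]; then
    block_offenders "$1"
fi
```

Pair it with a `table <bruteforce> persist` line and a `block in quick proto tcp from <bruteforce>` rule as in the first post, and age entries out from the same crontab with `pfctl -t bruteforce -T expire 86400` so a mistyped threshold does not lock an address out forever. The script only reads the log and only adds addresses, so keep your own address in a whitelist table that is matched before the block rule.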
You can reduce the amount of failed-attack messages in your logs with PF stateful tracking options. You can also reduce the number of authentication attempts for any connected session with sshd_config(5) MaxAuthTries. If you set that to 1, for example, a failed attempt will disconnect the session. An attacker who reconnects to attack again may then be blocked by stateful tracking rules. My public facing servers always have these three options set in sshd_config:
Code:
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 1
Last edited by jggimi; 25th January 2017 at 08:00 PM. Reason: too many words
Trust
Not knowing the various code paths, I can't answer the question of whether disable password login && sshguard is meaningfully more secure than either alone.
But enabling password login in order to see blocked attempts is rather like looking for an exterminator whose work will ensure that you actually see dead termites. I don't know that there is any drawback to running both. But unless you don't trust the logs to show SUCCESSFUL login attempts, I see no value in configuring so as to guarantee that you will see failures. |
I had the same problem with attempts from all over the world.
Since our/my needs were to allow only US based IPs into ssh (actually more restricted than that), we created a table of US CIDRs and made that entry in pf.conf to filter some noise out of the system. If the attempt was not from a US IP then it was dropped first. Of course you then must update that file occasionally. Speed was not affected as pf searches table files rapidly.
I cannot see a valid "password required" use-case, if the end-user can be instructed to use a more secure authentication method. And that is the only thing stopping safer authentication. Even in situations where private credentials (key or cert) cannot be used, other authentications are better than passwords. I carried a one-time-pad in my wallet for use with S/Key, for example. I know there are admins who like to enable root password authentication on a freshly installed system in order to then leave the console and provision it from elsewhere. But they don't need to. For example, the admin could include an authorized_keys file in a siteXX.tgz file set, or just download it from a network location prior to departing the console. Last edited by jggimi; 26th January 2017 at 03:19 PM. Reason: clarity, typo, and siteXX referral |
I recently set up a server where I am the only user, and the only ssh connections will ever be from an OpenBSD laptop.
I elected to use Passive Operating System Fingerprinting as an access control mechanism. The purpose is not security - instead it is to keep the logs relatively clean and clear. I am still using stateful tracking, and am using public key authentication with passphrase as the only allowed authentication method. Last edited by jggimi; 29th January 2017 at 01:43 PM. Reason: clarity |