Re: Minimize sshd log clutter/spam from unauthenticated connections

On 18.03.23 14:19, Philipp Marek wrote:
I guess you might find fail2ban useful.

It scans logfiles (like /var/log/sshd.log), and when it sees too many authentication failures from an IP address (or network range) it can issue commands to drop any further attempts via a firewall.

By having it read its own logfile it's possible to have repeated offenders be cut out for longer and longer time spans.

https://www.fail2ban.org/wiki/index.php/Main_Page
https://supine.com/posts/2012/08/fail2ban-monitoring-itself-recursively/

Thanks for the suggestion. I've looked into solutions like fail2ban in the past, but have decided on a simpler approach. On some Linux hosts I use the following nftables rules (commented and stripped for clarity):

table inet filter {
	# set of IP addresses that have successfully authenticated
	# filled via, e.g., the following /root/.ssh/rc (simple example without error handling):
	# `nft add element inet filter sshauth { ${SSH_CONNECTION%% *} timeout 4h }`
	set sshauth {
		type ipv4_addr
		flags timeout, dynamic
	}

	# set of IP addresses (or rather /24 subnets, see below) that have
	# established new TCP connections to SSHD
	set sshlimit {
		type ipv4_addr
		flags timeout, dynamic
	}

	chain input {
		type filter hook input priority 0; policy drop;

		# accept new connections from IP addresses that have authenticated before
		ip saddr @sshauth tcp dport 22 ct state new counter accept
		# accept new connections from all other addresses with significant rate
		# limit on /24 subnet
		ip protocol tcp tcp dport 22 ct state new add @sshlimit { ip saddr & 255.255.255.0 timeout 1h limit rate 2/hour } counter accept

		# accept established connections and reject the rest (whatever exceeds
		# above rate limit)
		ct state { established, related } accept
		meta pkttype unicast ip protocol tcp counter reject with tcp reset
	}
}

The result is similar to fail2ban in that it aggressively limits any repeat connections that do not authenticate successfully, albeit with a significantly smaller attack surface and configuration effort. The trick to make it usable despite the 2/hour connection limit is to manually fill the set sshauth, either via an .ssh/rc file (will only work for root) or by parsing the ssh log and adding IP addresses that authenticate successfully.

Best regards,
Carsten

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
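The log-parsing variant Carsten mentions for filling sshauth, as an added example that is not from the original mail or from OpenSSH: it extracts the client address from sshd's "Accepted ..." messages and adds it to the set with the same 4h timeout as the .ssh/rc one-liner. The table and set names come from the posted rules; the log path, the timeout variable and the --follow flag are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail: feed successfully
# authenticated client addresses into the "sshauth" set of the nftables
# rules above by parsing sshd's "Accepted ..." log messages, so that
# non-root logins also bypass the 2/hour limit (the .ssh/rc trick only
# works for root). Assumed: table "inet filter" and set "sshauth" of type
# ipv4_addr as posted; OpenSSH's standard "Accepted <method> for <user>
# from <ip> port <n>" message; log path and timeout are assumptions.

SSHD_LOG="${SSHD_LOG:-/var/log/auth.log}"   # assumption: syslog-style sshd log
SSHAUTH_TIMEOUT="${SSHAUTH_TIMEOUT:-4h}"    # same timeout as the .ssh/rc example

# Print, once each, the IPv4 source addresses of "Accepted" lines on stdin.
# IPv6 peers never match (the set is ipv4_addr); failed logins are ignored.
extract_accepted_ips() {
    sed -n 's|.*Accepted [A-Za-z0-9/-]* for [^ ]* from \([0-9][0-9.]*\) port [0-9]*.*|\1|p' | sort -u
}

# Reject anything that is not a well-formed dotted quad before passing it to nft.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# Add one address to the dynamic set with the timeout; an element that is
# already present simply gets its timer refreshed.
sshauth_add() {
    is_ipv4 "$1" || { echo "skipping malformed address: $1" >&2; return 1; }
    nft add element inet filter sshauth "{ $1 timeout $SSHAUTH_TIMEOUT }"
}

# Constructed sample log (RFC 5737 documentation addresses) for offline testing.
SAMPLE_LOG='Mar 18 14:19:01 host sshd[1234]: Accepted publickey for carsten from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:abc
Mar 18 14:19:02 host sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar 18 14:19:03 host sshd[1236]: Accepted password for carsten from 192.0.2.10 port 51300 ssh2
Mar 18 14:19:04 host sshd[1237]: Accepted keyboard-interactive/pam for bob from 203.0.113.5 port 2222 ssh2
Mar 18 14:19:05 host sshd[1238]: Accepted publickey for bob from 2001:db8::1 port 3333 ssh2: RSA SHA256:xyz'

# Run with --follow to tail the live log and add each address as it appears.
if [ "${1:-}" = "--follow" ]; then
    tail -F "$SSHD_LOG" | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | extract_accepted_ips)
        [ -n "$ip" ] && sshauth_add "$ip"
    done
fi
```

Run as root so that nft can modify the set; a unit or supervisor that restarts the script on exit keeps the tail going across log rotation.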
