Sshguard

From Alpine Linux

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

sshguard does not support custom log parsing. Check the sshguard website to see which services it supports.

Installation

sshguard can use several backends; you can list them with ls /usr/libexec/sshg-fw*. The easiest backend on Alpine is nftables. After you install sshguard, you will need to create a config file or it won't start.

apk add sshguard nftables

Contents of /etc/sshguard.conf

#!/bin/sh
BACKEND='/usr/libexec/sshg-fw-nft-sets'
FILES='/var/log/messages'

You can view the rules with nft list ruleset
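
A pre-flight check for the config file described above, as an added example (not part of sshguard or the Alpine package). check_sshguard_conf is a hypothetical helper; it assumes the file sets BACKEND and FILES as in the sample above, and it evaluates the file as shell, so point it only at a config you control.

```sh
#!/bin/sh
# Added example: verify an sshguard config before starting the service.
# check_sshguard_conf is a hypothetical helper name, not an sshguard tool.

check_sshguard_conf() {
    conf="${1:-/etc/sshguard.conf}"
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is missing or unreadable" >&2
        return 1
    fi
    # Evaluate the file in a subshell so its variables do not leak
    # into the calling shell. The file is plain shell assignments.
    (
        BACKEND=''
        FILES=''
        . "$conf" || exit 1
        rc=0
        if [ -z "$BACKEND" ]; then
            echo "FAIL: BACKEND is not set" >&2
            rc=1
        elif [ ! -x "$BACKEND" ]; then
            echo "FAIL: backend $BACKEND is not executable" >&2
            rc=1
        fi
        if [ -z "$FILES" ]; then
            # Assumption: log files are the input source, as on this page.
            echo "FAIL: FILES is not set" >&2
            rc=1
        fi
        # FILES is a space-separated list, so split it on whitespace.
        for f in $FILES; do
            if [ ! -r "$f" ]; then
                echo "FAIL: log file $f is not readable" >&2
                rc=1
            fi
        done
        if [ "$rc" -eq 0 ]; then
            echo "OK: $conf"
        fi
        exit "$rc"
    )
}
```

Call it as check_sshguard_conf /etc/sshguard.conf; a non-zero exit status means at least one FAIL line was printed to standard error.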

Iptables backend

To use the iptables backend, you must first create a chain called "sshguard". Enable the iptables service to save the rules at shutdown and reload them at boot.

iptables -N sshguard
iptables -A INPUT -j sshguard
rc-update add iptables boot

You can view the rules with iptables -L