sshguard.net
Aku secara pribadi lebih suka plain iptables, lebih mudah untuk custom rule aneh-aneh. Namun, semenjak debian 10 beralih ke nftables, aku lari ke firewalld. Sebab, aku belum begitu memahami nftables. Firewalld versi terakhir sudah mendukung nftables, makanya aku pakai firewalld aja.
Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. -- firewalld.org
Oleh sebab aku pakai Debian 10 dan Firewalld, maka beginilah proses instalasi dan konfirgurasi sshguard
Pertama, tentu aku install paket sshguard
apt update
apt install sshguard
Kedua, config sshguard supaya pakai backend firewalld
nano /etc/sshguard/sshguard.conf
# isinya setelah aku edit
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
# aku pakai firewalld
BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-firewalld"
# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30
# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
# Blokir selama 24 hours (60480 seconds)
BLOCK_TIME=60480
# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
# Track IP addresses selama 24 hours (60480 seconds)
DETECTION_TIME=60480
# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/etc/sshguard/whitelist
Ketiga, restart dan enable service sshguard
systemctl restart sshguard
systemctl enable sshguard
Kalau mau melihat sshguard beraksi, silakan pakai journalctl
root@wiki:/home/sumar# LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
Contoh outputnya dapat dilihat digambar
Dari gambar nampak:
...
Blocking "192.241.210.26/32" for 60480 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
...
Blocking "221.181.185.140/32" for 60480 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Itu artinya sshguard sudah berjalan sebagaimana mestinya.
Untuk cek daftar IP Address yang terblokir gunakan perintah:
root@wiki:/home/sumar# firewall-cmd --info-ipset=sshguard4
# outputnya
sshguard4
type: hash:net
options: family=inet
entries: 192.241.210.26/32 221.181.185.140/32 221.131.165.124/32 221.181.185.223/32 139.59.144.132/32 81.161.63.254/32 62.221.121.185/32
Sekali lagi konteksnya aku pakai debian 10, nftables, dan firewald.
Cool~