使用sshguard保护OpenSSH服务器

你是不是因为自己的SSH服务器受到攻击而烦恼？现在好了，有了sshguard，你就可以安枕无忧了，虽然它现在依然处于beta版本，但是它的性能一点也不差。 

Are you concerned about brute force dictionary attacks on SSH? Given the popularity of these attacks, you should be. sshguard is a new tool to help protect against such attacks. Although it is still in beta stage, it appears to work well.

OpenSSH provides a secure alternative to clear-text logins used by first-generation network protocols like Telnet and FTP. But it's not enough simply to use SSH instead of Telnet -- you have to use it wisely. If you use weak passwords with SSH, a brute force dictionary attack will reveal your secrets as easily as if your password were sent in clear text.

sshguard protects you from brute force attacks on port 22. It watches SSH login attempts and inserts a rule in your firewall to block the IP addresses of attackers. By default, sshguard will block an attacker (insert a rule in the firewall to block the attacker's IP address) after four unsuccessful attempts within a 20-minute period. Blocked IP addresses are allowed past the firewall again after a random interval of between 7 and 10.5 minutes.

Installation

Here's how to install sshguard on a typical Linux system. Download the latest version and decompress it with the command tar xjf sshguard-0.9.tar.bz2. From there the installation instructions vary by platform, so peruse the README you'll find in the sshguard-0.9 directory, even if you're following the instructions here.

To compile sshguard, enter the command python scons.py -Q FIREWALLTYPE=iptables. Once it's compiled, install it by running as root the command python scons.py -Q FIREWALLTYPE=iptables install.

About the author

Michele Mazzucchi, a 24-year-old IT consultant and graduate student from Italy, says he created sshguard because "none of the tools available were good enough for me: not cross-firewall, or too intrusive into the system, or poorly reliable, or combinations of these." In the future he plans to add things like: more firewall back ends (such as remote appliances) support for hostnames in log entries instead of simple IP addresses context-free "attack" specifications Michele says he is looking for people to help package the project for the most popular platforms. He is doing the FreeBSD port himself, but he needs use help with packaging for Debian, Gentoo, Fedora, and others. You can contact him via the project homepage.

There are still three things you need to do before sshguard is ready to use. First, create a new dynamic rule for sshguard for iptables. Enter these commands as root:

iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

Now make sure sshguard learns of login attempts. There's more than one way to do this (see the README), but let's try what the developers say is the easiest, most efficient way, by using the tail command:

tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard &

You'll want to make the tail command survive a reboot. On a single-user system like mine, you can add the command to the .bashrc file in your home directory. For multi-user systems, consult your local sysadmin.

Lastly, since sshguard needs to be able to tell iptables to add and drop dynamic rules, it needs permission to do so. Use the chmod command to make the program run as root:

chmod +s /usr/local/sbin/sshguard

Does it work?

Now you're ready to test the program. Restart sshd with the command sudo /usr/sbin/sshd, then use SSH to log into your test machine from another machine. That login attempt will, if the installation has gone correctly, kick start sshguard into action. Verify that it has by entering the following command and checking for an instance of sshguard running. It should look something like this:

ps ax |grep sshguard
27729 pts/1  Sl   0:00 /usr/local/sbin/sshguard

I tested from another machine on my LAN, purposely entering an invalid password at each prompt. After four such attempts, I could no longer reach the sshguarded desktop box from the machine I was testing on, just as advertised. A few minutes later, I could once again try to log in. The dynamic blocking rules for iptables appeared to work just as they should.

 如果您对本文有任何疑问或者建议，请到讨论区发表您的意见: >> 论坛入口 <<

上一页12 下一页

上一篇：使用DVL Linux练习Linux安全攻防   下一篇：Linux下安装和使用杀毒软件AntiVir

【文章评论】 【收藏本文】 【推荐好友】 【打印本文】 【我要投稿】 【论坛讨论】