Alternative to fail2ban for protecting SSH access against brute-force attacks.
→ https://linuxiac.com/how-to-secure-ssh-server-with-sshguard/
apt install sshguard
Default configuration file: /etc/sshguard/sshguard.conf

  #### REQUIRED CONFIGURATION ####
  # Full path to backend executable (required, no default)
  BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"

  # Shell command that provides logs on standard output. (optional, no default)
  # Example 1: ssh and sendmail from systemd journal:
  LOGREADER="LANG=C journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"

  #### OPTIONS ####
  # Block attackers when their cumulative attack score exceeds THRESHOLD.
  # Most attacks have a score of 10. (optional, default 30)
  THRESHOLD=30

  # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
  # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
  BLOCK_TIME=120

  # Remember potential attackers for up to DETECTION_TIME seconds before
  # resetting their score. (optional, default 1800)
  DETECTION_TIME=1800

  # IP addresses listed in the WHITELIST_FILE are considered to be
  # friendlies and will never be blocked.
  WHITELIST_FILE=/etc/sshguard/whitelist
By default, with this configuration, sshguard uses nft commands to block the IP addresses. Here is how to see what has been blocked:

  nft list table sshguard

  table ip sshguard {
          set attackers {
                  type ipv4_addr
                  flags interval
                  elements = { 45.78.219.211, 45.78.219.217,
                               45.78.227.4, 79.104.0.82,
                               103.86.180.10, 115.112.66.197,
                               154.91.170.52, 193.46.255.33,
                               193.46.255.99 }
          }

          chain blacklist {
                  type filter hook input priority filter - 10; policy accept;
                  ip saddr @attackers drop
          }
  }