Melindungi Debian 10 Server Pakai Sshguard Dan Firewalld

28 Januari 2021 • 3 menit untuk membaca artikel ini

Salah satu kewajiban dalam ngurus server adalah mengamankan jalur masuk ke server, yakni SSH. Salah satu cara untuk mengamankan akses SSH adalah dengan memakai sshguard. SSH guard berkeja dengan cara melakukan monitor terhadap log SSH dan melakukan tindakan pemblokiran terhadap IP yang berkali-kali gagal auth dengan memanfaatkan firewall yang ada pada system misalnya iptables, nftables, atau interface lebih tinggi yakni firewalld atau ufw.

sshguard is an intrusion prevention system that parses server logs, determines malicious activity, and uses the system firewall to block the IP addresses of malicious connections. sshguard is written in C so it does not tax an interpreter. – wiki gentoo

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf. – sshguard.net

Aku secara pribadi lebih suka plain iptables, lebih mudah untuk custom rule aneh-aneh. Namun, semenjak debian 10 beralih ke nftables, aku lari ke firewalld. Sebab, aku belum begitu memahami nftables. Firewalld versi terakhir sudah mendukung nftables, makanya aku pakai firewalld aja.

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly. – firewalld.org

Oleh sebab aku pakai Debian 10 dan Firewalld, maka beginilah proses instalasi dan konfirgurasi sshguard

Pertama, tentu aku install paket sshguard

apt update
apt install sshguard

Kedua, config sshguard supaya pakai backend firewalld

nano /etc/sshguard/sshguard.conf

# isinya setelah aku edit
#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
# aku pakai firewalld
BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-firewalld"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
# Blokir selama 24 hours (60480 seconds)
BLOCK_TIME=60480

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
# Track IP addresses selama 24 hours (60480 seconds)
DETECTION_TIME=60480

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/etc/sshguard/whitelist

Ketiga, restart dan enable service sshguard

systemctl restart sshguard
systemctl enable sshguard

Kalau mau melihat sshguard beraksi, silakan pakai journalctl

root@wiki:/home/sumar# LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

Contoh outputnya dapat dilihat digambar

SSHGuard in action

Dari gambar nampak:

...
Blocking "192.241.210.26/32" for 60480 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
...
Blocking "221.181.185.140/32" for 60480 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)

Itu artinya sshguard sudah berjalan sebagaimana mestinya.

Untuk cek daftar IP Address yang terblokir gunakan perintah:

root@wiki:/home/sumar# firewall-cmd --info-ipset=sshguard4

# outputnya
sshguard4
  type: hash:net
  options: family=inet
  entries: 192.241.210.26/32 221.181.185.140/32 221.131.165.124/32 221.181.185.223/32 139.59.144.132/32 81.161.63.254/32 62.221.121.185/32

Sekali lagi konteksnya aku pakai debian 10, nftables, dan firewald.

Cool~

Techlinuxdebian 10sshguardfirewald

Sumarsono

System Administrator
Kembali ke atas

HAproxy Dynamic Responses>>

<<Inbucket - Self Hosted Disposable Email Server