.\" Copyright (c) 2015 The DragonFly Project.  All rights reserved.
.\"
.\" This code is derived from software contributed to The DragonFly Project
.\" by Matthew Dillon <dillon@backplane.com>
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in
.\"    the documentation and/or other materials provided with the
.\"    distribution.
.\" 3. Neither the name of The DragonFly Project nor the names of its
.\"    contributors may be used to endorse or promote products derived
.\"    from this software without specific, prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd September 13, 2017
.Dt SSHLOCKOUT 8
.Os
.Sh NAME
.Nm sshlockout
.Nd utility to block port 22 on preauth failures
.Sh SYNOPSIS
.Bd -literal
#
# pf(4) configuration.
#

# in /etc/pf.conf
#
table <lockout> persist { }

# and later in /etc/pf.conf - see below
#
block in quick on $ext_if proto tcp from <lockout> to any port 22

# in /etc/syslog.conf
#
auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf "lockout"

# in root's crontab
#
3 3 * * * pfctl -tlockout -T expire 86400

#
# ipfw(8) configuration.
#
ipfw table 0 create
ipfw add deny ip from '<0>' to any

# in /etc/syslog.conf
#
auth.info;authpriv.info |exec /usr/sbin/sshlockout -ipfwtbl 0

# in root's crontab
#
3 3 * * * ipfw -fq table 0 expire 86400
.Ed
.Sh DESCRIPTION
This program is generally installed in
.Pa /etc/syslog.conf
as a pipe to parse the
.Xr sshd 8
daemon's error log in real time.
In addition, a root crontab entry should generally be created to clean
out stale entries in the
.Xr pf 4
or
.Xr ipfw 8
.Ar table
at least once a day.
Using expire instead of flush will maintain a rolling window of locked-out
IPs.
The
.Xr pf 4
or
.Xr ipfw 8
module must be loaded and running with the table and rules properly
configured.
.Pp
This program will monitor the ssh syslog output and keep track of attempts
to log in as unknown users as well as preauth failures.
If 5 attempts fail in any one hour period, a permanent entry is added to the
.Xr pf 4
or
.Xr ipfw 8
.Ar table
for the associated IP address.
You still have to add a rule to
.Xr pf.conf 5
or use
.Xr ipfw 8
to block IP addresses listed in this table.
The cron entry you create cleans out the block list, typically once a day.
.Pp
This program generally limits brute-force attempts to break into a machine
via ssh.
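.Pp
The following is an added example and not part of the
.Nm
source.
It sketches the policy described above in Python: failures are counted per
source address in a rolling one-hour window, and once five are seen the
.Xr pfctl 8
command that adds the address to the table is returned rather than executed.
The year, the sshd log message shapes and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not sshlockout(8) source: 5 failures from one address in any hour -> pf(4) table.
THRESHOLD, WINDOW, YEAR = 5, 3600, 2017  # hits, seconds, assumed year (syslog has none)
FAIL_MARKERS = ("Invalid user", "[preauth]")  # assumed sshd(8) message shapes
MSG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
IP_RE = re.compile(r" from (\d{1,3}(?:\.\d{1,3}){3})\b")

class Lockout:
    def __init__(self, table="lockout"):
        self.table = table
        self.hits = defaultdict(deque)  # ip -> epoch seconds of recent failures
        self.locked = set()

    def feed(self, line):
        """Consume one syslog line; return the pfctl command to run, or None."""
        m = MSG_RE.match(line)
        ip_m = m and IP_RE.search(m.group(2))
        if not ip_m or not any(k in m.group(2) for k in FAIL_MARKERS):
            return None  # not an sshd failure line with a source address
        ip = ip_m.group(1)
        when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S").timestamp()
        q = self.hits[ip]
        q.append(when)
        while when - q[0] > WINDOW:  # slide the one-hour window forward
            q.popleft()
        if len(q) >= THRESHOLD and ip not in self.locked:
            self.locked.add(ip)
            return f"pfctl -t {self.table} -T add {ip}"
        return None

def run(lines, table="lockout"):
    """Feed lines in order; return every lockout command produced."""
    lo = Lockout(table)
    return [cmd for cmd in map(lo.feed, lines) if cmd]

SAMPLE = [  # constructed sample lines, not captured traffic
    "Sep 13 09:00:00 gw sshd[1000]: Received disconnect from 203.0.113.5 port 41000:11: Bye Bye [preauth]",
    "Sep 13 09:30:00 gw sshd[1001]: Received disconnect from 203.0.113.5 port 41001:11: Bye Bye [preauth]",
    "Sep 13 09:50:00 gw sshd[1002]: Received disconnect from 203.0.113.5 port 41002:11: Bye Bye [preauth]",
    "Sep 13 10:00:01 gw sshd[1003]: Invalid user admin from 192.0.2.10 port 50001",
    "Sep 13 10:05:00 gw sshd[1004]: Received disconnect from 192.0.2.10 port 50002:11: Bye Bye [preauth]",
    "Sep 13 10:12:00 gw sshd[1006]: Invalid user test from 192.0.2.10 port 50003",
    "Sep 13 10:20:00 gw sshd[1007]: Invalid user oracle from 192.0.2.10 port 50004",
    "Sep 13 10:30:00 gw sshd[1008]: Received disconnect from 203.0.113.5 port 41003:11: Bye Bye [preauth]",
    "Sep 13 10:45:00 gw sshd[1009]: Received disconnect from 203.0.113.5 port 41004:11: Bye Bye [preauth]",
    "Sep 13 10:50:00 gw sshd[1010]: Invalid user guest from 192.0.2.10 port 50005",
]
```

The crontab expire entries in the SYNOPSIS age the table itself; this sketch only decides when an address is added.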
.Pp
When setting up the
.Xr pf 4
or
.Xr ipfw 8
rules,
note that the table will be filled based on failed ssh connections destined
to that particular machine.
If the machine is acting as a router you can decide whether you want the
.Xr pf 4
or
.Xr ipfw 8
rule to lock out that suspect IP from just the machine,
or from everything it routes to.
We usually recommend an unconditional blocking rule.
.Sh NOTICE
This program is still a work in progress.
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr pf 4 ,
.Xr syslog.conf 5 ,
.Xr ipfw 8 ,
.Xr sshd 8
.Sh HISTORY
The
.Nm
utility first appeared in
.Dx 4.1 .
.Sh AUTHORS
.An Matthew Dillon Aq Mt dillon@backplane.com