1.\" Copyright (c) 2015 The DragonFly Project. All rights reserved. 2.\" 3.\" This code is derived from software contributed to The DragonFly Project 4.\" by Matthew Dillon <dillon@backplane.com> 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in 14.\" the documentation and/or other materials provided with the 15.\" distribution. 16.\" 3. Neither the name of The DragonFly Project nor the names of its 17.\" contributors may be used to endorse or promote products derived 18.\" from this software without specific, prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 26.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.Dd January 1, 2015 34.Dt SSHLOCKOUT 8 35.Os 36.Sh NAME 37.Nm sshlockout 38.Nd utility to block port 22 on preauth failures 39.Sh SYNOPSIS 40.Pp 41(/etc/pf.conf) 42.Cd table <lockout> persist { } 43.Pp 44(and later in /etc/pf.conf - see below) 45.Cd block in quick on $ext_if proto tcp from <lockout> to any port 22 46.Cd block in quick on $ext_if proto tcp from <lockout> to any port 22 47.Pp 48(/etc/syslog.conf) 49.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf "lockout" 50.Pp 51(root crontab) 52.Cd 3 3 * * * pfctl -tlockout -T expire 86400 53.Sh DESCRIPTION 54This program is generally installed in 55.Pa /etc/syslog.conf 56as a pipe to parse the 57.Xr sshd 8 58demons error log in realtime. 59In addition, a root crontab entry should generally be created to clean 60out stale entries in the 61.Xr pf 4 62.Ar table 63at least once a day. 64Using expire instead of flush will maintain a rolling window of locked out 65IPs. 66The 67.Xr pf 4 68module must be loaded and running with the table and rules properly 69configured. 70.Pp 71This program will monitor the ssh syslog output and keep track of attempts 72to login to unknown users as well as preauth failures. 73If 5 attempts fail in any one hour period, a permanent entry is added to the 74.Xr pf 4 75.Ar table 76for the associated IP address. 77You still have to add a rule to 78.Xr pf.conf 5 79to block IP addresses listed in this table. 80The cron entry you create cleans the block list out typically once a day. 81.Pp 82This program generally limits brute-force attempts to break into a machine 83via ssh. 84.Pp 85When setting up the PF rules, note that the table will be filled based on 86failed ssh connections destined to that particular machine. If the machine 87is acting as a router you can decide whether you want the PF rule to lockout 88that suspect IP to just the machine, or to everything it routes to. We 89usually recommend an unconditional blocking rule. 90.Sh NOTICE 91This program is still a work in progress. 92.Sh SEE ALSO 93.Xr ssh 1 , 94.Xr pf 4 , 95.Xr syslog.conf 5 , 96.Xr sshd 8 97.Sh HISTORY 98The 99.Nm 100utility first appeared in 101.Dx 4.1 . 102.Sh AUTHORS 103.An Matthew Dillon Aq Mt dillon@backplane.com 104