1.\" Copyright (c) 2015 The DragonFly Project. All rights reserved. 2.\" 3.\" This code is derived from software contributed to The DragonFly Project 4.\" by Matthew Dillon <dillon@backplane.com> 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in 14.\" the documentation and/or other materials provided with the 15.\" distribution. 16.\" 3. Neither the name of The DragonFly Project nor the names of its 17.\" contributors may be used to endorse or promote products derived 18.\" from this software without specific, prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 26.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.Dd September 13, 2017 34.Dt SSHLOCKOUT 8 35.Os 36.Sh NAME 37.Nm sshlockout 38.Nd utility to block port 22 on preauth failures 39.Sh SYNOPSIS 40.Cd # 41.Cd # pf(4) configuration. 42.Cd # 43.Pp 44.Cd # in /etc/pf.conf 45.Cd # 46.Cd table <lockout> persist { } 47.Pp 48.Cd # and later in /etc/pf.conf - see below 49.Cd # 50.Cd block in quick on $ext_if proto tcp from <lockout> to any port 22 51.Pp 52.Cd # in /etc/syslog.conf 53.Cd # 54.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf "lockout" 55.Pp 56.Cd # in root's crontab 57.Cd # 58.Cd 3 3 * * * pfctl -tlockout -T expire 86400 59.Pp 60.Pp 61.Cd # 62.Cd # ipfw(8) configuration. 63.Cd # 64.Cd ipfw table 0 create 65.Cd ipfw add deny ip from '<0>' to any 66.Pp 67.Cd # in /etc/syslog.conf 68.Cd # 69.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -ipfwtbl 0 70.Pp 71.Cd # in root's crontab 72.Cd # 73.Cd 3 3 * * * ipfw -fq table 0 expire 86400 74.Sh DESCRIPTION 75This program is generally installed in 76.Pa /etc/syslog.conf 77as a pipe to parse the 78.Xr sshd 8 79demons error log in realtime. 80In addition, a root crontab entry should generally be created to clean 81out stale entries in the 82.Xr pf 4 83or 84.Xr ipfw 8 85.Ar table 86at least once a day. 87Using expire instead of flush will maintain a rolling window of locked out 88IPs. 89The 90.Xr pf 4 91or 92.Xr ipfw 8 93module must be loaded and running with the table and rules properly 94configured. 95.Pp 96This program will monitor the ssh syslog output and keep track of attempts 97to login to unknown users as well as preauth failures. 98If 5 attempts fail in any one hour period, a permanent entry is added to the 99.Xr pf 4 100or 101.Xr ipfw 8 102.Ar table 103for the associated IP address. 104You still have to add a rule to 105.Xr pf.conf 5 106or use 107.Xr ipfw 8 108to block IP addresses listed in this table. 109The cron entry you create cleans the block list out typically once a day. 110.Pp 111This program generally limits brute-force attempts to break into a machine 112via ssh. 113.Pp 114When setting up the 115.Xr pf 4 116or 117.Xr ipfw 8 118rules, 119note that the table will be filled based on failed ssh connections destined 120to that particular machine. 121If the machine is acting as a router you can decide whether you want the 122.Xr pf 4 123or 124.Xr ipfw 8 125rule to lockout that suspect IP to just the machine, 126or to everything it routes to. 127We usually recommend an unconditional blocking rule. 128.Sh NOTICE 129This program is still a work in progress. 130.Sh SEE ALSO 131.Xr ssh 1 , 132.Xr pf 4 , 133.Xr syslog.conf 5 , 134.Xr ipfw 8 , 135.Xr sshd 8 136.Sh HISTORY 137The 138.Nm 139utility first appeared in 140.Dx 4.1 . 141.Sh AUTHORS 142.An Matthew Dillon Aq Mt dillon@backplane.com 143