1.\" Copyright (c) 2015 The DragonFly Project. All rights reserved. 2.\" 3.\" This code is derived from software contributed to The DragonFly Project 4.\" by Matthew Dillon <dillon@backplane.com> 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 10.\" 1. Redistributions of source code must retain the above copyright 11.\" notice, this list of conditions and the following disclaimer. 12.\" 2. Redistributions in binary form must reproduce the above copyright 13.\" notice, this list of conditions and the following disclaimer in 14.\" the documentation and/or other materials provided with the 15.\" distribution. 16.\" 3. Neither the name of The DragonFly Project nor the names of its 17.\" contributors may be used to endorse or promote products derived 18.\" from this software without specific, prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25.\" INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, 26.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 28.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 30.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.Dd September 13, 2017 34.Dt SSHLOCKOUT 8 35.Os 36.Sh NAME 37.Nm sshlockout 38.Nd utility to block port 22 on preauth failures 39.Sh SYNOPSIS 40.Cd # 41.Cd # pf(4) configuration. 42.Cd # 43.Pp 44.Cd # in /etc/pf.conf 45.Cd # 46.Cd table <lockout> persist { } 47.Pp 48.Cd # and later in /etc/pf.conf - see below 49.Cd # 50.Cd block in quick on $ext_if proto tcp from <lockout> to any port 22 51.Pp 52.Cd # in /etc/syslog.conf 53.Cd # 54.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -pf "lockout" 55.Pp 56.Cd # in root's crontab 57.Cd # 58.Cd 3 3 * * * pfctl -tlockout -T expire 86400 59.Pp 60.Cd # 61.Cd # ipfw(8) configuration. 62.Cd # 63.Cd ipfw table 0 create 64.Cd ipfw add deny ip from '<0>' to any 65.Pp 66.Cd # in /etc/syslog.conf 67.Cd # 68.Cd auth.info;authpriv.info |exec /usr/sbin/sshlockout -ipfwtbl 0 69.Pp 70.Cd # in root's crontab 71.Cd # 72.Cd 3 3 * * * ipfw -fq table 0 expire 86400 73.Sh DESCRIPTION 74This program is generally installed in 75.Pa /etc/syslog.conf 76as a pipe to parse the 77.Xr sshd 8 78demons error log in realtime. 79In addition, a root crontab entry should generally be created to clean 80out stale entries in the 81.Xr pf 4 82or 83.Xr ipfw 8 84.Ar table 85at least once a day. 86Using expire instead of flush will maintain a rolling window of locked out 87IPs. 88The 89.Xr pf 4 90or 91.Xr ipfw 8 92module must be loaded and running with the table and rules properly 93configured. 94.Pp 95This program will monitor the ssh syslog output and keep track of attempts 96to login to unknown users as well as preauth failures. 97If 5 attempts fail in any one hour period, a permanent entry is added to the 98.Xr pf 4 99or 100.Xr ipfw 8 101.Ar table 102for the associated IP address. 103You still have to add a rule to 104.Xr pf.conf 5 105or use 106.Xr ipfw 8 107to block IP addresses listed in this table. 108The cron entry you create cleans the block list out typically once a day. 109.Pp 110This program generally limits brute-force attempts to break into a machine 111via ssh. 112.Pp 113When setting up the 114.Xr pf 4 115or 116.Xr ipfw 8 117rules, 118note that the table will be filled based on failed ssh connections destined 119to that particular machine. 120If the machine is acting as a router you can decide whether you want the 121.Xr pf 4 122or 123.Xr ipfw 8 124rule to lockout that suspect IP to just the machine, 125or to everything it routes to. 126We usually recommend an unconditional blocking rule. 127.Sh NOTICE 128This program is still a work in progress. 129.Sh SEE ALSO 130.Xr ssh 1 , 131.Xr pf 4 , 132.Xr syslog.conf 5 , 133.Xr ipfw 8 , 134.Xr sshd 8 135.Sh HISTORY 136The 137.Nm 138utility first appeared in 139.Dx 4.1 . 140.Sh AUTHORS 141.An Matthew Dillon Aq Mt dillon@backplane.com 142