Configuring a new table for sshguard in PFhttp://sshguard.sourceforge.net/doc/setup/blockingpf.html
  1. table <sshguard> persist
  2. block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"


PF has tables: sets of addresses that together apply to the same rule. The pf installation needs a rule that blocks TCP traffic to the ssh port (or all traffic, if you prefer) from addresses that proven source of attacks.

Edit the PF configuration file, usually /etc/pf.conf:

vim /etc/pf.conf

Add this line in the table section:

table <sshguard> persist

Add this line in the packet filtering (rules) section:

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"Replace $ext_if with your WAN interface name if needed. Omit the proto tcp and the to any port 22 segment if you want to block all the traffic from attackers (not just ssh).

Issue the new configuration:

pfctl -f /etc/pf.conf

This command will display the set of addresses blocked in the sshguard table at any time:

pfctl -Tshow -tsshguardIPv6 support

PF supports IPv4 and IPv6 addresses indifferently, so the former setup covers both families. Sshguard will automatically insert IPv6 rules when IPv6 addresses need to be blocked.

http://blog.chinaunix.net/u/28922/showart_335124.html

随着互联网Unix/Linux的服务器增加,***的***对象也从Windows转向 Unix/Linux阵营了。Unix下最常用的管理软件SSH,没有限制一个IP输入错多少次密码之后就不可以再去尝试。如果想实现这个功能,可以通过 Sshguard来实现。Sshguard可以与Pf,IPFW,netfilter/iptables等几个软件结合来实现输入密码错误多次之后禁止该 IP再访问服务器的SSH端口。

Sshguard在FreeBSD与Pf结合的安装方法如下:

  1. cd /usr/ports/security/sshguard-pf
  2. make install clean

安装好之后,只要简单地配置一下Pf就行了。
在/etc/pf.conf加入以下内容:

  1. table <sshguard> persist
  2. block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

重载Pf的规则

  1. pfctl -f /etc/pf.conf

查看被Sshguard禁止访问的IP

  1. pfctl -Tshow -tsshguard
如何对抗ssh探测或*** HonestQiao
限制多次失败或者无效的ssh登录

介绍:

通过日志,我们时常看到有人想要拆解我们的ssh登录密码。我们现在要做的就是屏蔽这样子的***。

首先,限制ssh的登录回话:
man 5 sshd_config,可以看到如下的配置:
*   LoginGraceTime 120
       如果用户在规定的时间之内没有正确的登录,则断开。如果为0,则不限制;默认120秒

MaxStartups 10
设置同时发生的未验证的并发量,即同时可以有几个登录连接,默认为10
   也可以使用start:rate:full这样子的配置,例如:15:30:60,如果当前的登录连接数为15个,则30%被抛弃;如果达到了60个,则全部抛弃

然后,使用防火墙,限制多次失败或者无效的ssh登录。
其原理很简单,通过检查auth.log,如果一个ip登录失败达到或者超过5次,我们就认为是捣乱的。
先检查/etc/syslog.conf,看看是否存在:
auth.*                                        /var/log/auth.log
没有就加上,我们需要记录登录的日志来进行判断。

随后,我们就使用防火墙来做我们想要做得事情了。

IPFW:

[Copy to clipboard]
CODE: #!/bin/sh
if ipfw show | awk '{print $1}' | grep -q 20000 ; then
       ipfw delete 20000
fi
for ips in `cat /var/log/auth.log | grep sshd | grep "Illegal" | awk '{print $10}' | uniq -d` ; do
       ipfw -q add 20000 deny tcp from $ips to any
done
cat /var/log/auth.log | grep sshd | grep "Failed" | rev   | cut -d\   -f 4 | rev | sort | uniq -c | \
( while read num ips; do
if [ $num -gt 5 ]; then
      if ! ipfw show | grep -q $ips ; then
            ipfw -q add 20000 deny tcp from $ips to any
       fi
fi
   done
)
IPF:

[Copy to clipboard]
CODE: #!/bin/sh
IFS='
'
for rules in `ipfstat -i | grep "group 20000"` ; do
   echo "$rules" | ipf -r -f -
done
for ips in `cat /var/log/auth.log | grep sshd | grep "Illegal" | awk '{print $10}' | uniq -d` ; do
   echo "block in quick from $ips to any group 20000" | ipf -f -
done
cat /var/log/auth.log | grep sshd | grep "Failed" | rev   | cut -d\   -f 4 | rev | sort | uniq -c | \
( while read num ips; do
if [ $num -gt 5 ]; then
       if ! ipfstat -i | grep $ips ; then
            echo "block in quick from $ips to any group 20000" | ipf -f -
   fi
fi
done
)
PF:

[Copy to clipboard]
CODE: #!/bin/sh
pfctl -t ssh-violations -T flush
for ips in `cat /var/log/authlog | grep sshd | grep "Illegal" | awk '{print $10}' | uniq -d` ; do
   pfctl -t ssh-violations -T add $ips
done
cat /var/log/authlog | grep sshd | grep "Failed" | rev   | cut -d\   -f 4 | rev | sort | uniq -c | \
( while read num ips; do
if [ $num -gt 5 ]; then
      if ! pfctl -s rules | grep -q $ips ; then
            pfctl -t ssh-violations -T add $ips
       fi
fi
   done
)
PF还需要如下设置:
/etc/pf.conf

[Copy to clipboard]
CODE: table <ssh-violations> persist file "/etc/ssh-violations"
...
block drop in from <ssh-violations> to any
然后设置crontab:

[Copy to clipboard]
CODE: */1 *    *    *    *    root /operator/sshd-fwscan.sh
好了,现在可以自己测试一下子。
注意,测试不要把自己搞定了啊,呵呵!

注意IPFW和IPF之中的2000,根据你自己的实际情况设定规则号或者组号。

把SSH的端口改了,然后装上portsentry,把22端口打开,只要他一扫描你的22端口立马让他进黑名单!

原文地址:http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins

原文版权声明:
# Copyright (c) 2004,2005 RPTN.Net,
# Copyright (c) 2005 DaveG.ca,
# Copyright (c) 2006 Bob (kba at ats32.ru)
# You may use this code under the GPL, version 2 or newer.
# Updates for IPF by Sasha.by

原文地址 http://bbs.chinaunix.net/viewthread.php?tid=847704&extra=page%3D7