Minimize sshd log clutter/spam from unauthenticated connections

Carsten Andrich carsten.andrich at tu-ilmenau.de
Sun Mar 19 02:08:29 AEDT 2023


On 18.03.23 14:19, Philipp Marek wrote:
> I guess you might find fail2ban useful.
>
> It scans logfiles (like /var/log/sshd.log), and when it sees too many 
> authentication failures from an IP address (or network range) it can 
> issue commands to drop any further attempts via a firewall.
>
> By having it read its own logfile it's possible to have repeated 
> offenders be cut out for longer and longer time spans.
>
> https://www.fail2ban.org/wiki/index.php/Main_Page
> https://supine.com/posts/2012/08/fail2ban-monitoring-itself-recursively/

Thanks for the suggestion. I've looked into solutions like fail2ban in 
the past, but have decided for a simpler approach. On some Linux hosts I 
use the following nftables rules (commented and stripped for clarity):

table inet filter {
	# set of IP addresses that have successfully authenticated
	# filled via, e.g., the following /root/.ssh/rc (simple example without error handling):
	# `nft add element inet filter sshauth { ${SSH_CONNECTION%% *} timeout 4h }`
	set sshauth {
		type ipv4_addr
		flags timeout, dynamic
	}

	# set of IP addresses (or rather /24 subnets, see below) that have
	# established new TCP connections to SSHD
	set sshlimit {
		type ipv4_addr
		flags timeout, dynamic
	}

	chain input {
		type filter hook input priority 0; policy drop;

		# accept new connections from IP addresses that have authenticated before
		ip saddr @sshauth tcp dport 22 ct state new counter accept
		# accept new connections from all other addresses with significant rate
		# limit on /24 subnet
		ip protocol tcp tcp dport 22 ct state new add @sshlimit { ip saddr & 255.255.255.0 timeout 1h limit rate 2/hour } counter accept

		# accept established connections and reject the rest (whatever exceeds
		# above rate limit)
		ct state { established, related } accept
		meta pkttype unicast ip protocol tcp counter reject with tcp reset
	}
}

The result is similar to fail2ban in that it aggressively limits any 
repeat connections that do not authenticate successfully, albeit with a 
significantly smaller attack surface and configuration effort. The trick 
to make it usable despite the 2/hour connection limit is to manually 
fill the set sshauth either via a .ssh/rc file (will only work for 
root) or by parsing the ssh log and adding IP addresses that 
authenticate successfully.

Best regards,
Carsten
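The second way of filling the sshauth set that the mail mentions, parsing the sshd log for successful logins, as an added example that is not part of the original message or of OpenSSH: it turns "Accepted ..." lines into the same `nft add element` commands the .ssh/rc snippet issues. The table and set names (inet filter sshauth) and the 4h timeout are taken from the rules above; the log lines are constructed sample data, and the journalctl unit name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original mail: turn sshd "Accepted ..." log
# lines into "nft add element" commands for the sshauth set, so clients that
# have authenticated once bypass the per-/24 rate limit. Assumes the table,
# set and timeout from the rules in the mail (inet filter sshauth, 4h).

SSHAUTH_TIMEOUT="${SSHAUTH_TIMEOUT:-4h}"

# Read sshd log lines on stdin and print one nft command per successful
# authentication. Only IPv4 addresses are emitted: the set type is ipv4_addr,
# so an IPv6 client address would make nft reject the whole command.
sshauth_commands() {
    awk -v timeout="$SSHAUTH_TIMEOUT" '
        # matches e.g. "sshd[4242]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ..."
        # "Failed ..." lines, and lines not logged by sshd, never match
        /sshd\[[0-9]+\]: Accepted [^ ]+ for / {
            for (i = 1; i < NF; i++) {
                if ($i == "from" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                    printf "nft add element inet filter sshauth { %s timeout %s }\n", $(i + 1), timeout
                    break
                }
            }
        }'
}

# Constructed sample log (not real data) covering the cases that matter:
# a publickey login, a failed attempt that must be ignored, a password login,
# and an IPv6 client that is skipped because the set is ipv4_addr.
SAMPLE_LOG='Mar 18 13:02:11 host sshd[4242]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: ED25519 SHA256:AAAA
Mar 18 13:02:40 host sshd[4250]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar 18 13:03:05 host sshd[4251]: Accepted password for bob from 192.0.2.25 port 40123 ssh2
Mar 18 13:03:30 host sshd[4260]: Accepted publickey for carol from 2001:db8::10 port 50222 ssh2: RSA SHA256:BBBB'

# Dry run on the sample: prints the two commands that would be executed.
# On a live host feed the real log instead and pipe the output into sh as
# root (nft needs it), e.g. with an assumed unit name:
#   journalctl -f -u ssh | sshauth_commands | sh
printf '%s\n' "$SAMPLE_LOG" | sshauth_commands
```

The function deliberately prints commands instead of running nft, so the extraction can be checked as an unprivileged user before the pipeline into sh is wired up on a host where the rules above are loaded. Only the "Accepted" messages are considered, so failed and partially authenticated attempts never whitelist a source, which keeps the 2/hour per-/24 limit in force for everyone who has not actually logged in.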



More information about the openssh-unix-dev mailing list