Minimize sshd log clutter/spam from unauthenticated connections
Carsten Andrich
carsten.andrich at tu-ilmenau.de
Sun Mar 19 02:08:29 AEDT 2023
On 18.03.23 14:19, Philipp Marek wrote:
> I guess you might find fail2ban useful.
>
> It scans logfiles (like /var/log/sshd.log), and when it sees too many
> authentication failures from an IP address (or network range) it can
> issue commands to drop any further attempts via a firewall.
>
> By having it read its own logfile it's possible to have repeated
> offenders be cut out for longer and longer time spans.
>
> https://www.fail2ban.org/wiki/index.php/Main_Page
> https://supine.com/posts/2012/08/fail2ban-monitoring-itself-recursively/
Thanks for the suggestion. I've looked into solutions like fail2ban in
the past, but have decided on a simpler approach. On some Linux hosts I
use the following nftables rules (commented and stripped for clarity):
table inet filter {
    # set of IP addresses that have successfully authenticated
    # filled via, e.g., the following /root/.ssh/rc (simple example without error handling):
    # `nft add element inet filter sshauth { ${SSH_CONNECTION%% *} timeout 4h }`
    set sshauth {
        type ipv4_addr
        flags timeout, dynamic
    }

    # set of IP addresses (or rather /24 subnets, see below) that have
    # established new TCP connections to SSHD
    set sshlimit {
        type ipv4_addr
        flags timeout, dynamic
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # accept new connections from IP addresses that have authenticated before
        ip saddr @sshauth tcp dport 22 ct state new counter accept

        # accept new connections from all other addresses with significant rate
        # limit on /24 subnet ("limit rate" without "over" matches only while the
        # subnet is under 2 new connections per hour; anything beyond that does
        # not match here and falls through to the reject below)
        ip protocol tcp tcp dport 22 ct state new add @sshlimit { ip saddr & 255.255.255.0 timeout 1h limit rate 2/hour } counter accept

        # accept established connections and reject the rest (whatever exceeds
        # above rate limit)
        ct state { established, related } accept
        meta pkttype unicast ip protocol tcp counter reject with tcp reset
    }
}
The result is similar to fail2ban in that it aggressively limits any
repeat connections that do not authenticate successfully, albeit with a
significantly smaller attack surface and configuration effort. The trick
to make it usable despite the 2/hour connection limit is to manually
fill the set sshauth, either via an .ssh/rc file (will only work for
root) or by parsing the ssh log and adding IP addresses that
authenticate successfully.
Best regards,
Carsten
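Both ways of filling sshauth that the message describes (the /root/.ssh/rc hook and parsing the sshd log), as an added example that is not part of the original post and not OpenSSH or nftables code: a POSIX shell script that turns $SSH_CONNECTION or "Accepted ..." log lines into "add element" commands that can be piped into `nft -f -`. The table, set name and 4h timeout are taken from the posted ruleset; the function names, the NFT_SET_TIMEOUT variable and the sample log lines are this example's own. Because the posted set has type ipv4_addr, the script validates each address and skips anything else instead of letting nft fail on an IPv6 client.

```shell
#!/bin/sh
# Added example, not code from the original post: emit "nft add element"
# commands that admit a freshly authenticated client to the sshauth set
# defined in the ruleset above. Two input sources are covered:
#   1. $SSH_CONNECTION inside /root/.ssh/rc (client address is the first field)
#   2. sshd log lines, e.g. "sshd[4242]: Accepted publickey for alice from 203.0.113.5 port 52314 ssh2: ..."
# Table, set name and the 4h timeout come from the post; the function names,
# NFT_SET_TIMEOUT and the sample log below are this example's own.

NFT_TABLE="inet filter"
NFT_SET="sshauth"
NFT_SET_TIMEOUT="${NFT_SET_TIMEOUT:-4h}"

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# The posted set has type ipv4_addr, so anything else would make nft fail.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# nft_add_cmd ADDR: print the nft command for ADDR, or fail for a non-IPv4 address.
# The output is one line of "nft -f" syntax, so it can be piped into "nft -f -".
nft_add_cmd() {
    is_ipv4 "$1" || return 1
    printf 'add element %s %s { %s timeout %s }\n' \
        "$NFT_TABLE" "$NFT_SET" "$1" "$NFT_SET_TIMEOUT"
}

# client_ip_from_ssh_connection "$SSH_CONNECTION": sshd sets the variable to
# "client_ip client_port server_ip server_port"; keep the first field.
client_ip_from_ssh_connection() {
    printf '%s\n' "${1%% *}"
}

# accepted_ips_from_log: read sshd log lines on stdin and print the client
# address of every successful authentication, one per line. Failed attempts
# ("Failed password ...", "Invalid user ...") never match. OpenSSH 9.8 and later
# log from sshd-session[PID] instead of sshd[PID], so both prefixes are accepted.
accepted_ips_from_log() {
    sed -n -E 's/.*sshd(-session)?\[[0-9]+\]: Accepted [^ ]+ for [^ ]+ from ([0-9a-fA-F.:]+) port [0-9]+.*/\2/p'
}

# log_to_nft_cmds: sshd log on stdin -> nft commands on stdout; non-IPv4 clients
# are reported on stderr and skipped instead of aborting the whole batch.
log_to_nft_cmds() {
    accepted_ips_from_log | while IFS= read -r ip; do
        nft_add_cmd "$ip" || printf 'skipping non-IPv4 client %s\n' "$ip" >&2
    done
}

# Constructed sample log (not from a real host): two successful logins, one
# failure and one IPv6 login that the ipv4_addr set cannot hold.
SAMPLE_LOG='Mar 18 14:19:01 host sshd[4242]: Accepted publickey for alice from 203.0.113.5 port 52314 ssh2: ED25519 SHA256:AAAA
Mar 18 14:19:07 host sshd[4251]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar 18 14:20:30 host sshd-session[4260]: Accepted password for bob from 192.0.2.77 port 40102 ssh2
Mar 18 14:21:00 host sshd[4270]: Accepted publickey for carol from 2001:db8::1 port 40200 ssh2: RSA SHA256:BBBB'

# Usage:
#   in /root/.ssh/rc:   nft_add_cmd "$(client_ip_from_ssh_connection "$SSH_CONNECTION")" | nft -f -
#   from the journal:   journalctl -u ssh -o short | log_to_nft_cmds | nft -f -   (unit is "sshd" on some distributions)
#   dry run on the sample log, printing the commands without touching nft:  sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | log_to_nft_cmds
fi
```

The .ssh/rc path still only works for root, as the post notes, because only root may call nft; the log path can run as root from a timer or a `journalctl -f` pipe and does not need sshd to execute anything on login.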
More information about the openssh-unix-dev mailing list