Yadda Ake Toshe Hare-Haren Ƙarfin Ƙarfi na SSH Ta Amfani da SSHGUARD


SSHGuard wani buɗaɗɗen tushen daemon ne wanda ke kare runduna daga hare-haren wuce gona da iri. Yana cim ma wannan ta hanyar saka idanu da tara bayanan tsarin, gano hare-hare, da kuma toshe maharan ta amfani da ɗayan madaidaitan tacewar ta Linux: iptables, FirewallD, pf, da ipfw.

Da farko an tsara shi don samar da ƙarin kariya ga sabis na OpenSSH, SSHGuard kuma yana ba da kariya ga ayyuka da yawa kamar Vsftpd da Postfix. Yana gane tsarin log da yawa ciki har da Syslog, Syslog-ng, da fayilolin log ɗin danye.

[Za ku iya kuma son: Yadda ake Aminta da Harden OpenSSH Server]

SSHGuard yayi kama da Fail2ban kawai cewa an rubuta shi a C (An rubuta Fail2ban da Python), ya fi sauƙi, kuma yana ba da ƴan fasali.

A cikin wannan jagorar, za mu nuna yadda zaku iya shigarwa da daidaita SSHGuard don toshe hare-haren ƙarfi na SSH a cikin sabar Linux ɗin ku.

Mataki 1: Sanya SSHGuard akan Linux

Mun fara tare da shigar da SSHGuard akan Linux.

Da farko, sabunta jerin fakitin sannan a shigar da SSHGuard daga tsoffin ma'ajiyar ta amfani da mai sarrafa fakitin da ya dace.

$ sudo apt update
$ sudo apt install sshguard

Da zarar an shigar, sabis ɗin SSHGuard yana farawa ta atomatik, kuma zaku iya tabbatar da wannan ta amfani da umarnin:

$ sudo systemctl status sshguard

Don rarraba tushen RHEL kamar CentOS, Rocky, da AlmaLinux, farawa ta hanyar shigar da ma'ajin EPEL kamar yadda aka bayar a cikin umarnin da ke ƙasa.

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
OR
$ sudo dnf install epel-release

Tare da EPEL a wurin, ci gaba kuma shigar da SSHGuard ta amfani da mai sarrafa fakitin dnf.

$ sudo dnf install sshguard 

Da zarar an shigar, farawa kuma saita SSHGuard don farawa akan tsarin farawa ko sake yi.

$ sudo systemctl start sshguard
$ sudo systemctl enable sshguard

Tabbatar tabbatar da cewa SSHGuard yana gudana kamar yadda aka zata.

$ sudo systemctl status sshguard

Mataki 2: SSHGuard Kanfigareshan akan Linux

SSHGuard yana sa ido sosai akan /var/log/auth.log, /var/log/amintacce tsarin jarida, da fayilolin log-syslog-ng don gazawar yunƙurin shiga.

Ga kowane yunƙurin shiga da bai yi nasara ba, an dakatar da mai masaukin nesa na ɗan ƙayyadadden lokaci wanda, ta tsohuwa an saita shi a daƙiƙa 120. Bayan haka, lokacin dakatarwa yana ƙaruwa da kashi 1.5 tare da kowane yunƙurin shiga da bai yi nasara ba.

Lokacin da aka dakatar da masu laifi, ban da wasu sigogi an ƙayyade a cikin fayil ɗin sshguard.conf. Kuna iya samun dama ga fayil ɗin sanyi ta amfani da editan vim kamar yadda aka nuna.

$ sudo vim /etc/sshguard/sshguard.conf

A kan rabe-raben tushen RHEL, fayil ɗin saitin yana cikin hanya mai zuwa.

$ sudo vim /etc/sshguard.conf

Anan samfurin fayil ɗin sanyi ne lokacin da aka duba shi daga Ubuntu/Debian.

Bari mu mayar da hankali kan babban zaɓi.

  • Umarnin BACKEND yana nuna cikakken hanyar aiwatar da aikin baya. A cikin wannan misali, mun ga cewa an saita IPtables azaman tsohowar bangon bango.
  • Umarnin THRESHOLD yana toshe maharan lokacin da makin harinsu ya wuce ƙayyadaddun ƙima.
  • Zaɓin BLOCK_TIME shine adadin sakan da aka toshe maharin bayan kowane ƙoƙarin shiga da ya yi nasara. Ta hanyar tsoho, an saita wannan zuwa 120 bayan ƙoƙarin farko. Wannan yana ƙaruwa tare da kowane yunƙurin shiga da bai yi nasara ba.
  • Zaɓin DETECTION_TIME yana nufin lokacin cikin daƙiƙa guda lokacin da tsarin ya yi rajista ko tuna maharin kafin a sake saita maki.
  • Zaɓin WHITELIST_file yana nuna cikakken hanyar fayil ɗin da aka ba da izini wanda ya ƙunshi runduna waɗanda bai kamata a sanya su ba./li>

Mataki 3: Sanya SSHGuard don Toshe Hare-haren Ƙarfin Ƙarfi na SSH

Don kawar da hare-haren bama-bamai, kuna buƙatar saita kan tawul ɗin wuta masu zuwa don aiki tare da sshguard.

Idan kun shigar da UFW kuma kun kunna akan tsarin Ubuntu/Debian, gyara fayil ɗin /etc/ufw/before.rules.

$ sudo vim etc/ufw/before.rules

Ƙara layin da ke biyo baya bayan sashin ba da izinin sake dawowa sashe.

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# hand off control for sshd to sshguard
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard

Ajiye fayil ɗin kuma sake kunna UFW.

$ sudo systemctl restart ufw

Yanzu ƙoƙarin shiga uwar garken daga tsarin daban tare da bayanan da ba daidai ba kuma lura cewa za a kulle ku na daƙiƙa 120 bayan yunƙurin shiga na farko da ya gaza.

Kuna iya tabbatar da hakan ta hanyar duba fayil ɗin log.log.

$ sudo tail -f  /var/log/auth.log

Bayan ƙoƙari na log na gaba ya gaza, lokacin toshe yana ƙaruwa zuwa daƙiƙa 240, sannan 480 seconds, sannan 960 seconds, da sauransu.

Idan kuna gudana Firewalld, tabbatar da an saita shi kuma an kunna shi. Sannan aiwatar da umarni mai zuwa don kunna sshguard akan yankin da kuka fi so.

$ sudo firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard4 drop"

Don amfani da canje-canje, sake shigar da Firewalld da sshguard.

$ sudo firewall-cmd --reload
$ sudo systemctl restart sshguard

Sannan tabbatar da ka'idar kamar haka:

$ sudo firewall-cmd —-info-ipset=sshguard4

Idan har yanzu kuna amfani da Iptables, da farko, ƙirƙirar sabon tsarin sarkar don sshguard a cikin Iptables don fara toshe miyagu.

# iptables -N sshguard

Na gaba, sabunta sarkar INPUT don jagorantar zirga-zirga zuwa sshguard da toshe duk zirga-zirga daga ɓangarori masu ɓarna.

# iptables -A INPUT -j sshguard

Don toshe takamaiman tashoshin jiragen ruwa kamar SSH, POP, da IMAP daga masu cin zarafi suna gudanar da umarni:

# iptables -A INPUT -m multiport -p tcp --destination-ports 22,110,143 -j sshguard

Kuma a ƙarshe, ajiye ƙa'idar don canje-canje su fara aiki.

# iptables-save > /etc/iptables/iptables.rules

Mataki na 4: Yadda ake Batar da Masu Katange SSH

Don ba da izini ga rundunar da aka katange, kawai a saka sunan mai masaukin baki ko adireshin IP a cikin fayil ɗin whitelist wanda ke cikin:

/etc/sshguard/whitelist - Ubuntu/Debian 
/etc/sshguard.whitelist - RHEL-based distros

Bayan haka, tabbatar da sake kunna sshguard daemon da bangon bangon bango don canje-canjen da za a yi amfani da su.

A cikin wannan jagorar, mun nuna yadda zaku iya toshe harin SSH Bruteforce ta amfani da SSHGuard daemon a cikin sabar Linux. Ra'ayin ku yana maraba.