Skip to content

Create Linux Firewall Rule Related to SSH Automatically against BruteForce

Notifications You must be signed in to change notification settings

luna-negra/guardia

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation

guardia

- Introduction
- Version
- Support OS
- Installation
- How to Use
- Uninstallation

Introduction

If you have a linux machine connected to Internet, you may see various attempt to SSH access from anywhere in this planet. May you thought "I want to prevent these unauthorized person not to connect my machine never again".

However, we are not able to make firewall rules manually because there are so many failed ssh access logs in a day and there would be also false log caused by authorized user who just missing to type 'b' at the end of the password.

I, who loves linux, experienced the same situation. Therefore, I made a simple software 'guardia' to create linux firewall rules in response to the so called 'intruders' who try to the brute force attack.

'guardia' reacts in real time when the intruder excess the number of max_try SSH connection attempt. When 'guardia' detected suspicious behavior, it will block the remote ip by creating an applying drop rule on active firewall zones. In addition, 'guardia' have a function to send syslog of blocked ip and evidences. You can easily integrate these information from multiple linux machine, by sending syslog to one device which gathers logs such as log-server.

If you worried about that you are blocked by 'guardia' because you forget the password or mistype the key, do not worry. In 'guardia' you can register your host ip and username as a whitelist. Once whitelist recognise your username and access ip, you can try access to your machine unlimitedly with whitelist information without being blocked.


Architecture

image


Version

Beta Test Version
version release date ref derived version
0.1.2_beta N/A beta: test version, the latest N/A
0.1.1_beta N/A beta: test version N/A

Support OS

You can use 'guardia' with,

  • CentOS 8 Stream (X86)
  • Ubuntu 23.04 (amd64)

Installation

Download 'guardia' repository on your linux_machine
git clone https://github.com/luna-negra/guardia

The command above makes you to have the latest version of 'guardia'. You can see the guardia folder on your path. That folder contains rpm and deb files.

Install 'guardia' package

Install 'guardia' package with command 'rpm' or 'dpgk'

[ centos 8 Stream ]

rpm -i guardia-0.1.2_beta-1.el8.x86_64.rpm

[ ubuntu 23.04 ]

dpkg -l guardia-0.1.2_beta-1.amd64.deb

After installing package successfully, 'guardia' service daemon will be started and enabled. You can check it by using command below.

systemctl status guardia
systemctl is-enabled guardia

How To Use

Once 'guardia' daemon has started, 'guardia' watches all ssh access by referencing sshd daemon's log. Although you don't have to do many things except below.

1. Control Service Daemon

Controlling Service Daemon Controlling 'guardia' Daemon is common on both ubuntu 23.04 and centos 8 stream
  • Start Daemon
systemctl start guardia
  • Restart Daemon
systemctl restart guardia
  • Stop Daemon
systemctl stop guardia
  • Check Status Daemon
systemctl status guardia

2. Get or Change Configs

Command to Check Config

You can see the config value by using command 'guardia get'

guardia get [option]

[ options ]

option description returned value
q_size set the capacity of built-in log queue.
Default is 30
integer between 10 ~ 200
ip set the endpoint ip
where you want to send syslog.
IP version 4
without prefix or subnet. [x.x.x.x]
port set the endpoint port
where you want to send syslog.
514 or not a well known-port (1024 ~)
protocol set the protocol(tcp/udp) to send syslog 'udp'
* This version only support udp
zone set the firewall zone where the drop rule will be applied. [active_zone_name1,active_zone_name2...]
max_try Max try number of access attempt to block unauthorized connections integer between 1~10
whitelist whitelist with searching keyword in prompt - ip and username string with whitelist search result
log_level set the 'guardia' log level. 'info' or 'debug'
Command to Change Config
If you change the config or reset config, please restart guardia service.

You can change 'guardia' config values by using command 'guardia put'````

guardia put [option] [value]

(1) q_size

'q_size' is the capacity of queue which is contained on the built-in 'guardia' module. This queue stores ssh log of both failure and success temporarily.

Default is set as 30. You can set this value in range between 30 and 200. If the installed 'guardia' miss some unauthorized access due to the massive attack, increase this value.

example) guardia put q_size 100

(2) ip

'ip' is a ip address of remote host where you want to send syslog.

Default is '127.0.0.1'. You can set the ip with ipv4 only without prefix or subnet. If the [value] is not match ipv4 format, config would not be changed.

example) guardia put ip 192.168.1.1

(3) port

'port' is a port number of remote host where you want to send syslog.

Default is 514, basic syslog port number. You can change this value as 514 or not in range of well known port number.

example) guardia put port 1514

(4) protocol

'protocol' is the method of sending syslog. Default is 'udp'.

Be Advised that 'tcp' protocol is not supported now. you can only use 'udp'

example) guardia put protocol udp

(5) zone

'zone' means that the active zone where the newly created firewall rules will be applied. Default is 'default' and new rich rule will be stored on all active zone.

This value does not accept non-active zone. Therefore, if you want to set this value with non-active zone, change the zone status as active before set this config.

[value] must be capsuled by square bracket [].

example1) guardia put zone [internal, public]
example2) guardia put zone [internal]
example3) guardia put zone []                  # This means 'default'

(6) max_try

'max_try' is the limitation number that 'guardia' accepts unauthorized access for each host. if one remote host fail to connect ssh with attempts excess this value, 'guardia' immediately block the remote host.

Default is 3 and you can set this value between 1 and 5

example) guardia put max_try 3

(7) log_level

'guardia' support log at '/var/log/guardia/guardia.log'. You can set the log level of 'guardia' by selecting one of 'info' and 'debug'.

Default is 'info'. If you want to see the detail information of SSH access, please set this value as 'debug'

example) guardia put log_level debug

(8) whitelist

'whitelist' makes you access without worries about mistyping or forgetting password. Whitelist is composed of ip address and username. Even though you try to access SSH excess the number of max_try, 'guardia' will not block you if you use whitelisted username from the host with whitelisted ip address.

One whitelist does not affect the others, so you have to register each whitelist manually, if you want to register multiple username with one ip address. [value] must be one of 'add' and 'remove'

example1) guardia put whitelist add        # add whitelist
example2) guardia put whitelist remove     # remove whitelist

You can reach input message if you type one of commands above. Register of remove whitelist information by inputting ip address and username. If you type username that not exist in local machine, whitelist will not be registered.

Config Reset
If you change the config or reset config, please restart guardia service.

You can make all configs as factory-reset form with command below.

guardia init

This will make config file as a form of when installation was finished.


Uninstallation

Uninstall 'guardia' package

[ CentOS 8 Stream ]

rpm -e guardia

[ Ubuntu 23.04 ]

dpkg --purge guardia

About

Create Linux Firewall Rule Related to SSH Automatically against BruteForce

Topics

Resources

Stars

Watchers

Forks