From 048ccb09d12047436a83b8576a5209073bf15af5 Mon Sep 17 00:00:00 2001 From: Koen Kooi Date: Thu, 3 Sep 2015 19:39:16 +0200 Subject: sshguard 1.6.1+git: add recipe SSHguard protects hosts from brute-force attacks against SSH and other services. This recipe uses iptables as blocker backend and journald as log backend. When it's working it will look like this in syslog: Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). And the iptable rules: root@soekris:~# iptables -L sshguard --line-numbers Chain sshguard (1 references) num target prot opt source destination 1 DROP all -- hn.kd.ny.adsl anywhere 2 DROP all -- 61.182.15.194 anywhere 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere Signed-off-by: Koen Kooi Signed-off-by: Martin Jansa --- .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++ .../sshguard/sshguard/sshguard-journalctl | 2 + .../sshguard/sshguard/sshguard.service | 12 ++++++ .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++ 4 files changed, 100 insertions(+) create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb 
diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
new file mode 100644
index 0000000000..b6833681ec
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# Function that enables firewall
+#
+do_enable_firewall()
+{
+ # creating sshguard chain
+ iptables -N sshguard 2> /dev/null
+ ip6tables -N sshguard 2> /dev/null
+ # block traffic from abusers
+ iptables -I INPUT -j sshguard 2> /dev/null
+ ip6tables -I INPUT -j sshguard 2> /dev/null
+}
+#
+# Function that disables firewall
+#
+do_disable_firewall()
+{
+ # flushes list of abusers
+ iptables -F sshguard 2> /dev/null
+ ip6tables -F sshguard 2> /dev/null
+ # removes sshguard firewall rules
+ iptables -D INPUT -j sshguard 2> /dev/null
+ ip6tables -D INPUT -j sshguard 2> /dev/null
+ # removing sshguard chain
+ iptables -X sshguard 2> /dev/null
+ ip6tables -X sshguard 2> /dev/null
+}
+
+case "$1" in
+ enable)
+ do_enable_firewall
+ ;;
+ disable)
+ do_disable_firewall
+ ;;
+ restart)
+ do_disable_firewall
+ do_enable_firewall
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+
+exit 0
+
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
new file mode 100644
index 0000000000..e7c615b95c
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
@@ -0,0 +1,2 @@
+#!/bin/sh
+/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
new file mode 100644
index 0000000000..e2590fadda
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
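Review bot: In the `firewall` script every iptables/ip6tables call discards stderr and its exit status, and the script ends in `exit 0`, so `firewall enable` reports success to systemd even when the `sshguard` chain was never hooked into INPUT; sshguard would then log "Blocking ..." while no packet is actually dropped. Keeping `2> /dev/null` on `-N` is reasonable because the chain may already exist, but the jump should be checked, e.g. `iptables -C INPUT -j sshguard 2> /dev/null || iptables -I INPUT -j sshguard || exit 1`, which also avoids a duplicate jump if `enable` runs twice (assuming the target's iptables supports `-C`). The same applies to the ip6tables line; if IPv6 support is meant to be optional, a comment should say so.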
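Review bot: In `sshguard-journalctl`, `-t sshd` feeds sshguard only journal entries whose syslog identifier is `sshd`, so an image whose SSH server logs under another identifier (dropbear is a common choice on OpenEmbedded images) gets a running service that never sees an attack, and the "other services" named in the recipe SUMMARY are not covered either. I would state that in a comment above the pipeline, e.g. `# Only entries tagged "sshd" reach sshguard; add further -t options for other daemons.` Separately, `-n100` replays up to 100 older entries from the current boot on every start, which is presumably why the sample log in the commit message shows "4 attacks over 0 seconds". A short comment saying the replay is intentional (the chain is flushed on stop) would help the next reader.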
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSHGuard
+After=network.service
+
+[Service]
+PIDFile=/run/sshguard.pid
+ExecStartPre=/usr/lib/sshguard/firewall enable
+ExecStopPost=/usr/lib/sshguard/firewall disable
+ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
new file mode 100644
index 0000000000..04435e82fa
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
@@ -0,0 +1,38 @@
+SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
+
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+
+PV = "1.6.1+git${SRCPV}"
+
+SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
+SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
+ file://firewall \
+ file://sshguard.service \
+ file://sshguard-journalctl \
+ "
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "flex-native"
+
+inherit autotools-brokensep systemd
+
+EXTRA_OECONF += " --with-firewall=iptables \
+ --with-iptables=${sbindir}/iptables \
+ "
+
+do_install_append() {
+ install -d ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
+
+ sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
+ sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
+}
+
+FILES_${PN} += "${systemd_unitdir}"
+RDEPENDS_${PN} += "iptables"
-- cgit 1.2.3-korg
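Review bot: `sshguard.service` has no `Restart=` setting, so when the journalctl-to-sshguard pipeline ends for any reason, `ExecStopPost` runs `firewall disable`, which flushes every block, and nothing brings the service back; adding `Restart=always` under `[Service]` would keep the protection from disappearing silently. `After=network.service` also looks like a slip for `After=network.target`: unless the image provides a unit of that name, an ordering dependency on a unit that does not exist has no effect. `PIDFile=` is set without `Type=forking`, so it is presumably not what systemd tracks here, since the main process is the wrapper shell; a comment or removing the line would avoid confusion.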
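Review bot: `sshguard_git.bb` hard-wires journald as the log source (the installed wrapper calls journalctl and the only start-up integration is the systemd unit), but nothing in the recipe expresses that requirement: `RDEPENDS_${PN}` lists only iptables. On a distro without the systemd feature the package would presumably build and install yet never start or read any log, so consider gating it, e.g. `REQUIRED_DISTRO_FEATURES = "systemd"` together with the matching feature-check class, or at least add a comment above `inherit` stating the assumption. As a style point, the first sed expression `s:/bin:${base_bindir}:g` in `do_install_append` is unanchored and also rewrites the `#!/bin/sh` line of the wrapper; matching `/bin/journalctl` explicitly would make the intent clearer.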