💾 Archived View for tsqrl.xyz › gemlog › 2022-03-24_sshlockout-on-openbsd.gmi captured on 2023-06-16 at 16:14:04. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-04-28)
-=-=-=-=-=-=-
You best protect ya neck
sshlockout is similar to fail2ban: you can use it to block IP addresses attempting to brute-force ssh.
With sshlockout, we collect repeated failed auth attempts from syslogd and tell the pf firewall to block those IPs.
Note: All commands run as root.
pkg_add sshlockout
Create an in-memory table named "lockout" and block ssh attempts from IPs in that table.
table <lockout> persist { }
block in log quick on egress proto tcp from <lockout> to port ssh
pfctl -f /etc/pf.conf
Log auth attempts to the sshlockout command, which will write the IPs of repeat-offenders to the pf table.
auth.info;authpriv.info | exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf lockout
kill -HUP $(cat /var/run/syslog.pid)
Allow the syslog user to run sshlockout as root.
permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout
Clear the lockout table once a day.
3 3 * * * pfctl -t lockout -T expire 86400
To check if it's working, you'll see that sshlockout is mentioned in the auth log.
tail -f /var/log/auth.og
And, you can see the IPs in the lockout table:
pfctl -t lockout -T show
To get a count of IPs:
pfctl -t lockout -T show | wc -l
If you want to see the pflog in real time:
pflog -n -e -ttt -i pflog0
To disallow password login, edit /etc/ssh/sshd_config:
PasswordAuthentication no
Restart sshd
rcctl restart sshd
Note: this change will likely make it so that sshlockout is unnecessary in the first place, making this less "fun"