From 2e81f9e057f598a9a9e5c2d617e3d0818005d850 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Tue, 10 May 2022 15:14:19 +0000 Subject: sshguard: T4408: Add service ssh dynamic-protection Sshguard protects hosts from brute-force attacks Can inspect logs and block "bad" addresses by threshold Auto-generate rules for nftables When service stopped all generated rules are deleted nft "type filter hook input priority filter - 10" set service ssh dynamic-protection set service ssh dynamic-protection block-time 120 set service ssh dynamic-protection detect-time 1800 set service ssh dynamic-protection threshold 30 set service ssh dynamic-protection whitelist-address 192.0.2.1 --- interface-definitions/ssh.xml.in | 72 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) (limited to 'interface-definitions/ssh.xml.in') diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in index 8edbad110..7e2512f54 100644 --- a/interface-definitions/ssh.xml.in +++ b/interface-definitions/ssh.xml.in @@ -61,6 +61,78 @@ + + + Allow dynamic protection + + + + + Block source IP in seconds. Subsequent blocks increase by a factor of 1.5 + + u32:1-65535 + Time interval in seconds for blocking + + + + + + 120 + + + + Remember source IP in seconds before reset their score + + u32:1-65535 + Time interval in seconds + + + + + + 1800 + + + + Block source IP when their cumulative attack score exceeds threshold + + u32:1-65535 + Threshold score + + + + + + 30 + + + + Source address or prefix + + ipv4 + Address to match against + + + ipv4net + IPv4 address and prefix length + + + ipv6 + IPv6 address to match against + + + ipv6net + IPv6 address and prefix length + + + + + + + + + + Allowed key exchange (KEX) algorithms -- cgit v1.2.3