Installed SSHGuard to kick the suspicious folks poking at my public server

This is the Reiwa-era updated edition of "Installed Ban4ip to kick the suspicious folks poking at my public Raspberry Pi".

What’s SSHGuard

What SSHGuard is

sshguard is a service that protects SSH and other services from brute-force attacks, and is similar to fail2ban.  
Unlike the other two, sshguard is written in C and is lightweight and simple. Its core functionality is equivalent, but its feature set is kept small.  
sshguard is (almost, or absolutely) never attacked through the log-parsing vulnerabilities that similar tools have.  

from ArchWiki: Sshguard

This time I am combining it with ufw.

For ufw itself, see "Installing and trying out ufw" and proceed from there.

┌─╼ [~]
└────╼ $ sudo ufw allow ssh
┌─╼ [~]
└────╼ $ sudo ufw allow from 192.168.100.0/24 to any app samba
┌─╼ [~]
└────╼ $ sudo systemctl restart ufw
┌─╼ [~]
└────╼ $ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Samba                      ALLOW       192.168.100.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)

This server happened to have samba installed, so I allowed samba from the local network only.

Configuring SSHGuard

┌─╼ [~]
└────╼ $ sudo apt install sshguard
┌─╼ [~]
└────╼ $ sudo nano /etc/ufw/before.rules

Add the following lines immediately after the "# allow all on loopback" section:

:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard

Enable SSHGuard, then restart ufw.

┌─╼ [~]
└────╼ $ sudo systemctl enable sshguard
┌─╼ [~]
└────╼ $ sudo systemctl start sshguard
┌─╼ [~]
└────╼ $ sudo systemctl restart ufw
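The two lines above only take effect if they land inside the `*filter` table of before.rules, that is after the `*filter` header and before that table's `COMMIT`; dropped anywhere else, iptables-restore rejects them and ufw fails to reload. The following check is an added example, not code from the post or from the SSHGuard or ufw projects: it scans the text of before.rules for the chain declaration and the jump rule and reports whether they are missing or misplaced. The sample rule files are constructed excerpts of a stock ufw before.rules, not a full copy.

```python
# Chain declaration and jump rule that the post adds to /etc/ufw/before.rules.
SSHGUARD_CHAIN = ":sshguard - [0:0]"
SSHGUARD_JUMP = "-A ufw-before-input -p tcp --dport 22 -j sshguard"


def check_sshguard_rules(text):
    """Return a list of problems with the sshguard lines in before.rules content.

    iptables-restore only accepts ':chain' and '-A' lines between a '*table'
    header and that table's COMMIT, so both lines must sit inside *filter.
    An empty list means both lines are present and correctly placed.
    """
    table = None                      # table currently open; None after COMMIT
    chain_lines, jump_lines = [], []  # (line number, table) for each occurrence
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line == SSHGUARD_CHAIN:
            chain_lines.append((lineno, table))
        elif line == SSHGUARD_JUMP:
            jump_lines.append((lineno, table))

    problems = []
    for name, found in (("chain declaration", chain_lines), ("jump rule", jump_lines)):
        if not found:
            problems.append(f"sshguard {name} missing")
        elif not any(t == "filter" for _, t in found):
            where = ", ".join(str(n) for n, _ in found)
            problems.append(f"sshguard {name} on line(s) {where} is outside the *filter table")
    return problems


# Constructed excerpt of before.rules with the lines placed as the post describes.
GOOD_RULES = """\
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard
COMMIT
"""

# Constructed excerpt with the same lines pasted after COMMIT, a common slip.
BAD_RULES = """\
*filter
:ufw-before-input - [0:0]
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
COMMIT
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard
"""

if __name__ == "__main__":
    import sys
    # With a path argument, check the real file; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            problems = check_sshguard_rules(fh.read())
        print("\n".join(problems) or "sshguard rules OK")
        sys.exit(1 if problems else 0)
    for label, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, check_sshguard_rules(text) or "OK")
```

Run it as `sudo python3 check_rules.py /etc/ufw/before.rules` before restarting ufw; a non-zero exit means the rules need moving.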

To change SSHGuard's settings, edit /etc/sshguard/sshguard.conf.
The whitelist is /etc/sshguard/whitelist.

Checking that it works

It logs to /var/log/auth.log, so after a few dozen minutes the block entries start piling up.

┌─╼ [~]
└────╼ $ cat /var/log/auth.log | grep Blocking
Aug  7 12:58:43 microserver sshguard[798]: Blocking "94.102.61.20/32" for 120 secs (4 attacks in 2 secs, after 1 abuses over 2 secs.)
Aug  7 12:58:44 microserver sshguard[798]: Blocking "61.177.173.36/32" for 960 secs (3 attacks in 1 secs, after 4 abuses over 130642 secs.)
Aug  7 13:02:25 microserver sshguard[798]: Blocking "192.241.221.145/32" for 120 secs (4 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 13:03:43 microserver sshguard[798]: Blocking "61.177.173.53/32" for 1920 secs (3 attacks in 1 secs, after 5 abuses over 127243 secs.)
Aug  7 13:23:07 microserver sshguard[798]: Blocking "114.33.222.62/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 13:23:14 microserver sshguard[798]: Blocking "167.99.119.168/32" for 120 secs (4 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 13:25:57 microserver sshguard[798]: Blocking "212.174.62.41/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 13:30:34 microserver sshguard[798]: Blocking "61.177.173.48/32" for 7680 secs (3 attacks in 1 secs, after 7 abuses over 204099 secs.)
Aug  7 13:37:03 microserver sshguard[798]: Blocking "61.177.172.184/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 89235 secs.)
Aug  7 13:37:57 microserver sshguard[798]: Blocking "114.35.42.13/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 13:41:21 microserver sshguard[798]: Blocking "61.177.173.53/32" for 3840 secs (3 attacks in 1 secs, after 6 abuses over 129501 secs.)
Aug  7 14:03:50 microserver sshguard[798]: Blocking "61.177.173.39/32" for 3840 secs (3 attacks in 1 secs, after 6 abuses over 198273 secs.)
Aug  7 14:09:09 microserver sshguard[798]: Blocking "125.115.183.127/32" for 120 secs (4 attacks in 2 secs, after 1 abuses over 2 secs.)
Aug  7 14:10:01 microserver sshguard[798]: Blocking "61.177.172.98/32" for 15360 secs (3 attacks in 1 secs, after 8 abuses over 206276 secs.)
Aug  7 14:35:03 microserver sshguard[798]: Blocking "61.177.173.37/32" for 1920 secs (3 attacks in 1 secs, after 5 abuses over 209954 secs.)
Aug  7 14:37:23 microserver sshguard[798]: Blocking "61.177.173.47/32" for 3840 secs (3 attacks in 1 secs, after 6 abuses over 210100 secs.)
Aug  7 14:40:44 microserver sshguard[798]: Blocking "61.177.172.87/32" for 1920 secs (3 attacks in 1 secs, after 5 abuses over 119355 secs.)
Aug  7 15:11:01 microserver sshguard[798]: Blocking "61.177.173.39/32" for 7680 secs (3 attacks in 1 secs, after 7 abuses over 202304 secs.)
Aug  7 15:29:24 microserver sshguard[798]: Blocking "122.116.47.83/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 16:06:29 microserver sshguard[798]: Blocking "45.61.185.251/32" for 61440 secs (3 attacks in 1 secs, after 10 abuses over 217492 secs.)
Aug  7 16:32:32 microserver sshguard[798]: Blocking "208.67.106.88/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 220376 secs.)
Aug  7 16:47:23 microserver sshguard[798]: Blocking "112.167.228.121/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 17:13:58 microserver sshguard[798]: Blocking "43.138.107.194/32" for 120 secs (3 attacks in 0 secs, after 1 abuses over 0 secs.)
Aug  7 17:37:35 microserver sshguard[798]: Blocking "45.75.53.79/32" for 120 secs (4 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 17:42:38 microserver sshguard[798]: Blocking "46.252.26.158/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 17:44:52 microserver sshguard[798]: Blocking "46.252.26.158/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 135 secs.)
Aug  7 17:49:14 microserver sshguard[798]: Blocking "46.252.26.158/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 397 secs.)
Aug  7 17:57:24 microserver sshguard[798]: Blocking "46.252.26.158/32" for 960 secs (3 attacks in 1 secs, after 4 abuses over 887 secs.)
Aug  7 18:54:45 microserver sshguard[798]: Blocking "211.250.4.137/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 19:01:04 microserver sshguard[798]: Blocking "61.177.173.40/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 103609 secs.)
Aug  7 19:35:25 microserver sshguard[798]: Blocking "141.98.10.157/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 216319 secs.)
Aug  7 20:04:37 microserver sshguard[798]: Blocking "61.177.173.44/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 170963 secs.)
Aug  7 20:07:59 microserver sshguard[798]: Blocking "147.182.135.41/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 20:35:55 microserver sshguard[798]: Blocking "61.177.173.44/32" for 960 secs (3 attacks in 1 secs, after 4 abuses over 172841 secs.)
Aug  7 21:55:45 microserver sshguard[798]: Blocking "175.193.210.239/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 95168 secs.)
Aug  7 22:05:25 microserver sshguard[798]: Blocking "46.252.26.153/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 22:07:49 microserver sshguard[798]: Blocking "46.252.26.153/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 145 secs.)
Aug  7 22:12:06 microserver sshguard[798]: Blocking "46.252.26.153/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 402 secs.)
Aug  7 22:12:50 microserver sshguard[798]: Blocking "61.177.173.36/32" for 1920 secs (3 attacks in 1 secs, after 5 abuses over 163888 secs.)
Aug  7 22:13:19 microserver sshguard[798]: Blocking "61.177.173.52/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 157953 secs.)
Aug  7 22:20:49 microserver sshguard[798]: Blocking "46.252.26.153/32" for 960 secs (3 attacks in 1 secs, after 4 abuses over 925 secs.)
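Reading the log above, each repeat offender's block time doubles with every recorded abuse: 120, 240, 480, 960 seconds and so on, which is 120 × 2^(abuses − 1). The script below is an added example, not part of the post or of the SSHGuard project: it parses the "Blocking" lines, aggregates them per address, checks that every block time matches that doubling rule, and lists the repeat offenders. The sample log lines are constructed with documentation-range addresses, not copied from the output above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Shape of the "Blocking" line sshguard writes to /var/log/auth.log.
BLOCK_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshguard\[\d+\]: '
    r'Blocking "(?P<addr>[^"]+)" for (?P<secs>\d+) secs '
    r'\((?P<attacks>\d+) attacks in \d+ secs, '
    r'after (?P<abuses>\d+) abuses over \d+ secs\.\)$'
)

BASE_BLOCK_TIME = 120  # first block lasts 120 s, as seen in the log


@dataclass
class BlockEvent:
    ts: str
    addr: str
    secs: int
    attacks: int
    abuses: int


def parse_block_line(line):
    """Return a BlockEvent for a sshguard 'Blocking' line, or None for any other line."""
    m = BLOCK_RE.match(line.strip())
    if m is None:
        return None
    return BlockEvent(m["ts"], m["addr"], int(m["secs"]), int(m["attacks"]), int(m["abuses"]))


def expected_block_time(abuses, base=BASE_BLOCK_TIME):
    """Block time on the n-th abuse under the doubling rule: base * 2^(n-1)."""
    return base * 2 ** (abuses - 1)


def summarize(lines):
    """Aggregate block events per address.

    backoff_ok stays True only if every block time for that address matched
    the doubling rule; a False value means the log deviates from it.
    """
    stats = defaultdict(lambda: {"blocks": 0, "attacks": 0, "max_secs": 0, "backoff_ok": True})
    for line in lines:
        ev = parse_block_line(line)
        if ev is None:
            continue  # sshd, sudo, cron lines: not a block event
        s = stats[ev.addr]
        s["blocks"] += 1
        s["attacks"] += ev.attacks
        s["max_secs"] = max(s["max_secs"], ev.secs)
        if ev.secs != expected_block_time(ev.abuses):
            s["backoff_ok"] = False
    return dict(stats)


def repeat_offenders(stats, min_blocks=2):
    """Addresses blocked at least min_blocks times, longest block first."""
    hits = [a for a, s in stats.items() if s["blocks"] >= min_blocks]
    return sorted(hits, key=lambda a: stats[a]["max_secs"], reverse=True)


# Constructed auth.log sample (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
Aug  7 17:42:38 microserver sshguard[798]: Blocking "198.51.100.7/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Aug  7 17:44:52 microserver sshguard[798]: Blocking "198.51.100.7/32" for 240 secs (3 attacks in 1 secs, after 2 abuses over 135 secs.)
Aug  7 17:49:14 microserver sshguard[798]: Blocking "198.51.100.7/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 397 secs.)
Aug  7 17:57:24 microserver sshguard[798]: Blocking "198.51.100.7/32" for 960 secs (3 attacks in 1 secs, after 4 abuses over 887 secs.)
Aug  7 18:54:45 microserver sshguard[798]: Blocking "192.0.2.44/32" for 120 secs (4 attacks in 2 secs, after 1 abuses over 2 secs.)
Aug  7 19:35:25 microserver sshguard[798]: Blocking "203.0.113.9/32" for 122880 secs (3 attacks in 1 secs, after 11 abuses over 216319 secs.)
Aug  7 19:36:00 microserver sshd[1234]: Connection closed by 192.168.100.5 port 51234
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    for addr in repeat_offenders(stats, min_blocks=1):
        s = stats[addr]
        print(f'{addr:18} blocks={s["blocks"]} attacks={s["attacks"]} '
              f'max_block={s["max_secs"]}s backoff_ok={s["backoff_ok"]}')
```

On a live system feed it the real file, for example `summarize(open("/var/log/auth.log"))`; an address whose `backoff_ok` is False, or one that keeps reappearing with short blocks, is worth a closer look or a permanent entry in the firewall.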