SSHguard & IPFW

[Ian Smith]

On Thu, 1 Oct 2015 08:52:47 +0200, Nino J wrote:
 > On Wed, Sep 30, 2015 at 7:58 PM, Ian Smith <smithi at nimnet.asn.au> wrote:
 > 
 > >
 > > I'm more paranoid and only allow addresses in a table to access sshd's
 > > port, with a couple of roaming users who need to check mail to update
 > > their IP before login .. but this is great news for sshguard users.
 > >
 > >
 > It's not necessarily paranoid. It depends on your risk assessment. I'm
 > primarily defending against bruteforce attacks and sshguard effectively
 > solves that. If I were concerned about possible vulnerability in sshd that
 > would allow an attacker to bypass the login process or crash sshd on a
 > machine where ssh access is critical, restricting access to known IPs only
 > would be a perfectly reasonable solution.

Well I'm not as concerned about sshd vulnerabilities as I am about lots 
of superfluous logging from (usually) oft-repeated drive-by attempts on 
port 22, often across all 6 IPs of a /29.  And yes, I prefer using port 
22, despite the relief that using alternative ports does offer, mainly 
to keep things simple for users.  This way, all other hosts attempting 
connections to port 22 simply vanish.

 > On a side note, if I understood correctly, you're modifying IPFW rules
 > based on a user successfully checking mail, basically a sort of
 > port-knocking? Or I totally misinterpreted? :)

Yes, but not modifying the ruleset, just adding addresses to table(22).

This is done from a 5-minutely cron running a script that parses pop.log 
for successful mailchecks by specified users from their nominated ISP/s, 
adding their IP address with current timestamp to the table.  Users know 
the drill and it's worked without drama since 2007, although there's now 
only one such login user (apart from me :) remaining in our little club.

Horses for courses; sshguard is surely a useful approach for hosts with 
more users, where maintaining my ad-hoc solution would be more arduous.

cheers, Ian