Protecting SSH against brute force attacks

Running a public AWS instance is always asking for unexpected trouble from script kiddies and bots trying to find a way in to compromise your server.
Sshguard (www.sshguard.net) monitors your authentication log and updates your iptables firewall accordingly, to help keep persistent brute force attackers at bay.

1. Download the latest version from http://www.sshguard.net, via http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a

wget -O sshguard-1.5.tar.bz2 http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a

2. Unpack

tar jxvf sshguard-1.5.tar.bz2

3. Configure + Make

cd sshguard-1.5
./configure --with-firewall=iptables
make

4. Install (to /usr/local/sbin/sshguard)

sudo make install

5. /etc/init.d/sshguard (chmod 0755)

#!/bin/sh
# this is a concept, elaborate to your taste
# -a  abuse threshold before an address is blocked
# -b  blacklist threshold and the file persistent blacklist entries are written to
#     (/var/sshguard must exist, see step 8)
# -l  log file to monitor for authentication failures
case $1 in
start)
    /usr/local/sbin/sshguard -a 4 -b 5:/var/sshguard/blacklist.db -l /var/log/auth.log &
    ;;
stop)
    killall sshguard
    ;;
*)
    echo "Use start or stop"
    exit 1
    ;;
esac

6. /etc/iptables.up.rules

# Firewall
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
# sshguard fills this chain with DROP rules for blocked source addresses;
# everything else returns to INPUT, so the chain never accepts anything itself
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
# new SSH connections go through the sshguard chain first ...
-A INPUT -p tcp --dport ssh -j sshguard
# ... and are accepted only if sshguard did not drop them; without this rule
# every new SSH connection falls through to the final DROP below
-A INPUT -p tcp --dport ssh -j ACCEPT
# accepts any UDP with source port 53; DNS replies to your own queries are
# already matched by the RELATED,ESTABLISHED rule above
-A INPUT -p udp --source-port 53 -d 0/0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed
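
Because the sshguard chain only ever holds DROP rules and returns for everything else, the ordering of the jump and the ACCEPT for tcp/ssh decides whether you lock yourself out (no ACCEPT after the jump) or let blocked addresses straight in (ACCEPT before the jump). The following check is an added example, not part of sshguard or of the original post; it reads a ruleset in iptables-restore format and reports both mistakes. The ruleset embedded in it is constructed for the example.

```python
import re

# Constructed ruleset in iptables-restore format, used only to exercise the check below
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -j DROP
COMMIT
"""


def check_sshguard_wiring(ruleset, chain="sshguard", port="ssh"):
    """Return a list of problems; an empty list means tcp/<port> is sent through
    the chain and then accepted, in that order."""
    problems = []
    rules = [line.strip() for line in ruleset.splitlines()]
    rules = [r for r in rules if r and not r.startswith("#")]  # drop blanks and comments

    if f"-N {chain}" not in rules:
        problems.append(f"chain {chain} is never created with -N {chain}")

    # the INPUT rule that hands the port to the chain, and the one that accepts it
    jump = re.compile(rf"^-A INPUT\b.*--dport {port}\b.*-j {chain}$")
    accept = re.compile(rf"^-A INPUT\b.*--dport {port}\b.*-j ACCEPT$")
    jump_at = next((i for i, r in enumerate(rules) if jump.match(r)), None)
    accept_at = next((i for i, r in enumerate(rules) if accept.match(r)), None)

    if jump_at is None:
        problems.append(f"no INPUT rule sends tcp/{port} through {chain}; blocks will never apply")
    if accept_at is None:
        problems.append(f"no INPUT rule accepts tcp/{port} after {chain} returns; "
                        "with a DROP policy every new SSH connection is dropped")
    elif jump_at is not None and accept_at < jump_at:
        problems.append(f"tcp/{port} is accepted before the jump to {chain}, "
                        "so blocked addresses still get in")
    return problems


if __name__ == "__main__":
    # run against the constructed ruleset; print nothing if it is wired correctly
    for problem in check_sshguard_wiring(RULESET):
        print("PROBLEM:", problem)
```

To run it against the real file, read /etc/iptables.up.rules into a string and pass it to check_sshguard_wiring before calling iptables-restore; a non-empty result is worth fixing while you still have a console.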

7. Read in the IPtables rules

iptables-restore < /etc/iptables.up.rules

8. Start Sshguard

mkdir /var/sshguard && /etc/init.d/sshguard start

Verification

tail -f /var/log/auth.log
iptables -L -n
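
What you should see in auth.log and in the iptables listing is the interaction between the two thresholds passed in step 5: failed logins from one source are counted, the address is dropped into the sshguard chain once the attack threshold (-a) is reached, and an address that keeps coming back after being released ends up on the persistent blacklist (-b). The tracker below is an added illustration of that logic written for this article, not sshguard's own code; the auth.log excerpt is constructed, and the block/release commands it emits assume the sshguard chain from step 6. sshguard also releases blocks after a pardon timeout, which is reduced here to an explicit release() call.

```python
import re
from collections import defaultdict

# Constructed auth.log excerpt (not captured from a real host); 203.0.113.7 is the repeat offender.
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 ip-10-0-0-5 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  1 10:00:03 ip-10-0-0-5 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  1 10:00:05 ip-10-0-0-5 sshd[2104]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  1 10:00:06 ip-10-0-0-5 sshd[2108]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  1 10:00:08 ip-10-0-0-5 sshd[2110]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  1 10:00:09 ip-10-0-0-5 sshd[2111]: Failed password for invalid user oracle from 192.0.2.55 port 39000 ssh2
"""

# OpenSSH's "Failed password" line; one pattern is enough for this illustration
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9.]+) port \d+"
)


class BruteForceTracker:
    """Per-source counting with a block threshold (like -a) and a blacklist threshold (like -b)."""

    def __init__(self, attack_threshold=4, blacklist_threshold=5, chain="sshguard"):
        self.attack_threshold = attack_threshold
        self.blacklist_threshold = blacklist_threshold
        self.chain = chain                 # assumed: the chain created in /etc/iptables.up.rules
        self.failures = defaultdict(int)   # failed attempts since the address was last blocked
        self.blocks = defaultdict(int)     # how many times each address has been blocked
        self.blocked = set()               # currently dropped by the firewall
        self.blacklist = set()             # would be written to the -b file and reloaded at start

    def feed(self, line):
        """Consume one log line; return the firewall command to run, or None."""
        m = FAILED_RE.search(line)
        if not m:
            return None                    # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in self.blocked:
            return None                    # the kernel is already dropping this source
        self.failures[ip] += 1
        if self.failures[ip] < self.attack_threshold:
            return None
        # threshold reached: block, reset the counter, and count the block towards the blacklist
        self.failures[ip] = 0
        self.blocked.add(ip)
        self.blocks[ip] += 1
        if self.blocks[ip] >= self.blacklist_threshold:
            self.blacklist.add(ip)
        return f"iptables -A {self.chain} -s {ip} -j DROP"

    def release(self, ip):
        """Pardon an address after the timeout; a blacklisted address stays blacklisted."""
        self.blocked.discard(ip)
        return f"iptables -D {self.chain} -s {ip} -j DROP"


def analyze(log_text, **kwargs):
    """Run the tracker over a log excerpt; return the tracker and the commands it would issue."""
    tracker = BruteForceTracker(**kwargs)
    commands = [cmd for cmd in (tracker.feed(line) for line in log_text.splitlines()) if cmd]
    return tracker, commands


if __name__ == "__main__":
    tracker, cmds = analyze(SAMPLE_AUTH_LOG)
    for cmd in cmds:
        print(cmd)
    print("blacklisted:", sorted(tracker.blacklist) or "none")
```

With the sample excerpt and the article's -a 4, the offender is blocked on its fourth failure while the single failure from 192.0.2.55 and the successful key login are left alone; nothing reaches the blacklist until an address has been blocked five times.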

6 comments on “Protecting SSH against brute force attacks”

    • Yes, this doesn’t preclude any extra defences… but sometimes the origin IP of your SSH client isn’t consistent – think non-static (DHCP) assigned address on an ADSL line, or 20+ support staff accessing AWS instances from home (where the route of your SSH won’t go over your VPN session unless you hopped from an internal trusted box).

  1. I use fail2ban to do just this. The beauty of this app is that it can monitor multiple services/log files and be provided with regex to match hostnames and authentication failures.

    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>\s*$

    action = iptables[name=SSH, port=22, protocol=tcp]
             sendmail-whois[name=SSH, dest=my@email.addre.ss, sender=fail2ban@server.hostname]

    Works very well.

  2. I’m getting an error during the install. I configure in the directory with “--with-firewall=iptables”, which works fine, then I go to install with “make install” and get a bunch of “Entering directory, nothing to be done for …, leaving directory” and no file is present for /etc/init.d/sshguard. I wonder why this is….

  3. Pingback: Dealing with / preventing potentially malicious requests (AWS, Node.js) – inneka.com
