diff --git a/.gitattributesdb b/.gitattributesdb
index 527b014..0b96a5e 100644
--- a/.gitattributesdb
+++ b/.gitattributesdb
@@ -11,7 +11,7 @@ ZXRjLy5naXRpZ25vcmU= 1758049461 1757611781 root:root 0644 - -
 ZXRjL2FwYWNoZTIvLmdpdGlnbm9yZQ== 1757775950 1757775932 root:root 0644 - -
 ZXRjL2FwYWNoZTIvaHR0cGQuY29uZg== 1758045891 1757785514 root:root 0644 - -
 ZXRjL2FwYWNoZTIvc2l0ZXMuZC9jb3JlLnNsYWNrd2FyZS51ay5uZXQuY29uZg== 1758045929 1757785113 root:root 0644 - -
-ZXRjL2NvbmYuZC8uZ2l0aWdub3Jl 1757609410 1757609410 root:root 0644 - -
+ZXRjL2NvbmYuZC8uZ2l0aWdub3Jl 1758050750 1757609410 root:root 0644 - -
 ZXRjL2NvbmYuZC9ib290bWlzYw== 1757591865 1757591865 root:root 0644 - -
 ZXRjL2NvbmYuZC9ub2RlLWV4cG9ydGVy 1757592526 1757592526 root:root 0644 - -
 ZXRjL2NvbmYuZC9zYW1iYQ== 1757592912 1757592912 root:root 0644 - -
@@ -63,6 +63,8 @@ ZXRjL3NoYWRvdy5ncGc= 1757599010 1757599010 root:root 0644 - -
 ZXRjL3NzaC8uZ2l0aWdub3Jl 1757606957 1757606957 root:root 0644 - -
 ZXRjL3NzaC9zc2hfY29uZmln 1757606630 1757606630 root:root 0644 - -
 ZXRjL3NzaC9zc2hkX2NvbmZpZw== 1757606896 1757606896 root:root 0644 - -
+ZXRjL3NzaGd1YXJkLmNvbmY= 1758050700 1758050700 root:root 0644 - -
+ZXRjL3NzaGd1YXJkLndoaXRlbGlzdA== 1758050235 1758050235 root:root 0644 - -
 ZXRjL3N1ZG9lcnMuZC9kZWZhdWx0cw== 1757599359 1757599359 root:root 0640 - -
 ZXRjL3N1ZG9lcnMuZC9yb290LWFjY2Vzcw== 1757600157 1757600157 root:root 0640 - -
 aG9tZS8uZ2l0aWdub3Jl 1757762052 1757762052 root:root 0644 - -
diff --git a/etc/conf.d/.gitignore b/etc/conf.d/.gitignore
index 4a340c7..c739a86 100644
--- a/etc/conf.d/.gitignore
+++ b/etc/conf.d/.gitignore
@@ -21,6 +21,7 @@
 /ntpd
 /rdate
 /seedrng
+/sshguard
 /staticroute
 /swap
 /swclock
diff --git a/etc/sshguard.conf b/etc/sshguard.conf
new file mode 100644
index 0000000..8dedc93
--- /dev/null
+++ b/etc/sshguard.conf
@@ -0,0 +1,54 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+
+# Full path to backend executable (required, no default)
+BACKEND="/usr/libexec/sshg-fw-iptables"
+
+# Space-separated list of log files to monitor. (optional, no default)
+FILES="/var/log/core.slackware.uk.net/auth"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=10
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=86400
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=28800
+
+# Size of IPv6 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+
+# Full path to PID file (optional, no default)
+PID_FILE=/run/sshguard.pid
+
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+BLACKLIST_FILE=10:/var/lib/sshguard/blacklist
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+WHITELIST_FILE=/etc/sshguard.whitelist
+
+# If PARSER is unset, SSHGuard will use the installed sshg-parser as its
+# parser. Setting PARSER overrides this, so that you can use your own parser.
+#PARSER=
+
+# Run POST_PARSER as a filter after the parser. POST_PARSER must read as input
+# and produce as output lines in the format used by sshg-parser. This example
+# implements primitive whitelisting, preventing sshg-blocker from seeing
+# attacks from 1.2.3.4. Unlike whitelisting, attacks filtered by POST_PARSER
+# are not logged by SSHGuard.
+#POST_PARSER="grep -v 1.2.3.4"
diff --git a/etc/sshguard.whitelist b/etc/sshguard.whitelist
new file mode 100644
index 0000000..77a0c3d
--- /dev/null
+++ b/etc/sshguard.whitelist
@@ -0,0 +1,19 @@
+# Localhost.
+127.0.0.1/8
+::1
+
+# UK Servers
+5.101.171.208/28
+2a01:a500:2981:1::/64
+
+# Linode
+172.236.16.105
+2600:3c13::2000:50ff:fef4:7f56
+
+# Loveservers
+185.176.90.169
+2a07:4580:b0d:57f::169
+
+# Afterdark
+afterdark.org.uk
+2001:470:1f1c:58::/64
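Review bot: In etc/sshguard.conf, `THRESHOLD=10` combined with `BLACKLIST_FILE=10:/var/lib/sshguard/blacklist` means a single event scored 10 from an unlisted address is enough to trigger a block, and, if the blacklist threshold is compared the same way as THRESHOLD, to make that block permanent, which would leave `BLOCK_TIME=86400` with no practical effect. The file's own comments give the defaults as 30, 120 and 1800, so these values are a deliberate departure that nothing in the file explains. I would either set the blacklist threshold well above THRESHOLD (for example `BLACKLIST_FILE=100:/var/lib/sshguard/blacklist`, where 100 is only an illustrative value) or add a comment above it such as `# Deliberately strict: one failure blocks for 24h and is blacklisted; recovery is via /etc/sshguard.whitelist or console access`. Either way the lock-out path for a legitimate user who mistypes once from an unlisted address should be written down next to these settings.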
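Review bot: The `afterdark.org.uk` entry in etc/sshguard.whitelist makes the never-block list depend on DNS, unlike every other entry in the file, which is a literal address or prefix. Whatever that name resolves to when sshguard loads the whitelist is exempt from blocking, so a changed or spoofed record silently changes who is exempt, and a later legitimate change is presumably not picked up until the service is restarted. I would pin it to the addresses it is meant to cover, as the IPv6 prefix under the same heading already does, and add a comment above the /28 and /64 ranges noting that every host inside them gets no brute-force throttling at all. Separately, `127.0.0.1/8` has host bits set; `127.0.0.0/8` is the conventional form.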