Add sshguard configurations.

2023-11-05 15:56:54 +00:00 · 2023-11-05 15:56:54 +00:00 · 63cadafd54
commit 63cadafd54
parent 03cec065bb
16 changed files with 126 additions and 2 deletions
--- a/etc/.gitignore
+++ b/etc/.gitignore
@ -40,7 +40,6 @@
 /idmapd.conf
 /inputrc
 /iproute2/
-/iptables/
 /issue
 /kernel.d/
 /ld.so.conf
--- a/etc/iptables/.gitignore
+++ b/etc/iptables/.gitignore
@ -0,0 +1,2 @@
+/empty.rules
+/simple_firewall.rules
--- a/etc/iptables/ip6tables.rules
+++ b/etc/iptables/ip6tables.rules
@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.8.9 on Sun Nov  5 15:51:09 2023
+*filter
+:INPUT ACCEPT [83:26918]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [76:25629]
+-A INPUT -m set --match-set sshguard6 src -j DROP
+COMMIT
+# Completed on Sun Nov  5 15:51:09 2023
--- a/etc/iptables/iptables.rules
+++ b/etc/iptables/iptables.rules
@ -0,0 +1,8 @@
+# Generated by iptables-save v1.8.9 on Sun Nov  5 15:50:23 2023
+*filter
+:INPUT ACCEPT [774:1137642]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [819:263679]
+-A INPUT -m set --match-set sshguard4 src -j DROP
+COMMIT
+# Completed on Sun Nov  5 15:50:23 2023
--- a/etc/runit/runsvdir/default/ip6tables
+++ b/etc/runit/runsvdir/default/ip6tables
@ -0,0 +1 @@
+/etc/sv/ip6tables
--- a/etc/runit/runsvdir/default/iptables
+++ b/etc/runit/runsvdir/default/iptables
@ -0,0 +1 @@
+/etc/sv/iptables
--- a/etc/runit/runsvdir/default/sshguard
+++ b/etc/runit/runsvdir/default/sshguard
@ -0,0 +1 @@
+/etc/sv/sshguard
--- a/etc/sshguard.conf
+++ b/etc/sshguard.conf
@ -0,0 +1,56 @@
+#!/bin/sh
+# sshguard.conf -- SSHGuard configuration
+# Options that are uncommented in this example are set to their default
+# values. Options without defaults are commented out.
+
+# Full path to backend executable (required, no default)
+BACKEND="/usr/libexec/sshg-fw-ipset"
+
+# Space-separated list of log files to monitor. (optional, no default)
+FILES="/var/log/sshd"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
+# Example 2: ssh from os_log (macOS 10.12+)
+#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
+
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD=10
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME=86400
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME=28800
+
+# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
+IPV6_SUBNET=128
+
+# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
+IPV4_SUBNET=32
+
+# Full path to PID file (optional, no default)
+PID_FILE=/run/sshguard.pid
+
+# Colon-separated blacklist threshold and full path to blacklist file.
+# (optional, no default)
+BLACKLIST_FILE=20:/var/lib/sshguard/blacklist
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+WHITELIST_FILE=/etc/sshguard.whitelist
+
+# If PARSER is unset, SSHGuard will use the installed sshg-parser as its
+# parser. Setting PARSER overrides this, so that you can use your own parser.
+#PARSER=
+
+# Run POST_PARSER as a filter after the parser. POST_PARSER must read as input
+# and produce as output lines in the format used by sshg-parser. This example
+# implements primitive whitelisting, preventing sshg-blocker from seeing
+# attacks from 1.2.3.4. Unlike whitelisting, attacks filtered by POST_PARSER
+# are not logged by SSHGuard.
+#POST_PARSER="grep -v 1.2.3.4"
--- a/etc/sshguard.whitelist
+++ b/etc/sshguard.whitelist
@ -0,0 +1,33 @@
+# Localhost.
+127.0.0.1/8
+::1
+
+# Private addresses.
+10.0.0.0/8
+169.254.0.0/16
+172.16.0.0/12
+192.168.0.0/16
+
+# Servers
+5.101.171.208/28
+2a01:a500:2981:1::/64
+
+# UK2
+91.109.244.7
+91.109.244.8
+91.109.244.9
+91.109.244.10
+91.109.244.11
+2a02:2498:1:227::/64
+
+# Linode
+88.80.191.137
+2a01:7e00::f03c:93ff:fe86:afae
+
+# Loveservers
+185.176.90.169
+2a07:4580:b0d:57f::169
+
+# Afterdark
+afterdark.org.uk
+2001:470:1f1c:58::/64
--- a/etc/sv/.gitignore
+++ b/etc/sv/.gitignore
@ -39,6 +39,7 @@
 /rpcsvcgssd/
 /rsyncd/
 /sshd/
+/sshguard-socklog/
 /statd/
 /sulogin/
 /udevd/
--- a/etc/sv/sshguard/run
+++ b/etc/sv/sshguard/run
@ -0,0 +1,5 @@
+#!/bin/sh
+
+[ -f ./conf ] && . ./conf
+
+exec sshguard $OPTS 2>&1
--- a/etc/sv/sshguard/supervise
+++ b/etc/sv/sshguard/supervise
@ -0,0 +1 @@
+/run/runit/supervise.sshguard
--- a/var/.gitignore
+++ b/var/.gitignore
@ -2,7 +2,6 @@
 /chroot/
 /db/
 /empty/
-/lib/
 /lock
 /log/
 /mail/
--- a/var/lib/.gitignore
+++ b/var/lib/.gitignore
@ -0,0 +1,8 @@
+/alsa/
+/gitea/
+/iptables/
+/logrotate.status
+/mlocate/
+/nfs/
+/os-prober/
+/seedrng/
--- a/var/lib/sshguard/.empty
+++ b/var/lib/sshguard/.empty
--- a/var/lib/sshguard/.gitignore
+++ b/var/lib/sshguard/.gitignore
@ -0,0 +1 @@
+/blacklist