SSHGuard is a host-based intrusion prevention system based on the log monitor paradigm. It monitors the logging activity of several processes, infers when one service is under attack and reacts by blocking the attacker's address with a firewall rule. Despite the name, kept for historical reasons, SSHGuard is not limited to protecting SSH but can protect many services. SSHGuard focuses on reliability, efficiency, adaptability to different scenarios and ease of deployment. It supports several logging formats transparently, it can operate several firewalls for blocking attackers and it has support for log message authentication.

Functionality

SSHGuard is self-contained in a single binary file and runs without configuration. Options are passed via the command line for ease of use. Several features are included to extend the scope of use of the program and to ease its use.

Logging formats

SSHGuard makes use of a parser based on a context-free grammar instead of traditional regular expressions, which can monitor several services at once, even if the respective messages come in different formats. The following logging formats are supported out of the box:

* syslog
* syslog-ng
* metalog
* multilog
* raw messages

The parser takes care of automatically extracting the address of the attacker from log messages, even when it is expressed in domain form.

Blocking backends

When an attack is identified, SSHGuard blocks the attacker's address through a blocking backend. Several blocking backends are supported:

* PF
* netfilter via iptables
* ipfirewall/ipfw
* IPFilter/ipf
* IBM AIX's Packet Filter
* TCP wrapper via the hosts.allow control file

The backend is determined at compile time for ease of later use.

Log message authentication

A well-known problem with log monitors is the possibility of denial-of-service attacks from local users when they are not trusted in the security scheme. This possibility stems from the fact that local users can inject arbitrary log messages into the system, and can therefore fake an attack on a service from a certain address, causing that address to be blocked. When enough information is available from the logs, SSHGuard can operate in a mode that verifies the authenticity of log messages, checking that they were actually produced by the serving process. When operating in this mode, SSHGuard automatically discards faked messages and reports them.

Whitelisting

SSHGuard supports address whitelisting: whitelisted addresses are never blocked, even if they appear to generate attacks. This can be used to protect LAN users or friendly addresses from being accidentally blocked. Whitelists can be composed of multiple addresses, address ranges and domain names.

Extensions

SSHGuard is built on an extensible infrastructure that simplifies the addition of support for new logging formats, services and backends. The project's website encourages proposals for such extensions; an interface is provided for users to submit details about new possible attack patterns and logging formats (New attack patterns). A further interface is provided for collecting proposals about new blocking backends (New firewall backend). The latter is integrated with a tool shipped with the program that enables users to define custom blocking backends and to automatically report them to the project.
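The log monitor paradigm, the whitelisting rule and the idea of discarding messages that did not come from the serving process can all be shown in a few dozen lines. The following is an added illustration written for this page, not code from the SSHGuard project: it replays constructed syslog lines in the OpenSSH "Failed password" shape, counts failed attempts per source address, exempts whitelisted addresses and ranges (domain-name entries are left out because they would need DNS), and, as a simplified stand-in for SSHGuard's process-based authentication, rejects messages whose syslog PID is not in an assumed set of trusted sshd PIDs. The threshold, the sample addresses and the PID set are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real system). The sshd
# message shape mirrors OpenSSH's "Failed password" line; hosts, users and PIDs
# are invented and the addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  1 10:00:05 host sshd[1203]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  1 10:00:06 host sshd[1204]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar  1 10:00:07 host sshd[1205]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  1 10:00:08 host sshd[1206]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Mar  1 10:00:09 host sshd[1207]: Accepted publickey for bob from 198.51.100.7 port 2222 ssh2
Mar  1 10:00:10 host sshd[9999]: Failed password for root from 203.0.113.77 port 1 ssh2
"""

# syslog envelope: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# attack pattern for one service: an OpenSSH failed password attempt
FAILED_PW_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)


def parse_whitelist(entries):
    """Turn single addresses and CIDR ranges into network objects.

    A bare address becomes a /32 (or /128) network. Domain-name entries
    are not handled here because resolving them would need DNS.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_whitelisted(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def analyze(log_text, whitelist, threshold=3, trusted_pids=None):
    """Replay log lines and decide which addresses would be blocked.

    trusted_pids (assumed, hypothetical): if given, only messages whose
    syslog PID is in this set are accepted; others are counted as rejected.
    This stands in for checking that the serving process really produced
    the message, so a locally injected line cannot get an address blocked.
    """
    networks = parse_whitelist(whitelist)
    attempts = Counter()
    rejected = 0
    for line in log_text.splitlines():
        env = SYSLOG_RE.match(line)
        if not env or env["prog"] != "sshd":
            continue  # not a message from the monitored service
        if trusted_pids is not None and int(env["pid"]) not in trusted_pids:
            rejected += 1  # discard and report a message not from sshd
            continue
        hit = FAILED_PW_RE.match(env["msg"])
        if not hit:
            continue  # e.g. a successful login; no attack pattern matched
        try:
            addr = str(ipaddress.ip_address(hit["addr"]))
        except ValueError:
            continue  # domain-form address would need resolution; skipped here
        attempts[addr] += 1
    blocked = sorted(
        a for a, n in attempts.items()
        if n >= threshold and not is_whitelisted(a, networks)
    )
    return {"attempts": dict(attempts), "blocked": blocked, "rejected": rejected}


if __name__ == "__main__":
    result = analyze(
        SAMPLE_LOG,
        whitelist=["192.0.2.0/24", "198.51.100.7"],
        trusted_pids=set(range(1200, 1300)),
    )
    for addr in result["blocked"]:
        print(f"block {addr} ({result['attempts'][addr]} failed attempts)")
    print(f"rejected {result['rejected']} message(s) not from the serving process")
```

Run as written, the script blocks 203.0.113.5 after its third failure, leaves 192.0.2.10 alone because its /24 is whitelisted, ignores the successful login, and rejects the line tagged with PID 9999 instead of counting it against 203.0.113.77. Without `trusted_pids` that last line would be counted like any other, which is the denial-of-service risk the authentication mode addresses.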