===Public SSH Access===
Configuring SSH access as public results in a constant stream of scripted login attempts, which consume bandwidth and CPU and fill the logs with noise. SSH AutoBlock adds an iptables rule that blocks repeated connection attempts to the configured sshd port. See [[bugzilla 8257]], [[bugzilla:8258]] and the feature's bug report [http://bugs.contribs.org/show_bug.cgi?id=8308 AutoBlock SSH]; earlier work-in-progress documentation is attached [http://bugs.contribs.org/attachment.cgi?id=4578 here].

By default a connection is rejected when the same source address has already made 3 or more requests in the previous 15 minutes. The block lapses once fewer than that many requests fall inside the window (the window length is set by AutoBlockTime).

By design only addresses outside your local network are blocked after too many attempts; sources on the local network are never blocked.
===Default values===

 AutoBlockTime=900     # 900 seconds (15 minutes)
 AutoBlockTries=4      # 3 tries are allowed; the fourth try is blocked
 AutoBlock=disabled    # default for SME Server 8
 AutoBlock=enabled     # default for SME Server 9
| + | |
===Set Values===

The ipt_recent (SME8) or xt_recent (SME9) kernel module keeps a table named SSH of the last 100 source addresses seen, exposed as /proc/net/ipt_recent/SSH (SME8) or /proc/net/xt_recent/SSH (SME9). The iptables chain that feeds and checks that table is SSH_Autoblock; this is the output of "iptables -L SSH_Autoblock -v" on a system up for 56 days:

 Chain SSH_Autoblock (1 references)
  pkts bytes target   prot opt in   out  source    destination
 29388 1521K          all  --  any  any  anywhere  anywhere   recent: SET name: SSH side: source
 19169 1010K denylog  all  --  any  any  anywhere  anywhere   recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source
     3   180 denylog  all  --  any  any  anywhere  anywhere   recent: CHECK seconds: 7200 hit_count: 8 TTL-Match name: SSH side: source

The first rule records every packet from the source address in the SSH table. The second rule sends the packet to denylog when that source has now been seen 4 or more times within the last 900 seconds; TTL-Match (--rttl) additionally requires the packet's TTL to match the TTL recorded for the entry. The third rule does the same with a longer window of 8 hits in 7200 seconds; this page only documents the settings for the first window.

The iptables rule has only two controls: a time period to consider and a connection attempt threshold for that period. The default settings use a 900 second (15 minute) period, during which 3 connection requests may be made without interference. The fourth and subsequent attempts are counted and blocked; since the SET rule runs before the CHECK rule, blocked attempts are still recorded, so a scanner that keeps hammering extends its own block. After at most 15 minutes of quiet, the block expires and you can try again.
| + | |
{{Note box|Setting AutoBlockTries to a larger number allows more attempts in whatever interval is selected by AutoBlockTime. Three tries in 15 minutes seems like a reasonable balance between blocking SSH scanners and human frailty.
}}

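To make the relationship between the two settings and the chain above concrete, here is an added example (not SME Server's own template code) that prints the iptables commands the settings correspond to and rejects values the recent match would refuse. It assumes the kernel's ip_pkt_list_tot is at its default of 20, which is not stated on this page; the chain name, the SSH table name, --rttl and the denylog target are taken from the iptables -L output above, and the longer 7200/8 rule is not generated.

```shell
#!/bin/sh
# Added example, not SME Server's template code: map AutoBlockTime and
# AutoBlockTries onto the recent-match flags of the SSH_Autoblock chain.
# Assumption (not from the page): ip_pkt_list_tot is at its default of 20,
# so xt_recent keeps 20 timestamps per source and refuses --hitcount > 20.

# autoblock_rules AUTOBLOCKTIME AUTOBLOCKTRIES
#   Prints the iptables commands on stdout and returns 0, or prints a
#   reason on stderr and returns 1 when the values are not usable.
autoblock_rules() {
    time="$1"
    tries="$2"
    for v in "$time" "$tries"; do
        case "$v" in
            ''|*[!0-9]*)
                echo "AutoBlockTime and AutoBlockTries must be whole numbers" >&2
                return 1 ;;
        esac
    done
    if [ "$time" -lt 1 ]; then
        echo "AutoBlockTime must be at least 1 second" >&2
        return 1
    fi
    if [ "$tries" -lt 1 ] || [ "$tries" -gt 20 ]; then
        echo "AutoBlockTries must be 1..20 (the recent match keeps 20 stamps per source)" >&2
        return 1
    fi
    # SET records every packet; CHECK fires on the AUTOBLOCKTRIES-th packet
    # seen within AUTOBLOCKTIME seconds, so tries-1 connections get through.
    cat <<EOF
iptables -N SSH_Autoblock
iptables -A SSH_Autoblock -m recent --set --name SSH --rsource
iptables -A SSH_Autoblock -m recent --rcheck --seconds $time --hitcount $tries --rttl --name SSH --rsource -j denylog
EOF
}

# Defaults for SME Server 9: 900 seconds, 4 tries (3 allowed, fourth blocked).
autoblock_rules 900 4
```

The page does not show how SSH_Autoblock is referenced from the rest of the firewall (the "1 references" in the listing), so the example stops at the chain itself; on a real server the settings are applied through db configuration setprop and signal-event, never by running iptables by hand.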
====How to tune the hit count====

 db configuration setprop sshd AutoBlockTries {n}    # replace {n} with a number, without the braces
 signal-event remoteaccess-update

====How to tune the block time====

 db configuration setprop sshd AutoBlockTime {s}     # replace {s} with a number of seconds, without the braces
 signal-event remoteaccess-update

====How to disable/enable SSH_Autoblock====

 db configuration setprop sshd AutoBlock disabled
or:
 db configuration setprop sshd AutoBlock enabled

followed by:
 signal-event remoteaccess-update

Note: if sshd is moved to another port (say 2211), no further change is needed: SSH_Autoblock installs itself on whatever port is configured for sshd.


===How to access the AutoBlock history===

*For SME8:
 cat /proc/net/ipt_recent/SSH

*For SME9:
 cat /proc/net/xt_recent/SSH

Each line holds one source address, the TTL recorded for it, the time it was last seen and the timestamps (in kernel jiffies) of its recent packets.

{{Note box|signal-event remoteaccess-update will result in the AutoBlock history being cleared, due to the presence of masq -> adjust in services2adjust for remoteaccess-update: the firewall rules are reloaded, which recreates the recent table.}}
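The history file only lists raw timestamps, so it is not obvious which sources were actually blocked. The following added example (not SME Server code) reads a dump in the SME9 xt_recent layout and applies the same test as the CHECK rule: an entry counts as blocked at its last attempt when at least AutoBlockTries of its stamps fall within AutoBlockTime seconds of its own last_seen. It assumes a kernel HZ of 1000 (CentOS 6 default, not stated on this page) to convert seconds to jiffies, ignores TTL matching, and uses a constructed sample table with made-up jiffies values.

```shell
#!/bin/sh
# Added example, not SME Server code: find the sources that the
# SSH_Autoblock CHECK rule blocked at their most recent attempt, from a
# /proc/net/xt_recent/SSH dump.
# Assumptions (not from the page): HZ=1000, the SME9 xt_recent layout, and
# the constructed sample below. TTL-Match (--rttl) is ignored.

# Constructed sample in /proc/net/xt_recent/SSH layout; jiffies are invented.
sample() {
cat <<'EOF'
src=203.0.113.7 ttl: 52 last_seen: 4300900000 oldest_pkt: 4 4300750000, 4300800000, 4300850000, 4300900000
src=198.51.100.20 ttl: 57 last_seen: 4300600000 oldest_pkt: 2 4299000000, 4300600000
src=192.0.2.9 ttl: 64 last_seen: 4300905000 oldest_pkt: 3 4300890000, 4300900000, 4300905000
EOF
}

# blocked_ips HZ SECONDS HITCOUNT  (table on stdin)
#   Prints one address per line for every entry with >= HITCOUNT stamps in
#   the SECONDS before its own last_seen, i.e. entries whose last packet
#   matched "recent: CHECK seconds: SECONDS hit_count: HITCOUNT".
blocked_ips() {
    awk -v hz="$1" -v secs="$2" -v hits="$3" '
    {
        ip = substr($1, 5)                  # strip the leading "src="
        last = 0; first = 0
        for (i = 2; i <= NF; i++) {         # locate the labelled fields
            if ($i == "last_seen:")  last = $(i + 1) + 0
            if ($i == "oldest_pkt:") { first = i + 2; break }
        }
        if (!first) next                    # blank or unrecognised line
        window = secs * hz                  # seconds -> jiffies
        n = 0
        for (i = first; i <= NF; i++) {     # stamps, comma separated
            s = $i; sub(/,$/, "", s)
            if (s + 0 >= last - window) n++
        }
        if (n >= hits) print ip
    }'
}

# Default SME Server 9 settings: AutoBlockTime=900, AutoBlockTries=4.
# Only 203.0.113.7 has four stamps inside its 900 s window.
sample | blocked_ips 1000 900 4
```

On a live SME9 server run `blocked_ips 1000 900 4 < /proc/net/xt_recent/SSH`, after confirming HZ with `grep CONFIG_HZ= /boot/config-$(uname -r)`. A source listed this way is still blocked only while fewer than AutoBlockTime seconds have passed since its last_seen; the SME8 ipt_recent layout differs slightly, and the parser above is written against the SME9 layout in the sample.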

====The current block status====

The history file lists the last 100 source addresses seen. To display the chain itself, with per-rule packet and byte counters showing how many connections were recorded and how many were sent to denylog:
 iptables -L SSH_Autoblock -v

====How to clear the history====

A local system admin logged in as root may clear the SSH_Autoblock history at any time with:

* For SME8:
 echo clear > /proc/net/ipt_recent/SSH

* For SME9:
 echo / > /proc/net/xt_recent/SSH

See the recent match section of the iptables(8) man page for the other table management commands (writing an address with a leading + adds it to the table and a leading - removes it).


[[Category:Howto]]