-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SSHGuard Configuration to Enhance Security example configuration.nix #649
Conversation
Added the option to enable sshguard to the examples configuration.nix. I also included new Fixme lines to keep things consistent.
Thanks for your PR! To reduce logspam, users could also:
I don't think using |
Thank you for your insightful feedback on the PR! I understand the concerns raised regarding the perceived limited benefits of sshguard when public key authorization is pre-enabled by configuration.nix, and I will add if this doesn't provide enough perceived value to be included I understand that and don't want to add too much bloat to the example file. So I understand that. You're absolutely right; with public key authorization, the risks of brute-force and dictionary attacks are mitigated. However, I would like to highlight that the role of sshguard extends beyond protecting against these types of attacks. It serves as an additional layer of defense to help shore up potential unknown vulnerabilities in OpenSSH by blocking IPs exhibiting anomalous behavior, thus contributing to a defense in depth strategy. Here’s a brief comparison with port knocking and dedicated binding that you highlighted, and I would argue that sshguard is the most user-friendly bang for the buck: Port Knocking: While it offers stealth and selective opening of ports, it can be complex for typical users to set up and does not automatically block malicious IPs. I've used it in the past and for users like us it is definitely useful but the user experience for new users adds additional complexity and increases barrier to entry. Dedicated Binding: It limits exposure by binding sshd to a dedicated IP or a different port, but like port knocking, it does not provide automatic blocking of malicious IPs and is more security through obscurity (which is fine to a degree, but port scanning all 65,535 is relatively trivial anymore using something like masscan or using something like shodan. Both port knocking and dedicated binding are valuable for reducing exposure and allowing specific access, but they may lack in user-friendliness and do not address anomalous behavior indicative of exploitation attempts. I proposed the implementation of sshguard as it provides a balanced, user-friendly approach to security, especially for typical users, and can work in conjunction with other security measures like port knocking and dedicated binding to provide a more comprehensive security solution for more experienced users. It adds a penalty to people attempting to attack systems at scale and removes them from the equation from public facing nodes. Would love to hear your thoughts on this and whether you have any suggestions for improving the current PR to better align it with the project’s goals or I can close if this offers too little value in ya'll opinion. Cheers, |
Hi @ionisle, thanks for your PR and explanations! We don't really have a policy for default options in configuration.nix. Right now, it mostly consists of nix-bitcoin specific options. I think a reasonable informal policy is to add "whatever we want to be enabled most of the time on our own nodes". I'm not sure if that's the case for sshguard.
Is that true? I can't find the claim on their website. If I understand correctly, it just reads log files to block connections. So even if the attack would produce a suspicious log line and the "attack scoring" by sshguard would be high enough to block the connection, it is likely to be too late - exploitation would have already happened. So the main benefit for us appears to be preventing log spam at the cost of locking yourself out accidentally. Maybe changing the SSH port would be enough to reduce the spam. |
@jonasnick, Having said that, I'm here to contribute and help long-term, what are some of the pressing issues/things that need to get done? |
Interesting to hear that you already have a significant amount of experience with this and
is a good point. As for higher priority things to work on (imo):
|
I'm closing this request, and will start finding what I can do on the list you mentioned. |
Added the option to enable sshguard to the examples configuration.nix. I also included new Fixme lines to keep things consistent.