This is a quick look at sshlockout and how to effectively use it to ban attackers on OpenBSD machines.

The sshlockout program is an extra layer of security that bans IP addresses that have reached a maximum threshold of failed password attempts. The sshlockout program originates from DragonFlyBSD and has been ported to OpenBSD. If you’re from the Linux world, this is similar to Fail2Ban and is a very simple program. When sshlockout is set up using the settings in the manpage it will ban any IP address that exceeds 5 incorrect passwords in one hour. By default the blocked IP address is blocked for one day, after which it is allowed to attempt to log in again.

Before configuring sshlockout I STRONGLY recommend the following:

  • Generate RSA keys for ssh authentication
  • Disable ssh password authentication
  • Disable root ssh authentication
  • Change the default ssh port

Once all of those tasks are done it is time for the installation!


Installation & Configuration


The initial installation is done with OpenBSD’s package manager, as the root user or with root privileges, using the command:

pkg_add sshlockout

To give syslogd permission to run sshlockout as root, edit /etc/doas.conf and add the following (the command path must be exactly the one used in the /etc/syslog.conf line below, or doas will refuse it):

permit nopass _syslogd as root cmd /usr/local/sbin/sshlockout

Now that sshlockout is installed, configuration is required. You will need to add a PF table and a rule that blocks the addresses in that table. Add the following to the bottom of /etc/pf.conf (if you changed the default ssh port as recommended above, use that port instead of 22):

table <lockout> persist
block in quick on egress proto tcp from <lockout> to port 22

To check the syntax of the new PF table and rule and then load them, run the following command:

pfctl -n -f /etc/pf.conf && pfctl -f /etc/pf.conf

Edit /etc/syslog.conf and add the following line, which pipes sshd’s authentication log messages into sshlockout so it can count failed attempts:

auth.info;authpriv.info | exec /usr/bin/doas -n /usr/local/sbin/sshlockout -pf "lockout"

The last part of the sshlockout setup is to add a line to the root crontab that expires blocked IP addresses. Open the crontab with the following command:

doas crontab -e

Then add the following line to root’s crontab:

3 3 * * * pfctl -tlockout -T expire 4294967295

The number given to expire is an age in seconds: pfctl removes every entry that has been in the table longer than that, so one day corresponds to 86400. Change it to the amount of time you prefer to block malicious public IPs for.


Testing


The way to test whether sshlockout is working is to try to log in from a different IP address. You can VPN into a server and move your ssh keys into a different directory so the ssh command will not use them. Then try to ssh into your server with random credentials. After 5 failed attempts, ssh will just hang instead of asking for credentials; you will need to interrupt it yourself with Ctrl+C.


After getting banned, check your public IP while your VPN connection is still active. Then disconnect from your VPN and move your RSA keys back to ~/.ssh. Now you can ssh into your remote web server and run the command:

pfctl -t lockout -T show | grep your.vpn.ip.address

It will return the VPN’s IP address, which confirms that it has been added to the blocklist.
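As an added example that is not part of the original post or of the sshlockout project: a small sh/awk script that applies the same rule (5 failed passwords from one address within one hour) to sshd log lines and prints the table additions a dry run would produce, so you can see which addresses would be locked out without banning anyone. The log excerpt, host name, PIDs and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sshd log excerpt (syslog format), used only as sample input.
SAMPLE_LOG='Nov  1 08:00:12 bsdhost sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
Nov  1 08:50:30 bsdhost sshd[2002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Nov  1 09:40:05 bsdhost sshd[2003]: Failed password for root from 198.51.100.7 port 40003 ssh2
Nov  1 10:00:01 bsdhost sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 50001 ssh2
Nov  1 10:03:44 bsdhost sshd[2102]: Failed password for invalid user admin from 192.0.2.10 port 50002 ssh2
Nov  1 10:07:10 bsdhost sshd[2103]: Failed password for root from 192.0.2.10 port 50003 ssh2
Nov  1 10:09:58 bsdhost sshd[2104]: Accepted publickey for alice from 203.0.113.5 port 60001 ssh2
Nov  1 10:12:31 bsdhost sshd[2105]: Failed password for root from 192.0.2.10 port 50004 ssh2
Nov  1 10:15:02 bsdhost sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 51001 ssh2
Nov  1 10:19:47 bsdhost sshd[2106]: Failed password for root from 192.0.2.10 port 50005 ssh2
Nov  1 10:20:00 bsdhost sshd[2202]: Failed password for invalid user test from 203.0.113.5 port 51002 ssh2
Nov  1 10:30:15 bsdhost sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Nov  1 10:33:09 bsdhost sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51003 ssh2
Nov  1 10:41:22 bsdhost sshd[2204]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2
Nov  1 11:20:40 bsdhost sshd[2005]: Failed password for root from 198.51.100.7 port 40005 ssh2'

# offenders [threshold] [window_seconds]
# Reads sshd syslog lines on stdin and prints, sorted, every source address
# that reaches <threshold> failed-password lines inside any <window_seconds>
# span (defaults mirror the page: 5 failures within one hour).
offenders() {
    awk -v thr="${1:-5}" -v win="${2:-3600}" '
    /sshd\[[0-9]+\]: Failed password for / {
        # Timestamp as seconds within the month (day * 86400 + time of day);
        # fine for a dry run, but the arithmetic resets at a month boundary.
        split($3, t, ":")
        ts = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 4; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || flagged[ip]) next
        n[ip]++
        stamp[ip, n[ip]] = ts
        # Count the failures from this address inside the trailing window.
        hits = 0
        for (j = 1; j <= n[ip]; j++) if (ts - stamp[ip, j] <= win) hits++
        if (hits >= thr) { flagged[ip] = 1; print ip }
    }' | sort
}

# Dry run: print the table addition each offender would trigger.
printf '%s\n' "$SAMPLE_LOG" | offenders 5 3600 |
    while read -r ip; do echo "pfctl -t lockout -T add $ip"; done
```

On the sample only 192.0.2.10 is listed: 198.51.100.7 also fails five times but never five times inside one hour, and 203.0.113.5 stops at four. An address you want to unban by hand can be removed with pfctl -t lockout -T delete followed by the address.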


Helpful Resources


https://marc.info/?l=openbsd-misc&m=150936166323062&w=2

https://openports.pl/path/security/sshlockout