gods

a simple blocklist for ssh

sdog.1 (1897B)


.Dd October 23, 2021
.Dt SDOG 1
.Os
.Sh NAME
.Nm sdog
.Nd block malicious ssh users
.Sh SYNOPSIS
.Nm sdog
.Op Fl d
.Sh DESCRIPTION
.Nm
monitors
.Ar authlog
and blocks malicious ssh users using
simple pattern matching.
.Nm
uses two files
.Ar blacklist
and
.Ar whitelist
to maintain the users
who are, respectively, permanently banned and permanently allowed access.
The files shall contain the respective IP addresses of users
and shall remain mutually exclusive.
.Pp
.Nm
bans malicious users based on a simple mathematical model:
.Pp
ban-duration = 3 ^
.Ar n
where
.Ar n
is the number of times the user has tried to initiate a connection and
failed.
After 8 failed attempts,
the user is banned permanently by adding
the respective IP address of the user to
.Ar blacklist .
.Sh OPTIONS
.Bl -tag -width "-d "
.It Fl d
Debug mode. The server sends debug output to standard error
and does not daemonize.
.El
.Sh SIGNALS
.Bl -tag
.It HUP
Gracefully shut down
.Nm .
.El
.Sh FILES
.Bl -tag
.It authlog
/var/log/authlog
.It blacklist
/etc/gods/blacklist
.It whitelist
/etc/gods/whitelist
.El
.Sh NOTES
Only OpenBSD pf is supported at the moment.
.Nm
uses a pf table called
.Ar blacklist
to block and unblock prospective attackers.
Copying the following lines to
.Ar pf.conf
and restarting pf will create the respective table.
.Pp
.nf
table <blacklist> persist
block in on <if> from <blacklist> to any
.fi
.Pp
Care must be taken to replace <if> with the respective interface.
.Sh CAVEATS
.Nm
cannot dynamically ban/unban users at the moment.
In the event of having to ban/unban a user
the following commands will be helpful:
.Pp
.nf
Show all IP addresses that are banned
pfctl -t blacklist -T show

Unban an IP address
pfctl -t blacklist -T delete <ip>

Ban an IP address
pfctl -t blacklist -T add <ip>
.fi
.Pp
Please shut down the daemon prior to changing the state of a user.
.Sh AUTHORS
.An Naveen Narayanan Aq Mt zerous@nocebo.space
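
The escalation model described under DESCRIPTION, as an added shell example that is not part of sdog or this repository. It assumes OpenSSH "Failed password" lines in authlog, treats the 8th failure as the permanent-ban threshold, and leaves the duration unit unspecified as the man page does; `sample_log` and `ban_plan` are hypothetical names.

```sh
#!/bin/sh
# Added illustration of the ban model in sdog(1); not sdog's own code.
# Assumptions: OpenSSH "Failed password" lines, permanent ban from the 8th
# failure on, duration unit unspecified (the man page does not state one).

PERMANENT_AFTER=8

# Constructed sample authlog lines (documentation address ranges only).
sample_log() {
    i=1
    while [ "$i" -le 8 ]; do
        echo "Oct 23 10:00:0$i host sshd[10$i]: Failed password for root from 203.0.113.7 port 400$i ssh2"
        i=$((i + 1))
    done
    cat <<'EOF'
Oct 23 10:01:00 host sshd[201]: Failed password for invalid user from from 198.51.100.20 port 5001 ssh2
Oct 23 10:01:05 host sshd[202]: Failed password for invalid user admin from 198.51.100.20 port 5002 ssh2
Oct 23 10:02:00 host sshd[301]: Failed password for alice from 192.0.2.10 port 6001 ssh2
Oct 23 10:02:09 host sshd[302]: Accepted publickey for alice from 192.0.2.10 port 6002 ssh2
EOF
}

# ban_plan "WHITELISTED IPS": read authlog lines on stdin and print
# "<ip> <failures> <3^n | permanent>" per offending address, sorted.
ban_plan() {
    awk -v wl="$1" -v limit="$PERMANENT_AFTER" '
    BEGIN { n = split(wl, a, " "); for (i = 1; i <= n; i++) white[a[i]] = 1 }
    /sshd\[[0-9]+\]: Failed password for / {
        # Read the address relative to the end of the line, so a user name
        # that itself contains the word "from" cannot shift the field.
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        if (!(ip in white)) fails[ip]++   # whitelisted addresses are never counted
    }
    END {
        for (ip in fails) {
            if (fails[ip] >= limit) print ip, fails[ip], "permanent"
            else print ip, fails[ip], 3 ^ fails[ip]
        }
    }' | sort
}

# Plan for the sample log with 192.0.2.10 whitelisted.
sample_log | ban_plan "192.0.2.10"
```
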