Haas-proxy to only activate after N failed attempts

Hi,

I have an idea to use haas-proxy only on those peers that have proven to be fraudulent:

  1. sshd listens on port 22, haas-proxy listens on a different port (e.g. 2200) which is not open on iptables.
  2. After several unsuccessful login attempts, fail2ban or sshguard or similar will add the attacker to an ipset.
  3. A firewall rule routes all connections from IPs of this ipset to haas-proxy using TPROXY.

Advantage: In a conventional setup with sshd listening on another port, if someone figures out the real port they would be able to target their attacks directly. This new approach fixes this problem.

Disadvantages: An attacker will have the possibility to brute force the password if he knows about the described setup and is able to change his IP often enough. We would also have a problem if our sshd has a vulnerability in the connection process.

Has anyone tried a similar setup? (as I don’t want to reinvent a bicycle)

Is it a good or bad idea at all? (if Turris folks had considered it internally and dropped for some reason, I would prefer to know that reason before implementing this myself).

Thank you in advance!

Best regards,
Denis Shulyaka

A layman’s view: a lot of complications for nothing.

For external access to true SSH, do your port redirects (example 36251 -> 22). For greater security I think a VPN is preferable.

If you (only) want SSH to your router, I’d say that connecting to the whole network (via VPN) is a complication that doesn’t improve security of that connection. You may of course want to connect to the whole network anyway, for other reasons…

I’ll post a solution for anyone curious:

  1. Compile, install, and enable startup of sshguard: https://github.com/Shulyaka/packages/tree/i2pd/net/sshguard
  2. Set the sshguard backend to ipset in /etc/sshguard.conf:
    BACKEND="/usr/lib/sshg-fw-ipset"
  3. Remove the firewall configuration made by haas with uci set haas.settings.setup_fw=0 && uci commit
  4. Add the following lines to the end of /etc/firewall.user:
    echo "fw_init"|/usr/lib/sshg-fw-ipset 2>/dev/null

    iptables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "haas" -m set --match-set sshguard4 src -j DNAT --to-destination $(ubus call network.interface.wan status | sed -n 's|.*address":[[:blank:]]*"\([0-9.]*\)".*|\1|p'):$(uci -q get haas.settings.local_port)
    ip6tables -t nat -I zone_wan_prerouting -p tcp -m tcp --dport 22 -m comment --comment "haas" -m set --match-set sshguard6 src -j DNAT --to-destination $(ubus call network.interface.wan6 status | sed -n 's|.*address":[[:blank:]]*"\([0-9a-f:.]*\)".*|\1|p' | head -n 1):$(uci -q get haas.settings.local_port)
  5. For optional IPv6 support, change the following line in /usr/lib/python2.7/site-packages/haas_proxy/proxy.py (hope haas-proxy developers will support IPv6 natively soon):
        self._port = reactor.listenTCP(
            self.args.port, ProxySSHFactory(self.args))

to

        self._port = reactor.listenTCP(
            self.args.port, ProxySSHFactory(self.args), interface='::')

That would listen on IPv6 interface but IPv4 connections would also be accepted with an IPv4-mapped IPv6 address.
  6. Done! Now you can control with sshguard who will connect to the real ssh service and who will go to the haas honeypot. Sample system log:

2018-11-20 12:17:54 info sshd[14984]: Unable to negotiate with 103.79.142.15 port 53724: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1 [preauth]
2018-11-20 12:17:54 notice sshguard[12468]: Attack from "103.79.142.15" on service 100 with danger 10.
2018-11-20 12:17:54 warning sshguard[12468]: Blocking "103.79.142.15/32" for 120 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)
2018-11-20 12:17:56 info sshd[14910]: Invalid user admin from 5.188.10.144 port 42076
2018-11-20 12:17:56 notice sshguard[12468]: Attack from "5.188.10.144" on service 100 with danger 10.
2018-11-20 12:17:56 warning sshguard[12468]: Blocking "5.188.10.144/32" for 120 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)
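To check which sources the setup above is currently diverting to the honeypot, here is an added example (not code from the post, from sshguard or from haas-proxy) that parses sshguard's "Blocking" log lines in the format shown in the sample log. The sample lines are constructed from the excerpt above plus one expired entry, and the example assumes the ipset entry lives exactly as long as the sshguard block.

```python
"""Parse sshguard block events and report which sources the DNAT rule
would currently send to haas-proxy (added example, not part of the post)."""
import re
from datetime import datetime, timedelta

# Matches sshguard's "Blocking" lines as they appear in the sample log above.
BLOCK_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ sshguard\[\d+\]: '
    r'Blocking "(?P<net>[0-9a-fA-F:.]+/\d+)" for (?P<secs>\d+) secs'
)

# Constructed sample log: two events from the post, one older expired event
# (RFC 5737 address) and one IPv6 event (RFC 3849 address).
SAMPLE_LOG = [
    '2018-11-20 11:00:00 warning sshguard[12468]: Blocking "198.51.100.7/32" '
    'for 120 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)',
    '2018-11-20 12:17:54 notice sshguard[12468]: Attack from "103.79.142.15" '
    'on service 100 with danger 10.',
    '2018-11-20 12:17:54 warning sshguard[12468]: Blocking "103.79.142.15/32" '
    'for 120 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)',
    '2018-11-20 12:17:56 warning sshguard[12468]: Blocking "5.188.10.144/32" '
    'for 120 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)',
    '2018-11-20 12:18:10 warning sshguard[12468]: Blocking "2001:db8::5/128" '
    'for 240 secs (1 attacks in 0 secs, after 1 abuses over 0 secs.)',
]


def parse_blocks(lines):
    """Return (network, block_start, block_end) for every Blocking line.
    Lines that are not sshguard Blocking events are ignored."""
    blocks = []
    for line in lines:
        m = BLOCK_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        end = start + timedelta(seconds=int(m.group("secs")))
        blocks.append((m.group("net"), start, end))
    return blocks


def diverted_at(blocks, when):
    """Networks whose block is active at `when`, i.e. the sources that the
    sshguard4/sshguard6 ipsets (and so the DNAT rule) divert to haas-proxy.
    Assumes the ipset entry expires together with the sshguard block."""
    return {net for net, start, end in blocks if start <= when < end}


if __name__ == "__main__":
    now = datetime(2018, 11, 20, 12, 18, 30)
    print(sorted(diverted_at(parse_blocks(SAMPLE_LOG), now)))
```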