Passing along an interesting read by Tatu Ylonen, the inventor of the original SSH program and the SSH 1 protocol, on how it’s not a coincidence that SSH got assigned to port number 22 and how scared he was of the [in]formal process of allocating a port number.
If you’re scared of leaving your SSH server unprotected today – almost 22 years later, you can get to sleep a little easier by installing SSHGuard.
SSHGuard 2.0.0 has been released, and here are the highlights:
- Support reading from os_log on macOS 10.12 and systemd journal
- Add firewalld backend (tutorial)
- Add ipset backend
- Resurrect the ipfilter backend
- Preliminary support for Capsicum and pledge()
- Match “no matching cipher” for SSH
- Annotate logs using -a flag to sshg-parser
- SSHGuard requires a configuration file to start
- Runtime flags now configurable in the sshguard.conf configuration file
- Add warning when reading from standard input
- Build and install all backend scripts by default
- Improve log messages and tweak logging priorities
- Remove process validation (-f option)
- Fix ipfw backend on FreeBSD 11
- Fix initial block time being doubled
- Update Dovecot pattern for macOS
- Use standard score for Sendmail auth attack
There have been a lot of changes to how SSHGuard is configured in this release. Most notably, piped commands and runtime flags should be moved from the init script to the permanent configuration file. The release contains example configurations for systemd and the journal on Linux, launchd and os_log on macOS, as well as a fully documented sshguard.conf in examples/.
Maintainers and distributors should make sure they update their distribution-specific configurations accordingly.
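For maintainers moving flags out of an init script, a pre-flight check of the resulting file can catch a missing backend or log source before the service is restarted. The script below is an added example, not SSHGuard's own code: BACKEND, FILES, LOGREADER, THRESHOLD, BLOCK_TIME and DETECTION_TIME are sshguard.conf keys, while the paths and values in the sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not part of SSHGuard): sanity-check a migrated sshguard.conf.
# The file uses shell syntax, so it is sourced inside a subshell to keep its
# variables out of the caller's environment.
# Return codes: 0 = usable, 1 = missing file or no BACKEND,
#               2 = no FILES/LOGREADER (SSHGuard would read standard input,
#                   which 2.0.0 warns about).
check_sshguard_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "missing config: $conf" >&2; return 1; }
    (
        unset BACKEND FILES LOGREADER
        . "$conf" || exit 1
        if [ -z "$BACKEND" ]; then
            echo "BACKEND is not set in $conf" >&2
            exit 1
        fi
        if [ -z "$FILES" ] && [ -z "$LOGREADER" ]; then
            echo "no FILES or LOGREADER in $conf: would read standard input" >&2
            exit 2
        fi
        exit 0
    )
}

# Constructed sample: settings that used to be init-script flags and piped
# commands, now kept in the configuration file. Paths are assumptions; use
# the locations where your package installs the backend scripts.
sample=$(mktemp)
cat > "$sample" <<'EOF'
BACKEND="/usr/local/libexec/sshg-fw-iptables"
LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"
THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800
EOF
check_sshguard_conf "$sample" && echo "config ok: $sample"
rm -f "$sample"
```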
Ubuntu MATE 16.04.2 has disabled SSH by default, but once users enable SSH, SSHGuard is enabled at the same time. This will help protect the resource-limited Raspberry Pi devices against scripted attacks on their SSH service.
Users may also soon see SSHGuard pop up in other Raspberry Pi focused Linux distributions based on Ubuntu Pi Flavours for Raspberry Pi as per their blog.
The SSHGuard team is pleased to see a Linux distribution install SSHGuard by default, and thanks the Ubuntu MATE for Raspberry Pi team for trusting SSHGuard to protect their users.
So far we have been writing the man page directly in roff, the original man-page format. However, no tool is available to produce decent HTML output for roff, and we were constantly in need of minor or major manual edits every time an updated manual page had to be brought to the website.
To end this pain we chose to move to a more general markup language, reStructuredText, from which we are able to generate healthy, semantic and beautiful outputs in all required formats – like roff and HTML – entirely automatically.
Some users might have noticed Armando’s presence, over the last months, on our users’ mailing list.
Armando (AKA armax00 AKA arma@) has been hacking around with SSHGuard for a while now, and contributed a few interesting changes that already made it into trunk. All commits thus far passed through me (mij@) to ensure quality, but time has now come for arma to commit directly.
This means, arma@ is welcome into SSHGuard’s team, and he will be the point of contact for his own commits. Welcome Armando!
A few factors took me away from Open Source in the last months. In a way, these months have been a “bus factor test”: looking back, they show how the project would endure without the constant hand of the principal developer.
And the summary is: Surprise!
- year 2010 saw 6 SSHGuard releases, year 2011 saw one
- website traffic in 2011 increased 30%
- several packages appeared for new OSes/distributions spontaneously (we solicited hard for them in 2010)
- download count conserved for source package, despite spreading binary distros supposedly taking a bigger bite off
- submissions of patterns conserved (at about 60/year), still more than our processing rate
- code contributions on the mailing list grew significantly
So, development falls, and popularity rises? Apparently so, and the magic behind it is called “community”.
If I have to name a few concrete factors that might have aided this:
- Federico’s new and awesome website
- Maturity of the codebase
- Time. The project has been around long enough to catch up with older massively-ranked projects on Search Engines
What can you do, as a user, to help SSHGuard build upon a stronger community? Give back with a few minutes of your time!
Here are some ideas:
- always speak out for stuff you like. Ideas: your blog (yes!), alternative.to, ohloh, twitter, stackoverflow, webhostingtalk, freshmeat, sourceforge
- mention SSHGuard when someone asks for advice on mailing lists: help people find alternatives to choose from
- help other users by replying on sshguard’s mailing list. The fewer posts the team has to reply to, the more we can work on code
Hello SSHguard happy users! The webmaster is speaking.
I am glad to announce the release of the new look ‘n feel of sshguard.net website: new colors, bigger logo, more logos (have you seen the little owl hanging on the footer?). This feed is also available via HTML, not just via RSS as it has always been. This micro-blog nicely blends into your social circle thanks to the Disqus commenting service we just deployed.
Like SSHguard, sshguard.net can also evolve thanks to your contributions. So please, don’t be afraid to send us comments, ideas, bug reports and suggestions about the website. We’re always glad to hear from our users.
Today we release version 1.5rc4. Dijkstra used to say that the aim of testing is to prove the presence of bugs, not their absence. If so, we managed to be successful with 1.5rc3 too! :)
Thanks Florian for reporting the problems on recent Solaris, and working them out along with us. And thanks Dago from opencsw.org, which provides Solaris shells (and support) for developers to ensure maintenance of Solaris portability with ease. OpenCSW is definitely worth praise and notice for any project that cares about portability.
In the meantime, we keep receiving proposals for the addition of patterns on http://www.sshguard.net/support/attacks/submit/. At the rate of one submission a week, this is a great way to remind us how big and lively our community is out there. Plus, users start wanting to apply SSHGuard to tasks beyond its original portfolio. Awesome!
If anyone wonders what’s happening to such submissions (the background: we’re taking on average 3 months from submission to commit), the explanation is that by policy we prioritize fixes to outstanding bugs before addition of new features. As soon as we’re over with 1.5, the bulk of outstanding submissions will be processed.
So, what can you do to speed this whole process up? Go test sshguard 1.5rc4 now, and mercilessly report any defect you might find. If we see we’re done with it, 1.5 stable is on its way in just a few weeks.
So long since the new website and no post! Thanks Federico for setting up the feed, and let’s stop the former HTTP 404 with a first post.
The original idea was to use this as a conveniently-editable replacement for Sourceforge’s Project News tool (you might have noticed that we’re progressively leaving Sourceforge to something self-hosted). More likely however posts here will be more frequent, and less polished.
This is what you might expect then:
- notifications of releases (spoiler-free, FreshMeat will remain the reference) or significant commits to the repository
- notifications of additions to the website. Federico’s fancy submission tools, and the volume of content enclosed on the site, have been much too long concealed and will now be given more of the deserved visibility
- comments on Internet publications relevant to SSHGuard
- comments on the mid/long-term direction of SSHGuard
- comments on users’ feedback or submissions, or verbatim comments from users if someone is up to it and it’s worth it
If you are used to blogs or Twitter, this is going to be like neither of them :) so stay tuned!