sshguard with Gitlab in Docker

In light of CVE-2024-6387, here's a quick-and-dirty way to use SSHGuard to protect the SSH server of a Gitlab instance running in Docker. These instructions were written on an Ubuntu host but should work on other systems. Note that this only monitors the SSH logs of Gitlab itself, not those of the host OS. Further, since the timestamps are stripped from the log lines, SSHGuard's time calculations may be affected (generally only on first launch).

Fail2Ban did not work for me, as it had trouble parsing the non-standard logs produced by Gitlab’s sshd.

First, copy /usr/libexec/sshguard/sshg-fw-nft-sets to /etc/sshguard/sshg-fw-nft-sets-local and patch it according to the diff below:

@@ -24,8 +24,8 @@
     run_nft "add table" "" 4
     run_nft "add table" "" 6

-    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 4
-    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook input priority -10 ; }' 6
+    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook prerouting priority -200 ; }' 4
+    run_nft "add chain" "${NFT_CHAIN}"' { type filter hook prerouting priority -200 ; }' 6

     # Create sets
     run_nft "add set" "${NFT_SET} { type ipv4_addr; flags interval; }" 4
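Review bot: the switch of both chains from the input hook at priority -10 to the prerouting hook at priority -200 carries no comment explaining why, and a reader diffing this against the stock sshg-fw-nft-sets will not know whether it is intentional. Suggest a one-line comment above the two `run_nft "add chain"` lines, e.g. `# prerouting at -200: packets published to the Docker container are DNATed and forwarded, so they never reach the host's input hook; drop them before Docker's dstnat rules (priority -100) see them`. It would also be worth noting that the set lookup still matches on the original client source address in prerouting, since DNAT only rewrites the destination.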

Then populate /etc/sshguard/sshguard.conf with these settings, assuming gitlab is running out of /srv/gitlab. Adjust the other settings as required.

BACKEND="/etc/sshguard/sshg-fw-nft-sets-local"

# Remove the timestamp: drop the first 25 bytes of every log line
LOGREADER="tail -F  /srv/gitlab/logs/sshd/current |stdbuf -o0 cut -b 26-"

# Block a source once its accumulated attack score reaches this value
THRESHOLD=30

# Duration of a block, in seconds
BLOCK_TIME=120

# Window, in seconds, over which attacks from a source are accumulated
DETECTION_TIME=1800

WHITELIST_FILE=/etc/sshguard/whitelist
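As an added sanity check (an example script, not part of the post), here is a dry run of the LOGREADER transformation and of what THRESHOLD=30 means in practice, fed with constructed log lines instead of nft or a live container. It assumes the svlogd timestamp format `YYYY-MM-DD_HH:MM:SS.NNNNN ` (25 bytes plus a space, which is what `cut -b 26-` relies on) and sshguard's default score of 10 points per attack; the attack patterns matched here are an illustrative subset, not sshguard's own parser.

```shell
#!/bin/sh
# Added example (not from the post): dry-run the LOGREADER transformation and
# the THRESHOLD logic against constructed log lines, without touching nft.

# Constructed sample of /srv/gitlab/logs/sshd/current (not real traffic).
SAMPLE_LOG='2024-07-02_10:00:01.12345 Invalid user admin from 203.0.113.5 port 40001
2024-07-02_10:00:03.22345 Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-07-02_10:00:05.32345 Invalid user root from 203.0.113.5 port 40002
2024-07-02_10:00:07.42345 Accepted publickey for git from 198.51.100.9 port 50001 ssh2
2024-07-02_10:00:09.52345 Invalid user test from 198.51.100.9 port 50002'

# Exactly what the LOGREADER in sshguard.conf does to each line:
# drop the 25-byte svlogd timestamp and hand the rest to the parser.
strip_timestamp() { cut -b 26-; }

# Assumption: every matched attack scores 10 points (sshguard's default),
# so THRESHOLD=30 means three attacks within DETECTION_TIME.
ATTACK_SCORE=10
THRESHOLD=30

# Print "ip score" for every source that appears in an attack line
# (illustrative subset of the sshd messages sshguard recognises).
score_sources() {
    strip_timestamp | awk -v s="$ATTACK_SCORE" '
        /Invalid user|Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") score[$(i+1)] += s
        }
        END { for (ip in score) print ip, score[ip] }' | sort
}

# Print only the sources whose score would trigger a block.
would_block() {
    score_sources | awk -v t="$THRESHOLD" '$2 >= t { print $1 }'
}

# Show the lines as sshguard would see them, then the resulting verdict.
printf '%s\n' "$SAMPLE_LOG" | strip_timestamp
printf '%s\n' "$SAMPLE_LOG" | would_block   # prints 203.0.113.5
```

If the first printed line does not start with the sshd message (e.g. it still begins with part of the date), the `cut -b` offset does not match your svlogd format and sshguard will never match anything.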
