How to install sshguard in FreeBSD
sshguard is a security tool that protects networked hosts from brute-force attacks against ssh servers. It detects these attacks and blocks the attacker's address by creating a firewall rule.
sshguard with pf
Installing sshguard from ports:
cd /usr/ports/security/sshguard-pf
make install clean
Add to /etc/syslog.conf:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 3 -p 9200 -s 12000
Edit pf.conf:
table <sshguard> persist
block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"
Change re0 to your external interface name.
This command will display addresses in the table:
pfctl -t sshguard -T show
To delete an address from the table (for example 192.168.1.5) use:
pfctl -t sshguard -T delete 192.168.1.5
sshguard with ipfw
It's easy to install and configure sshguard with ipfw. Installing sshguard:
cd /usr/ports/security/sshguard-ipfw
make install clean
There are no build options, so you can get straight to configuring.
Configuring sshguard
Add to /etc/syslog.conf:
auth.info;authpriv.info |/usr/local/sbin/sshguard -w 192.168.1.10
The -w command-line option is used for whitelisting. It accepts explicit addresses, host names and address blocks. Specify the address directly, like:
-w 192.168.1.10
or in multiple occurrences:
-w 192.168.1.10 -w 192.168.1.11 -w 192.168.1.12
sshguard treats 4 attack attempts as brute force by default. You can change this number with the -a option. When brute force is detected, sshguard adds a new rule to the firewall rules:
deny ip from brute.ip.add.ress to me
This rule is deleted after 420 seconds. If the attack from this address happens again, the block time doubles.
The -b option is used for creating blacklists. -b 10:/var/db/sshguard/blacklist.db means that after 10 firewall blocks the address is put on the blacklist and blocked forever. Blocking rules are in the 55000-55050 rule ID range.
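The options above (the attempt threshold from -a, the whitelist from -w, the 420-second block that doubles on repeat, and the blacklist after N blocks from -b) are easier to reason about when you can see the policy applied to log lines. The script below is an added example written for this article; it is not sshguard's own code and does not touch pf or ipfw. It assumes the standard OpenSSH "Failed password for ... from ADDRESS port N ssh2" log format, and the sample lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not part of the original article or of sshguard):
# a POSIX sh/awk model of the decisions sshguard makes, so you can check
# what -a, -w and -b will do before turning them on for real.

# Constructed sample of /var/log/auth.log lines (not from a real machine).
SAMPLE_LOG='Apr 16 17:20:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 16 17:20:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Apr 16 17:20:05 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Apr 16 17:20:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Apr 16 17:21:00 host sshd[1210]: Failed password for root from 192.168.1.10 port 40001 ssh2
Apr 16 17:21:02 host sshd[1210]: Failed password for root from 192.168.1.10 port 40002 ssh2
Apr 16 17:21:04 host sshd[1210]: Failed password for root from 192.168.1.10 port 40003 ssh2
Apr 16 17:21:06 host sshd[1210]: Failed password for root from 192.168.1.10 port 40004 ssh2
Apr 16 17:22:00 host sshd[1220]: Failed password for alice from 198.51.100.9 port 33000 ssh2
Apr 16 17:22:30 host sshd[1221]: Accepted publickey for alice from 198.51.100.9 port 33001 ssh2'

# offenders THRESHOLD "WHITELIST"
# Prints, one per line, every address with at least THRESHOLD failed logins
# that is not in the space-separated WHITELIST. THRESHOLD plays the role of
# -a, WHITELIST the role of one or more -w options.
offenders() {
    threshold=$1
    whitelist=$2
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v t="$threshold" -v wl="$whitelist" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) skip[w[i]] = 1 }
        /sshd\[[0-9]+\]: Failed password for/ {
            # The address is always the field before "port N ssh2"; taking it
            # from the end avoids being confused by attacker-chosen usernames
            # that contain the word "from".
            ip = $(NF - 3)
            if (!(ip in skip)) count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print ip }
    ' | sort    # awk iterates arrays in no fixed order; sort for stable output
}

# block_seconds BASE OFFENSE
# Duration of the OFFENSE-th block of the same address: BASE seconds the
# first time, doubled on every repeat (the article's 420 s rule).
block_seconds() {
    secs=$1
    i=$2
    while [ "$i" -gt 1 ]; do
        secs=$((secs * 2))
        i=$((i - 1))
    done
    echo "$secs"
}

# decision OFFENSE BLACKLIST_AFTER
# What happens on the OFFENSE-th block of one address when sshguard runs
# with -b BLACKLIST_AFTER:...: a timed block, or a permanent blacklist entry.
decision() {
    if [ "$1" -ge "$2" ]; then
        echo "blacklist"
    else
        echo "block $(block_seconds 420 "$1")"
    fi
}

# Stand-alone demo with the article's settings: default threshold of 4,
# 192.168.1.10 whitelisted, blacklist after 10 blocks.
echo "Addresses that would be blocked:"
offenders 4 "192.168.1.10"
echo "Block lengths for the 1st, 2nd and 3rd repeat:" \
    "$(block_seconds 420 1)s $(block_seconds 420 2)s $(block_seconds 420 3)s"
echo "Decision on the 10th block: $(decision 10 10)"
```

In the sample, 203.0.113.7 reaches the threshold and would be blocked, 192.168.1.10 reaches it too but is skipped because it is whitelisted, and 198.51.100.9 has a single failure followed by a successful key login, so it is left alone. Run it against real lines with `grep sshd /var/log/auth.log` piped into the awk filter to check that your whitelist covers the hosts you administer from before pointing sshguard at the firewall.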
-
Popov, 2014-04-16 17:22:22
A lot of mistakes in this article ...
-
S, 2014-04-16 18:31:58
Care to elaborate? Worked fine for me.
-
Popov, 2014-04-17 12:30:16
pfctl -t sshblock -T delete 192.168.1.5 if you declare table <sshguard> persist? Have you tested sshguard in daemon mode?
-
S, 2014-04-17 12:36:03
Yes, it's working fine. What's the problem? "persist" tells the kernel to keep the table even if it's empty.
-
Popov, 2014-04-17 12:50:00
You declare the table name = sshguard, and you delete one IP from the table name sshblock? ... I'm sorry :)
-
S, 2014-04-17 12:51:57
Oh sorry, I see what you mean! Thanks for pointing it out, fixed :)