How to install sshguard in FreeBSD
sshguard is a security tool protecting networked hosts from brute force attacks against ssh servers. It detects these attacks and blocks attacker's address creating a firewall rule.
sshguard with pf
Installing sshguard from ports:
cd /usr/ports/security/sshguard-pf make install clean
Add to /etc/syslog.conf:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 3 -p 9200 -s 12000
table <sshguard> persist block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"change re0 to your external interface name.
This command will display addresses in the table:
pfctl -t sshguard -T show
To delete an address from the table (for example 192.168.1.5) use:
pfctl -t sshguard -T delete 192.168.1.5
sshguard with ipfw
It's easy to install and configure sshguard with ipfw.sshguard:
cd /usr/ports/security/sshguard-ipfw/ make install cleanThere are no build options so you can get straight to configuring.
Add to /etc/syslog.conf:
auth.info;authpriv.info |/usr/local/sbin/sshguard -w 192.168.1.10
-w command-line option is used for whitelisting. This option can add explicit addresses, host names and address blocks. Specify the address directly, like:
-w 192.168.1.10or in multiple occurrences:
-w 192.168.1.10 -w 192.168.1.11 -w 192.168.1.12
sshguard detects 4 attack attempts as brute force by default. You can change this number using -a option. When brute force is detected sshguard adds new rule to firewall rules: deny ip from brute.ip.add.ress to me
This rule will be deleted in 420 seconds. If the attack from this address happens again block time doubles.
-b option is used for creating blacklists. -b 10:/var/db/sshguard/blacklist.db means that after 10 firewall blocks the address will be put on the blacklist and blocked forever. Blocking rules are in 55000-55050 IDs range.
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
A lot mistakes this article ...
Care to elaborate? Worked fine for me
pfctl -t sshblock -T delete 192.168.1.5 if you declare table <sshguard> persist have you testing with daemon mode sshguard ?
Yes, it's working fine. What's the problem? "persist" tells the kernel to keep the table even if it's empty.
you declare table name = sshguard you delete one ip from table name sshblock ? ... I'm sorry :)
Oh sorry, I see what you mean! Thanks for pointing it out, fixed :)
Got a comment?
All Rights Reserved.