How to install sshguard in FreeBSD

sshguard is a security tool that protects networked hosts from brute force attacks against ssh servers. It detects these attacks and blocks the attacker's address by creating a firewall rule.

sshguard with pf

Installing sshguard from ports:

cd /usr/ports/security/sshguard-pf
make install clean

Add to /etc/syslog.conf:

auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 3 -p 9200 -s 12000

Edit pf.conf:

table <sshguard> persist
block in quick on re0 proto tcp from <sshguard> to any port ssh label "ssh brute"
Change re0 to the name of your external interface.

This command will display addresses in the table:

pfctl -t sshguard -T show

To delete an address from the table (for example 192.168.1.5) use:

pfctl -t sshguard -T delete 192.168.1.5

sshguard with ipfw

It's easy to install and configure sshguard with ipfw. Install sshguard from ports:

cd /usr/ports/security/sshguard-ipfw/
make install clean

There are no build options so you can get straight to configuring.

Configuring sshguard

Add to /etc/syslog.conf:

auth.info;authpriv.info |/usr/local/sbin/sshguard -w 192.168.1.10

The -w command-line option is used for whitelisting. It accepts explicit addresses, host names and address blocks. Specify the address directly, like:

-w 192.168.1.10

or give the option several times:

-w 192.168.1.10 -w 192.168.1.11 -w 192.168.1.12

By default sshguard treats 4 failed attempts as a brute force attack. You can change this number with the -a option. When a brute force attack is detected, sshguard adds a new rule to the firewall rules: deny ip from brute.ip.add.ress to me

This rule is deleted after 420 seconds. If the same address attacks again, the block time doubles.

The -b option is used for creating blacklists. -b 10:/var/db/sshguard/blacklist.db means that after 10 firewall blocks the address is put on the blacklist and blocked permanently. The blocking rules use IDs in the 55000-55050 range.
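To make the interplay of -a, -p, -s and -b concrete, here is an added Python model of the blocking policy described above (an illustration written for this page, not sshguard's own code). The sshd log lines are constructed, and the 1200-second window used as the -s default is an assumption; the 4-attempt and 420-second defaults are the ones stated above.

```python
import re
from collections import defaultdict

# Matches sshd's "Failed password for [invalid user] NAME from ADDR port N" lines.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

class Guard:
    """Simplified sshguard policy: -a attempts within -s seconds -> block for
    -p seconds, doubling on each repeat; after -b blocks the address is blacklisted."""
    def __init__(self, attempts=4, block=420, window=1200, blacklist_after=10):
        self.attempts, self.block = attempts, block
        self.window, self.blacklist_after = window, blacklist_after  # window is assumed
        self.failures = defaultdict(list)   # addr -> timestamps of recent failures
        self.blocked = {}                   # addr -> time the firewall rule is removed
        self.blocks = defaultdict(int)      # addr -> number of blocks issued so far
        self.blacklist = set()
        self.log = []                       # (time, addr, action) for every action taken

    def feed(self, now, line):
        """Process one (timestamp, log line); return 'block', 'blacklist' or None."""
        for addr, until in list(self.blocked.items()):   # expire finished blocks
            if until <= now:
                del self.blocked[addr]
        m = FAILED_RE.search(line)
        if not m:
            return None
        addr = m.group(1)
        if addr in self.blacklist or addr in self.blocked:  # firewall already drops it
            return None
        recent = [t for t in self.failures[addr] if now - t <= self.window] + [now]
        self.failures[addr] = recent
        if len(recent) < self.attempts:
            return None
        self.failures[addr] = []
        self.blocks[addr] += 1
        if self.blocks[addr] >= self.blacklist_after:
            self.blacklist.add(addr)
            action = "blacklist"
        else:   # block time doubles with every repeat offence: -p, 2*-p, 4*-p, ...
            self.blocked[addr] = now + self.block * 2 ** (self.blocks[addr] - 1)
            action = "block"
        self.log.append((now, addr, action))
        return action

def replay(events, **opts):
    """Run a list of (timestamp, line) events through a Guard and return it."""
    g = Guard(**opts)
    for ts, line in events:
        g.feed(ts, line)
    return g

# Constructed sample: two bursts of four failures from one address, one benign login.
SAMPLE = [(t, "sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2")
          for t in (0, 10, 20, 30, 500, 510, 520, 530)]
SAMPLE.insert(2, (15, "sshd[102]: Accepted publickey for alice from 198.51.100.9 port 50000 ssh2"))
```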

Popov
2014-04-16 17:22:22
A lot of mistakes in this article ...

S
2014-04-16 18:31:58
Care to elaborate? Worked fine for me

Popov
2014-04-17 12:30:16
pfctl -t sshblock -T delete 192.168.1.5

if you declare table <sshguard> persist

Have you tested with sshguard in daemon mode?

S
2014-04-17 12:36:03
Yes, it's working fine. What's the problem? "persist" tells the kernel to keep the table even if it's empty.

Popov
2014-04-17 12:50:00
You declare the table name = sshguard

You delete one IP from the table named sshblock? ...

I'm sorry :)

S
2014-04-17 12:51:57
Oh sorry, I see what you mean! Thanks for pointing it out, fixed :)

Copyright © 2012-2015 HowToUnix - *nix Howtos and Tutorials
All Rights Reserved.