This short HOWTO explains how to set up and configure the security/sshguard-pf port to provide extra protection against port knockers and such. The HOWTO is written for pf(4) because that is the firewall software I use personally.
I'm assuming that pf(4) has already been set up and running, please see the Handbook for details on how to set up PF on FreeBSD. I'm also showing how to start security/sshguard-pf as a service and not from syslogd.conf(5), I prefer the service(8) method.
- Install the security/sshguard-pf port.
Code:
# make -C /usr/ports/security/sshguard-pf install clean
or
Code:
# pkg_add -r sshguard-pf
When PKGNG repositories are available the installation is done as
Code:
# pkg install sshguard-pf
- Configure and enable the security/sshguard-pf service.
There aren't many options to set. However, the current version of the port has some of the options mistakenly reversed and the defaults are not completely satisfactory. Below I show and explain my configuration in rc.conf(5).
Code:
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"
The first line enables the service as expected.
The sshguard_safety_thresh setting sets the limit on how much "danger" a single IP address can cause before it goes to the block list. The lower the number, the more sensitive the blocking. This is the -a option of sshguard(8).
The sshguard_pardon_min_interval setting sets the minimum amount of time in seconds an IP address will stay on the blocklist once it has been added to it. SSHGuard may raise this limit on its own if it detects a repeat offender. This is the -p option of sshguard(8).
The sshguard_prescribe_interval setting sets the time limit in seconds for how long SSHGuard will remember an IP address that hasn't yet been blocked. Setting this too low can allow some attackers to send single probes with long intervals and never get blocked at all. This is the -s option of sshguard(8).
A whitelist of addresses that are known to be safe can be added to file /usr/local/etc/sshguard.whitelist (an empty file will be created on first run of the service if the file is missing). For example the local LAN addresses could be added to it like this:
Code:
192.168.1.0/24
SSHGuard also keeps a permanent blacklist of offenders (one that survives reboots), stored as a binary file /var/db/sshguard/blacklist.db. The default is to place an IP address on this blacklist once its "danger" reaches 40. The sshguard_blacklist setting in rc.conf(5) can be used to change this behavior. See the -b option of sshguard(8) for details.
- Add a table and a block rule to pf.conf(5).
Edit /etc/pf.conf to include a persistent table for the blocklist.
Code:
table <sshguard> persist
Add a block rule in such a way that it's evaluated before any pass rules.
Code:
# Default block rule.
block all
...
block drop in log quick on $ext_if inet from <sshguard> to any
...
pass in ...
The official documentation for SSHGuard has an article that says much the same:
http://www.sshguard.net/docs/setup/firewall/pf/
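Since the order of the rules is what makes the block effective, here is a small sh sanity check for a pf.conf written in the style above. It is an added example, not part of the original HOWTO or of SSHGuard itself; the sample pf.conf it tests is constructed inline and the function name check_sshguard_rules is my own.

```shell
#!/bin/sh
# Added example (not from the HOWTO): verify that a pf.conf declares the
# <sshguard> table and that the block rule using it is a "quick" rule
# that appears before the first pass rule. Without "quick", pf's
# last-matching-rule-wins semantics would let a later pass rule override it.

# Constructed sample pf.conf, laid out as the HOWTO recommends.
SAMPLE_PF_CONF=$(cat <<'EOF'
ext_if = "em0"
table <sshguard> persist
block all
block drop in log quick on $ext_if inet from <sshguard> to any
pass in on $ext_if proto tcp to port 22
EOF
)

# check_sshguard_rules FILE
# Returns 0 when the configuration looks right, 1 if the table is missing,
# 2 if no block rule references <sshguard>, 3 if that rule lacks "quick",
# 4 if a pass rule precedes it. A short diagnostic is printed in each case.
check_sshguard_rules() {
    file=$1
    grep -Eq '^[[:space:]]*table[[:space:]]+<sshguard>[[:space:]]+persist' "$file" || {
        echo "missing: table <sshguard> persist"; return 1; }
    block_line=$(grep -En '^[[:space:]]*block.*from[[:space:]]+<sshguard>' "$file" | head -n1)
    [ -n "$block_line" ] || { echo "missing: block rule using <sshguard>"; return 2; }
    echo "$block_line" | grep -q 'quick' || {
        echo "block rule for <sshguard> has no quick keyword"; return 3; }
    block_no=${block_line%%:*}
    pass_no=$(grep -En '^[[:space:]]*pass' "$file" | head -n1 | cut -d: -f1)
    if [ -n "$pass_no" ] && [ "$pass_no" -lt "$block_no" ]; then
        echo "pass rule on line $pass_no precedes sshguard block on line $block_no"; return 4
    fi
    echo "ok: sshguard block rule on line $block_no is evaluated before pass rules"
    return 0
}

# Demo: write the constructed sample to a temporary file and check it.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_PF_CONF" > "$demo_file"
check_sshguard_rules "$demo_file"
rm -f "$demo_file"
```

Run it against /etc/pf.conf instead of the sample to check a live configuration before `service pf reload`.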
- Reload pf(4) rules.
# service pf reload
- Start the security/sshguard-pf service.
# service sshguard start
- Inspecting the block list.
The block list can be inspected with pfctl(8).
# pfctl -T show -t sshguard
- More information
http://www.sshguard.net/, sshguard(8), http://www.freshports.org/security/sshguard-pf/