PF SSH protection for jail

Hey guys!

I was wondering if there's a way to protect the SSH daemon that runs in a jail (since the jail doesn't have access to PF - no VNET). I don't do any NATs and stuff 'cause the server and the jails have IPs from the same class, i.e. the IP of the server is 1.2.3.4 and the jail's IP is 1.2.3.5. sshguard and, I think, blacklistd look for the auth logs and then decide to block the IP or not. Do I have to hack sshguard or blacklistd to look for multiple auth log locations?

Cheers!!
 
You don't have to "hack" sshguard - just add the desired logfiles within the jail (e.g. /iocage/jails/<UUID>/root/var/log/auth.log if you are using iocage) to sshguard_watch_logs=<path>:<nextpath>:<anotherpath> in rc.conf

Have a look at /usr/local/etc/rc.d/sshguard for other options and their defaults.
 
You don't have to "hack" sshguard - just add the desired logfiles within the jail (e.g. /iocage/jails/<UUID>/root/var/log/auth.log if you are using iocage) to sshguard_watch_logs=<path>:<nextpath>:<anotherpath> in rc.conf
Yep, that's a good solution. I have something similar for a VPS with a couple of jails on it. You can easily add a bunch of log files to monitor, the host is able to access everything from the jails. Just point it to the right log file and let the host take care of the firewalling.
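The approach from the replies above, as an added example that is not part of the original thread: a small sh function that builds the colon-separated sshguard_watch_logs value from the host auth log plus each jail's auth.log. It assumes the iocage-style layout <jails_dir>/<UUID>/root quoted above; the function name build_watch_logs is hypothetical.

```shell
#!/bin/sh
# Added example: assemble the value for sshguard_watch_logs in rc.conf.
# Assumption: every jail root is at <jails_dir>/<name>/root.

build_watch_logs() {
    jails_dir=$1
    host_log=${2:-/var/log/auth.log}
    list=$host_log
    for log in "$jails_dir"/*/root/var/log/auth.log; do
        # Skip symlinks: root inside a jail controls this path, and a
        # host-side reader would resolve the link in the host's namespace.
        if [ -L "$log" ]; then
            echo "skipping $log: symlink" >&2
            continue
        fi
        # An unmatched glob stays literal; only keep regular files.
        [ -f "$log" ] || continue
        # A colon in the path would split the value into bogus entries.
        case $log in
            *:*) echo "skipping $log: contains ':'" >&2; continue ;;
        esac
        list="$list:$log"
    done
    printf '%s\n' "$list"
}

# Print the rc.conf line when invoked with a jails directory, e.g.
#   sh watchlogs.sh /iocage/jails
if [ $# -ge 1 ]; then
    printf 'sshguard_watch_logs="%s"\n' "$(build_watch_logs "$1")"
fi
```

Jails created after the value is written are not picked up until it is regenerated and sshguard is restarted.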
 