[Solved] sshguard to monitor jails

Hello,

I am currently using security/sshguard-pf to prevent brute force attacks on my FreeBSD 10 server. The problem that I have is that security/sshguard-pf is not aware of what is going on in my jails. I read that I can configure syslogd(8) in the jails to send auth.info and authpriv.info facilities/priorities to the FreeBSD host's authpriv.info file.

Could anyone please explain to me how to configure syslogd(8) to achieve this?

Also, when running security/sshguard-pf via syslogd using
Code:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard -a 50 -p 43200
what does -a 50 -p 43200 represent?

Thank you all in advance.

Fred
 
Run sshguard as a daemon and set sshguard_watch_logs:
Code:
sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/jails/mail/var/log/exim/mainlog"
 
Hi SirDice,

I have now got the following in my /etc/rc.conf file
Code:
### brute force attacks prevention ###
sshguard_enable="YES"
sshguard_safety_thresh="30"
sshguard_pardon_min_interval="600"
sshguard_prescribe_interval="7200"
sshguard_watch_logs="/var/log/auth.log:/jails/mail/var/log/exim/mainlog"
but I really don't understand how this monitors the jails' logs.

Do I need to change /jails/mail/var/log/exim/mainlog to something else? Did a search on the server and could not find a file called "mainlog".
 
It's a copy of my settings. It watches Exim's mainlog on a jail that's running on /jails/mail/. If you want to watch a jail's auth.log you'd use something like /path/to/jail/var/log/auth.log.
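Added example, not code from the thread or from the sshguard project: a small sh script that builds the sshguard_watch_logs value from a list of jail names, verifies that every path in the list actually exists (the kind of check that would have caught the copied exim/mainlog path above), and shows how the rc.conf knobs from the earlier post map onto sshguard's -a/-p/-s/-l flags. It assumes jails are rooted at a common base directory (e.g. /jails/<name>) and that each jail's syslogd writes /var/log/auth.log inside the jail; the flag mapping is how I recall security/sshguard's rc.d script building the command line, so check it against /usr/local/etc/rc.d/sshguard on your own host. The demo at the bottom runs on a constructed temporary directory so the script can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread): assemble and sanity-check an
# sshguard_watch_logs value for a host that watches its jails' logs.
# Assumptions: jails live at BASE/<jailname> and each jail's syslogd writes
# /var/log/auth.log inside the jail. Adjust both if your layout differs.

# build_watch_logs HOST_LOG BASE JAIL...
# Prints a colon-separated list: HOST_LOG plus BASE/<jail>/var/log/auth.log
# for every jail whose auth.log really exists. Missing files are reported on
# stderr and left out, so a typo or a jail that never logged cannot put a
# dead path into rc.conf.
build_watch_logs() {
    host_log=$1; base=$2; shift 2
    list=$host_log
    for jail in "$@"; do
        log="$base/$jail/var/log/auth.log"
        if [ -f "$log" ]; then
            list="$list:$log"
        else
            echo "warning: $log not found, skipping jail '$jail'" >&2
        fi
    done
    printf '%s\n' "$list"
}

# check_watch_logs LIST
# Returns 0 if every entry of an existing colon-separated list is a readable
# file, 1 otherwise (e.g. a path copied from someone else's config that does
# not exist on this machine).
check_watch_logs() {
    rc=0
    old_ifs=$IFS; IFS=:
    for log in $1; do
        [ -r "$log" ] || { echo "error: $log is not a readable file" >&2; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}

# sshguard_args THRESH PARDON PRESCRIBE LIST
# Shows how the rc.conf knobs end up on sshguard's command line:
#   sshguard_safety_thresh       -> -a  (block when dangerousness exceeds THRESH)
#   sshguard_pardon_min_interval -> -p  (seconds before a block may be released)
#   sshguard_prescribe_interval  -> -s  (seconds after which an attacker is forgotten)
# plus one -l per watched log. Mirrors security/sshguard's rc.d script as I
# recall it (assumption; verify against /usr/local/etc/rc.d/sshguard).
sshguard_args() {
    args="-a $1 -p $2 -s $3"
    old_ifs=$IFS; IFS=:
    for log in $4; do
        args="$args -l $log"
    done
    IFS=$old_ifs
    printf '%s\n' "$args"
}

# Demonstration on a constructed layout under a temporary directory so the
# script runs offline: jail 'mail' has an auth.log, jail 'www' does not.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/host/var/log" "$tmp/jails/mail/var/log" "$tmp/jails/www/var/log"
    : > "$tmp/host/var/log/auth.log"
    : > "$tmp/jails/mail/var/log/auth.log"
    logs=$(build_watch_logs "$tmp/host/var/log/auth.log" "$tmp/jails" mail www)
    check_watch_logs "$logs" && echo "sshguard_watch_logs=\"$logs\""
    echo "sshguard would run with: $(sshguard_args 30 600 7200 "$logs")"
    rm -rf "$tmp"
}

demo
```

On a real host you would call build_watch_logs with /var/log/auth.log and your jail base directory and paste the printed line into /etc/rc.conf; running check_watch_logs against the value already in rc.conf is the quick way to confirm sshguard is not being pointed at a file that does not exist.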
 
Ok, I get it, sorry.

This is how I monitor the web log with fail2ban, so I should have known. This actually makes me think that I might not even need security/sshguard-pf and could do the brute force prevention using only fail2ban. This would avoid running multiple daemons that do the same job.

What do you think?
 
Yes, pick one or the other. You should be able to run either one on the host. You just have to adjust the various paths to point to the jail's directories.

I like sshguard because it has no dependencies. But fail2ban supports more services and its detection can easily be extended to include custom logs. Use the one that suits your needs ;)
 