To guard against common brute-force attacks, the program sshguard is used together with a firewall such as pf. This is particularly useful when passwords are used as the means of authentication.

  • Follow-up: Blacklistd
Build information

Ensure the following options:

security/sshguard
# No selectable options

sshguard

Attack detection is done by parsing log files (/var/log/auth.log, /var/log/maillog, …) for failed authentications or other dubious messages and, when necessary, inserting entries into the firewall (here pf). Hosts or networks can be whitelisted by listing them in sshguard.whitelist.

sshguard.conf
BACKEND="/usr/local/libexec/sshg-fw-pf"
FILES="/var/log/auth.log /var/log/maillog"
WHITELIST_FILE="/usr/local/etc/sshguard.whitelist"

For example, the hosts used for remote management are whitelisted:

sshguard.whitelist
192.168.1.5
2001:db8::5
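To make the detection step concrete, here is an added example (not sshguard's own code, and not from the original page) of the kind of logic sshguard applies: it parses constructed sshd failure lines in the /var/log/auth.log format, skips sources that appear in the whitelist (the page's two hosts, plus an assumed 10.0.0.0/8 prefix to show that CIDR entries are handled), and reports which addresses pass a failure threshold. The threshold of 3 is an assumption for the example; sshguard's real scoring and timed blocks are more elaborate. It never runs pfctl: it only returns the pfctl(8) command lines that would add each offender to the <sshguard> table, so the result can be reviewed.

```python
"""Added example: toy brute-force detector in the spirit of sshguard.
Parses sshd failure lines, skips whitelisted sources, and reports the
addresses that exceed the threshold. It does not touch pf; it returns the
pfctl command lines that would add an address to the <sshguard> table.
All log lines below are constructed sample data."""
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/auth.log lines (OpenSSH, syslog format).
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 10:01:15 gw sshd[1203]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  3 10:01:18 gw sshd[1205]: Invalid user oracle from 203.0.113.9 port 51044
Mar  3 10:01:20 gw sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 51050 ssh2
Mar  3 10:02:01 gw sshd[1210]: Accepted publickey for alice from 192.168.1.5 port 40122 ssh2: ED25519 SHA256:xxxx
Mar  3 10:02:30 gw sshd[1212]: Failed password for alice from 192.168.1.5 port 40130 ssh2
Mar  3 10:02:31 gw sshd[1212]: Failed password for alice from 192.168.1.5 port 40130 ssh2
Mar  3 10:02:32 gw sshd[1212]: Failed password for alice from 192.168.1.5 port 40130 ssh2
Mar  3 10:02:33 gw sshd[1212]: Failed password for alice from 192.168.1.5 port 40130 ssh2
Mar  3 10:03:05 gw sshd[1220]: Failed password for root from 2001:db8:bad::1 port 33001 ssh2
Mar  3 10:03:40 gw sshd[1222]: Failed password for invalid user pi from 198.51.100.7 port 60001 ssh2
"""

# The page's sshguard.whitelist entries, plus an assumed network to show CIDR handling.
WHITELIST = ["192.168.1.5", "2001:db8::5", "10.0.0.0/8"]

# OpenSSH failure messages; the captured group is the source address.
FAILURE_PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+) port \d+"),
]


def load_whitelist(entries):
    """Turn hosts and CIDR prefixes into network objects; a bare host becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_whitelisted(addr, networks):
    """True if addr falls inside any whitelisted network (mixed v4/v6 compares as False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def count_failures(log_text):
    """Count authentication failures per source address; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                counts[m.group(1)] += 1
                break
    return counts


def offenders(log_text, whitelist=WHITELIST, threshold=3):
    """Sorted addresses with at least `threshold` failures that are not whitelisted."""
    nets = load_whitelist(whitelist)
    return sorted(addr for addr, n in count_failures(log_text).items()
                  if n >= threshold and not is_whitelisted(addr, nets))


def pf_block_commands(addrs, table="sshguard"):
    """pfctl(8) invocations that would insert each address into the pf table; not executed here."""
    return [f"pfctl -t {table} -T add {a}" for a in addrs]


if __name__ == "__main__":
    for cmd in pf_block_commands(offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

On the sample data, 192.168.1.5 fails four times but is whitelisted, so only 203.0.113.9 is reported. On a real host the current contents of the table can be listed with `pfctl -t sshguard -T show`, which is the quickest way to confirm sshguard is actually feeding pf.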

The sshguard service must be started at boot time:

rc.conf
sshguard_enable="YES"

Firewall

The following lines are to be inserted in /etc/pf.conf. They create two tables: myhosts, used as a whitelist at the firewall level for ssh connections, and sshguard (beware, the name is hardcoded), which sshguard uses to build its blacklist:

pf.conf
# Definition of the tables used for the white list and by sshguard
table <myhosts>  { 192.168.1.5, 2001:db8::5 }
table <sshguard> persist

# Ensure that SSH is always available for a few selected hosts
#  (and don't drop the connection when reloading the firewall)
pass in quick log proto tcp from <myhosts> to any port ssh flags any

# Block connections if an attack is detected by sshguard
block in quick log from <sshguard> label "bruteforce"