# sshguard-pf - blocking attempts on host for jails too



## jomo (Aug 1, 2012)

I have installed security/sshguard-pf and configured it as doccu documentation says for the simple config:

```
#in the /etc/syslog.conf
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard 

# in the /etc/pf.conf
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
```

It is working nicely. Now, want modify the config for monitoring logfiles not only for my host, but for my jails too.

The idea is:
- monitor logfiles on host
- block traffic on host with PF (so don't need install sshguard into jails)

The question is - is here some doccu documentation how to do this?
- probably need start *sshguard* from /etc/rc.conf (as daemon and not from syslog.conf), so probably will need remove the syslog.conf line
- and need add more log files to monitor to *sshguard* command-line, like -l /jails/jailname/var/log/autg.log

What is the correct way to do this?

Ps: here is already an thread about this (http://forums.freebsd.org/showthread.php?t=14703&highlight=sshguard) but it is solving how run sshguard inside a jail (with tcp-wrappers). I want block attempts at host-level with PF and not at jail-level (tcp-wrapper).


----------



## SirDice (Aug 1, 2012)

Simplest solution is to forward the syslog messages from the jail to the host.


----------



## jomo (Aug 1, 2012)

Thank you,



			
				SirDice said:
			
		

> Simplest solution is to forward the syslog messages from the jail to the host.



So need (somewhat) change syslogd configuration on all jails and on the host too.

Here isn't simpler solution?
Like configure sshguard reading multiple jail's log files what are simply accessible from host?
All my jails are in the /jail - so their logfiles are in /jails/<jailname>/var/log

Looking for a solution, where I need change only the host configuration, and nothing in the jails. Jails already logging into their /var/log/ unsuccessful ssh logins.

What are the problems in the solution-idea for what I asking in my question?


----------



## SirDice (Aug 1, 2012)

No problem. Sending all logs to the host is a good idea anyway. It will give you a nicely aggregated logs.

But anyway, remove the line from /etc/syslog.conf and start it from /etc/rc.conf:

```
sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/jails/jail1/var/log/auth.log:/jails/jail2/var/log/auth.log"
```

See /usr/local/etc/rc.d/sshguard.


----------



## jomo (Aug 1, 2012)

Thank you very much.


```
sshguard_enable="YES"
sshguard_watch_logs="/var/log/auth.log:/jails/jail1/var/log/auth.log:/jails/jail2/var/log/auth.log"
```

It is exactly, for what is looking. Works nicely. 
Unfortunately, I can't figure out how to set-up the *SOLVED* flag on this question.


----------



## SirDice (Aug 1, 2012)

You can't edit your posts yet. I've set it to Solved for you.


----------

