# sshguard with TCP wrappers / hosts.allow does not work



## f5b (Dec 25, 2010)

FreeBSD  8.1-RELEASE


```
cd /usr/ports/security/sshguard
make install clean
```


```
pkg_info | grep sshg
sshguard-1.4        Protect hosts from brute force attacks against ssh and othe
```


```
vi /etc/syslog.conf
something ...

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
*.err;kern.warning;auth.notice;mail.crit                /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
```

`/etc/rc.d/syslogd reload`


```
less /etc/hosts.allow
something like this:

###sshguard###
###sshguard###
#
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.23.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
# NOTE: The hosts.deny file is deprecated.
#       Place both 'allow' and 'deny' rules in the hosts.allow file.
#       See hosts_options(5) for the format of this file.
#       hosts_access(5) no longer fully applies.

#        _____                                      _          _
#       | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |
#       |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |
#       | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|
#       |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)
#                                          |_|
# !!! This is an example! You will need to modify it for your specific
# !!! requirements!


# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
ALL : ALL : allow
```


```
tail /var/log/auth.log
something like this

Dec 25 17:28:19 b sshguard[15013]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 123.111.128.211
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 123.111.128.211
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 123.111.128.211
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 123.111.128.211
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 123.111.128.211
Dec 25 17:28:29 b sshd[15023]: Invalid user dany from 123.111.128.211
Dec 25 17:28:31 b sshd[15025]: Invalid user susan from 123.111.128.211
Dec 25 17:28:33 b sshd[15027]: Invalid user oracle from 123.111.128.211
Dec 25 17:28:35 b sshd[15029]: Invalid user tomcat from 123.111.128.211
Dec 25 17:28:37 b sshd[15032]: Invalid user backup from 123.111.128.211
Dec 25 17:28:39 b sshd[15034]: Invalid user id from 123.111.128.211
Dec 25 17:28:40 b sshd[15036]: Invalid user sgi from 123.111.128.211
Dec 25 17:28:42 b sshd[15038]: Invalid user postgres from 123.111.128.211
Dec 25 17:28:44 b sshd[15040]: Invalid user flowers from 123.111.128.211
Dec 25 17:28:46 b sshd[15042]: Invalid user linux from 123.111.128.211
Dec 25 17:28:48 b sshd[15044]: Invalid user internet from 123.111.128.211
Dec 25 17:28:50 b sshd[15046]: Invalid user server from 123.111.128.211
Dec 25 17:28:52 b sshd[15048]: Invalid user nokia from 123.111.128.211
Dec 25 17:28:53 b sshd[15050]: Invalid user bash from 123.111.128.211
Dec 25 17:28:55 b sshd[15052]: Invalid user work from 123.111.128.211
Dec 25 17:28:59 b sshd[15056]: Invalid user gateway from 123.111.128.211
Dec 25 17:29:01 b sshd[15058]: Invalid user michael from 123.111.128.211
Dec 25 17:29:03 b sshd[15060]: Invalid user michael from 123.111.128.211
Dec 25 17:29:05 b sshd[15062]: Invalid user rk from 123.111.128.211
Dec 25 17:29:06 b sshd[15064]: Invalid user internet from 123.111.128.211
Dec 25 17:29:08 b sshd[15066]: Invalid user kathi from 123.111.128.211
Dec 25 17:29:10 b sshd[15068]: Invalid user squid from 123.111.128.211
Dec 25 17:29:12 b sshd[15070]: Invalid user darwin from 123.111.128.211
Dec 25 17:29:14 b sshd[15072]: Invalid user info from 123.111.128.211
Dec 25 17:29:16 b sshd[15074]: Invalid user job from 123.111.128.211
Dec 25 17:29:18 b sshd[15076]: Invalid user pamela from 123.111.128.211
Dec 25 17:29:19 b sshd[15078]: Invalid user jack from 123.111.128.211
Dec 25 17:29:21 b sshd[15080]: Invalid user webmaster from 123.111.128.211
Dec 25 17:29:25 b sshd[15084]: Invalid user shaun from 123.111.128.211
Dec 25 17:29:27 b sshd[15086]: Invalid user sven from 123.111.128.211
Dec 25 17:29:29 b sshd[15088]: Invalid user steve from 123.111.128.211
Dec 25 17:29:31 b sshd[15090]: Invalid user steven from 123.111.128.211
Dec 25 17:29:32 b sshd[15092]: Invalid user temp from 123.111.128.211
Dec 25 17:29:34 b sshd[15094]: Invalid user tim from 123.111.128.211
```

It seems that sshguard does not work in TCP wrapper mode with hosts.allow.


----------
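The auth.log above shows sshguard starting with (a,p,s)=(4, 420, 1200) and then a long run of failed logins from a single source that evidently never got blocked. As an added illustration (not sshguard's own code, and not part of the original thread), here is a minimal re-implementation of the counting those three parameters describe, read as abuse threshold, pardon seconds and stale seconds (sshguard's -a, -p and -s options); replayed over a few of the thread's own log lines it shows a block should have fired on the fourth attempt at 17:28:26, which helps separate a detection problem from a backend (hosts.allow or pf) problem.

```python
"""Minimal sshguard-style attack counter (added illustration, not sshguard's code).
sshguard's startup line reports (a,p,s)=(4, 420, 1200): block a source after
a=4 attacks, pardon it after p=420 s, forget attacks older than s=1200 s."""
import re
from datetime import datetime

# Constructed sample: five lines copied from the thread's /var/log/auth.log
SAMPLE_LOG = """\
Dec 25 17:28:20 b sshd[15002]: Invalid user bill from 123.111.128.211
Dec 25 17:28:22 b sshd[15015]: Invalid user maggie from 123.111.128.211
Dec 25 17:28:24 b sshd[15017]: Invalid user info from 123.111.128.211
Dec 25 17:28:26 b sshd[15019]: Invalid user ftp from 123.111.128.211
Dec 25 17:28:27 b sshd[15021]: Invalid user httpd from 123.111.128.211
"""

# syslog timestamp, host, then sshd's "Invalid user NAME from ADDR" message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user \S+ from (?P<src>[\d.]+)$")

def parse(line, year=2010):
    """Return (timestamp, source) for an sshd 'Invalid user' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"]

def find_blocks(lines, abuse=4, stale=1200):
    """Replay log lines and return [(src, ts)] for every block that would fire.
    Attacks older than `stale` seconds are dropped before counting."""
    history = {}      # src -> timestamps of attacks still inside the window
    blocks = []
    for line in lines:
        hit = parse(line)
        if hit is None:
            continue
        ts, src = hit
        window = [t for t in history.get(src, []) if (ts - t).total_seconds() <= stale]
        window.append(ts)
        history[src] = window
        if len(window) >= abuse:
            blocks.append((src, ts))
            history[src] = []   # counter resets once the source has been blocked
    return blocks

if __name__ == "__main__":
    for src, ts in find_blocks(SAMPLE_LOG.splitlines()):
        print(f"would block {src} at {ts:%H:%M:%S}")
```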



## SirDice (Dec 25, 2010)

Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:

```
block in on $ext_if proto tcp from <sshguard>
```
And you're good to go.


----------



## DutchDaemon (Dec 25, 2010)

Format your posts, f5b!


----------



## f5b (Dec 26, 2010)

SirDice said:

> Use sshguard with PF, it's much easier. Just add something like this to /etc/pf.conf:
>
> ```
> block in on $ext_if proto tcp from <sshguard>
> ```
> ...




Now I have installed sshguard-pf. My /etc/pf.conf:


```
table <sshguard> persist

set skip on lo

scrub in

block in quick on egress proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out
```

Am I OK?


----------



## SirDice (Dec 26, 2010)

egress? Make sure you block incoming ssh connections on your external interface.


----------



## f5b (Dec 26, 2010)

SirDice said:

> egress? Make sure you block incoming ssh connections on your external interface.



Yes, the pf firewall works fine.
When I change pf.conf to `block in on $ext_if proto tcp from <sshguard>`,
sshguard does not work either.

egress, from pf-faq41.pdf:

> interface
> The name or group of the network interface that the packet is moving through. Interfaces can be added to arbitrary groups using the ifconfig(8) command. Several groups are also automatically created by the kernel:
>
> The egress group, which contains the interface(s) that holds the default route(s).
>
> Interface family group for cloned interfaces. For example: ppp or carp


----------



## kpa (Dec 27, 2010)

Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig(8).


----------



## f5b (Dec 27, 2010)

kpa said:

> Egress is an OpenBSDism that does not exist in FreeBSD by default, either use the real name of the interface in pf rules or create the egress interface group yourself with ifconfig(8).

Yes, now /etc/pf.conf is as follows, and I ran `pfctl -f /etc/pf.conf`:


```
ext_if="bce1"

table <sshguard> persist

set skip on lo


block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out
```

But sshguard-pf does not work either.


----------



## DutchDaemon (Dec 27, 2010)

Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?


----------



## f5b (Dec 28, 2010)

DutchDaemon said:

> Why do you need to block on anything other than the pf table? Why is the label statement in there? Does it even match anything?



The label keyword is from the example at http://www.sshguard.net/docs/setup/firewall/pf/


Now pf.conf has changed to:

```
ext_if="bce1"

table <sshguard> persist

set skip on lo

block in quick on $ext_if proto tcp from <sshguard>
pass in
pass out
```

`pfctl -f /etc/pf.conf`
`/etc/rc.d/syslogd reload`

I tested the brute-force login; it still does not work.


----------

