# pf + sshguard



## folivora (Nov 9, 2010)

Hi,

I've installed security/sshguard-pf.

I followed the instructions. I removed the comment from syslog.conf, so now the line looks like this:

```
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
```

After this I edited pf.conf by adding these lines:

```
table <sshguard> persist

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
```

After this I restarted syslogd and loaded the new pf rules with `pfctl -f /etc/pf.conf`.

After 3 days of running pf-sshguard, the sshguard table is still empty.

`pfctl -Tshow -t sshguard`

provides nothing...

Should I change some other settings, or where should I start looking for the error?

Best Regards 

Folivora


----------



## SirDice (Nov 9, 2010)

Have a look in /var/log/auth.log. You should see lines similar to these:

```
Nov  8 05:18:47 maelcum sshd[23638]: error: PAM: authentication error for root from 190.1.159.185
Nov  8 05:24:50 maelcum sshd[23688]: error: PAM: authentication error for root from 190.144.1.98
Nov  8 05:32:27 maelcum sshd[23744]: error: PAM: authentication error for root from 213.16.101.5
Nov  8 05:39:38 maelcum sshd[23803]: error: PAM: authentication error for root from 212.174.45.37
Nov  8 05:48:13 maelcum sshd[23873]: error: PAM: authentication error for root from 190.1.159.185
Nov  8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.
Nov  8 05:54:26 maelcum sshd[23915]: error: PAM: authentication error for root from 190.253.223.162
Nov  8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.
```

Did you also restart syslog?


----------



## folivora (Nov 9, 2010)

Hey,

Yes, I see that blocking line. So it is working, my bad.

And it seems that due to the flush time, the table will be mostly empty.

Is there any option to adjust the ban time, or give permanent bans?

- Folivora


----------



## graudeejs (Nov 9, 2010)

Yes, sshguard(8)


----------



## francisloco (Mar 7, 2011)

And what about:

```
table <ssh-bruteforce> persist

#SSH Bruteforce
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
        flags S/SA keep state \
        (max-src-conn-rate 2/15, overload <ssh-bruteforce> flush global)
# Block ssh-bruteforce
block drop in quick on $ext_if from <ssh-bruteforce>
```


----------



## epopen (May 27, 2013)

Hi everyone 

I have a question about the sshguard log. I have installed sshguard with PF support, protecting sshd in a jail, and configured it as below:

/etc/rc.conf.local:

```
sshguard_enable="YES"
sshguard_watch_logs="/var/jail/sshd/log/auth.log"
sshguard_safety_thresh="4"
sshguard_pardon_min_interval="10800" 
#sshguard_pardon_min_interval="1250" 
sshguard_prescribe_interval="7200"
```

/etc/syslog.conf:

```
#auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
```

Note: because it doesn't monitor the system's auth log, 'exec sshguard' is commented out.

sshguard works fine (adds/releases blocked IPs in PF's table <sshguard>) and logs lines like:

```
Nov  8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.
```

But a releasing line never appears in the log, like:

```
Nov  8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.
```
even after changing

```
*.notice... /var/log/messages
```

to

```
*.info... /var/log/messages
```

in /etc/syslog.conf.

I have been checking the source code in sshguard-1.5/src/sshguard.c:

```
static void *pardonBlocked(void *par) {
   sshguard_log(LOG_INFO, "Releasing %s after %lld seconds.\n", tmpel->attack.address.value, (long long int)(now - tmpel->whenlast));
```
I think pardonBlocked() works fine, but I haven't seen any message about releasing printed.

Thanks a lot.
Neko
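Added example, not from any poster in this thread: a small Python audit that pairs the `Blocking` and `Releasing` lines sshguard writes to auth.log (the lines SirDice says to look for) and lists blocks that never got a matching release, which is the gap epopen is asking about. The sample log is constructed from the lines quoted above plus one extra block; the year is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample: the sshd/sshguard lines quoted in this thread, plus one
# extra Blocking line (212.174.45.37) that never gets a matching Releasing line.
SAMPLE_LOG = """\
Nov  8 05:18:47 maelcum sshd[23638]: error: PAM: authentication error for root from 190.1.159.185
Nov  8 05:48:13 maelcum sshguard[20559]: Blocking 190.1.159.185:4 for >420secs: 4 failures over 1766 seconds.
Nov  8 05:55:36 maelcum sshguard[20559]: Releasing 190.1.159.185 after 443 seconds.
Nov  8 06:10:02 maelcum sshguard[20559]: Blocking 212.174.45.37:4 for >420secs: 4 failures over 900 seconds.
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# The ":4" after the address in sshguard 1.x Blocking lines is its address-kind
# tag (4 = IPv4), not part of the address, so it is matched and discarded here.
BLOCK_RE = re.compile(TS + r" \S+ sshguard\[\d+\]: Blocking (\S+?):\d+ for >(\d+)secs: "
                     r"(\d+) failures over (\d+) seconds\.$")
RELEASE_RE = re.compile(TS + r" \S+ sshguard\[\d+\]: Releasing (\S+) after (\d+) seconds\.$")

def parse_ts(stamp, year=2010):
    """Syslog stamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def audit_sshguard(log_text, year=2010):
    """Pair each Blocking line with its Releasing line.
    Returns {ip: {"blocked_at", "min_secs", "failures", "window_secs", "released_after"}};
    released_after stays None when sshguard never logged a release for that block."""
    blocks = {}
    for line in log_text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            stamp, ip, min_secs, failures, window = m.groups()
            blocks[ip] = {"blocked_at": parse_ts(stamp, year), "min_secs": int(min_secs),
                          "failures": int(failures), "window_secs": int(window),
                          "released_after": None}
            continue
        m = RELEASE_RE.match(line)
        if m and m.group(2) in blocks:
            blocks[m.group(2)]["released_after"] = int(m.group(3))
    return blocks

def unreleased(blocks):
    """Addresses with no Releasing line: still in <sshguard>, or the release was never logged."""
    return sorted(ip for ip, b in blocks.items() if b["released_after"] is None)

def short_releases(blocks):
    """Releases logged earlier than the minimum ban time sshguard announced (should be empty)."""
    return sorted(ip for ip, b in blocks.items()
                  if b["released_after"] is not None and b["released_after"] < b["min_secs"])

if __name__ == "__main__":
    result = audit_sshguard(SAMPLE_LOG)
    for ip, b in result.items():
        print(ip, b["failures"], "failures, released after", b["released_after"])
    print("no release logged:", unreleased(result))
```

Run it against the real file with `audit_sshguard(open("/var/log/auth.log").read())`; an address that stays in `unreleased` long past its `min_secs` while `pfctl -t sshguard -Tshow` no longer lists it points at the release not being logged rather than not happening.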


----------

