# sshguard-pf not working



## f5b (Dec 26, 2010)

have test sshguard with TCP wrapper(hosts.allow), not work, see the topic last day.
now test sshguard-pf with pf firewall, same problem.

[CMD=]cd /usr/ports/security/sshguard-pf[/CMD]
[CMD=]make install clean[/CMD]
[CMD=]vi etc/syslog.conf[/CMD]
add line

```
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
```


the server have two interfaces,one for int, another for ext
so
[CMD=]vi /etc/pf.conf[/CMD]


```
table <sshguard> persist

set skip on lo

scrub in

block in quick on egress proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in
pass out
```


[CMD=]/etc/rc.d/syslog reload[/CMD]


top  found


```
7907 root        2  44    0  7184K  1612K nanslp  4   0:00  0.00% sshguard
```


[CMD="tail -f /var/log/auth.log"][/CMD]
test the brute force ssh, nothing found excecpt ...


```
Dec 26 10:29:47 b sshd[1077]: Server listening on 0.0.0.0 port 22.
Dec 26 10:29:47 b sshguard[1079]: Started successfully [(a,p,s)=(4, 420, 1200)],now ready to scan.
Dec 26 10:32:18 b sshd[1202]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:18 b sshd[1202]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49700 ssh2
Dec 26 10:32:18 b sshd[1202]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:18 b sshd[1202]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49700 ssh2
Dec 26 10:32:23 b sshd[1206]: Invalid user a from 10.0.0.88
Dec 26 10:32:23 b sshd[1206]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:23 b sshd[1206]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49701 ssh2
Dec 26 10:32:23 b sshd[1206]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:23 b sshd[1206]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49701 ssh2
Dec 26 10:32:29 b sshd[1210]: Invalid user a from 10.0.0.88
Dec 26 10:32:29 b sshd[1210]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:29 b sshd[1210]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49702 ssh2
Dec 26 10:32:29 b sshd[1210]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:29 b sshd[1210]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49702 ssh2
Dec 26 10:32:34 b sshd[1214]: Invalid user a from 10.0.0.88
Dec 26 10:32:34 b sshd[1214]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:34 b sshd[1214]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49703 ssh2
Dec 26 10:32:34 b sshd[1214]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:34 b sshd[1214]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49703 ssh2
Dec 26 10:32:39 b sshd[1218]: Invalid user a from 10.0.0.88
Dec 26 10:32:39 b sshd[1218]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:39 b sshd[1218]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49704 ssh2
Dec 26 10:32:39 b sshd[1218]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:39 b sshd[1218]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49704 ssh2
Dec 26 10:32:43 b sshd[1222]: Invalid user a from 10.0.0.88
Dec 26 10:32:44 b sshd[1222]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:44 b sshd[1222]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49705 ssh2
Dec 26 10:32:44 b sshd[1222]: error: PAM: authentication error for illegal user a from 10.0.0.88
Dec 26 10:32:44 b sshd[1222]: Failed keyboard-interactive/pam for invalid user a from 10.0.0.88 port 49705 ssh2
Dec 26 10:32:48 b sshd[1226]: Invalid user a from 10.0.0.88
```


----------



## SirDice (Dec 27, 2010)

Remove the 
	
	



```
table <sshguard> persist
```

Did you also restart syslog?


----------



## f5b (Dec 27, 2010)

SirDice said:
			
		

> Remove the
> 
> 
> 
> ...



Why remove 

```
table <sshguard> persist
```

Yes, I have restarted syslog with `/etc/rc.d/syslogd reload`


----------

