# sshguard on a jail



## alsuki (Jun 2, 2010)

Hi everyone.

I have a jail just for ssh and I created a firewall within this jail. To block ssh bruteforce attacks I've installed sshguard.

However I'm getting this errors:


```
Jun  1 23:00:31 orion sshguard[97439]: Blocking 218.77.129.82:4 for >420secs: 4 failures over 280 seconds.
Jun  1 23:00:31 orion sshguard[97439]: Blocking command failed. Exited: -1
```

Also inside the jail the commands to PF have the following result

```
/dev/pf file or directory not found
```

Can anyone help or suggest something?

Thanks.


----------



## SirDice (Jun 2, 2010)

By default a jail is restricted. Have a look at /etc/default/devfs.rules. Create new rules in /etc/devfs.rules (doesn't exist by default) to allow access to the pf device.

See devfs.rules(5).


----------



## dennylin93 (Jun 2, 2010)

There is some ongoing work to virtualize the network stack for Jails. However, it isn't complete yet (if I remember correctly), so SirDice's method is probably the only way right now.


----------



## alsuki (Jun 2, 2010)

Thanks for a so quick reply.
When I get home I'll apply the suggested changes.

Once more, thanks.


----------



## alsuki (Jun 6, 2010)

Thanks all for your replies.

I've tested the rule to have /dev/pf support inside the jail, but that doesn't work for me because the jail rules will be added to the general pf rules ( the real machine), creating some problems with other services.

Some how at this time I'm not able to prevent brute force attacks on the jail. I've tested several techniques with no good results.

I believe that this tests with sshguard has damaged my file system ( because of system hanging and forcing unclean reboots, pressing the button).

If anyone as been some how successful in blocking ssh bruteforce attacks inside a jail, can you please share your success.

In my system firewall I redirect all ssh on the outside Ethernet device to the jail ip.


```
rdr pass on $Ext proto tcp from any to any port 22 -> $SSH
```

$SSH being the jail lan ip.

About my system freebsd 8.0-RELEASE-p3 amd64 with custom kernel.
kernel added support for ALTQ.


Thanks.


----------



## michelem (Jul 6, 2010)

alsuki said:
			
		

> Can anyone help or suggest something?



In jails you use the "hosts" backend, which performs application-level filtering with /etc/hosts.allow . I see it's not available in the ports tree, so you'll need to compile by hand in the meantime. I'll try to remember to submit one.


----------



## michelem (Jul 6, 2010)

michelem said:
			
		

> I see it's not available in the ports tree, so you'll need to compile by hand in the meantime. I'll try to remember to submit one.



Mew, this is actually security/sshguard (the master port).


----------



## alsuki (Jul 14, 2010)

Hello everyone, 
Sorry for the late replay.

Please note that the first reply by SirDice was the one that I've followed, but that one didn't work for me because the rules from both firewalls wore overlapping each other. 

As so, for me now there is no chance of blocking ssh brute force from inside a jail. 

As to installing sshguard, I've also installed and configured it but that didn't work, the reason is the one presented by SirDice.

Thanks for all the replays and your help.


----------



## michelem (Jul 17, 2010)

alsuki said:
			
		

> As so, for me now there is no chance of blocking ssh brute force from inside a jail.
> 
> As to installing sshguard, I've also installed and configured it but that didn't work, the reason is the one presented by SirDice.



There is no way (until full network stack virtualization) for any program inside a jail to mangle the host firewall.

Yet, you can use sshguard just fine in jails, I'm doing it myself on many systems. No need for tweaking any jail network setting on the host, just use the hosts backend, which is provided by security/sshguard and works entirely in user space. There is no configuration involved; see http://www.sshguard.net/docs/setup/firewall/hosts/.

If you don't get it working, see the debugging sshguard FAQ or ask on the users mailing list.


----------



## vivek (Jul 18, 2010)

See my FreeBSD ssh security howto, you need to install one of those software http://forums.freebsd.org/showthread.php?t=4108 :

security/denyhosts Works with both jaild ssh and host sshd without firewall access. Blocks ssh access.
security/sshguard-pf Protect hosts from brute force attacks against ssh and other services using pf
security/sshguard-ipfw Protect hosts from brute force attacks against ssh and other services using ipfw
security/sshguard-ipfilter Protect hosts from brute force attacks against ssh and other services using ipfilter
security/sshblock Block abusive SSH login attempts
security/sshit 	Checks for SSH/FTP bruteforce and blocks given IPs

pf is not possible inside jail right now. use denyhosts. Other option is to run ssh on different ports.


----------



## alsuki (Jul 19, 2010)

Ok, I'll try your suggestions and see if it works!

Thanks.


----------



## michelem (Jul 19, 2010)

vivek said:
			
		

> pf is not possible inside jail right now. use denyhosts. Other option is to run ssh on different ports.



What I want to avoid from the heritage of this thread is that DenyHosts is "the option" for jails. It's not: technically, all log monitors supporting /etc/hosts.allow (TCP Wrappers) work on jails. Fail2Ban is an alternative. SSHGuard is another alternative. SSHGuard supports PF as one of six possible backends; the one for jails is "hosts" (TCP Wrappers). Fail2ban also supports two backends (iptables or TCP Wrappers). DenyHosts is actually the only option that _cannot_ work on anything other than TCP Wrappers. Also, if you use DenyHosts, beware of the security threats implied by enabling "synchronization mode".


----------

