File: sshguard-setup.7

sshguard 2.5.1-2
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "SSHGUARD-SETUP" "7" "January 1, 2025" "2.5.1" "SSHGuard Manual"
.SH NAME
sshguard-setup \- setting up SSHGuard on your system
.SH DESCRIPTION
.sp
To set up SSHGuard, write \fIsshguard.conf\fP and set up the backend, if
necessary. Configuration options are documented in the sample configuration
file. A good starting point is to copy it and make the necessary changes:
.INDENT 0.0
.IP 1. 3
Set \fBBACKEND\fP\&. You may also need to set it up to work with SSHGuard
(see BACKENDS).
.IP 2. 3
Set \fBFILES\fP, \fBLOGREADER\fP, or both. Alternatively, give \fBsshguard\fP a
list of files to monitor as positional arguments on the command\-line.
.UNINDENT
.sp
Use \fBFILES\fP to specify a space\-separated list of log files to monitor.
Use \fBLOGREADER\fP to specify a shell command to run to obtain logs. Both
settings are ignored if files are given on the command\-line.
.sp
Sample \fBLOGREADER\fP commands for \fBjournalctl(1)\fP and macOS 10.12+ are
available in the sample configuration.
.SH OTHER LOGS
.SS syslog\-ng
.sp
For \fBsyslog\-ng 2.x\fP, add the following lines to \fIsyslog\-ng.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# pass only entries with auth+authpriv facilities from programs other than sshguard
filter sshlogs { facility(auth, authpriv) and not match(\(dqsshguard\(dq); };
# pass to this process with this template (avoids <ID> prefixes)
destination sshguardproc {
program(\(dq/usr/local/sbin/sshguard\(dq
template(\(dq$DATE $FULLHOST $MESSAGE\en\(dq));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
.EE
.UNINDENT
.UNINDENT
.sp
For \fBsyslog\-ng 3.x\fP, add the following lines to \fIsyslog\-ng.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# enable 3.x mode
@version:3.0

# pass only entries with auth+authpriv facilities from programs other than sshguard
filter f_sshguard { facility(auth, authpriv) and not program(\(dqsshguard\(dq); };
# pass entries built with this format
destination sshguard {
program(\(dq/usr/sbin/sshguard\(dq
template(\(dq$DATE $FULLHOST $MSGHDR$MESSAGE\en\(dq)
);
};
log { source(src); filter(f_sshguard); destination(sshguard); };
.EE
.UNINDENT
.UNINDENT
.sp
After restarting \fBsyslog\-ng\fP, SSHGuard should start as soon as a log entry
with facility \fBauth\fP or \fBauthpriv\fP arrives. If you are monitoring
services other than \fBsshd\fP, add the appropriate log facilities to
\fIsyslog\-ng.conf\fP\&.
.SS metalog
.sp
Add the following lines to \fImetalog.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
Stuff to protect from brute force attacks :
    # for ssh
    facility = \(dq*\(dq
    program = \(dqsshd\(dq
    # other services ...
    # log to /var/log/sshguard directory
    logdir = \(dq/var/log/sshguard\(dq
.EE
.UNINDENT
.UNINDENT
.sp
After restarting \fBmetalog\fP, log entries will appear in
\fI/var/log/sshguard\fP\&.  Use \fIlog polling\fP to monitor the \fIcurrent\fP log.
.SH BACKENDS
.sp
SSHGuard can block attackers using one of several firewall backends. The
backend is selected at compile\-time.
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
Read the documentation for your firewall. Make sure you fully understand each rule or command in the examples below before using them. They may need to be adjusted to suit your particular configuration.
.UNINDENT
.UNINDENT
.SS pf
.sp
SSHGuard adds attackers to table \fI<sshguard>\fP\&. Create the table and block
attackers by adding the following lines to the end of \fIpf.conf\fP:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
table <sshguard> persist
block in proto tcp from <sshguard>
.EE
.UNINDENT
.UNINDENT
.sp
After reloading the \fBpf\fP configuration, you can inspect the contents of
the table using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# pfctl \-t sshguard \-T show
.EE
.UNINDENT
.UNINDENT
.SS ipfw
.sp
SSHGuard creates and adds attackers to table 22. The table can be used to
block attackers in your ruleset. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# ipfw add 5000 reset ip from table\e(22\e) to me
.EE
.UNINDENT
.UNINDENT
.sp
You can inspect the contents of the table using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# ipfw table 22 list
.EE
.UNINDENT
.UNINDENT
.SS firewalld
.sp
Blocked attackers are added to two ipsets named sshguard4 and sshguard6.
The entries in the ipsets are blocked by default in the default firewall
zone. Additional firewall zones can be configured using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# firewall\-cmd \-\-zone=zone\-name \-\-permanent \e
    \-\-add\-rich\-rule=\(dqrule source ipset=sshguard4 drop\(dq
# firewall\-cmd \-\-zone=zone\-name \-\-permanent \e
    \-\-add\-rich\-rule=\(dqrule source ipset=sshguard6 drop\(dq
.EE
.UNINDENT
.UNINDENT
.sp
You can inspect the entries in the two ipsets using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# firewall\-cmd \-\-permanent \-\-info\-ipset=sshguard4
# firewall\-cmd \-\-permanent \-\-info\-ipset=sshguard6
.EE
.UNINDENT
.UNINDENT
.SS ipset
.sp
Blocked attackers are added to two ipsets named sshguard4 and sshguard6.
Nothing is blocked by default, but the ipsets can be used as a source for
iptables and other tools. For example:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# iptables  \-I INPUT \-m set \-\-match\-set sshguard4 src \-j DROP
# ip6tables \-I INPUT \-m set \-\-match\-set sshguard6 src \-j DROP
.EE
.UNINDENT
.UNINDENT
.SS netfilter/iptables
.sp
Create a chain for SSHGuard:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# iptables \-N sshguard      # for IPv4
# ip6tables \-N sshguard     # for IPv6
.EE
.UNINDENT
.UNINDENT
.sp
Update the INPUT chain so that it also passes traffic to the sshguard chain at
the very end of its processing. Specify in \-\-dport all the ports of the
services that your sshguard protects. To block all traffic from attackers to
the host, remove the option completely:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# block any traffic from abusers
iptables \-A INPUT \-j sshguard
ip6tables \-A INPUT \-j sshguard
.EE
.UNINDENT
.UNINDENT
.sp
Or:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# block abusers only for SSH, FTP, POP, IMAP services (use \(dqmultiport\(dq module)
iptables \-A INPUT \-m multiport \-p tcp \-\-destination\-ports 21,22,110,143 \-j sshguard
ip6tables \-A INPUT \-m multiport \-p tcp \-\-destination\-ports 21,22,110,143 \-j sshguard
.EE
.UNINDENT
.UNINDENT
.sp
Verify that there is no default allow rule passing all SSH traffic higher in
the chain, and no default deny rule blocking all SSH traffic in your firewall.
If either is present, you already have the skill to adjust your firewall
setup.
.sp
Here is a sample ruleset that makes sense:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
iptables \-N sshguard
# block whatever SSHGuard says is bad ...
iptables \-A INPUT \-j sshguard
# enable ssh, dns, http, https
iptables \-A INPUT \-p tcp \-\-dport 22 \-j ACCEPT
iptables \-A INPUT \-p udp \-\-dport 53 \-j ACCEPT
iptables \-A INPUT \-p tcp \-\-dport 80 \-j ACCEPT
iptables \-A INPUT \-p tcp \-\-dport 443 \-j ACCEPT
# and block everything else (default deny)
iptables \-P INPUT DROP
.EE
.UNINDENT
.UNINDENT
.sp
Most systems reset the firewall configuration on reboot by default. To
preserve your configuration, use the iptables\-save and iptables\-restore
utilities. However, each Linux variant has its own \(dqright way\(dq.
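.sp
The following script is an added example, not part of the SSHGuard manual or
the project's own tooling. It applies the chain setup above idempotently and
checks the rule\-ordering mistake the text warns about (an ACCEPT for a
protected port placed before the jump to the sshguard chain). The variable
names IPT, CHAIN and PORTS, and the helper names, are assumptions of this
example; IPT is expected to name the iptables or ip6tables binary.

```shell
#!/bin/sh
# Added example, not part of the sshguard manual: idempotent setup of the
# sshguard chain and a check for the rule-ordering mistake described above.
# Assumptions: IPT names the iptables (or ip6tables) binary; CHAIN is the
# chain name used in the text. Run with "setup" as the first argument to apply.
IPT=${IPT:-iptables}
CHAIN=${CHAIN:-sshguard}

# Create the chain only if it is missing ("-L" on a nonexistent chain fails).
ensure_chain() {
    "$IPT" -n -L "$CHAIN" >/dev/null 2>&1 || "$IPT" -N "$CHAIN"
}

# Add the jump from INPUT only once ("-C" succeeds if an identical rule
# already exists). "-I INPUT 1" places it first, ahead of any ACCEPT rules.
ensure_jump() {
    "$IPT" -C INPUT -j "$CHAIN" 2>/dev/null || "$IPT" -I INPUT 1 -j "$CHAIN"
}

# Read rules in "iptables -S INPUT" form on stdin. Exit 0 when the jump to
# CHAIN comes before any ACCEPT for a protected port ($1, space separated),
# 1 when an ACCEPT for such a port precedes the jump, 2 when no jump exists.
check_order() {
    awk -v chain="$CHAIN" -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        # first jump into the chain: everything after it is evaluated later
        $0 ~ ("-j " chain "( |$)") { jump = 1; exit }
        # an ACCEPT for a protected port seen before that jump is the problem
        /-j ACCEPT/ {
            for (i = 1; i < NF; i++) {
                if ($i == "--dport" || $i == "--dports") {
                    m = split($(i + 1), q, ",")
                    for (k = 1; k <= m; k++)
                        if (q[k] in want) {
                            print "ACCEPT for port " q[k] " precedes jump to " chain
                            bad = 1
                        }
                }
            }
        }
        END { exit (bad ? 1 : (jump ? 0 : 2)) }
    '
}

if [ "${1:-}" = setup ]; then
    ensure_chain
    ensure_jump
    "$IPT" -S INPUT | check_order "${PORTS:-22}" && echo "rule order OK"
fi
```

Set IPT=echo to see the commands without applying them, and IPT=ip6tables
to repeat the setup for IPv6. The check reads the live ruleset with
\fBiptables \-S INPUT\fP, so it can be run from a cron job or a configuration
test after every firewall change.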
.SS nftables
.sp
SSHGuard creates tables with a high priority and adds attackers to a set
automatically.
.sp
You can inspect the contents of the sets using:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# nft list set ip sshguard attackers
# nft list set ip6 sshguard attackers
.EE
.UNINDENT
.UNINDENT
.sp
Moreover, you can display sshguard\(aqs tables with:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# nft list table ip sshguard
# nft list table ip6 sshguard
.EE
.UNINDENT
.UNINDENT
.SH TROUBLESHOOTING
.SS Is SSHGuard configured correctly?
.sp
Check that the correct \fBFILES\fP (or \fBLOGREADER\fP) and BACKEND are set in
\fIsshguard.conf\fP\&.
.SS Is SSHGuard running?
.sp
SSHGuard spawns a pipeline of cooperating processes. You can verify that
SSHGuard is started correctly by viewing your process list using \fBps\fP or
\fBtop\fP\&. Shown here are the processes associated with an example
configuration:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
/bin/sh /opt/sshguard/sbin/sshguard
tail \-F \-n 0 /tmp/log.txt
/opt/sshguard/libexec/sshg\-parser
/opt/sshguard/libexec/sshg\-blocker \-a 30 \-p 120 \-s 1800 \-N 128 \-n 32
/bin/sh /usr/local/libexec/sshg\-fw\-null
.EE
.UNINDENT
.UNINDENT
.sp
In order:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
SSHGuard, installed in \fI/opt/sshguard\fP, is being interpreted by \fI/bin/sh\fP\&.
.IP \(bu 2
SSHGuard launched \fBtail \-F \-n 0\fP, which is monitoring \fI/tmp/log.txt\fP\&.
.IP \(bu 2
The default parser \fBsshg\-parser\fP is running.
.IP \(bu 2
The blocker is running with options \fB\-a 30 \-p 120 \-s 1800 \-N 128 \-n 32\fP\&.
.IP \(bu 2
The firewall \fBsshg\-fw\-null\fP is running. The null backend doesn\(aqt actually
block any attacks.
.UNINDENT
.UNINDENT
.UNINDENT
.SS Is SSHGuard recognizing attacks?
.sp
SSHGuard recognizes attacks by parsing log messages. The format of log
messages can occasionally change. If you are using the default, built\-in
attack parser, you can check if SSHGuard recognizes your attacks by running:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
$ cat /var/log/auth.log | %PREFIX%/libexec/sshg\-parser \-a
.EE
.UNINDENT
.UNINDENT
.sp
Log messages that are recognized as attacks are prefixed with a \(aq*\(aq at the
beginning of each line. If a log message that should be recognized as an
attack is not, consider reporting it.
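.sp
The following script is an added example, not part of the SSHGuard manual or
the project's own tooling. It automates the two checks above: whether every
member of the SSHGuard process pipeline is present (and which firewall backend
is running), and whether the parser recognizes the attacks in a log file. It
assumes a PARSER variable pointing at the installed \fBsshg\-parser\fP (the
default path below is an assumption; use your own %PREFIX%), and that
\fBsshg\-parser \-a\fP echoes every input line, prefixing recognized attacks
with \(aq*\(aq, as the text describes. The function names are this
example\(aqs own.

```shell
#!/bin/sh
# Added example, not part of the sshguard manual: two checks matching the
# troubleshooting steps above. PARSER is assumed to be the installed
# sshg-parser (the path below is an assumption; use your %PREFIX%), and
# "sshg-parser -a" is assumed to echo every input line, prefixing
# recognized attacks with "*", as the text describes.
PARSER=${PARSER:-/usr/libexec/sshg-parser}

# Read "ps -eo args" output on stdin, print any missing pipeline member and
# the running blocker options and backend. Returns 1 if a member is missing.
pipeline_status() {
    ps_out=$(cat)
    rc=0
    # launcher script, parser, blocker, and some sshg-fw-* backend
    for pat in '(^|/)sshguard( |$)' 'sshg-parser' 'sshg-blocker' 'sshg-fw-'; do
        printf '%s\n' "$ps_out" | grep -Eq "$pat" || { echo "missing: $pat"; rc=1; }
    done
    printf '%s\n' "$ps_out" | sed -n 's/.*sshg-blocker \(.*\)/blocker options: \1/p'
    backend=$(printf '%s\n' "$ps_out" | sed -n 's/.*\(sshg-fw-[a-z0-9]*\).*/\1/p' | head -n 1)
    [ -n "$backend" ] && echo "backend: $backend"
    # the null backend reports attacks but blocks nothing
    [ "$backend" = sshg-fw-null ] && echo "warning: null backend blocks nothing"
    return $rc
}

# Run a log file ($1) through the parser in test mode (-a) and summarise:
# recognized attacks carry a leading "*". Lines that mention a failed login
# but were not recognized are listed as candidates to report upstream.
# Returns 1 when such lines exist, 0 otherwise.
parser_report() {
    "$PARSER" -a < "$1" | awk '
        /^\*/ { attacks++; next }
        /Failed password|Invalid user|authentication failure/ {
            unrecognized++; print "not recognized: " $0
        }
        END {
            printf "recognized: %d, suspicious but unrecognized: %d\n", attacks + 0, unrecognized + 0
            exit (unrecognized ? 1 : 0)
        }
    '
}

if [ "${1:-}" = run ]; then
    ps -eo args | pipeline_status
    parser_report "${2:-/var/log/auth.log}"
fi
```

Invoke it as \fBsh check.sh run /var/log/auth.log\fP. The keyword list in
\fBparser_report\fP only covers a few common \fBsshd\fP messages; extend it
for the other services you protect so that format changes in their logs are
noticed before attackers stop being blocked.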
.SH EXAMPLES
.sp
Ignore \fBFILES\fP and monitor these files instead:
.INDENT 0.0
.INDENT 3.5
.sp
.EX
# sshguard /var/log/auth.log /var/log/maillog
.EE
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
sshguard(8)
.\" Generated by docutils manpage writer.
.