is a log monitor that protects networked hosts from brute force attacks against services, most notably SSH.
| sshguard-setup.7 (sshguard-2.4.1) | : | sshguard-setup.7 (sshguard-2.4.2) |
|---|
| | |
| skipping to change at line 76 | | skipping to change at line 76 |
|---|
| | |
| BACKENDS | | BACKENDS |
| SSHGuard can block attackers using one of several firewall backends that
is selected at compile-time. | | SSHGuard can block attackers using one of several firewall backends that
is selected at compile-time. |
| | |
| WARNING: | | WARNING: |
| Read the documentation for your firewall. Make sure you fully understa
nd each rule or command in the | | Read the documentation for your firewall. Make sure you fully understa
nd each rule or command in the |
| examples below before using them. They may need to be adjusted to suit
your particular configuration. | | examples below before using them. They may need to be adjusted to suit
your particular configuration. |
| | |
| pf | | pf |
| SSHGuard adds attackers to table <sshguard>. Create the table and block
attackers by adding the following | | SSHGuard adds attackers to table <sshguard>. Create the table and block
attackers by adding the following |
|
| lines to pf.conf: | | lines to the end of pf.conf: |
| | |
| table <sshguard> persist | | table <sshguard> persist |
| block in proto tcp from <sshguard> | | block in proto tcp from <sshguard> |
| | |
| After reloading the pf configuration, you can inspect the contents of the
table using: | | After reloading the pf configuration, you can inspect the contents of the
table using: |
| | |
| # pfctl -t sshguard -T show | | # pfctl -t sshguard -T show |
| | |
| ipfw | | ipfw |
| SSHGuard creates and adds attackers to table 22. The table can be used to
block attackers in your ruleset. | | SSHGuard creates and adds attackers to table 22. The table can be used to
block attackers in your ruleset. |
| | |
| skipping to change at line 170 | | skipping to change at line 170 |
|---|
| You can inspect the contents of the sets using: | | You can inspect the contents of the sets using: |
| | |
| # nft list set ip sshguard attackers | | # nft list set ip sshguard attackers |
| # nft list set ip6 sshguard attackers | | # nft list set ip6 sshguard attackers |
| | |
| Moreover, you can display sshguard's tables with: | | Moreover, you can display sshguard's tables with: |
| | |
| # nft list table ip sshguard | | # nft list table ip sshguard |
| # nft list table ip6 sshguard | | # nft list table ip6 sshguard |
| | |
|
| | TROUBLESHOOTING |
| | Is SSHGuard configured correctly? |
| | Check that the correct FILES (or LOGREADER) and BACKEND are set in sshgua |
| | rd.conf. |
| | |
| | Is SSHGuard running? |
| | SSHGuard spawns a pipeline of cooperating processes. You can verify that |
| | SSHGuard is started correctly by |
| | viewing your process list using ps or top. Shown here are the processes a |
| | ssociated with an example config- |
| | uration: |
| | |
| | /bin/sh /opt/sshguard/sbin/sshguard |
| | tail -F -n 0 /tmp/log.txt |
| | /opt/sshguard/libexec/sshg-parser |
| | /opt/sshguard/libexec/sshg-blocker -a 30 -p 120 -s 1800 -N 128 -n 32 |
| | /bin/sh /usr/local/libexec/sshg-fw-null |
| | |
| | In order: |
| | |
| | · SSHGuard, installed in /opt/sshguard, is being interpreted by /bin/s |
| | h. |
| | |
| | · SSHGuard launched tail -F -n 0, which is monitoring /tmp/log.txt. |
| | |
| | · The default parser sshg-parser is running. |
| | |
| | · The blocker is running with options -a 30 -p 120 -s 1800 -N 128 -n 3 |
| | 2. |
| | |
| | · The firewall sshg-fw-null is running. The null backend doesn't actua |
| | lly block any attacks. |
| | |
| | Is SSHGuard recognizing attacks? |
| | SSHGuard recognizes attacks by parsing log messages. The format of log |
| | messages can occasionally change. |
| | If you are using the default, built-in attack parser, you can check if SS |
| | HGuard recognizes your attacks by |
| | running: |
| | |
| | $ cat /var/log/auth.log | %PREFIX%/libexec/sshg-parser -a |
| | |
| | Log messages that are recognized as attacks are prefixed with a '*' at |
| | the beginning of each line. If a |
| | log message that should be recognized as an attack is not, consider repor |
| | ting it. |
| | |
| EXAMPLES | | EXAMPLES |
| Ignore FILES and monitor these files instead: | | Ignore FILES and monitor these files instead: |
| | |
| # sshguard /var/log/auth.log /var/log/maillog | | # sshguard /var/log/auth.log /var/log/maillog |
| | |
| SEE ALSO | | SEE ALSO |
| sshguard(8) | | sshguard(8) |
| | |
|
| 2.4 May 23, 2019
SSHGUARD-SETUP(7) | | 2.4 August 27, 2020
SSHGUARD-SETUP(7) |
| | | |
| End of changes. 3 change blocks. |
|---|
| 1 lines changed or deleted | | 48 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 