is a log monitor that protects networked hosts from brute force attacks against services, most notably SSH.
| sshguard-setup.7.rst (sshguard-2.4.1) | : | sshguard-setup.7.rst (sshguard-2.4.2) |
|---|
| ============== | | ============== |
| sshguard-setup | | sshguard-setup |
| ============== | | ============== |
| | |
| ---------------------------------- | | ---------------------------------- |
| setting up SSHGuard on your system | | setting up SSHGuard on your system |
| ---------------------------------- | | ---------------------------------- |
| | |
|
| :Date: May 23, 2019 | | :Date: August 27, 2020 |
| :Manual group: SSHGuard Manual | | :Manual group: SSHGuard Manual |
| :Manual section: 7 | | :Manual section: 7 |
| :Version: 2.4 | | :Version: 2.4 |
| | |
| DESCRIPTION | | DESCRIPTION |
| =========== | | =========== |
| To set up SSHGuard, write *sshguard.conf* and set up the backend, if | | To set up SSHGuard, write *sshguard.conf* and set up the backend, if |
| necessary. Configuration options are documented in the sample configuration | | necessary. Configuration options are documented in the sample configuration |
| file. A good starting point is to copy it and make the necessary changes: | | file. A good starting point is to copy it and make the necessary changes: |
| | |
| | |
| skipping to change at line 94 | | skipping to change at line 94 |
|---|
| BACKENDS | | BACKENDS |
| ======== | | ======== |
| SSHGuard can block attackers using one of several firewall backends that is | | SSHGuard can block attackers using one of several firewall backends that is |
| selected at compile-time. | | selected at compile-time. |
| | |
| .. warning:: Read the documentation for your firewall. Make sure you fully under
stand each rule or command in the examples below before using them. They may nee
d to be adjusted to suit your particular configuration. | | .. warning:: Read the documentation for your firewall. Make sure you fully under
stand each rule or command in the examples below before using them. They may nee
d to be adjusted to suit your particular configuration. |
| | |
| pf | | pf |
| -- | | -- |
| SSHGuard adds attackers to table *<sshguard>*. Create the table and block | | SSHGuard adds attackers to table *<sshguard>*. Create the table and block |
|
| attackers by adding the following lines to *pf.conf*:: | | attackers by adding the following lines to the end of *pf.conf*:: |
| | |
| table <sshguard> persist | | table <sshguard> persist |
| block in proto tcp from <sshguard> | | block in proto tcp from <sshguard> |
| | |
| After reloading the **pf** configuration, you can inspect the contents of | | After reloading the **pf** configuration, you can inspect the contents of |
| the table using:: | | the table using:: |
| | |
| # pfctl -t sshguard -T show | | # pfctl -t sshguard -T show |
| | |
| ipfw | | ipfw |
| | |
| skipping to change at line 200 | | skipping to change at line 200 |
|---|
| You can inspect the contents of the sets using:: | | You can inspect the contents of the sets using:: |
| | |
| # nft list set ip sshguard attackers | | # nft list set ip sshguard attackers |
| # nft list set ip6 sshguard attackers | | # nft list set ip6 sshguard attackers |
| | |
| Moreover, you can display sshguard's tables with:: | | Moreover, you can display sshguard's tables with:: |
| | |
| # nft list table ip sshguard | | # nft list table ip sshguard |
| # nft list table ip6 sshguard | | # nft list table ip6 sshguard |
| | |
|
| | TROUBLESHOOTING |
| | =============== |
| | |
| | Is SSHGuard configured correctly? |
| | --------------------------------- |
| | Check that the correct **FILES** (or **LOGREADER**) and BACKEND are set in |
| | *sshguard.conf*. |
| | |
| | Is SSHGuard running? |
| | -------------------- |
| | SSHGuard spawns a pipeline of cooperating processes. You can verify that |
| | SSHGuard is started correctly by viewing your process list using ``ps`` or |
| | ``top``. Shown here are the processes associated with an example |
| | configuration:: |
| | |
| | /bin/sh /opt/sshguard/sbin/sshguard |
| | tail -F -n 0 /tmp/log.txt |
| | /opt/sshguard/libexec/sshg-parser |
| | /opt/sshguard/libexec/sshg-blocker -a 30 -p 120 -s 1800 -N 128 -n 32 |
| | /bin/sh /usr/local/libexec/sshg-fw-null |
| | |
| | In order: |
| | |
| | - SSHGuard, installed in */opt/sshguard*, is being interpreted by */bin/sh*. |
| | |
| | - SSHGuard launched ``tail -F -n 0``, which is monitoring */tmp/log.txt*. |
| | |
| | - The default parser ``sshg-parser`` is running. |
| | |
| | - The blocker is running with options ``-a 30 -p 120 -s 1800 -N 128 -n 32``. |
| | |
| | - The firewall ``sshg-fw-null`` is running. The null backend doesn't actually |
| | block any attacks. |
| | |
| | Is SSHGuard recognizing attacks? |
| | -------------------------------- |
| | SSHGuard recognizes attacks by parsing log messages. The format of log |
| | messages can occasionally change. If you are using the default, built-in |
| | attack parser, you can check if SSHGuard recognizes your attacks by running:: |
| | |
| | $ cat /var/log/auth.log | %PREFIX%/libexec/sshg-parser -a |
| | |
| | Log messages that are recognized as attacks are prefixed with a '*' at the |
| | beginning of each line. If a log message that should be recognized as an |
| | attack is not, consider reporting it. |
| | |
| EXAMPLES | | EXAMPLES |
| ======== | | ======== |
| Ignore **FILES** and monitor these files instead:: | | Ignore **FILES** and monitor these files instead:: |
| | |
| # sshguard /var/log/auth.log /var/log/maillog | | # sshguard /var/log/auth.log /var/log/maillog |
| | |
| SEE ALSO | | SEE ALSO |
| ======== | | ======== |
| sshguard(8) | | sshguard(8) |
| | | |
| End of changes. 3 change blocks. |
|---|
| 2 lines changed or deleted | | 48 lines changed or added |
|---|
"Fossies" - the Fresh Open Source Software Archive 