1
<h2>Installation and setup</h2>
<p>All you need to run sshguard is some sort of system logger (in this example, we’re using syslog-ng), iptables and of course a running ssh daemon. Visit the <a href="http://sshguard.sourceforge.net/">sshguard website</a> for more information on how to use it with a different logger. Every major distribution should have sshguard in its package management system. I’m on Gentoo, so I just had to enter <em>emerge sshguard</em>.</p>
<p>Next, we have to tell the system logger (syslog-ng) to pass the logs to sshguard. This is done in the <strong>syslog-ng.conf</strong>:</p>
<pre>
<code>
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
destination sshguardproc {
program("/usr/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
</code>
</pre>
<p>Tell syslog-ng to re-read it’s configuration:</p>
<pre>
<code>
killall -HUP syslog-ng
</code>
</pre>
<p>Set up your Netfilter (iptables rules) as usual. You’ll find plenty of example on the interwebs, but you can also leave it pretty much empty. Just make sure to have the following:</p>
<pre>
<code>
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard
</code>
</pre>
<p>This sets up a new sshguard chain and passes the ssh traffic to it. sshguard takes care of the rest – that’s basically it!</p>
Textile
h2. Installation and setup
p. All you need to run sshguard is some sort of system logger (in this example, we're using syslog-ng), iptables and of course a running ssh daemon. Visit the "sshguard website":http://sshguard.sourceforge.net/ for more information on how to use it with a different logger. Every major distribution should have sshguard in its package management system. I'm on Gentoo, so I just had to enter _emerge sshguard_.
p. Next, we have to tell the system logger (syslog-ng) to pass the logs to sshguard. This is done in the *syslog-ng.conf*:
<pre>
<code>
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
destination sshguardproc {
program("/usr/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
</code>
</pre>
p. Tell syslog-ng to re-read it's configuration:
<pre>
<code>
killall -HUP syslog-ng
</code>
</pre>
p. Set up your Netfilter (iptables rules) as usual. You'll find plenty of example on the interwebs, but you can also leave it pretty much empty. Just make sure to have the following:
<pre>
<code>
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard
</code>
</pre>
p. This sets up a new sshguard chain and passes the ssh traffic to it. sshguard takes care of the rest - that's basically it!
2008-06-16T03:12:48+02:00
1
262
en
0
3
block_ssh_brute_force_attacks_with_sshguard
2008-06-16T13:12:33+02:00
published
sshguard was born for protecting SSH servers from the today's widespread brute force attacks, and evolved to an extensible log supervisor for blocking attacks to applications in real-time. It monitors logging activity and reacts to attacks by blocking their source addresses.
Block SSH Brute Force Attacks with sshguard
2008-06-16T15:12:33+02:00
37