Setting up SSHGuard against NFTABLES

assuming nftables is already installed and running

wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.tar.gz
wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.sha256
cat sshguard-2.4.1.sha256
sha256sum sshguard-2.4.1.tar.gz
875d02e6e67dced614790ed5e36aef1160edea940f353a79306cbb1852af3c67  sshguard-2.4.1.tar.gz
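Added example, not from the original page: a small shell function that compares the tarball's digest with the one listed in the .sha256 file and fails closed on a mismatch, so the check above is scripted instead of eyeballed. It assumes the digest file uses the two-column "DIGEST  FILENAME" layout shown above; the file it is exercised on is a constructed stand-in, not the real tarball.

```shell
#!/bin/sh
# Added example, not part of the original page or of sshguard. Assumes the
# .sha256 file uses the "DIGEST  FILENAME" layout shown on the page.

# verify_sha256 TARBALL SUMFILE
# Exit status: 0 = digest matches, 1 = mismatch, 2 = no entry for TARBALL in SUMFILE.
verify_sha256() {
    tarball=$1
    sumfile=$2
    name=$(basename "$tarball")

    # Pick the digest listed for this exact file name; ignore any other entries.
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sumfile")
    if [ -z "$expected" ]; then
        echo "no digest for $name in $sumfile" >&2
        return 2
    fi

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $name"
        return 0
    fi
    echo "MISMATCH $name: expected $expected, got $actual" >&2
    return 1
}

# Only unpack when the digest checks out (fail closed).
unpack_verified() {
    verify_sha256 "$1" "$2" && tar xzf "$1"
}
```

Run `unpack_verified sshguard-2.4.1.tar.gz sshguard-2.4.1.sha256` in place of the bare `tar xzf`; `sha256sum -c sshguard-2.4.1.sha256` performs the same comparison in one step when the digest file is in coreutils format.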

tar xzf sshguard-2.4.1.tar.gz
cd sshguard-2.4.1/
./configure --sysconfdir=/etc --localstatedir=/var
make
make install
cp examples/sshguard.conf.sample /etc/sshguard.conf
mkdir /var/lib/sshguard/
ls -lF /usr/local/libexec/sshg-fw-nft-sets

e.g. to also secure Postfix/SASL and Dovecot/IMAP, not just sshd

vi /etc/sshguard.conf

BACKEND="/usr/local/libexec/sshg-fw-nft-sets"
FILES="/var/log/maillog /var/log/secure"
IPV6_SUBNET=128
IPV4_SUBNET=32
PID_FILE=/var/run/sshguard.pid
BLACKLIST_FILE=50:/var/lib/sshguard/enemies
WHITELIST_FILE=/etc/friends

defaults are

THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800

if you are under attack or want a more paranoid setup

THRESHOLD=10
BLOCK_TIME=360
DETECTION_TIME=5400
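Added example, not sshguard's own code: a toy model of how THRESHOLD, BLOCK_TIME and DETECTION_TIME interact, run over a constructed list of attack timestamps. It assumes each recognised attack adds 10 danger points (sshguard's default) and that an address's running score is forgotten once DETECTION_TIME seconds pass without a new attack from it; the longer block times sshguard applies to repeat offenders are not modelled.

```shell
#!/bin/sh
# Added example, not sshguard's own code. Assumptions: 10 danger points per
# recognised attack (sshguard's default), score forgotten after DETECTION_TIME
# seconds of silence from that address, no repeat-offender escalation.

# Constructed sample of recognised attacks: "<epoch-seconds> <attacker-ip>".
# 203.0.113.5 fails three times in 200 s; 198.51.100.9 fails every 1900 s.
SAMPLE_ATTACKS='
100 203.0.113.5
200 203.0.113.5
300 203.0.113.5
100 198.51.100.9
2000 198.51.100.9
3900 198.51.100.9
'

# simulate_blocks THRESHOLD BLOCK_TIME DETECTION_TIME
# Prints "ip blocked_at unblocked_at" for each address whose score reaches
# THRESHOLD while its earlier attacks are still inside the detection window.
simulate_blocks() {
    printf '%s\n' "$SAMPLE_ATTACKS" | awk -v thr="$1" -v block="$2" -v win="$3" '
        NF == 2 {
            t = $1; ip = $2
            # the score expires if the previous attack is older than the window
            if ((ip in last) && t - last[ip] > win) score[ip] = 0
            score[ip] += 10
            last[ip] = t
            if (score[ip] >= thr && !(ip in blocked)) {
                blocked[ip] = t
                print ip, t, t + block
            }
        }'
}
```

With the defaults (`simulate_blocks 30 120 1800`) only 203.0.113.5 is blocked: three attacks within 200 seconds reach 30 points, while the attacks from 198.51.100.9 are 1900 seconds apart, so its score expires before it ever reaches the threshold. Widening DETECTION_TIME to 5400 catches the slow attacker as well, and lowering THRESHOLD to 10 blocks both on their first attack.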

DO NOT FORGET TO WHITELIST YOURSELF AND OTHER SYSADMIN WORKSTATIONS

vi /etc/friends

x.x.x.x
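Added example, not part of sshguard: a preflight check that the address you are logged in from is actually covered by /etc/friends before you (re)start the daemon, so the lock-out the warning above is about cannot happen silently. It assumes whitelist entries are one IPv4 address or IPv4 CIDR block per line with `#` comments; hostname and IPv6 entries are skipped by this check, so an address covered only by those would be reported as missing. The whitelist it is exercised on is constructed.

```shell
#!/bin/sh
# Added example, not sshguard's own code. Assumes one IPv4 address or IPv4
# CIDR block per whitelist line, '#' comments; hostnames and IPv6 are skipped.

# in_whitelist ADDR FILE -> exit 0 if ADDR is covered by an entry in FILE, else 1
in_whitelist() {
    awk -v addr="$1" '
        # dotted quad -> 32-bit integer (plain arithmetic, no bitwise ops needed)
        function ip2n(s,  p) { split(s, p, "."); return p[1]*16777216 + p[2]*65536 + p[3]*256 + p[4] }
        BEGIN { a = ip2n(addr); status = 1 }
        { sub(/#.*/, "") }                                            # drop comments
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { next }  # IPv4 entries only
        {
            n = split($1, e, "/")
            bits = (n == 2) ? e[2] : 32
            span = 2 ^ (32 - bits)                                    # addresses per block
            if (int(a / span) == int(ip2n(e[1]) / span)) { status = 0; exit }
        }
        END { exit status }' "$2"
}

# preflight_whitelist [FILE]: refuse unless the SSH client address of the
# current session is whitelisted. Exit 0 = ok, 1 = not listed, 2 = not an SSH session.
preflight_whitelist() {
    file=${1:-/etc/friends}
    me=${SSH_CONNECTION%% *}      # first field of SSH_CONNECTION is the client address
    if [ -z "$me" ]; then
        echo "not an SSH session, cannot determine your client address" >&2
        return 2
    fi
    if in_whitelist "$me" "$file"; then
        echo "OK: $me is whitelisted in $file"
        return 0
    fi
    echo "REFUSING: $me is not in $file, add it before restarting sshguard" >&2
    return 1
}
```

Call `preflight_whitelist && /etc/rc.d/rc.sshguard restart` from the admin shell; the restart only runs when the check passes.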

Operations

enable at boot time – no need for nohup here

vi /etc/rc.d/rc.local

echo sshguard
rm -f /var/run/sshguard.pid
echo >> /var/log/sshguard.log
date >> /var/log/sshguard.log
/usr/local/sbin/sshguard -i /var/run/sshguard.pid >> /var/log/sshguard.log 2>&1 &

status

    ps auxfww | grep sshguard | grep -vE 'grep|tail'
    tail -F /var/log/messages /var/log/syslog
    nft list ruleset

stop

    pkill sshguard

–OR– init script

Slackware

vi /etc/rc.d/rc.sshguard

#!/bin/sh

case $1 in
    start)
        echo Starting SSHGUARD
        exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid &
        ;;
    status)
        ps auxfww | grep sshg | grep -vE 'grep|tail|rc.sshguard'
        ;;
    stop)
        echo Stopping SSHGUARD
        killall sshguard
        ;;
    restart)
        echo Restarting SSHGUARD
        killall sshguard
        exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid &
        ;;
    *)
        echo "usage $0 start|status|stop|restart"
        exit 1
        ;;
esac

chmod +x /etc/rc.d/rc.sshguard

Maintenance

in case you need to un-filter a false positive, you need to fix both the whitelist AND the blacklist

vi /etc/friends

x.x.x.x

vi /var/lib/sshguard/enemies

(delete offending line)

rc.sshguard restart

start with a fresh list of filtered hosts

rm -f /var/lib/sshguard/enemies
rc.sshguard restart
nft list ruleset

Resources

sshguard https://wiki.archlinux.org/index.php/sshguard

sshguard https://wiki.gentoo.org/wiki/Sshguard

How do I start sshguard at boot? https://www.sshguard.net/faq.html#sshguard-start-at-boot
