Setting up SSHGuard with nftables

assuming nftables is already installed and its ruleset loaded

wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.tar.gz
wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.sha256
cat sshguard-2.4.1.sha256
sha256sum sshguard-2.4.1.tar.gz
875d02e6e67dced614790ed5e36aef1160edea940f353a79306cbb1852af3c67  sshguard-2.4.1.tar.gz

the two digests must be identical before you unpack the tarball; if they differ, do not build it. Note that a checksum fetched from the same site as the tarball only catches a corrupt download, not a tampered one.

tar xzf sshguard-2.4.1.tar.gz
cd sshguard-2.4.1/
./configure --sysconfdir=/etc --localstatedir=/var
make
make install
cp examples/sshguard.conf.sample /etc/sshguard.conf
mkdir /var/lib/sshguard/
ls -lF /usr/local/libexec/sshg-fw-nft-sets

the last ls just confirms the nftables backend got installed; that path goes into BACKEND below.

for example, to protect Postfix/SASL and Dovecot/IMAP as well as sshd, point FILES at the mail log in addition to the auth log:

vi /etc/sshguard.conf

BACKEND="/usr/local/libexec/sshg-fw-nft-sets"   # the path checked with ls above
FILES="/var/log/maillog /var/log/secure"         # mail log + auth log
IPV6_SUBNET=128                                  # block single addresses, not whole prefixes
IPV4_SUBNET=32
PID_FILE=/var/run/sshguard.pid
BLACKLIST_FILE=50:/var/lib/sshguard/enemies     # permanently blacklist at score 50; directory created above
WHITELIST_FILE=/etc/friends

defaults are

THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800

if you are under attack or want something more aggressive (most attacks score 10 points, so THRESHOLD=10 blocks on the very first failure; BLOCK_TIME is only the first block, repeat offenders are blocked 1.5x longer each time)

THRESHOLD=10
BLOCK_TIME=360
DETECTION_TIME=5400

DO NOT FORGET TO WHITELIST YOURSELF AND OTHER SYSADMIN WORKSTATIONS

with the defaults, three mistyped passwords in a row from your own workstation are enough to get it blocked for BLOCK_TIME seconds; whitelisted addresses are never scored at all.

vi /etc/friends

x.x.x.x

one entry per line: a single address, an address block in CIDR notation, or a hostname; blank lines and lines starting with # are ignored.
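to see what THRESHOLD, DETECTION_TIME and the whitelist actually do before touching a live box, here is an added example (not sshguard's own code, just a small scoring model that approximates its rules: 10 points per matched attack, block once the score reaches THRESHOLD, score forgotten after DETECTION_TIME seconds of quiet, whitelisted addresses never scored) replayed over some made-up sshd log lines. The log lines, the 192.0.2.10 "admin workstation", the RFC 5737 attacker addresses and the friends.example file are all constructed for the demo; it only matches "Failed password ... from <ip>" lines and only exact addresses in the whitelist.

```shell
#!/bin/sh
# Added example, not part of sshguard: replay constructed sshd log lines
# through a scoring model so THRESHOLD / DETECTION_TIME / whitelist settings
# can be tried offline.
# ASSUMPTIONS (this is a model, not sshg-blocker): every matched attack scores
# 10 points (sshguard's default per-attack danger); an address is blocked once
# its score reaches THRESHOLD; its score is forgotten after DETECTION_TIME
# seconds without a new attack; whitelisted addresses are never scored.

# Constructed sample log. Field 1 is an epoch timestamp in place of the syslog
# date so the window arithmetic is visible; addresses are RFC 5737 ranges.
SAMPLE_LOG='1700000000 sshd[101]: Failed password for root from 203.0.113.7 port 40001 ssh2
1700000005 sshd[102]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
1700000010 sshd[103]: Failed password for root from 203.0.113.7 port 40003 ssh2
1700000015 sshd[104]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
1700000020 sshd[105]: Failed password for root from 203.0.113.7 port 40004 ssh2
1700000030 sshd[106]: Failed password for root from 198.51.100.9 port 40005 ssh2
1700000040 sshd[107]: Failed password for alice from 192.0.2.10 port 50001 ssh2
1700000045 sshd[108]: Failed password for alice from 192.0.2.10 port 50002 ssh2
1700000050 sshd[109]: Failed password for alice from 192.0.2.10 port 50003 ssh2
1700000060 sshd[110]: Failed password for root from 203.0.113.7 port 40006 ssh2
1700003000 sshd[111]: Failed password for root from 198.51.100.9 port 40007 ssh2
1700006000 sshd[112]: Failed password for root from 198.51.100.9 port 40008 ssh2'

# Constructed whitelist in the /etc/friends format (one address per line,
# # comments allowed): the admin workstation that keeps mistyping its password.
FRIENDS="${TMPDIR:-/tmp}/friends.example.$$"
printf '%s\n' '# admin workstation (constructed)' '192.0.2.10' > "$FRIENDS"

# score_attackers THRESHOLD DETECTION_TIME WHITELIST_FILE  < log
# Prints "address score" for each address that would be blocked, sorted.
score_attackers() {
    awk -v thr="$1" -v win="$2" -v wl="$3" '
    BEGIN {
        # load the whitelist: strip comments and whitespace, keep exact addresses
        while ((getline line < wl) > 0) {
            sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
            if (line != "") friends[line] = 1
        }
    }
    /Failed password for .* from [0-9.]+ port/ {
        ts = $1; ip = ""
        for (i = 2; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "" || (ip in friends) || (ip in blocked)) next
        # quiet for longer than DETECTION_TIME: the old score is forgotten
        if ((ip in last) && ts - last[ip] > win) score[ip] = 0
        last[ip] = ts
        score[ip] += 10          # default per-attack danger
        if (score[ip] >= thr) { blocked[ip] = ts; print ip, score[ip] }
    }' | sort
}

# Defaults: only 203.0.113.7 (three failures in 20 s) gets blocked.
printf '%s\n' "$SAMPLE_LOG" | score_attackers 30 1800 "$FRIENDS"
# Paranoid THRESHOLD=10: the first failure from any non-whitelisted address blocks it.
printf '%s\n' "$SAMPLE_LOG" | score_attackers 10 1800 "$FRIENDS"
# Longer DETECTION_TIME=5400: the slow-drip attempts from 198.51.100.9 now add up too.
printf '%s\n' "$SAMPLE_LOG" | score_attackers 30 5400 "$FRIENDS"
```

the three runs show the trade-off in the settings above: with the defaults 198.51.100.9 never gets blocked because it pauses for more than 1800 s between bursts, a longer DETECTION_TIME catches it, and 192.0.2.10 fails three times in ten seconds but is never touched because it is in the whitelist.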

Ready to go

enable at boot time

vi /etc/rc.d/rc.local

echo sshguard
/usr/bin/nohup /usr/local/sbin/sshguard -i /var/run/sshguard.pid > /var/log/sshguard.log 2>&1 &

nohup is not needed when launching from rc.local (there is no controlling terminal to hang up on it), but the trailing & is required: sshguard stays in the foreground, so without it rc.local would block there and never finish booting the rest.

–OR– init script

Slackware

vi /etc/rc.d/rc.sshguard

#!/bin/sh
# /etc/rc.d/rc.sshguard -- start/stop/status for sshguard on Slackware

SSHGUARD=/usr/local/sbin/sshguard
PIDFILE=/var/run/sshguard.pid
LOG=/var/log/sshguard.log

# true if the pid in the pid file is alive
running() { [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; }

start() {
    if running; then echo "sshguard already running, pid $(cat "$PIDFILE")"; return 0; fi
    echo "Starting SSHGUARD"
    # sshguard stays in the foreground, so it must be backgrounded here
    "$SSHGUARD" -i "$PIDFILE" >>"$LOG" 2>&1 &
}

stop() {
    echo "Stopping SSHGUARD"
    if running; then kill "$(cat "$PIDFILE")"; fi
    # sshguard is a wrapper around a tail | sshg-parser | sshg-blocker | backend
    # pipeline; make sure no stage outlives it before a restart
    pkill '^sshg-' 2>/dev/null
    for i in 1 2 3 4 5; do running || break; sleep 1; done
    rm -f "$PIDFILE"
}

status() {
    if running; then echo "sshguard running, pid $(cat "$PIDFILE")"; else echo "sshguard not running"; fi
    # the pipeline stages show up as sshguard, sshg-parser, sshg-blocker, sshg-fw-nft-sets
    ps auxfww | grep '[s]shg' | grep -v rc.sshguard
}

case $1 in
    start)   start ;;
    stop)    stop ;;
    status)  status ;;
    restart) stop; start ;;
    *)       echo "usage: $0 start|status|stop|restart"; exit 1 ;;
esac

chmod +x /etc/rc.d/rc.sshguard

rc.M does not start custom rc.* scripts on its own, so call it from rc.local (/etc/rc.d/rc.sshguard start) and, if you keep one, from rc.local_shutdown (/etc/rc.d/rc.sshguard stop).

Maintenance

in case you want to flush your blocked-IP list because it has grown too big, clear up the enemies file. Stop sshguard first: sshg-blocker appends to this file while it runs and only reads it back at startup, so the entries you move away are gone from the nft set after the restart (check with nft list ruleset).

rc.sshguard stop
rc.sshguard status
mv /var/lib/sshguard/enemies /var/lib/sshguard/enemies.old
rc.sshguard start
ls -lF /var/lib/sshguard/
nft list ruleset
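instead of throwing the whole list away you can age out only the old entries and keep the recent offenders blacklisted. Added example, not sshguard's own code: it assumes the enemies file is one "time|kind|address" line per entry with the time in epoch seconds, as sshg-blocker writes it in 2.x; check that against a line of your own file before using it and change the separator/field numbers if yours differs. The three sample entries and the enemies.example path are constructed for the demo; run the real thing with sshguard stopped, as above.

```shell
#!/bin/sh
# Added example (not sshguard's own code): age out old blacklist entries rather
# than dropping the whole enemies file.
# ASSUMPTION: each line is "time|kind|address" as written by sshg-blocker in
# 2.x, with time in epoch seconds. Confirm against one line of your own file;
# change the -F separator and field numbers below if yours differs.
# Run it with sshguard stopped: sshg-blocker appends to this file while running
# and only reads it at startup.

# prune_enemies FILE MAX_AGE_SECONDS [NOW_EPOCH]
#   keeps FILE.old as a backup, rewrites FILE with entries younger than
#   MAX_AGE_SECONDS, passes lines it cannot parse through untouched, and prints
#   the number of entries dropped.
prune_enemies() {
    file=$1; max_age=$2; now=${3:-$(date +%s)}
    tmp="$file.tmp.$$"
    cp -p "$file" "$file.old" || return 1
    : > "$tmp" || return 1                   # so an all-dropped file still gets rewritten
    awk -F'|' -v now="$now" -v max_age="$max_age" -v out="$tmp" '
        $1 !~ /^[0-9]+$/ || NF < 3 { print > out; next }   # unexpected shape: keep as-is
        now - $1 > max_age        { dropped++; next }      # older than max_age: drop
                                  { print > out }          # recent: keep
        END                       { print dropped + 0 }    # report to stdout
    ' "$file" || return 1
    mv "$tmp" "$file"
}

# --- demo on a constructed file (addresses from RFC 5737 / RFC 3849 ranges) ---
DEMO="${TMPDIR:-/tmp}/enemies.example.$$"
printf '%s\n' \
    '1690000000|4|203.0.113.7' \
    '1699990000|4|198.51.100.9' \
    '1699999000|6|2001:db8::1' > "$DEMO"

# Drop entries older than 30 days relative to a fixed "now" so the result is
# reproducible; on a live box leave the third argument out.
prune_enemies "$DEMO" $((30 * 24 * 3600)) 1700000000
cat "$DEMO"
```

after pruning, start sshguard again and confirm with nft list ruleset that only the kept addresses are back in the sshguard sets.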

Trash (older notes kept for reference; the sections above supersede them)

at startup

echo sshguard
/usr/bin/nohup /usr/local/sbin/sshguard > /root/sshguard.log 2>&1 &

status

ps auxfww | grep sshguard | grep -v grep
tail -F /var/log/messages /var/log/syslog
nft list ruleset

stop

pkill sshguard

Resources

https://wiki.archlinux.org/index.php/sshguard

https://wiki.gentoo.org/wiki/Sshguard

How do I start sshguard at boot? https://www.sshguard.net/faq.html#sshguard-start-at-boot