assuming nftables is already in place
wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.tar.gz
wget https://sourceforge.net/projects/sshguard/files/sshguard/2.4.1/sshguard-2.4.1.sha256
cat sshguard-2.4.1.sha256
sha256sum sshguard-2.4.1.tar.gz
875d02e6e67dced614790ed5e36aef1160edea940f353a79306cbb1852af3c67  sshguard-2.4.1.tar.gz
the two hashes must match before you unpack (the .sha256 comes from the same mirror, so this catches a corrupt download, not a compromised one)
tar xzf sshguard-2.4.1.tar.gz
cd sshguard-2.4.1/
./configure --sysconfdir=/etc --localstatedir=/var
make
make install
cp examples/sshguard.conf.sample /etc/sshguard.conf
mkdir /var/lib/sshguard/
ls -lF /usr/local/libexec/sshg-fw-nft-sets
e.g. to also cover Postfix/SASL and Dovecot/IMAP, add the mail log to FILES
vi /etc/sshguard.conf
BACKEND="/usr/local/libexec/sshg-fw-nft-sets"
FILES="/var/log/maillog /var/log/secure"
IPV6_SUBNET=128
IPV4_SUBNET=32
PID_FILE=/var/run/sshguard.pid
BLACKLIST_FILE=50:/var/lib/sshguard/enemies
WHITELIST_FILE=/etc/friends
the 50: prefix is the blacklist threshold, an address whose score reaches 50 goes into the enemies file and stays blocked until you flush that file
defaults are
THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800
if you are under attack or want something paranoid
THRESHOLD=10
BLOCK_TIME=360
DETECTION_TIME=5400
DO NOT FORGET TO WHITELIST YOURSELF AND OTHER SYSADMIN WORKSTATIONS
vi /etc/friends
x.x.x.x
enable at boot time
vi /etc/rc.d/rc.local
echo sshguard
/usr/bin/nohup /usr/local/sbin/sshguard -i /var/run/sshguard.pid > /var/log/sshguard.log 2>&1 &
not sure nohup is needed here, but a bare & at the end to push the process into the background is not reassuring either
Slackware
vi /etc/rc.d/rc.sshguard

#!/bin/sh
case $1 in
    start)
        echo Starting SSHGUARD
        exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid &
        ;;
    status)
        ps auxfww | grep sshg | grep -vE 'grep|tail|rc.sshguard'
        ;;
    stop)
        echo Stopping SSHGUARD
        killall sshguard
        ;;
    restart)
        echo Restarting SSHGUARD
        killall sshguard
        exec /usr/local/sbin/sshguard -i /var/run/sshguard.pid &
        ;;
    *)
        echo "usage $0 start|status|stop|restart"
        exit 1
        ;;
esac

chmod +x /etc/rc.d/rc.sshguard
note that in 2.x /usr/local/sbin/sshguard is a shell script driving a pipeline of sshg-logtail | sshg-parser | sshg-blocker | the backend, which is why status greps for sshg and not sshguard; after a stop run status again and make sure no sshg-* children survived
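Added example (not part of these notes and not sshguard's own code): a small POSIX sh check that turns the "whitelist yourself" warning above into something rc.sshguard can enforce before it starts the daemon. It parses a whitelist in the format sshguard accepts (one IPv4 address or IPv4/CIDR per line, # comments; hostname entries are skipped here, sshguard itself resolves them) and refuses to start when the admin's current SSH client address, taken from $SSH_CONNECTION, is not covered. The file name /etc/friends comes from the config above; the sample whitelist at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes or of sshguard itself.
# Checks whether an IPv4 address is covered by a whitelist file in the
# format sshguard reads: one "a.b.c.d" or "a.b.c.d/n" per line, '#' comments.

# dotted quad -> 32-bit integer on stdout; returns 1 (prints nothing) on bad input
ip4_to_int() {
    _ip=$1
    _oldifs=$IFS; IFS=.
    set -- $_ip
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric or leading zero (octal trap)
        esac
        [ "$_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_match ADDR ENTRY : 0 if ADDR is inside ENTRY ("a.b.c.d" or "a.b.c.d/n")
ip4_match() {
    _addr=$(ip4_to_int "$1") || return 1
    case $2 in
        */*) _net=${2%/*}; _bits=${2#*/} ;;
        *)   _net=$2;      _bits=32 ;;
    esac
    case $_bits in ''|*[!0-9]*) return 1 ;; esac
    [ "$_bits" -le 32 ] || return 1
    _netint=$(ip4_to_int "$_net") || return 1
    [ "$_bits" -eq 0 ] && return 0            # /0 matches everything
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( _addr & _mask )) -eq $(( _netint & _mask )) ]
}

# whitelisted ADDR FILE : 0 if any entry in FILE covers ADDR, 1 if none, 2 if unreadable
whitelisted() {
    _a=$1; _f=$2
    [ -r "$_f" ] || return 2
    while IFS= read -r _line || [ -n "$_line" ]; do
        _entry=${_line%%#*}                          # strip trailing comment
        _entry=$(printf '%s' "$_entry" | tr -d ' \t') # and whitespace
        [ -n "$_entry" ] || continue
        if ip4_match "$_a" "$_entry"; then return 0; fi   # hostnames simply fail to match
    done < "$_f"
    return 1
}

# check_self_whitelisted [FILE] : for use from rc.sshguard start; refuses (returns 1)
# when the current SSH client address is not whitelisted. Outside an SSH session
# there is nothing to check, so it returns 0.
check_self_whitelisted() {
    _file=${1:-/etc/friends}
    _client=${SSH_CONNECTION%% *}
    [ -n "$_client" ] || { echo "not an SSH session, skipping self check" >&2; return 0; }
    if whitelisted "$_client" "$_file"; then
        echo "ok: $_client is whitelisted in $_file"
        return 0
    fi
    echo "REFUSING to start sshguard: $_client is not in $_file" >&2
    return 1
}

# Demo on a constructed whitelist (not a real /etc/friends). Set SSHGUARD_DEMO=0
# when sourcing this file from rc.sshguard so only the functions are defined.
if [ "${SSHGUARD_DEMO:-1}" = 1 ]; then
    _tmp=$(mktemp)
    cat > "$_tmp" <<'EOF'
# constructed sample whitelist
203.0.113.10          # admin workstation
192.0.2.0/24          # office range
EOF
    whitelisted 203.0.113.10 "$_tmp" && echo "203.0.113.10 whitelisted"
    whitelisted 192.0.2.200 "$_tmp"  && echo "192.0.2.200 whitelisted (via /24)"
    whitelisted 198.51.100.7 "$_tmp" || echo "198.51.100.7 NOT whitelisted"
    rm -f "$_tmp"
fi
```

In rc.sshguard the start branch would become `check_self_whitelisted /etc/friends || exit 1` before launching the daemon; the check costs nothing at boot (no SSH session, so it passes) and saves you when restarting by hand from an address you forgot to add.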
in case you want to flush your blocked-ip list as it gets too big, clear up the enemies
mv /var/lib/sshguard/enemies /var/lib/sshguard/enemies.old
rc.sshguard stop
rc.sshguard status
rc.sshguard start
ls -lF /var/lib/sshguard/
nft list ruleset
after the restart the sshguard sets in the ruleset should be empty again, since the blacklist is only reloaded from the (now moved) enemies file
at startup
echo sshguard
/usr/bin/nohup /usr/local/sbin/sshguard > /root/sshguard.log 2>&1 &
status
ps auxfww | grep sshguard | grep -v grep
tail -F /var/log/messages /var/log/syslog
nft list ruleset
stop
pkill sshguard
https://wiki.archlinux.org/index.php/sshguard
https://wiki.gentoo.org/wiki/Sshguard
How do I start sshguard at boot? https://www.sshguard.net/faq.html#sshguard-start-at-boot