Protect SSH with SSHGuard

Several tools exist to prevent brute-force attacks on SSH servers. Both DenyHosts and Fail2ban are Python scripts that come with a bunch of dependencies.

But there is a better option available. SSHGuard is a small application written in C, which makes it closer to a traditional UNIX daemon. SSHGuard integrates with existing software from the FreeBSD 10 base system (PF and syslog).

To use it, we need to install security/sshguard-pf, either from ports or using the binary package:

pkg install sshguard-pf

Then we need to make SSHGuard gather information from the logs by adding one line to /etc/syslog.conf:

auth.info;authpriv.info   |/usr/local/sbin/sshguard

Reload the syslog configuration:

killall -HUP syslogd

Then set up PF to accept blocking rules from SSHGuard. We need to edit the PF configuration file, /etc/pf.conf.

Declare the table in the table section:

table <sshguard> persist

Add a blocking rule to the packet filtering section:

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"

Make PF load the new configuration:

pfctl -f /etc/pf.conf

This command can be used to display the addresses blocked by SSHGuard:

pfctl -Tshow -tsshguard
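
A quick way to confirm that the edits above are in place, as an added example that is not part of the original post or of SSHGuard itself. The function names check_syslog and check_pf are hypothetical, and the "pass quick" test is a heuristic based on PF stopping at the first matching quick rule:

```sh
#!/bin/sh
# Added example: audit the two files edited above. Paths are arguments,
# so the checks can also be run against copies of the configs.
# Usage: check_syslog /etc/syslog.conf && check_pf /etc/pf.conf

# Returns 0 if an uncommented line pipes auth.info messages to sshguard.
check_syslog() {
    grep -Eq '^[[:space:]]*auth\.info[^#]*\|[[:space:]]*/usr/local/sbin/sshguard' "$1"
}

# Returns 0 and prints "ok" if pf.conf declares <sshguard> before a
# block rule that uses it; otherwise prints the reason and returns 1.
# The "pass quick" test is a heuristic: PF stops at the first matching
# quick rule, so an earlier one for SSH would bypass the block.
check_pf() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*table[ \t]+<sshguard>/ { if (!t) t = NR }
        /^[ \t]*block[ \t].*from[ \t]+<sshguard>/ { if (!b) b = NR }
        /^[ \t]*pass[ \t].*quick.*port[ \t]+(22|ssh)([^0-9A-Za-z]|$)/ { if (!p) p = NR }
        END {
            if (!t) { print "missing: table <sshguard> persist"; exit 1 }
            if (!b) { print "missing: block rule from <sshguard>"; exit 1 }
            if (t > b) { print "table declared after the rule using it"; exit 1 }
            if (p && p < b) { print "pass quick for SSH precedes the block rule"; exit 1 }
            print "ok"
        }' "$1"
}
```

Before reloading, pfctl -nf /etc/pf.conf parses the ruleset without loading it, which catches syntax errors that these text checks cannot.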