SSH brute force attacks are incredibly common, and very easy to protect against.
Firstly, you can do things like only allowing SSH from certain IPs, among other options, but here I’m just going to cover SSHGuard. SSHGuard is a tool that watches the authentication log and blocks the source addresses of brute force attempts.
The first step is to install SSHGuard.
Next, edit /etc/pf.conf to add the SSHGuard table and the block rule:

```
table <sshguard> persist
block in proto tcp from <sshguard>
```
The sshguard table is where the IP addresses that have been flagged get added. Note that I block all TCP traffic from offending IP addresses. If you want to only block port 22 for SSH, you can replace the second line with:

```
block in proto tcp from <sshguard> to port 22
```
Before applying the changes, it is a good idea to verify that the edited pf.conf parses cleanly (-n parses the rules without loading them):

```
pfctl -vnf /etc/pf.conf
```

If there are no syntax errors, then apply the changes:

```
pfctl -f /etc/pf.conf
```
Now create the whitelist file and set the daemon flags:

```
mkdir -p /var/db/sshguard/
touch /var/db/sshguard/whitelist.db
rcctl set sshguard flags -a 50 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
```

-a sets the number of attempts before an IP is blocked, -p sets the time in seconds to block the IP for (14400 is four hours), -l points SSHGuard at the log file to watch, and -w names the whitelist file.
- You can edit the whitelist file to add hostnames, IP addresses, and CIDR blocks for SSHGuard to ignore
- You can also feed SSHGuard from syslogd or syslog-ng instead; however, it is easier to just have it read the log file directly as shown above.
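To see how the -a threshold and the -w whitelist interact, here is an added example (my own code, not SSHGuard's) that scores constructed authlog lines the way the daemon does: failures are counted per source address, whitelisted addresses and CIDR blocks are ignored, and any source at or over the threshold gets the pfctl command that would put it in the <sshguard> table. The regex and the sample lines are assumptions modelled on OpenBSD sshd log wording, and the threshold is lowered to 3 so the small sample trips it.

```python
import ipaddress
import re
from collections import Counter

# sshd authentication-failure lines of the kind SSHGuard scores (assumed wording).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed (?:password|publickey)|Invalid user).* from (\S+)"
)

def load_whitelist(lines):
    """Parse IPs and CIDR blocks in the format of the -w whitelist file."""
    nets = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def is_whitelisted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def offenders(log_lines, threshold, whitelist):
    """Return (failure count per source, sorted sources at/over threshold)."""
    counts = Counter()
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m and not is_whitelisted(m.group(1), whitelist):
            counts[m.group(1)] += 1
    return counts, sorted(ip for ip, n in counts.items() if n >= threshold)

def pf_commands(blocked):
    """pfctl commands equivalent to SSHGuard adding each source to the table."""
    return [f"pfctl -t sshguard -T add {ip}" for ip in blocked]

# Constructed sample log (TEST-NET addresses), not a real /var/log/authlog.
SAMPLE_LOG = (
    [f"Mar  3 10:15:0{i} host sshd[4242]: Failed password for invalid user admin "
     f"from 203.0.113.5 port 5112{i} ssh2" for i in range(5)]
    + ["Mar  3 10:16:00 host sshd[4243]: Invalid user test from 198.51.100.9 port 40001",
       "Mar  3 10:16:01 host sshd[4243]: Failed password for invalid user test "
       "from 198.51.100.9 port 40001 ssh2"]
    + [f"Mar  3 10:17:0{i} host sshd[4244]: Failed password for root "
       f"from 192.0.2.10 port 3000{i} ssh2" for i in range(5)]   # whitelisted net
    + ["Mar  3 10:18:00 host sshd[4245]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2"]
)
WHITELIST = load_whitelist(["# trusted office network", "192.0.2.0/24"])

def demo(threshold=3):
    return offenders(SAMPLE_LOG, threshold, WHITELIST)

if __name__ == "__main__":
    counts, blocked = demo()
    for ip, n in counts.items():
        print(f"{ip}: {n} failures")
    print("\n".join(pf_commands(blocked)))
```

On the live system, `pfctl -t sshguard -T show` lists what SSHGuard has actually added to the table.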
Now, just enable and start the daemon:

```
rcctl enable sshguard
rcctl start sshguard
```
That’s it! SSHGuard is now up and running!