SSH brute-force attacks are incredibly common and very easy to protect against.

There are other options, such as only allowing SSH from certain IP addresses, but here I'm just going to cover SSHGuard. SSHGuard is a daemon that watches the authentication log and blocks addresses that make repeated failed login attempts.

The first step is to install SSHGuard.

pkg_add -i sshguard

Next, edit /etc/pf.conf to add the SSHGuard table and the block rule:

table <sshguard> persist
block in proto tcp from <sshguard>

The <sshguard> table is where the IP addresses that have been flagged get added; persist keeps the table defined even while it is empty. Note that I block all TCP traffic from offending IP addresses. If you want to only block SSH you can replace the second line with block in proto tcp from <sshguard> to port 22. One caveat: pf evaluates rules last-match-wins, so put this block rule after any pass rule that allows port 22, or add the quick keyword (block in quick proto tcp from <sshguard>) so the block takes effect regardless of what follows it.

Before loading the new ruleset, check it for syntax errors without applying it (-n parses only, -v prints the parsed rules):

pfctl -vnf /etc/pf.conf

If there are no syntax errors, load the ruleset:

pfctl -f /etc/pf.conf

Now create the whitelist file and set the daemon flags:

mkdir -p /var/db/sshguard/
touch /var/db/sshguard/whitelist.db
rcctl set sshguard flags -a 50 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db

Notes:

  • -a sets the number of failed attempts before an address is blocked, and -p sets how long to block it, in seconds; 14400 is four hours.
  • -l points SSHGuard at the log it should read, which on OpenBSD is /var/log/authlog.
  • You can edit the whitelist file to add hostnames, IP addresses, and CIDR blocks (one per line) that SSHGuard should never block. Add the addresses you administer from, so a few typos in your own password cannot lock you out.
  • You can also feed SSHGuard from syslogd or syslog-ng instead of a log file, but it is easier to just configure it as shown above.
  • The option set has changed between SSHGuard releases, so check sshguard(8) for the version pkg_add installed before copying the flags above.

Finally, enable the daemon so it starts at boot, and start it now:

rcctl enable sshguard
rcctl start sshguard

That’s it! SSHGuard is now up and running!
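To make the -a threshold and the whitelist concrete, here is an added example (not part of the original post and not SSHGuard's own code): a POSIX sh script that counts failed sshd logins per source address over a few constructed authlog-style lines, skips addresses matched by a constructed whitelist (exact addresses and CIDR blocks, as in whitelist.db), and prints the pfctl command SSHGuard's pf backend uses to add each remaining offender to the <sshguard> table. The log lines, the addresses, and the threshold of 3 are made up for the example, and SSHGuard's real pattern matching covers more messages than the two sshd lines matched here.

```shell
#!/bin/sh
# Added example: a minimal model of SSHGuard's decision logic, not SSHGuard's
# own code. Counts failed sshd logins per source address, skips whitelisted
# addresses/CIDR blocks, and prints the pfctl command that would put each
# remaining offender into the <sshguard> table.

# Constructed sample lines in /var/log/authlog format (not real log data).
SAMPLE_LOG='Jan  1 00:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 41234 ssh2
Jan  1 00:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 41235 ssh2
Jan  1 00:00:03 host sshd[1003]: Invalid user admin from 203.0.113.5 port 41236
Jan  1 00:00:04 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 41236 ssh2
Jan  1 00:00:05 host sshd[1005]: Failed password for root from 192.0.2.10 port 50000 ssh2
Jan  1 00:00:06 host sshd[1006]: Failed password for root from 192.0.2.10 port 50001 ssh2
Jan  1 00:00:07 host sshd[1007]: Failed password for root from 192.0.2.10 port 50002 ssh2
Jan  1 00:00:08 host sshd[1008]: Invalid user test from 198.51.100.77 port 60000
Jan  1 00:00:09 host sshd[1009]: Invalid user test from 198.51.100.77 port 60001
Jan  1 00:00:10 host sshd[1010]: Invalid user test from 198.51.100.77 port 60002
Jan  1 00:00:11 host sshd[1011]: Failed password for root from 203.0.113.9 port 40000 ssh2
Jan  1 00:00:12 host sshd[1012]: Accepted publickey for alice from 203.0.113.9 port 40001 ssh2'

# Constructed whitelist in the same shape as whitelist.db: one address or
# CIDR block per line, # starts a comment.
WHITELIST='# hosts that must never be blocked
192.0.2.10
198.51.100.0/24'

# Print "count address" for every source address with failed logins.
count_failures() {
  printf '%s\n' "$1" | awk '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
    }
    END { for (ip in c) print c[ip], ip }'
}

# Dotted quad to integer, e.g. 192.0.2.10 -> 3221225994.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True if address $1 falls inside $2 (a.b.c.d/n, or a bare address = /32).
in_cidr() {
  case $2 in
    */*) net=${2%/*}; bits=${2#*/} ;;
    *)   net=$2;      bits=32 ;;
  esac
  # 4294967295 is 0xffffffff; shift left then mask to get the netmask.
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# True if address $1 matches any non-comment entry in whitelist text $2.
is_whitelisted() {
  ip=$1
  old_ifs=$IFS
  IFS='
'
  set -f
  set -- $2
  set +f
  IFS=$old_ifs
  for entry in "$@"; do
    case $entry in ''|\#*) continue ;; esac
    in_cidr "$ip" "$entry" && return 0
  done
  return 1
}

# Addresses with at least $2 failures (the -a threshold) that are not in
# whitelist text $3, sorted, one per line.
offenders() {
  count_failures "$1" | while read -r n ip; do
    [ "$n" -ge "$2" ] || continue
    is_whitelisted "$ip" "$3" && continue
    printf '%s\n' "$ip"
  done | sort
}

# The command SSHGuard's pf backend runs for each offender; printed here
# rather than executed so the script runs without root or a live pf.
block_commands() {
  offenders "$1" "$2" "$3" | while read -r ip; do
    printf 'pfctl -t sshguard -T add %s\n' "$ip"
  done
}

block_commands "$SAMPLE_LOG" 3 "$WHITELIST"
```

With these inputs only 203.0.113.5 is reported: 192.0.2.10 and 198.51.100.77 reach the threshold but are whitelisted, and 203.0.113.9 has a single failure followed by a successful key login. On the real system the equivalent checks are pfctl -t sshguard -T show to list what SSHGuard has blocked and pfctl -t sshguard -T delete <address> to release an address early; SSHGuard removes entries itself once the -p period has elapsed.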