OpenBSD SSHGuard Tutorial
This is a quick look at SSHGuard and how to effectively use it to ban ssh brute force attacks on OpenBSD machines.
The sshguard program is an extra layer of security that bans IP addresses once they reach a maximum threshold of failed password attempts. It can monitor multiple log sources and blocks based on a threat-weighted scoring system. By default SSHGuard blocks an IP for 120 seconds, and each subsequent block of the same address lasts 1.5 times longer. If you’re familiar with the Linux world, this is similar to Fail2Ban. However, unlike Fail2Ban, SSHGuard is compatible with both Linux and BSD systems.
Before configuring sshguard it is STRONGLY recommended to do the following:
- Disable root ssh authentication
- Generate and use an ED25519 keypair for ssh authentication (with a strong passphrase on the keypair)
- Disable ssh password authentication
- Disable ssh keyboard-interactive authentication
Installation
Use OpenBSD’s package tools (pkg_add) as the root user or with root privileges to install SSHGuard with the command:
pkg_add sshguard
Initial Configuration
Back up the default configuration with the command:
cp /etc/sshguard.conf /etc/examples/sshguard.conf
Edit SSHGuard’s configuration file:
vi /etc/sshguard.conf
Find the line BACKEND and confirm it is set to:
BACKEND="/usr/local/libexec/sshg-fw-pf"
Find the line FILES and confirm it is set to:
FILES=/var/log/authlog
Password Attempts Threshold
The default threshold for blocking is 30 points. If you want to lower the threshold to 20 points, do the following.
Edit the configuration file with the command:
vi /etc/sshguard.conf
Find the line:
THRESHOLD=30
Edit the line to be:
THRESHOLD=20
Block Time
The default block time is 120 seconds. If, for example, you want to increase the block time to 10 minutes, edit the SSHGuard configuration:
vi /etc/sshguard.conf
Find the line:
BLOCK_TIME=120
Change the time to 10 minutes (in seconds):
BLOCK_TIME=600
Blacklists and Whitelists
Creating a blacklist or whitelist will permanently block or allow ssh attempts from the listed addresses. These files are not automatically created on OpenBSD. I’d recommend putting them into /etc, as they are config files just like sshguard.conf. This tutorial will put them in a directory within /etc to keep them organized. Run all the following commands as root or with root permissions.
Add a configuration directory for SSHGuard:
mkdir /etc/sshguard.d
Edit the SSHGuard configuration with the command:
vi /etc/sshguard.conf
Find the line:
#BLACKLIST_FILE=
Edit it to look like:
BLACKLIST_FILE=/etc/sshguard.d/sshguard.blacklist
Find the line:
#WHITELIST_FILE=
Edit it to look like:
WHITELIST_FILE=/etc/sshguard.d/sshguard.whitelist
Persistent tables
A reminder that pf tables are not persistent: their contents are cleared if the system is restarted or killed.
Dump the table with the command:
pfctl -t sshguard -T show > sshguardtabledump.txt
Consider writing a more complete script for crontab to properly back up your SSHGuard table.
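One way to write such a script, as an added example that is not part of the original tutorial: it dumps the sshguard pf table from cron and re-adds the saved addresses at boot. It assumes the table is named sshguard (as in the pfctl command above) and that the dump file lives under /etc/sshguard.d, the directory created earlier; both the dump path and the script name are made up for this example.

```sh
#!/bin/sh
# Added example (not part of the original tutorial): dump the sshguard pf table
# periodically from cron and restore it after a reboot. Assumptions: the table
# is named "sshguard" (as in the pfctl command above) and the dump lives under
# /etc/sshguard.d, the directory created earlier in this tutorial.
TABLE="${TABLE:-sshguard}"
DUMP_FILE="${DUMP_FILE:-/etc/sshguard.d/sshguard.pftable}"

# Strip the leading whitespace "pfctl -T show" prints and keep only IPv4/IPv6
# addresses or CIDR networks, so a corrupted or hand-edited dump cannot feed
# stray tokens to pfctl. Pure text processing, no pf needed.
filter_addresses() {
    sed 's/^[[:space:]]*//' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$' ||
        true   # grep exits 1 when nothing matches; an empty table is not an error
}

# Write the current table contents atomically so a crash mid-write never
# leaves a half-written dump behind.
dump_table() {
    tmp="$DUMP_FILE.tmp.$$"
    pfctl -t "$TABLE" -T show | filter_addresses > "$tmp" && mv "$tmp" "$DUMP_FILE"
}

# Re-add the saved addresses. "-T add" creates the table if it does not exist.
# Entries restored this way are unknown to the running sshguard, so it will not
# expire them; flush the table by hand when they are no longer wanted.
restore_table() {
    [ -s "$DUMP_FILE" ] || return 0
    addrs=$(filter_addresses < "$DUMP_FILE")
    [ -n "$addrs" ] || return 0
    # Word splitting on the newline-separated list is intended here.
    # shellcheck disable=SC2086
    pfctl -t "$TABLE" -T add $addrs
}

# Usage: pftable-backup.sh dump     (from root's crontab, e.g. every 10 minutes)
#        pftable-backup.sh restore  (from /etc/rc.local at boot)
case "${1:-}" in
    dump)    dump_table ;;
    restore) restore_table ;;
esac
```

Restored entries stay blocked until flushed, since sshguard only releases addresses it blocked itself.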