SSHD brute force attacks
Tested on FreeBSD 6.2
Normally I just use hosts.allow to control SSH guessing attacks by whitelisting the IPs that should be connecting to my box, but that is not always an option. I’m also not going to let people pound away for hours trying to guess random passwords, even though I use only keys for authentication.
I had tried several solutions before I found sshguard.
It is simple yet powerful and supports ipfw, pf, iptables, and tcp wrappers.
The only problem is that the version in the ports has a bug that causes the program to dump core, e.g.:
kernel: pid 1665 (sshguard), uid 0: exited on signal 6 (core dumped)
The solution, which I found here, is to edit a few quick lines in sshguard.c.
It’s not ideal, but it works.
# cd /usr/ports/security/sshguard
# make fetch extract
# cd work/sshguard-1.0/src
# vi sshguard.c
Make the changes listed above.
# cd ../../..
# make install clean
# vi /etc/syslog.conf
You will notice a line like:
#auth.info;authpriv.info |exec /usr/local/sbin/sshguard
Uncomment this line and restart syslogd:
# /etc/rc.d/syslogd restart
Make sure that /etc/hosts.deny has an ALL: ALL line (if you don’t have anything else using wrappers) and that hosts.allow has SSHD: ALL.
hosts.allow should end up looking like this:
###sshguard###
###sshguard###
SSHD: ALL
sshguard will add the first two lines after the first ssh login.
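As an added illustration (not sshguard’s own code and not from the original post), the Python below does in miniature what the syslog pipe above feeds sshguard: it counts sshd "Failed password" lines per source address and rewrites the block between the two ###sshguard### markers in hosts.allow. The sample log lines are constructed, the 4-failure threshold is assumed, and the `sshd : address : deny` line form is hosts_access(5) extended syntax rather than a claim about exactly what sshguard writes.

```python
import re
from collections import defaultdict

# Constructed sample of the auth.info lines syslogd would pipe to sshguard.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4422 ssh2
Mar  3 10:01:05 host sshd[1235]: Failed password for root from 192.0.2.10 port 4423 ssh2
Mar  3 10:01:09 host sshd[1236]: Failed password for invalid user test from 192.0.2.10 port 4424 ssh2
Mar  3 10:01:11 host sshd[1237]: Failed password for invalid user oracle from 192.0.2.10 port 4425 ssh2
Mar  3 10:01:20 host sshd[1238]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2
Mar  3 10:02:00 host sshd[1239]: Failed password for bob from 203.0.113.5 port 6000 ssh2
"""

# Matches OpenSSH's failed-password message and captures the source address.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
MARKER = "###sshguard###"

def offenders(lines, threshold=4):
    """Source addresses with at least `threshold` failed logins (4 is an assumed value)."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip for ip, n in counts.items() if n >= threshold}

def update_hosts_allow(text, blocked):
    """Rewrite the rules between the two ###sshguard### marker lines.

    Deny lines use hosts_access(5) extended syntax ("daemon : client : deny").
    The first matching rule wins, so the block must sit above "SSHD: ALL"; if
    the markers are missing they are prepended. Re-running replaces the block
    rather than appending, so the update is idempotent.
    """
    lines = text.splitlines()
    try:
        start = lines.index(MARKER)
        end = lines.index(MARKER, start + 1)
    except ValueError:
        lines = [MARKER, MARKER] + lines
        start, end = 0, 1
    deny = ["sshd : %s : deny" % ip for ip in sorted(blocked)]
    return "\n".join(lines[:start + 1] + deny + lines[end:]) + "\n"

if __name__ == "__main__":
    print(update_hosts_allow("###sshguard###\n###sshguard###\nSSHD: ALL\n",
                             offenders(SAMPLE_LOG.splitlines())), end="")
```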
That is it for this quick howto, but there is support for whitelisting and a whole slew of other options in the manpages.
# man sshguard
Good luck