Tuesday, March 9, 2010

sshguard on Debian/lenny

The sshguard documentation is correct, but a little lacking.

Here are my notes on what is needed, in case I ever need to re-do it:

  • Download sshguard-1.4.tar.gz from http://www.sshguard.net/

  • Unpack and compile (see the stock documentation on sshguard.net)

  • In /etc/rc.local add the following lines before the "exit 0". This creates an iptables chain named sshguard and sends every incoming TCP connection to port 22 through it, which is where sshguard will later add its blocking rules:

    iptables -N sshguard
    iptables -A INPUT -p tcp --dport 22 -j sshguard

    Run those two commands by hand (or reboot) before you edit the syslog configuration, so that the chain already exists when syslog-ng first starts sshguard.

  • In /etc/syslog-ng/syslog-ng.conf add around line 190 the following lines. The filter selects auth/authpriv messages but leaves out sshguard's own log lines so they are not fed back into it; the destination pipes the matching lines into sshguard as "date host message":

    filter sshlogs { facility(auth, authpriv) and not match("sshguard"); };

    destination sshguardproc {
        program("/usr/local/sbin/sshguard"
            template("$DATE $FULLHOST $MESSAGE\n"));
    };

    And down near the end of the file, add the following (s_all is the name of the log source defined earlier in the file; use whatever name your config gives it):

    log { source(s_all); filter(sshlogs); destination(sshguardproc); };

  • And finally make syslog-ng reload its configuration (sudo killall -HUP syslog-ng) and read the sshguard FAQs: http://www.sshguard.net/docs/faqs/
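As an added check (an example written for this page, not code from the original post or from the sshguard project), the following POSIX shell script verifies the two edits above without touching the live firewall: it confirms that /etc/rc.local creates the chain and the INPUT jump before its final "exit 0", and that syslog-ng.conf defines the filter, the destination and the log statement and that the source the log statement names actually exists (the notes use s_all; Debian's stock file usually calls its source s_src, which is the kind of mismatch this catches). The file paths default to the ones used in the notes, and the live-chain function assumes root and iptables on the server itself.

```sh
#!/bin/sh
# Added example, not part of the original post or of sshguard: sanity checks
# for the rc.local and syslog-ng edits described above. Paths default to the
# ones in the notes; pass different files as arguments.

# /etc/rc.local must create the sshguard chain and hook INPUT into it, and
# both lines have to come before the final "exit 0" or they never run.
check_rc_local() {
    file="${1:-/etc/rc.local}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*exit[ \t]+0/ && !exit_seen  { exit_seen = NR }
        /iptables -N sshguard/              { chain = NR }
        /iptables -A INPUT .*-j sshguard/   { jump = NR }
        END {
            if (!chain) { print "missing: iptables -N sshguard"; bad = 1 }
            if (!jump)  { print "missing: iptables -A INPUT ... -j sshguard"; bad = 1 }
            if (exit_seen && chain > exit_seen) { print "chain is created after exit 0"; bad = 1 }
            if (exit_seen && jump > exit_seen)  { print "INPUT jump is added after exit 0"; bad = 1 }
            if (!bad) print "rc.local looks good"
            exit bad
        }' "$file"
}

# syslog-ng.conf must define the filter (excluding sshguard's own messages),
# the destination that runs sshguard, and a log statement wiring them to a
# source that is really defined in the file.
check_syslog_ng_conf() {
    file="${1:-/etc/syslog-ng/syslog-ng.conf}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    grep -q 'filter[[:space:]]*sshlogs[[:space:]]*{' "$file" \
        || { echo "missing: filter sshlogs"; return 1; }
    grep -q 'not[[:space:]]*match("sshguard")' "$file" \
        || { echo "filter does not exclude sshguard's own log lines"; return 1; }
    grep -q 'destination[[:space:]]*sshguardproc[[:space:]]*{' "$file" \
        || { echo "missing: destination sshguardproc"; return 1; }
    grep -q 'program("[^"]*/sshguard"' "$file" \
        || { echo "destination does not run the sshguard binary"; return 1; }
    logline=$(grep -E 'log[[:space:]]*\{.*filter\(sshlogs\).*destination\(sshguardproc\)' "$file") \
        || { echo "missing: log { source(...); filter(sshlogs); destination(sshguardproc); };"; return 1; }
    src=$(printf '%s\n' "$logline" | sed -n 's/.*source(\([^)]*\)).*/\1/p' | head -n 1)
    [ -n "$src" ] || { echo "log statement names no source"; return 1; }
    grep -q "source[[:space:]]*$src[[:space:]]*{" "$file" \
        || { echo "source $src is used by the log statement but never defined"; return 1; }
    echo "syslog-ng.conf looks good (source $src)"
}

# Live check, to run as root on the server once everything is in place: INPUT
# must jump to the sshguard chain, and every address sshguard has blocked
# shows up inside that chain as a DROP rule (source column of iptables -L -n).
show_live_chain() {
    iptables -L INPUT -n | grep -q sshguard \
        || { echo "INPUT does not jump to the sshguard chain"; return 1; }
    echo "addresses currently blocked by sshguard:"
    iptables -L sshguard -n | awk '$1 == "DROP" { print $4 }'
}

# Usage: sh sshguard-check.sh [rc.local] [syslog-ng.conf]
# The file checks run only when at least one path is given, so the functions
# can also be sourced and called one at a time.
if [ $# -ge 1 ]; then
    check_rc_local "$1" && check_syslog_ng_conf "${2:-/etc/syslog-ng/syslog-ng.conf}"
fi
```

Run it as `sh sshguard-check.sh /etc/rc.local /etc/syslog-ng/syslog-ng.conf` after making the edits, and call `show_live_chain` as root after the reload to see which addresses sshguard has actually blocked.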