Here are my notes of what is needed in case I ever need to re-do it:
- Download sshguard-1.4.tar.gz from http://www.sshguard.net/
- Unpack and compile (see the stock documentation on sshguard.net)
- In /etc/rc.local add the following lines before the "exit 0". This creates a dedicated iptables chain and sends all incoming ssh traffic (tcp port 22) through it, so that sshguard has a chain of its own to add block rules to:
iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard
Run those two iptables commands once by hand before you edit the syslog configuration (or reboot so rc.local applies them), so that the sshguard chain exists before sshguard starts adding block rules to it.
In /etc/syslog-ng/syslog-ng.conf add the following lines (around line 190 in the stock file). The filter keeps only auth/authpriv messages and drops sshguard's own log lines so they are not fed back to it; the destination pipes each matching line into sshguard in the "$DATE $FULLHOST $MESSAGE" form it expects:
filter sshlogs { facility(auth, authpriv) and not match("sshguard"); };
destination sshguardproc {
    program("/usr/local/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
And down near the end of the file, add the log statement that ties the source, filter and destination together:
log { source(s_all); filter(sshlogs); destination(sshguardproc); };
And finally make syslog-ng reload its configuration (sudo killall -HUP syslog-ng) and read the sshguard FAQs: http://www.sshguard.net/docs/faqs/
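To see what the filter and template above actually hand to sshguard, here is an added example (my own model, not code from sshguard or syslog-ng) that parses RFC 3164-style syslog lines with a <PRI> prefix, applies the same rule as the sshlogs filter (facility auth or authpriv, and no "sshguard" in the line; syslog-ng's match() is approximated here as a substring search over the whole line), and renders the "$DATE $FULLHOST $MESSAGE\n" template. The sample lines, hostname and addresses are constructed for the example.

```python
"""Model of the syslog-ng sshlogs filter and sshguardproc template from the
notes above (added example, not syslog-ng or sshguard code)."""
import re

# Facility numbers from RFC 3164; PRI = facility * 8 + severity.
FACILITY_AUTH = 4
FACILITY_AUTHPRIV = 10
WANTED_FACILITIES = {FACILITY_AUTH, FACILITY_AUTHPRIV}

# <PRI>Mmm dd hh:mm:ss host message   (classic BSD syslog layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse(line):
    """Return (facility, severity, date, host, message), or None if the line
    does not look like a syslog record (no PRI header or PRI out of range)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 + 7 severities is the maximum
        return None
    return pri // 8, pri % 8, m.group("date"), m.group("host"), m.group("msg")


def sshlogs_filter(line):
    """Mirror of: filter sshlogs { facility(auth, authpriv) and not match("sshguard"); };
    Lines that fail to parse are rejected rather than forwarded."""
    parsed = parse(line)
    if parsed is None:
        return False
    facility = parsed[0]
    return facility in WANTED_FACILITIES and "sshguard" not in line


def render(line):
    """Apply template("$DATE $FULLHOST $MESSAGE\n") to one parsed line."""
    _facility, _severity, date, host, msg = parse(line)
    return f"{date} {host} {msg}\n"


def feed_sshguard(lines):
    """Return the text that would be piped to sshguard's stdin for these lines."""
    return "".join(render(line) for line in lines if sshlogs_filter(line))


# Constructed sample input: <38> is auth.info, <86> is authpriv.info,
# <30> is daemon.info; the last line has no PRI header at all.
SAMPLE = [
    "<38>Mar  1 10:00:01 bastion sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2",
    "<86>Mar  1 10:00:02 bastion sshd[1235]: Accepted publickey for alice from 192.0.2.20 port 4243 ssh2",
    "<30>Mar  1 10:00:03 bastion cron[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>Mar  1 10:00:04 bastion sshguard[77]: Blocking 192.0.2.10 for >630secs: 40 danger in 4 attacks",
    "garbage line with no PRI",
]

if __name__ == "__main__":
    # Only the two sshd lines survive: cron is the wrong facility, the
    # sshguard line is excluded by "not match", the garbage line never parses.
    print(feed_sshguard(SAMPLE), end="")
```

The fourth sample line is the reason for the not match("sshguard") clause: sshguard logs its own blocking actions via syslog with the auth facility, and without that clause those lines would be piped straight back into sshguard.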