Tuesday, March 9, 2010

sshguard on Debian/lenny

The sshguard documentation is correct, but a little lacking.

Here are my notes of what is needed in case I ever need to re-do it:

  • Download sshguard-1.4.tar.gz from http://www.sshguard.net/

  • Unpack and compile (see the stock documentation on sshguard.net)

  • In /etc/rc.local add the following lines before the "exit 0". They create a dedicated iptables chain for sshguard to manage and route incoming ssh (tcp/22) traffic through it:

    iptables -N sshguard

    iptables -A INPUT -p tcp --dport 22 -j sshguard

    Run those two commands by hand (or reboot) before you edit the syslog configuration, so the chain already exists when sshguard starts adding block rules to it.

  • In /etc/syslog-ng/syslog-ng.conf add around line 190 the following lines. The filter sends auth/authpriv messages to sshguard but excludes sshguard's own log lines, so they are not fed back to it. The program path assumes the default source-build location (/usr/local/sbin); adjust it if you installed elsewhere:

    filter sshlogs { facility(auth, authpriv) and not match("sshguard"); };

    destination sshguardproc {
    program("/usr/local/sbin/sshguard",
    template("$DATE $FULLHOST $MESSAGE\n"));
    };

    And down near the end of the file, add:

    log { source(s_all); filter(sshlogs); destination(sshguardproc); };

  • And finally restart syslog-ng (sudo killall -HUP syslog-ng) and read the sshguard FAQs: http://www.sshguard.net/docs/faqs/
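An added check script (my own, not part of sshguard or its documentation) that verifies the wiring above. The parsing functions take the `iptables -S` output and syslog-ng.conf text as arguments, so they can be exercised without root; it assumes `iptables -S` and `pgrep` are available, and the function and variable names are mine.

```shell
# Return 0 when `iptables -S` output shows the sshguard chain and the
# INPUT jump for tcp/22 into it (the two rc.local lines above).
sshguard_chain_wired() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q '^-N sshguard$' || return 1
  printf '%s\n' "$rules" | grep -q '^-A INPUT .*-p tcp .*--dport 22 .*-j sshguard' || return 1
}

# Return 0 when syslog-ng.conf text contains the filter, destination and
# log statement that route auth/authpriv messages to sshguard, with the
# filter excluding sshguard's own messages (otherwise its "Blocking"
# lines would be fed back into it).
sshguard_syslog_wired() {
  conf="$1"
  printf '%s\n' "$conf" | grep -q 'filter sshlogs {.*facility(auth, authpriv).*not match("sshguard")' || return 1
  printf '%s\n' "$conf" | grep -q 'destination sshguardproc' || return 1
  printf '%s\n' "$conf" | grep -q 'log {.*filter(sshlogs).*destination(sshguardproc)' || return 1
}

# Idempotent form of the rc.local lines: safe to run more than once,
# unlike a bare `iptables -N sshguard`, which errors if the chain exists.
# (Greps the rule list instead of using `iptables -C`, which lenny lacks.)
ensure_sshguard_chain() {
  iptables -S | grep -q '^-N sshguard$' || iptables -N sshguard
  iptables -S INPUT | grep -q -- '-j sshguard' || \
    iptables -A INPUT -p tcp --dport 22 -j sshguard
}

# Live check against the running system; run as root after the steps above.
check_live() {
  sshguard_chain_wired "$(iptables -S)" || { echo "iptables: sshguard chain not wired"; return 1; }
  sshguard_syslog_wired "$(cat /etc/syslog-ng/syslog-ng.conf)" || { echo "syslog-ng: sshguard routing missing"; return 1; }
  pgrep -x sshguard >/dev/null || { echo "sshguard is not running"; return 1; }
  echo "sshguard wiring looks correct"
}
```

Call `check_live` as root to verify a box; `ensure_sshguard_chain` can replace the two raw iptables lines in rc.local.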