Blocking addresses with PF
In this scenario, the host running sshguard runs PF, which has to be configured to accept blocking rules from sshguard.
Configuring a new table for sshguard in PF
PF has tables: named sets of addresses to which the same rule applies. The PF configuration needs a rule that blocks TCP traffic to the ssh port (or all traffic, if you prefer) from addresses that have proven to be sources of attacks; sshguard fills that table as it detects attackers.
Edit the PF configuration file, usually /etc/pf.conf:
vim /etc/pf.conf
Add this line in the table section:
table <sshguard> persist
Add this line in the packet filtering (rules) section:
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
Replace $ext_if with the name of your WAN interface if needed. Omit the proto tcp and to any port 22 parts if you want to block all traffic from attackers (not just ssh).
Load the new configuration:
pfctl -f /etc/pf.conf
This command displays the addresses currently in the sshguard table (that is, the addresses being blocked) at any time:
pfctl -t sshguard -T show
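The steps above can be checked before a reload with the following script. It is an added example, not part of sshguard or PF; it assumes the table is named sshguard as in this recipe, and it verifies that the table is declared with persist, that a block rule references it, that the table is defined before the rule (pf.conf is order-sensitive), that every $macro in the rule such as $ext_if is defined, and, when pfctl is installed, that pfctl -n parses the file.

```shell
#!/bin/sh
# check_sshguard_pf: lint a pf.conf for the pieces the recipe above requires.
# Added example, not part of sshguard or PF; assumes the table is named "sshguard".
# Usage: . ./check_sshguard_pf.sh; check_sshguard_pf /etc/pf.conf   (returns 0 when OK)
check_sshguard_pf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    status=0
    # Drop comments, then locate the table definition and the first rule using it.
    stripped=$(sed 's/#.*//' "$conf")
    table_ln=$(printf '%s\n' "$stripped" | grep -n '^[[:space:]]*table[[:space:]]*<sshguard>' \
               | head -n1 | cut -d: -f1)
    rule_ln=$(printf '%s\n' "$stripped" | grep -n '^[[:space:]]*block.*from[[:space:]]*<sshguard>' \
               | head -n1 | cut -d: -f1)
    if [ -z "$table_ln" ]; then
        echo "missing: table <sshguard> persist"; status=1
    elif ! printf '%s\n' "$stripped" | sed -n "${table_ln}p" | grep -q persist; then
        # Without persist the kernel drops the table once no rule refers to it.
        echo "warning: table <sshguard> lacks 'persist'"; status=1
    fi
    if [ -z "$rule_ln" ]; then
        echo "missing: block rule with 'from <sshguard>'"; status=1
    else
        # pf.conf is ordered: a table must be defined before a rule references it.
        if [ -n "$table_ln" ] && [ "$rule_ln" -lt "$table_ln" ]; then
            echo "error: rule (line $rule_ln) uses <sshguard> before table (line $table_ln)"; status=1
        fi
        # Every $macro in the rule (e.g. $ext_if) must be defined, or pfctl rejects the file.
        rule=$(printf '%s\n' "$stripped" | sed -n "${rule_ln}p")
        for m in $(printf '%s\n' "$rule" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | tr -d '$'); do
            printf '%s\n' "$stripped" | grep -q "^[[:space:]]*$m[[:space:]]*=" \
                || { echo "missing: macro \$$m used by the block rule is undefined"; status=1; }
        done
    fi
    # When pfctl is present, parse the file without loading it as a final check.
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -n -f "$conf" || status=1
    fi
    [ "$status" -eq 0 ] && echo "ok: $conf defines <sshguard> and a block rule using it"
    return "$status"
}
if [ $# -gt 0 ]; then check_sshguard_pf "$1"; fi
```

Run it against a copy of your edited pf.conf before issuing pfctl -f; a non-zero exit means the table or rule is missing or mis-ordered and sshguard would have nothing to fill.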
IPv6 support
PF handles IPv4 and IPv6 addresses alike, so the setup above covers both address families. Sshguard automatically inserts IPv6 addresses into the table when IPv6 sources need to be blocked.