
Configure SSHGuard for OS X 10.8 and Higher

::UPDATE:: I’ve confirmed that this still works under Mavericks.
::UPDATE 2/15/2015:: Still works fine on Yosemite
::UPDATE 1/31/1016:: El Capitan appears to use socketfilterfw instead of pf, though pf is still installed. I’ll post when I have this working on El Cap.

These instructions use Homebrew and PF with SSHGuard on OS X 10.8.4 and higher (10.10 tested). Previous versions of OS X may use IPFW instead of PF and secure.log instead of system.log.


$ brew install sshguard
$ su #(or use sudo from here-on out)
$ vim /etc/pf.conf

(Add the following lines. This assumes your Ethernet and Wi-Fi interfaces are en0 and en1. You can also use en0 and en1 directly in the rules instead of setting up variables.)


#############
# Variables #
#############
ext_if="en0"
wifi="en1"
loop_if="lo0"
############
# SSHGuard #
############
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard"
block in quick on $wifi proto tcp from <sshguard> to any port 22 label "sshguard"


$ (sudo) pfctl -f /etc/pf.conf #reloads the rules
$ (sudo) cp -fv /usr/local/opt/sshguard/*.plist /Library/LaunchDaemons #set sshguard to run at startup
$ (sudo) launchctl load /Library/LaunchDaemons/homebrew.mxcl.sshguard.plist #start sshguard
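
A quick sanity check for the pf.conf rules above, as an added example that is not part of the original post: it confirms the file declares the sshguard table with persist, that at least one block rule references it, and that every macro used in those rules was defined earlier. The function name check_sshguard_pf is hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. check_sshguard_pf is a
# hypothetical helper name; it only reads text and never calls pfctl.
# Usage: check_sshguard_pf /etc/pf.conf   (or pipe rules on stdin)
check_sshguard_pf() {
  awk '
    { sub(/#.*/, "") }                          # strip comments
    /^[ \t]*$/ { next }                         # skip blank lines
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {    # macro definition, e.g. ext_if="en0"
      name = $0
      sub(/^[ \t]*/, "", name); sub(/[ \t]*=.*/, "", name)
      defined[name] = 1
      next
    }
    /^[ \t]*table[ \t]+<sshguard>/ {            # table declaration
      table = 1
      if ($0 !~ /persist/) { print "line " NR ": table <sshguard> lacks persist"; bad = 1 }
      next
    }
    /^[ \t]*block/ && /<sshguard>/ {            # block rule fed by the table
      rules++
      rest = $0
      while (match(rest, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
        m = substr(rest, RSTART + 1, RLENGTH - 1)
        if (!(m in defined)) { print "line " NR ": macro $" m " used before definition"; bad = 1 }
        rest = substr(rest, RSTART + RLENGTH)
      }
    }
    END {
      if (!table) { print "no table <sshguard> declaration"; bad = 1 }
      if (!rules) { print "no block rule references <sshguard>"; bad = 1 }
      exit bad + 0
    }
  ' "$@"
}

# Constructed sample: the rules above with the wifi macro left undefined.
check_sshguard_pf <<'EOF' || echo "sample rejected"
ext_if="en0"
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard"
block in quick on $wifi proto tcp from <sshguard> to any port 22 label "sshguard"
EOF
```

On the machine itself, pfctl -nf /etc/pf.conf parses the file without loading it, and pfctl -t sshguard -T show lists the addresses currently in the table.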

Here are the contents of homebrew.mxcl.sshguard.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.sshguard</string>
<key>KeepAlive</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/sshguard/sbin/sshguard</string>
<string>-l</string>
<string>/var/log/system.log</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I’m including images of my terminal showing the contents of these files since WordPress seems to find new ways to break the formatting of this post every so often.

pf.conf:
[image: Screenshot 2015-02-15 16.46.08]

homebrew.mxcl.sshguard.plist:
[image: homebrew_mxcl_sshguard_plist]

If you don’t have homebrew installed, you should download the source and compile it for PF.
