configure SSHGuard for OS X 10.8 and Higher

::UPDATE:: I’ve confirmed that this still works under Mavericks.
::UPDATE 2/15/2015:: Still works fine on Yosemite
::UPDATE 1/31/1016:: El Capitan appears to use socketfilterfw instead of pf, though pf is still installed. I’ll post when I have this working on El Cap.

These instructions use Homebrew and PF with SSHGuard on OS X 10.8.4 and higher (10.10 tested). Previous versions of OS X may use IPFW instead of PF and secure.log instead of system.log.


$ brew install sshguard
$ su #(or use sudo from here-on out)
$ vim /etc/pf.conf

(add the following lines – this assumes your ethernet and wifi interfaces are en0 and en1. You can also use en0 and en1 in the rules instead of setting up variables)


#############
# Variables #
#############
ext_if="en0"
wifi="en1"
loop_if="lo0"
############
# SSHGuard #
############
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard"
block in quick on $wifi proto tcp from <sshguard> to any port 22 label "sshguard"


$ (sudo) pfctl -f /etc/pf.conf #reloads the rules
$ (sudo) cp -fv /usr/local/opt/sshguard/*.plist /Library/LaunchDaemons #set sshguard to run at startup
$ (sudo) launchctl load /Library/LaunchDaemons/homebrew.mxcl.sshguard.plist #start sshguard
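
Before reloading with pfctl -f, the SSHGuard part of pf.conf can be linted offline. The script below is an added example, not part of the original post: the function names are hypothetical, and it checks only what this page covers (the trailing newline a commenter reports pf.conf needs, the table <sshguard> declaration, and that the macros used in the block rules are defined).

```shell
#!/bin/sh
# Added example: offline lint for the SSHGuard part of a pf.conf.
# Function names are hypothetical; run it before "pfctl -f".

# True when the file is non-empty and its last byte is a newline
# (command substitution strips a trailing newline, leaving "").
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Prints one line per problem; returns non-zero if any were found.
lint_pf_conf() {
    conf=$1
    problems=$(
        ends_with_newline "$conf" || echo "no trailing newline"
        awk '
            /^[ \t]*#/ { next }                         # comment line
            /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {          # macro definition
                name = $0; sub(/[ \t]*=.*/, "", name)
                macros[name] = 1; next
            }
            /^table[ \t]+<sshguard>/ { tbl = NR; next }
            /^block/ && /<sshguard>/ {
                rules++
                if (!tbl) print "line " NR ": block rule before table <sshguard>"
                for (i = 1; i <= NF; i++) {
                    name = substr($i, 2)
                    if ($i ~ /^\$/ && !(name in macros))
                        print "line " NR ": undefined macro " $i
                }
            }
            END {
                if (!tbl) print "table <sshguard> is not declared"
                if (!rules) print "no block rule references <sshguard>"
            }
        ' "$conf"
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# On the Mac itself, as root: parse the file without loading it,
# then list the addresses SSHGuard has put in the table.
live_checks() {
    pfctl -nf /etc/pf.conf && pfctl -t sshguard -T show
}
```

Run lint_pf_conf /etc/pf.conf after editing; live_checks needs root and only works once the sshguard table has been loaded.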

Here are the contents of homebrew.mxcl.sshguard.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.sshguard</string>
<key>KeepAlive</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/sshguard/sbin/sshguard</string>
<string>-l</string>
<string>/var/log/system.log</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I’m including images of my terminal showing the contents of these files since WordPress seems to find new ways to break the formatting of this post every so often.

pf.conf:
[Screenshot of pf.conf in the terminal]

homebrew.mxcl.sshguard.plist:
[Screenshot of homebrew.mxcl.sshguard.plist in the terminal]

If you don’t have homebrew installed, you should download the source and compile it for PF.

9 thoughts on “configure SSHGuard for OS X 10.8 and Higher”

    1. Not that I’ve found. The big factors that could cause problems would be OS X changing the default firewall or changing where SSH messages are logged, but neither of those seems to have happened in Yosemite.

  1. It looks like the tags in the plist were also dropped around the command filename,
    /usr/local/opt/sshguard/sbin/sshguard . Isn’t lack-of-html-escape-handling in blog-posts a joy?

  2. Another hint – /etc/pf.conf *requires* a line break at the end of the file, otherwise it reports a spurious syntax error.
