configure SSHGuard for OS X 10.8 and Higher

::UPDATE:: I’ve confirmed that this still works under Mavericks.
::UPDATE 2/15/2015:: Still works fine on Yosemite
::UPDATE 1/31/1016:: El Capitan appears to use socketfilterfw instead of pf, though pf is still installed. I’ll post when I have this working on El Cap.

These instructions use Homebrew and PF with SSHGuard on OS X 10.8.4 and higher (10.10 tested). Previous versions of OS X may use IPFW instead of PF and secure.log instead of system.log.


$ brew install sshguard
$ su #(or use sudo from here-on out)
$ vim /etc/pf.conf

(add the following lines – this assumes your ethernet and wifi interfaces are en0 and en1. You can also use en0 and en1 in the rules instead of setting up variables)


#############
# Variables #
#############
ext_if="en0"
wifi="en1"
loop_if="lo0"
############
# SSHGuard #
############
table <sshguard> persist
block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "sshguard"
block in quick on $wifi proto tcp from <sshguard> to any port 22 label "sshguard"


$ (sudo) pfctl -f /etc/pf.conf #reloads the rules
$ (sudo) cp -fv /usr/local/opt/sshguard/*.plist /Library/LaunchDaemons #set sshguard to run at startup
$ (sudo) launchctl load /Library/LaunchDaemons/homebrew.mxcl.sshguard.plist #start sshguard

Here are the contents of homebrew.mxcl.sshguard.plist:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.sshguard</string>
<key>KeepAlive</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/sshguard/sbin/sshguard</string>
<string>-l</string>
<string>/var/log/system.log</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

I’m including images of my terminal showing the contents of these files since WordPress seems to find new ways to break the formatting of this post every so often.

[Screenshot: pf.conf]

[Screenshot: homebrew.mxcl.sshguard.plist]

If you don’t have homebrew installed, you should download the source and compile it for PF.
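
A pre-flight check for the setup above, added here as an example (not part of the original post). It verifies that pf.conf ends with a newline and contains the sshguard table and block rule; with --live it also asks pfctl to parse the file, confirms pf is enabled and the rule is loaded, and lists the addresses currently in the table. The function names and the --live switch are assumptions of this example.

```sh
#!/bin/sh
# Added example: sanity checks for the pf + SSHGuard setup described in this post.

# Succeeds if the file is non-empty and its last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# Static checks on a pf.conf; prints one line per problem, returns non-zero if any.
check_pf_conf() {
    f="$1"; rc=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    ends_with_newline "$f" ||
        { echo "$f: no newline at end of file"; rc=1; }
    grep -Eq '^[[:space:]]*table[[:space:]]+<sshguard>' "$f" ||
        { echo "$f: 'table <sshguard> persist' is missing"; rc=1; }
    grep -Eq '^[[:space:]]*block[[:space:]].*from[[:space:]]+<sshguard>' "$f" ||
        { echo "$f: no block rule using <sshguard>"; rc=1; }
    return $rc
}

# Live checks; needs root and pfctl, so it only runs when asked for with --live.
check_live() {
    f="$1"
    # -n parses the ruleset without loading it
    pfctl -n -f "$f" || { echo "pfctl rejected $f"; return 1; }
    # Rules in a disabled pf are never evaluated
    pfctl -s info 2>/dev/null | grep -q 'Status: Enabled' ||
        { echo "pf is not enabled (enable with: pfctl -e)"; return 1; }
    # The block rule must be in the loaded ruleset, not just in the file
    pfctl -s rules 2>/dev/null | grep -q '<sshguard>' ||
        { echo "no loaded rule references <sshguard>; reload with pfctl -f $f"; return 1; }
    echo "addresses currently blocked by sshguard:"
    pfctl -t sshguard -T show
}

if [ "${1:-}" = "--live" ]; then
    conf="${2:-/etc/pf.conf}"
    check_pf_conf "$conf" && check_live "$conf"
fi
```

Saved under a name of your choice, it is run as root with `--live` and optionally the path to a pf.conf as the second argument.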

9 thoughts on “configure SSHGuard for OS X 10.8 and Higher”

    1. Not that I’ve found. The big factors that could cause problems would be OS X changing the default firewall or changing where SSH messages are logged, but neither of those seems to have happened in Yosemite.

      1. I think it’s not working properly, I see the sshguard blocking messages, but the connections keep coming in.

  1. It looks like the tags in the plist were also dropped around the command filename,
    /usr/local/opt/sshguard/sbin/sshguard . Isn’t lack-of-html-escape-handling in blog-posts a joy?

  2. Another hint – /etc/pf.conf *requires* a line break at the end of the file, otherwise it reports a spurious syntax error.
