SSHGuard settings on pfSense

SSHGuard settings on pfSense

Something that always annoyed me when performing a vulnerability scan on a pfSense system was the alerts it triggered. Basically, the vulnerability scanner would attempt to bruteforce SSH logins, which would trigger the sshguard protections, placing the IP address in the sshguard table (Diagnostics -> Tables), producing 100’s of firewall block messages, etc.

Dec 3 16:22:37 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:38553 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"
Dec 3 16:22:39 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:38553 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"
Dec 3 16:22:43 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:38553 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"
Dec 3 16:22:46 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:48443 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"
Dec 3 16:22:47 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:48443 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"
Dec 3 16:22:49 - Int: em0 Type: block Prot: tcp Src: 192.168.1.8:48443 Dest: 192.168.1.1:22
Tracker: 1000000301 - block drop in log quick proto tcp from <sshguard:1> to (self:14) port = ssh label "sshguard"

Based on what I’ve read elsewhere, some monitoring solutions such as Nagios or Icinga also caused some sshguard false positives. I’m guessing those solutions are just checking for open SSH ports because this other, ridiculously in-depth solution hasn’t triggered sshguard one time. 😉 Shameless plug!

As of pfSense verison 2.4.4, there is now an option to whitelist IP addresses. Simply go to System -> Advanced (Admin Access). Scroll down to the login protection section, which is under the secure shell section as shown below. Add the IP address for the vulnerability scanner as shown below. Don’t forget to click ‘Save’ after you’re done!

pfsense whiltelist protection sshguard

Please note that this only eliminates the failed SSH logins. You should still receive alerts tied to failed HTTP logins, incorrect HTTP paths, etc. The other side bonus to whitelisting the IP is that your vulnerability scan should finish a bit quicker too.

Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.

One thought on “SSHGuard settings on pfSense

Leave a Reply

Your email address will not be published.