Install and Configure SSHGuard on Linux Ubuntu: Prevent Brute Force Attacks Using the SSHGuard Tool
SSHGuard monitors servers through their logging activity. When the logs show that someone is doing a Bad Thing, SSHGuard reacts by blocking that someone for a while.
When it detects that someone is doing something bad to a service, SSHGuard blocks the offending IP address. SSHGuard runs on the machine as a small daemon and receives log messages in a number of ways (e.g. from syslog). When it determines that address X did something bad to service Y, it fires a rule in the machine's firewall (one of the many supported) to block X.
SSHGuard keeps X blocked for some time, then releases it automatically.
Some of the most important features of SSHGuard are:
- SSHGuard interprets log messages in several formats: syslog, syslog-ng, metalog, multilog and raw log.
- SSHGuard works with all the major firewalling systems.
- SSHGuard supports log message authentication. It features automatic blacklisting and supports IPv6 addressing. It supports monitoring of multiple log sources, sophisticated whitelisting, and per-service and per-address blocking actions.
These are the available blocking backends (choose yours):
- SSHGuard with PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- SSHGuard with netfilter/iptables (Linux)
- SSHGuard with IPFW (FreeBSD, Mac OS X)
- SSHGuard with IP FILTER (FreeBSD, NetBSD, Solaris)
- SSHGuard with TCP wrappers / hosts.allow (almost any UNIX system)
Install SSHGuard
SSHGuard is distributed under the permissive BSD license: you can use, modify and redistribute the software, at your own risk, for any use, including commercial.
Run the following commands in Terminal to install SSHGuard:
On Ubuntu and Debian Systems:
sudo apt-get install sshguard
On CentOS and RHEL Systems:
wget http://sourceforge.net/projects/flexbox/files/flexbox-release-1-1.noarch.rpm
# install the downloaded repository package so yum can see the flexbox repository
sudo rpm -ivh flexbox-release-1-1.noarch.rpm
sudo yum repolist
sudo yum install sshguard
For other distros, download the respective binary package from the official site and install it manually.
Configure SSHGuard With Iptables/Netfilter
To configure SSHGuard with iptables/netfilter, create a new chain named sshguard in iptables; this is the chain into which SSHGuard's iptables backend inserts its blocking rules, so the name must match.
For IPv4:
iptables -N sshguard
For IPv6:
ip6tables -N sshguard
Now update the INPUT chain to also pass traffic to the sshguard chain at the very end of its processing. Specify in --dport all the ports of the services your SSHGuard protects.
Note that if you want to stop abusers from sending any traffic at all to the host, omit the port option entirely:
# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
or block abusers only for the SSH, FTP, POP and IMAP services (using the "multiport" module):
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
Save the iptables rules.
Verify that you do NOT have a default allow rule passing all SSH traffic earlier in the INPUT chain (it would be matched before the sshguard chain, so blocks would never apply), and that you do NOT have a default deny rule blocking all SSH traffic in your firewall (nobody could log in). In either case, you already have the skill to adjust your firewall setup. A complete minimal ruleset looks like this:
iptables -N sshguard
# block whatever SSHGuard says is bad …
iptables -A INPUT -j sshguard
# keep loopback and replies to the host's own outbound connections working;
# without these, the default-deny policy below breaks outbound DNS, updates, etc.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# enable ssh, dns, http, https
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# and block everything else (default deny)
iptables -P INPUT DROP
Note that by default the firewall configuration is reset on reboot, so the saved rules must be restored at boot.
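The two ordering mistakes described above (an ACCEPT for SSH placed before the sshguard jump, or a default DROP with no ACCEPT for SSH at all) can be caught from an iptables-save dump. The following audit script is an added example, not code from the original article or from the sshguard project; it assumes the chain is named sshguard and reads constructed sample dumps rather than a live host.

```shell
#!/bin/sh
# Added example (not from the article or the sshguard project): audit an
# iptables-save dump for the ordering mistakes the text warns about. Assumes
# the chain is named "sshguard", the chain sshguard's iptables backend uses.

# check_sshguard_order DUMP: DUMP is iptables-save text. Returns 0 when the
# sshguard chain exists, INPUT jumps to it, and no ACCEPT for tcp/22 sits
# above that jump; otherwise prints the problem and returns 1.
check_sshguard_order() {
  dump="$1"; n=0; jump=0; accept22=0; has_chain=0; policy=""
  while IFS= read -r line; do
    case "$line" in
      ":sshguard "*) has_chain=1 ;;
      ":INPUT "*) policy=${line#":INPUT "}; policy=${policy%% *} ;;
      "-A INPUT "*)
        n=$((n + 1))                      # position of this rule in INPUT
        case "$line" in
          *" -j sshguard"*) if [ "$jump" -eq 0 ]; then jump=$n; fi ;;
          *"--dport 22 "*"-j ACCEPT"*) if [ "$accept22" -eq 0 ]; then accept22=$n; fi ;;
        esac ;;
    esac
  done <<EOF
$dump
EOF
  if [ "$has_chain" -eq 0 ]; then echo "no sshguard chain defined"; return 1; fi
  if [ "$jump" -eq 0 ]; then echo "INPUT never jumps to sshguard"; return 1; fi
  if [ "$accept22" -ne 0 ] && [ "$accept22" -lt "$jump" ]; then
    echo "ACCEPT for tcp/22 (rule $accept22) precedes the sshguard jump (rule $jump)"
    return 1
  fi
  if [ "$policy" = "DROP" ] && [ "$accept22" -eq 0 ]; then
    echo "INPUT policy DROP with no ACCEPT for tcp/22: SSH blocked for everyone"
    return 1
  fi
  echo "ok: sshguard jump is INPUT rule $jump"
}

# Constructed sample dumps in iptables-save format (not from a real host).
GOOD_DUMP=':INPUT DROP [0:0]
:sshguard - [0:0]
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
BAD_DUMP=':INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'

check_sshguard_order "$GOOD_DUMP"        # ok: sshguard jump is INPUT rule 1
check_sshguard_order "$BAD_DUMP" || :    # ACCEPT for tcp/22 (rule 1) precedes the sshguard jump (rule 2)
```

On a real host, feed it the live ruleset with `check_sshguard_order "$(sudo iptables-save)"`.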