In this article, I will take you through the steps to install and configure SSHGuard to Block Brute Force Attacks on Linux Servers. SSHGuard is a free and open source application that works along with firewall to protect hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.
SSHGuard can read log messages from standard input or monitor one or more log files to detect an attack. Log messages are parsed line by line for recognized patterns. If there is an attack where several login failures are detected within a few seconds then the offending IP will be blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option. More on SSHGuard Official documentation.
How to Install and Configure SSHGuard to Block Brute Force Attacks
Also Read: How to Define Audit File System Rules in RHEL/CentOS/Rocky Linux
Step 1: Prerequisites
a) You should have a running Linux Server(in my case it is
Ubuntu 20.04 LTS Server).
b) You should have
root access to run privileged commands.
c) You should have
apt-get utility available in your System.
d) You should have atleast one firewall(
Iptables) installed in your System.
Step 2: Update Your Server
It is always recommended to first sync the package index files from their sources using
apt update command as shown below. If there is any latest version available for any of the installed packages then you can upgrade the package by using apt upgrade command.
root@cyberithub:~# apt update Hit:1 http://in.archive.ubuntu.com/ubuntu focal InRelease Get:2 http://in.archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB] Get:3 https://apt.releases.hashicorp.com focal InRelease [9,495 B] Get:4 http://in.archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB] Get:5 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB] Get:6 https://apt.releases.hashicorp.com focal/main amd64 Packages [46.2 kB] Get:7 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [1,510 kB] Hit:8 https://dl.google.com/linux/chrome/deb stable InRelease Get:9 http://in.archive.ubuntu.com/ubuntu focal-updates/main i386 Packages [592 kB] Get:10 http://in.archive.ubuntu.com/ubuntu focal-updates/main amd64 DEP-11 Metadata [281 kB] Get:11 http://in.archive.ubuntu.com/ubuntu focal-updates/main DEP-11 48x48 Icons [60.8 kB] Get:12 http://in.archive.ubuntu.com/ubuntu focal-updates/main DEP-11 64x64 Icons [98.3 kB] .....................................................................
If you are using
RHEL/CentOS/Fedora/Rocky Linux based systems, then you can use below command to update your Server.
yum update dnf update
Similarly if any packages require upgradation then upgrade it by using below command.
yum upgrade dnf upgrade
Step 3: Install SSHGuard
Next step is to install SSHGuard package by using apt install sshguard command as shown below. This will install the package along with all its required dependencies.
root@cyberithub:~# apt install sshguard Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: sshguard 0 upgraded, 1 newly installed, 0 to remove and 213 not upgraded. Need to get 272 kB of archives. After this operation, 1,683 kB of additional disk space will be used. Get:1 http://in.archive.ubuntu.com/ubuntu focal-updates/universe amd64 sshguard amd64 2.3.1-1ubuntu1.1 [272 kB] Fetched 272 kB in 0s (673 kB/s) Selecting previously unselected package sshguard. (Reading database ... 197203 files and directories currently installed.) Preparing to unpack .../sshguard_2.3.1-1ubuntu1.1_amd64.deb ... Unpacking sshguard (2.3.1-1ubuntu1.1) ... Setting up sshguard (2.3.1-1ubuntu1.1) ... Created symlink /etc/systemd/system/multi-user.target.wants/sshguard.service → /lib/systemd/system/sshguard.service. Processing triggers for man-db (2.9.1-1) ... Processing triggers for systemd (245.4-4ubuntu3.15) ...
If you are using
RHEL/CentOS/Fedora/Rocky Linux based systems, then first enable EPEL repository by using below command.
yum install epel-release dnf install epel-release
Then install the package by using below given command.
yum install sshguard dnf install sshguard
Step 4: Verify Service Status
Once the package is successfully installed you can check the status by using
systemctl status sshguard command as shown below. As you can see it is currently showing in active and running state. But in case if it shows Inactive then you need to start the service by using systemctl start sshguard command.
root@cyberithub:~# systemctl status sshguard ● sshguard.service - SSHGuard Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2022-01-25 19:06:35 IST; 16min ago Docs: man:sshguard(8) Main PID: 4088 (sshguard) Tasks: 8 (limit: 5836) Memory: 19.7M CGroup: /system.slice/sshguard.service ├─4088 /bin/sh /usr/sbin/sshguard ├─4090 /bin/sh /usr/sbin/sshguard ├─4091 /usr/lib/x86_64-linux-gnu/sshg-parser ├─4092 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist ├─4093 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 ├─4094 /bin/sh /usr/sbin/sshguard └─4096 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-iptables
Step 5: Enable the Service
If you want sshguard service to be automatically started after every system reboot then you can enable the service by using
systemctl enable sshguard command as shown below.
root@cyberithub:~# systemctl enable sshguard Synchronizing state of sshguard.service with SysV service script with /lib/systemd/systemd-sysv-install. Executing: /lib/systemd/systemd-sysv-install enable sshguard
Step 6: Configure SSHGuard
You need to configure SSHGuard to protect your system from SSH brute force attacks. This can be done by modifying
/etc/sshguard/sshguard.conf file. Below are the required configuration that needs to be given here:-
- BACKEND : Specify full path to backend executable. Here by default it is set to iptables firewall.
- LOGREADER : Shell command that provides logs on standard output.
- THRESHOLD : It is the value after which attackers will be blocked.
- BLOCK_TIME : It is the time till which attackers will be blocked after exceeding the threshold.
- DETECTION_TIME : It is the time in seconds upto which System will remember the attacker before the score is reset.
- WHITELIST_FILE : It is the full path of the file which contains the host address that are not supposed to be blocked.
root@cyberithub:~# nano /etc/sshguard/sshguard.conf #### REQUIRED CONFIGURATION #### # Full path to backend executable (required, no default) BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-iptables" # Shell command that provides logs on standard output. (optional, no default) # Example 1: ssh and sendmail from systemd journal: LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10" #### OPTIONS #### # Block attackers when their cumulative attack score exceeds THRESHOLD. # Most attacks have a score of 10. (optional, default 30) THRESHOLD=30 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. # Subsequent blocks increase by a factor of 1.5. (optional, default 120) BLOCK_TIME=120 # Remember potential attackers for up to DETECTION_TIME seconds before # resetting their score. (optional, default 1800) DETECTION_TIME=1800 # IP addresses listed in the WHITELIST_FILE are considered to be # friendlies and will never be blocked. WHITELIST_FILE=/etc/sshguard/whitelist
After performing the changes, you can reload the daemon to update the changes.
root@cyberithub:~# systemctl restart sshguard
Step 7: Block SSH Attacks Using Firewalld
If you are using firewalld then run below command to enable sshguard permanently for IPV4 address family. In case if you want to enable for IPV6 addresses also then you need to use
"firewall-cmd --permanent --new-ipset="sshguard6" --type="hash:net" --option="family=inet6" command.
root@cyberithub:~# firewall-cmd --permanent --new-ipset="sshguard4" --type="hash:net" --option="family=inet" success
Then reload the firewall to update the changes.
root@cyberithub:~# firewall-cmd --reload success
Next restart sshguard daemon as well to apply the changes.
root@cyberithub:~# systemctl restart sshguard
You can also verify the applied rule by using
firewall-cmd --info-ipset=sshguard4 command for IPV4 address and
firewall-cmd --info-ipset=sshguard6 command for IPV6 address as shown below.
root@cyberithub:~# firewall-cmd --info-ipset=sshguard4 sshguard4 type: hash:net options: family=inet entries:
Step 8: Block SSH Attacks Using Iptables
If you are using Iptables then create a new chain rule called sshguard using
iptables -N sshguard command as shown below.
root@cyberithub:~# iptables -N sshguard
Append the Input chain and redirect all the traffic to sshguard rule using iptables -A INPUT -j sshguard command as shown below.
root@cyberithub:~# iptables -A INPUT -j sshguard
Then to block any destination port for example
TCP Port 22 in this case, use below iptables command.
root@cyberithub:~# iptables -A INPUT -m multiport -p tcp --destination-ports 22 -j sshguard
Finally save the rule to apply all the changes.
root@cyberithub:~# iptables-save > /etc/iptables/iptables.rules
Step 9: Block SSH Attacks Using UFW
If you are using UFW Firewall then you need to modify
/etc/ufw/before.rules and add rule for redirecting SSH traffic to sshguard.
root@cyberithub:~# nano /etc/ufw/before.rules .......................................................... # Don't delete these required lines, otherwise there will be errors *filter :ufw-before-input - [0:0] :ufw-before-output - [0:0] :ufw-before-forward - [0:0] :ufw-not-local - [0:0] # End required lines # allow all on loopback -A ufw-before-input -i lo -j ACCEPT -A ufw-before-output -o lo -j ACCEPT # Redirecting SSH Traffic to sshguard :sshguard - [0:0] -A ufw-before-input -p tcp --dport 22 -j sshguard
Then restart firewall by using
systemctl restart ufw command as shown below.
root@cyberithub:~# systemctl restart ufw
Step 10: Whitelist SSH Blocked Hosts
If you want to whitelist any of the blocked hosts then you need to do it through
/etc/sshguard/whitelist file as shown below. It is important note here that this file name and path is the same one which you need to provide in
/etc/sshguard/sshguard.conf file for whitelisting to work.
root@cyberithub:~# nano /etc/sshguard/whitelist # To see more examples, please see # /usr/share/doc/sshguard/examples/whitelistfile.example # Address blocks in CIDR notation 127.0.0.0/8 ::1/128