How to Install and Configure SSHGuard to Block Brute Force Attacks


In this article, I will take you through the steps to install and configure SSHGuard to Block Brute Force Attacks on Linux Servers. SSHGuard is a free and open source application that works along with firewall to protect hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

SSHGuard can read log messages from standard input or monitor one or more log files to detect an attack. Log messages are parsed line by line for recognized patterns. If there is an attack where several login failures are detected within a few seconds then the offending IP will be blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option. More on SSHGuard Official documentation.

How to Install and Configure SSHGuard to Block Brute Force Attacks

How to Install and Configure SSHGuard to Block Brute Force Attacks

Also Read: How to Define Audit File System Rules in RHEL/CentOS/Rocky Linux

Step 1: Prerequisites

a) You should have a running Linux Server(in my case it is Ubuntu 20.04 LTS Server).

b) You should have sudo or root access to run privileged commands.

c) You should have apt or apt-get utility available in your System.

d) You should have atleast one firewall(ufw, firewalld or Iptables) installed in your System.



Step 2: Update Your Server

It is always recommended to first sync the package index files from their sources using apt update command as shown below. If there is any latest version available for any of the installed packages then you can upgrade the package by using apt upgrade command.

root@cyberithub:~# apt update
Hit:1 focal InRelease
Get:2 focal-updates InRelease [114 kB]
Get:3 focal InRelease [9,495 B]
Get:4 focal-backports InRelease [108 kB]
Get:5 focal-security InRelease [114 kB]
Get:6 focal/main amd64 Packages [46.2 kB]
Get:7 focal-updates/main amd64 Packages [1,510 kB]
Hit:8 stable InRelease
Get:9 focal-updates/main i386 Packages [592 kB]
Get:10 focal-updates/main amd64 DEP-11 Metadata [281 kB]
Get:11 focal-updates/main DEP-11 48x48 Icons [60.8 kB]
Get:12 focal-updates/main DEP-11 64x64 Icons [98.3 kB]

If you are using RHEL/CentOS/Fedora/Rocky Linux based systems, then you can use below command to update your Server.

yum update
dnf update

Similarly if any packages require upgradation then upgrade it by using below command.

yum upgrade
dnf upgrade


Step 3: Install SSHGuard

Next step is to install SSHGuard package by using apt install sshguard command as shown below. This will install the package along with all its required dependencies.

root@cyberithub:~# apt install sshguard
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
0 upgraded, 1 newly installed, 0 to remove and 213 not upgraded.
Need to get 272 kB of archives.
After this operation, 1,683 kB of additional disk space will be used.
Get:1 focal-updates/universe amd64 sshguard amd64 2.3.1-1ubuntu1.1 [272 kB]
Fetched 272 kB in 0s (673 kB/s)
Selecting previously unselected package sshguard.
(Reading database ... 197203 files and directories currently installed.)
Preparing to unpack .../sshguard_2.3.1-1ubuntu1.1_amd64.deb ...
Unpacking sshguard (2.3.1-1ubuntu1.1) ...
Setting up sshguard (2.3.1-1ubuntu1.1) ...
Created symlink /etc/systemd/system/ → /lib/systemd/system/sshguard.service.
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for systemd (245.4-4ubuntu3.15) ...

If you are using RHEL/CentOS/Fedora/Rocky Linux based systems, then first enable EPEL repository by using below command.

yum install epel-release
dnf install epel-release

Then install the package by using below given command.

yum install sshguard
dnf install sshguard


Step 4: Verify Service Status

Once the package is successfully installed you can check the status by using systemctl status sshguard command as shown below. As you can see it is currently showing in active and running state. But in case if it shows Inactive then you need to start the service by using systemctl start sshguard command.

root@cyberithub:~# systemctl status sshguard
● sshguard.service - SSHGuard
Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2022-01-25 19:06:35 IST; 16min ago
Docs: man:sshguard(8)
Main PID: 4088 (sshguard)
Tasks: 8 (limit: 5836)
Memory: 19.7M
CGroup: /system.slice/sshguard.service
├─4088 /bin/sh /usr/sbin/sshguard
├─4090 /bin/sh /usr/sbin/sshguard
├─4091 /usr/lib/x86_64-linux-gnu/sshg-parser
├─4092 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist
├─4093 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
├─4094 /bin/sh /usr/sbin/sshguard
└─4096 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-iptables


Step 5: Enable the Service

If you want sshguard service to be automatically started after every system reboot then you can enable the service by using systemctl enable sshguard command as shown below.

root@cyberithub:~# systemctl enable sshguard
Synchronizing state of sshguard.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable sshguard


Step 6: Configure SSHGuard

You need to configure SSHGuard to protect your system from SSH brute force attacks. This can be done by modifying /etc/sshguard/sshguard.conf file. Below are the required configuration that needs to be given here:-

  • BACKEND : Specify full path to backend executable. Here by default it is set to iptables firewall.
  • LOGREADER : Shell command that provides logs on standard output.
  • THRESHOLD : It is the value after which attackers will be blocked.
  • BLOCK_TIME : It is the time till which attackers will be blocked after exceeding the threshold.
  • DETECTION_TIME : It is the time in seconds upto which System will remember the attacker before the score is reset.
  • WHITELIST_FILE : It is the full path of the file which contains the host address that are not supposed to be blocked.
root@cyberithub:~# nano /etc/sshguard/sshguard.conf
# Full path to backend executable (required, no default)

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.

After performing the changes, you can reload the daemon to update the changes.

root@cyberithub:~# systemctl restart sshguard


Step 7: Block SSH Attacks Using Firewalld

If you are using firewalld then run below command to enable sshguard permanently for IPV4 address family. In case if you want to enable for IPV6 addresses also then you need to use "firewall-cmd --permanent --new-ipset="sshguard6" --type="hash:net" --option="family=inet6" command.

root@cyberithub:~# firewall-cmd --permanent --new-ipset="sshguard4" --type="hash:net" --option="family=inet"

Then reload the firewall to update the changes.

root@cyberithub:~# firewall-cmd --reload

Next restart sshguard daemon as well to apply the changes.

root@cyberithub:~# systemctl restart sshguard

You can also verify the applied rule by using firewall-cmd --info-ipset=sshguard4 command for IPV4 address and firewall-cmd --info-ipset=sshguard6 command for IPV6 address as shown below.

root@cyberithub:~# firewall-cmd --info-ipset=sshguard4
type: hash:net
options: family=inet


Step 8: Block SSH Attacks Using Iptables

If you are using Iptables then create a new chain rule called sshguard using iptables -N sshguard command as shown below.

root@cyberithub:~# iptables -N sshguard

Append the Input chain and redirect all the traffic to sshguard rule using iptables -A INPUT -j sshguard command as shown below.

root@cyberithub:~# iptables -A INPUT -j sshguard

Then to block any destination port for example TCP Port 22 in this case, use below iptables command.

root@cyberithub:~# iptables -A INPUT -m multiport -p tcp --destination-ports 22 -j sshguard

Finally save the rule to apply all the changes.

root@cyberithub:~# iptables-save > /etc/iptables/iptables.rules


Step 9: Block SSH Attacks Using UFW

If you are using UFW Firewall then you need to modify /etc/ufw/before.rules and add rule for redirecting SSH traffic to sshguard.

root@cyberithub:~# nano /etc/ufw/before.rules
# Don't delete these required lines, otherwise there will be errors
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# Redirecting SSH Traffic to sshguard
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard

Then restart firewall by using systemctl restart ufw command as shown below.

root@cyberithub:~# systemctl restart ufw


Step 10: Whitelist SSH Blocked Hosts

If you want to whitelist any of the blocked hosts then you need to do it through /etc/sshguard/whitelist file as shown below. It is important note here that this file name and path is the same one which you need to provide in /etc/sshguard/sshguard.conf file for whitelisting to work.

root@cyberithub:~# nano /etc/sshguard/whitelist
# To see more examples, please see
# /usr/share/doc/sshguard/examples/whitelistfile.example

# Address blocks in CIDR notation

Leave a Comment