Block SSH Brute Force Attacks Using SSHGuard

SSHGuard is a fast and lightweight log-monitoring tool written in C. It watches the authentication logs of the services it protects and, when a single address produces a run of failed logins (a handful of attempts, about four by default), blocks that address for a while by inserting a rule for it into an iptables chain. The block is lifted automatically after a timeout.


It is not limited to SSH: it can protect many other services, including sendmail, exim, dovecot, vsftpd and proftpd. For more information refer to the official website.
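To make the "count failures per address, then block" logic concrete, here is a small shell/awk imitation of what SSHGuard does with the auth log. This is an added example, not SSHGuard's own code: the log lines are constructed, the threshold of four failures follows the figure quoted above, and the generated rule shape (a per-address DROP inserted into the sshguard chain, ip6tables for IPv6 sources) is an assumption about the iptables backend. It only prints the rules it would issue; nothing is applied to the live firewall.

```shell
#!/bin/sh
# Added example: approximate SSHGuard's per-address failure counting.
# Not SSHGuard code. Log lines are constructed; threshold is an assumption.

# Constructed sample auth.log excerpt in OpenSSH "Failed password" format.
SAMPLE_LOG='Mar  3 10:01:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:01:04 host sshd[1235]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 10:01:05 host sshd[1236]: Accepted publickey for alice from 203.0.113.5 port 50000 ssh2
Mar  3 10:01:06 host sshd[1237]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:01:08 host sshd[1238]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Mar  3 10:01:09 host sshd[1239]: Failed password for alice from 203.0.113.5 port 50001 ssh2
Mar  3 10:01:10 host sshd[1240]: Failed password for invalid user oracle from 2001:db8::bad port 40004 ssh2'

# Number of failed logins from one address before it is treated as an abuser.
THRESHOLD=4

# Read an auth log on stdin; print each source address that reached THRESHOLD
# "Failed password" lines, one per line, sorted. Successful logins are ignored.
abusers_from_log() {
    awk -v limit="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The source address is the field after the word "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip }
    ' | sort
}

# Print (do not run) the blocking rule for one address. Addresses containing a
# colon are IPv6 and go to ip6tables; the sshguard chain must already exist.
block_command_for() {
    case "$1" in
        *:*) printf 'ip6tables -I sshguard -s %s -j DROP\n' "$1" ;;
        *)   printf 'iptables -I sshguard -s %s -j DROP\n' "$1" ;;
    esac
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | abusers_from_log | while read -r ip; do
        block_command_for "$ip"
    done
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run with `sh example.sh --run`: only 198.51.100.7 crosses the threshold (four failures), the address with one failure and one successful key login is left alone, and the IPv6 source with a single failure is ignored, which is the point of a threshold rather than blocking on the first wrong password.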

Install SSHGuard

On Ubuntu/Debian:

sk@sk:~$ sudo apt-get install sshguard

On CentOS/RHEL:

[root@server ~]# rpm -ivh http://flexbox.sourceforge.net/centos/5/i386/sshguard-1.5-2.el5.i386.rpm

If you are using a different architecture, download the corresponding RPM here. (The package above is built for CentOS 5 on i386.)

Configure SSHGuard with Iptables/Netfilter

This version of SSHGuard has no configuration file; it is driven by command-line options. All you have to do on the firewall side is create a chain named exactly sshguard, which is where SSHGuard inserts its blocking rules.

For IPv4 support :

[root@server ~]# iptables -N sshguard

For IPv6:

[root@server ~]# ip6tables -N sshguard

Now add a rule to the INPUT chain that hands traffic to the sshguard chain. Add a port match (--dport, or multiport for several ports) if you only want abusers cut off from particular services; leave the port match out if you want to drop all traffic from an abuser. Either way this jump must sit above any rule that ACCEPTs the protected traffic, because iptables stops at the first matching rule and an earlier ACCEPT would make the blocks meaningless.

Block all traffic from abusers

For IPv4 support:

[root@server ~]# iptables -A INPUT -j sshguard

For IPv6 support:

[root@server ~]# ip6tables -A INPUT -j sshguard

Block particular services such as SSH, FTP, POP, IMAP from abusers

For IPv4 support:

[root@server ~]# iptables -A INPUT -p tcp -m multiport --dports 21,22,110,143 -j sshguard

For IPv6 support:

[root@server ~]# ip6tables -A INPUT -p tcp -m multiport --dports 21,22,110,143 -j sshguard

Finally, save the iptables rules so they survive a reboot. On CentOS/RHEL:

[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

Debian and Ubuntu have no such service; there, dump the rules with iptables-save (for example into /etc/iptables/rules.v4 if you use the iptables-persistent package) so they are reloaded at boot.

Verify that there is no blanket ACCEPT rule for ssh traffic higher in the INPUT chain than the jump to sshguard (it would match first and the blocks would never apply), and that there is no default deny rule blocking all ssh traffic (you would lock yourself out). In either case you already have the tools to adjust your firewall setup.

Here is a sample ruleset that makes sense:

[root@server ~]# iptables -N sshguard

Block whatever sshguard says is bad:

[root@server ~]# iptables -A INPUT -j sshguard

Allow loopback traffic and replies to connections the host itself opened. Without this, the DROP policy set below would also drop the answers to your own outbound DNS lookups, package downloads and ssh sessions:

[root@server ~]# iptables -A INPUT -i lo -j ACCEPT
[root@server ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Enable ssh, dns, http, https:

[root@server ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
[root@server ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Block everything else. Set the policy last, once the ACCEPT rules are in place, so a remote session is not cut off halfway through:

[root@server ~]# iptables -P INPUT DROP
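The two ordering mistakes warned about above (an ssh ACCEPT that sits above the sshguard jump, or a DROP policy with nothing accepting tcp/22) are easy to check mechanically against the output of `iptables -S INPUT`. The following audit script is an added example, not part of SSHGuard or this page's original ruleset; the two rule dumps embedded in it are constructed, one matching the sample ruleset above and one showing the broken ordering. It reads a rule dump from stdin so it can be run offline or against the live chain.

```shell
#!/bin/sh
# Added example: audit an INPUT chain dump (format of `iptables -S INPUT`)
# for the sshguard ordering problems described in the text. Not SSHGuard code.

# Constructed dump matching the sample ruleset: jump to sshguard comes first.
GOOD_CHAIN='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

# Constructed dump with the classic mistake: ssh is accepted before the jump,
# so sshguard blocks are never consulted for port 22.
BAD_CHAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'

# Read a chain dump on stdin. Print "ok" and return 0 if the chain is sane,
# otherwise print one finding per line and return 1. Only the plain
# "--dport 22" form is recognised; multiport rules are not parsed.
audit_input_chain() {
    awk '
        $1 == "-P" && $2 == "INPUT"                      { policy = $3 }
        /-j sshguard$/ && !jump                          { jump = NR }
        /--dport 22 / && /-j ACCEPT$/ && !accept22       { accept22 = NR }
        /--dport 22 / && /-j (DROP|REJECT)$/ && !deny22  { deny22 = NR }
        END {
            findings = 0
            if (!jump) {
                print "no jump to the sshguard chain in INPUT"; findings++
            }
            if (jump && accept22 && accept22 < jump) {
                print "ssh ACCEPT (line " accept22 ") precedes the sshguard jump (line " jump "): blocks never apply"
                findings++
            }
            if (policy == "DROP" && !accept22) {
                print "INPUT policy is DROP and nothing accepts tcp/22: ssh is unreachable"; findings++
            }
            if (deny22 && (!accept22 || deny22 < accept22)) {
                print "tcp/22 is denied (line " deny22 ") before it is accepted"; findings++
            }
            if (findings > 0) exit 1
            print "ok"
        }
    '
}

# With --live, audit the running firewall (needs root); otherwise show both samples.
if [ "${1:-}" = "--live" ]; then
    iptables -S INPUT | audit_input_chain
elif [ "${1:-}" = "--demo" ]; then
    echo "good chain:"; printf '%s\n' "$GOOD_CHAIN" | audit_input_chain
    echo "bad chain:";  printf '%s\n' "$BAD_CHAIN"  | audit_input_chain || true
fi
```

Run `sh audit.sh --demo` to see the constructed cases, or `iptables -S INPUT | sh -c '. ./audit.sh; audit_input_chain'` (as root) to check the real chain; the non-zero exit status makes it usable from a deployment script that should refuse to continue when the order is wrong.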

Configure SSHGuard without Iptables/Netfilter

If you do not otherwise use iptables, the following commands create and save a configuration that does nothing except give sshguard a chain to work with. Note that -F and -X flush and delete every existing rule and user-defined chain, so only run this on a host whose firewall really is unused:

[root@server ~]# iptables -F
[root@server ~]# iptables -X
[root@server ~]# iptables -P INPUT ACCEPT
[root@server ~]# iptables -P FORWARD ACCEPT
[root@server ~]# iptables -P OUTPUT ACCEPT
[root@server ~]# iptables -N sshguard
[root@server ~]# iptables -A INPUT -j sshguard

Finally save the iptables configuration:

[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

That's it. SSHGuard is now installed and wired into iptables to protect ssh, ftp and whichever other services you routed through the sshguard chain from brute-force attackers.