SSHGuard is a fast and lightweight monitoring tool written in C language. It monitors and protects servers from brute force attacks using their logging activity. If someone continuously trying to access your server via SSH with many(may be four) unsuccessful attempts, the SSHGuard will block him/her for a bit by putting their IP address in iptables. Then it releases the lock automatically after sometime.
Not only SSH, it protects almost all services such as sendmail, exim, dovecot, vsftpd, proftpd and many. For more information refer the official website.
Install SSHGuard
On Ubuntu/Debian:
sk@sk:~$ sudo apt-get install sshguard
On CentOS/RHEL:
[root@server ~]# rpm -ivh http://flexbox.sourceforge.net/centos/5/i386/sshguard-1.5-2.el5.i386.rpm
If you are using different architecture, download the corresponding RPM here.
Configure SSHGuard with Iptables/Netfilter
The SSHGuard doesn’t have a configuration file. All you have to do is create a new chain for SSHGuard in iptables to insert blocking rules.
For IPv4 support :
[root@server ~]# iptables -N sshguard
For IPv6:
[root@server ~]# ip6tables -N sshguard
Now update the INPUT chain to pass the traffic to the sshguard. Specify --dport option to protect all the ports of services using sshguard. If you want to prevent attackers from doing any traffic to the host, remove the option completely
Block all traffic from abusers
For IPv4 support:
[root@server ~]# iptables -A INPUT -j sshguard
For IPv6 support:
[root@server ~]# iptables -A INPUT -j sshguard
Block particular services such as SSH, FTP, POP, IMAP from abusers
For IPv4 support:
[root@server ~]# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
For IPv6 support:
[root@server ~]# ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143-j sshguard
Finally, save the iptables rule.
[root@server ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Verify that you have NOT a default allow rule passing all ssh traffic higher in the chain. Verify that you have NOT a default deny rule blocking all ssh traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.
Here is a sample ruleset that makes sense:
[root@server ~]# iptables -N sshguard
Block whatever sshguard says is bad:
[root@server ~]# iptables -A INPUT -j sshguard
Enable ssh, dns, http, https:
[root@server ~]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT [root@server ~]# iptables -A INPUT -p udp --dport 53 -j ACCEPT [root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT [root@server ~]# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Block everything else:
[root@server ~]# iptables -P INPUT DROP
Configure SSHGuard without Iptables/Netfilter
If you do not use iptables, the following commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:
[root@server ~]# iptables -F [root@server ~]# iptables -X [root@server ~]# iptables -P INPUT ACCEPT [root@server ~]# iptables -P FORWARD ACCEPT [root@server ~]# iptables -P OUTPUT ACCEPT [root@server ~]# iptables -N sshguard [root@server ~]# iptables -A INPUT -j sshguard
Finally save the iptables configuration:
[root@server ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
That’s it. Now you have installed and configured SSHGuard to protect your ssh, ftp and other services from brute force attackers.
