SSHGuard is a fast and lightweight monitoring tool written in C. It watches the server's log activity and protects its services from brute force attacks. If someone keeps trying to access your server via SSH and fails repeatedly (around four unsuccessful attempts), SSHGuard blocks that IP address for a while by adding it to an iptables chain, then lifts the block automatically after some time.
Not only SSH: it protects many other services as well, such as sendmail, exim, dovecot, vsftpd and proftpd. For more information, refer to the official website.
Install SSHGuard
On Ubuntu/Debian:
$ sudo apt-get install sshguard
On CentOS/RHEL:
# rpm -ivh http://flexbox.sourceforge.net/centos/5/i386/sshguard-1.5-2.el5.i386.rpm
If you are using a different architecture, download the corresponding RPM here.
Configure SSHGuard with Iptables/Netfilter
SSHGuard doesn't have a configuration file. All you have to do is create a new chain for SSHGuard in iptables, into which it inserts its blocking rules.
For IPv4 support:
# iptables -N sshguard
For IPv6:
# ip6tables -N sshguard
Now update the INPUT chain to pass traffic to the sshguard chain. Use the --dport option to limit blocking to the ports of the services protected by sshguard. If you want to prevent abusers from sending any traffic at all to the host, leave the option out entirely.
Block all traffic from abusers
For IPv4 support:
# iptables -A INPUT -j sshguard
For IPv6 support:
# ip6tables -A INPUT -j sshguard
Block particular services such as SSH, FTP, POP, IMAP from abusers
For IPv4 support:
# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
For IPv6 support:
# ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
Finally, save the iptables rules.
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
Verify that there is no default allow rule higher in the chain that passes all SSH traffic before it reaches sshguard, and no default deny rule in your firewall that blocks all SSH traffic. If you have either, you already have the skills to adjust your firewall setup.
Here is a sample ruleset that makes sense:
# iptables -N sshguard
Block whatever sshguard says is bad:
# iptables -A INPUT -j sshguard
Enable ssh, dns, http, https:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Block everything else:
# iptables -P INPUT DROP
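The ordering requirement above (the jump to the sshguard chain must sit before any rule that accepts SSH) is easy to get wrong when rules are added over time. The following POSIX sh check is an added example, not part of the original post; it parses the output of iptables -S INPUT and flags an SSH ACCEPT rule that precedes the sshguard jump. The function names and the sample rulesets are our own.

```shell
#!/bin/sh
# Returns 0 when the jump to the sshguard chain precedes every INPUT rule that
# ACCEPTs port 22 (single --dport or multiport --dports), 1 when the jump is
# missing or an SSH ACCEPT rule sits above it. Input: `iptables -S INPUT` text.
sshguard_order_ok() {
    rules="$1"
    # line number of the first jump to the sshguard chain
    jump_line=$(printf '%s\n' "$rules" \
        | grep -nE -e '-j sshguard( |$)' | head -n 1 | cut -d: -f1)
    # line number of the first rule that ACCEPTs port 22
    accept_line=$(printf '%s\n' "$rules" \
        | grep -nE -e '(--dport 22( |$)|--dports ([0-9]+,)*22(,| |$)).*-j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    [ -z "$jump_line" ] && return 1     # nothing is handed to sshguard at all
    [ -z "$accept_line" ] && return 0   # no SSH ACCEPT rule can get in the way
    [ "$jump_line" -lt "$accept_line" ]
}

# Check the live ruleset (needs root; assumes iptables is installed).
sshguard_order_ok_live() {
    sshguard_order_ok "$(iptables -S INPUT)"
}

# Constructed sample rulesets, in the format iptables -S INPUT prints.
GOOD_RULES='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'

BAD_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'

if sshguard_order_ok "$GOOD_RULES"; then
    echo "good ruleset: sshguard jump precedes the SSH ACCEPT rule"
fi
if ! sshguard_order_ok "$BAD_RULES"; then
    echo "bad ruleset: SSH ACCEPT rule precedes the sshguard jump, blocks never apply"
fi
```

Run sshguard_order_ok_live as root on the server to check the active ruleset; a non-zero exit means SSH traffic is accepted before sshguard gets to see it.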
Configure SSHGuard without Iptables/Netfilter
If you do not use iptables, the following commands create and save an iptables configuration that does absolutely nothing except allow sshguard to work:
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
Finally save the iptables configuration:
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
That's it. You have now installed and configured SSHGuard to protect your SSH, FTP and other services from brute force attackers.