Block SSH Brute Force Attacks Using SSHGuard


SSHGuard is a fast and lightweight monitoring tool written in C. It watches the logging activity of servers and protects them from brute force attacks. If someone keeps trying to access your server via SSH and fails several times (around four attempts), SSHGuard blocks that IP address for a while by inserting it into iptables, then releases the block automatically after some time.


Not only SSH: it protects almost all services, such as sendmail, exim, dovecot, vsftpd, proftpd and many more. For more information, refer to the official website.

Install SSHGuard

On Ubuntu/Debian:

$ sudo apt-get install sshguard


On RPM-based distributions:

# rpm -ivh

If you are using different architecture, download the corresponding RPM here.

Configure SSHGuard with Iptables/Netfilter

SSHGuard doesn’t have a configuration file. All you have to do is create a new chain for SSHGuard in iptables, into which it inserts its blocking rules.

For IPv4 support :

# iptables -N sshguard

For IPv6:

# ip6tables -N sshguard

Now update the INPUT chain to pass traffic to the sshguard chain. List in the --dport option all the ports of the services that sshguard protects. If you want to prevent attackers from sending any traffic at all to the host, remove the option completely.

Block all traffic from abusers

For IPv4 support:

# iptables -A INPUT -j sshguard

For IPv6 support:

# ip6tables -A INPUT -j sshguard

Block particular services such as SSH, FTP, POP, IMAP from abusers

For IPv4 support:

# iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

For IPv6 support:

# ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

Finally, save the iptables rule.

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

Verify that there is no default allow rule higher in the chain that passes all SSH traffic before it reaches the sshguard chain, and no default deny rule in your firewall that blocks all SSH traffic. In either case, you already have the skill to adjust your firewall setup.

Here is a sample ruleset that makes sense:

# iptables -N sshguard

Block whatever sshguard says is bad:

# iptables -A INPUT -j sshguard

Enable ssh, dns, http, https:

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Block everything else:

# iptables -P INPUT DROP
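As an added check (not part of the tutorial or of SSHGuard itself), the script below reads `iptables -S INPUT` output and verifies the two conditions just stated: the jump into the sshguard chain comes before any rule that accepts or drops SSH on its own, and a DROP policy still leaves an ACCEPT for port 22. The rulesets it runs on are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Verify the INPUT chain ordering that the sshguard chain depends on.
# Reads `iptables -S INPUT` output on stdin; exit 0 = sound, 1 = problem.
check_sshguard_order() {
    awk '
        /^-P INPUT (DROP|REJECT)/ { deny = 1 }
        # Record where the INPUT chain hands traffic to sshguard.
        /^-A INPUT / && /-j sshguard$/ { jump = NR; next }
        # Rules that decide port 22 themselves (single port or multiport list).
        /^-A INPUT / && / -j (ACCEPT|DROP|REJECT)/ && (/ --dport 22 / || / --dports (22|[0-9,]*,22)[ ,]/) {
            if (/ -j ACCEPT/) accept22 = 1
            if (!jump && !early) early = $0
        }
        END {
            if (!jump) { print "FAIL: no -j sshguard rule in INPUT"; exit 1 }
            if (early) { print "FAIL: rule decides SSH before the sshguard jump: " early; exit 1 }
            if (deny && !accept22) { print "FAIL: INPUT policy drops and nothing accepts port 22"; exit 1 }
            print "OK: sshguard jump is at line " jump " and SSH is still reachable"
        }
    '
}

# Constructed sample rulesets (not captured from a real host).
# GOOD mirrors the tutorial ruleset: jump first, then ACCEPTs, DROP policy.
GOOD_RULES='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT'
# BAD accepts SSH before the jump, so blocks in the sshguard chain never
# apply to SSH connections.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard'

# Live use on a host: iptables -S INPUT | check_sshguard_order
printf '%s\n' "$GOOD_RULES" | check_sshguard_order
printf '%s\n' "$BAD_RULES"  | check_sshguard_order || true
```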

Configure SSHGuard without Iptables/Netfilter

If you do not otherwise use iptables, the following commands create and save an iptables configuration that does nothing except allow sshguard to work:

# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard

Finally save the iptables configuration:

# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

That’s it. Now you have installed and configured SSHGuard to protect your ssh, ftp and other services from brute force attackers.



