Sshguard
sshguard is a daemon that protects SSH and other services against brute-force attacks, similar to fail2ban.
sshguard differs from fail2ban and similar tools in that it is written in C; it is lighter and simpler to use, with fewer features, while performing its core function equally well.
sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for similar tools.
Installation
Install sshguard from the official repositories.
Configuration
UFW
UFW must be given the ability to pass DROP control along to sshguard. This is accomplished by modifying /etc/ufw/before.rules to contain the following lines, inserted just after the section for loopback devices.
# hand off control for sshd to sshguard
-N sshguard
-A ufw-before-input -p tcp --dport 22 -j sshguard
Restart ufw after making this modification.
Straight up iptables
The main configuration required is creating a chain named "sshguard" in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:
# iptables -N sshguard
# iptables -A INPUT -p tcp --dport 22 -j sshguard
# iptables-save > /etc/iptables/iptables.rules
If you use IPv6:
# ip6tables -N sshguard
# ip6tables -A INPUT -p tcp --dport 22 -j sshguard
# ip6tables-save > /etc/iptables/ip6tables.rules
If you don't use IPv6, create an empty file "ip6tables.rules" with:
# touch /etc/iptables/ip6tables.rules
Finally:
# systemctl reload iptables
If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:
# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# iptables-save > /etc/iptables/iptables.rules
To finish saving your iptables configuration, repeat the above steps with ip6tables to configure the firewall rules for IPv6, and save them with ip6tables-save to /etc/iptables/ip6tables.rules.
For more information on using iptables to create powerful firewalls, see Simple stateful firewall.
Usage
sshguard does not have its own configuration file. All options are supplied as arguments when sshguard is started. See man sshguard.
With systemd
Enable and start the sshguard.service.
To add optional sshguard arguments, modify the provided service as described in systemd#Editing provided unit files.
With syslog-ng
If you have syslog-ng installed, you may start sshguard directly from the command line instead.
/usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
General Information
sshguard works by monitoring /var/log/auth.log, syslog-ng or the systemd journal for failed login attempts. For each failed attempt, the offending host is banned from further communication for a limited amount of time. The default amount of time the offender is banned starts at 7 minutes, and doubles each time it fails another login. sshguard can be configured to permanently ban a host with too many failed attempts.
Both temporary and permanent bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. The ban is then logged to syslog and ends up in /var/log/auth.log, or the systemd journal if systemd is being used. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.
By default in the Arch Linux package, offenders become permanently banned once they have reached a "danger" level of 40 (or 4 failed logins; see terminology for more details). This behavior can be modified by prepending a danger level to the blacklist file. For example, users of systemd can configure this behavior in /usr/lib/systemd/system/sshguard.service:
[Service]
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b 200:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
The 200: in this example tells sshguard to permanently ban a host after achieving a danger level of 200.
Aggressive banning
For some users under constant attack, it may be beneficial to enable a more aggressive banning policy. If you can be reasonably sure that accidental failed logins are unlikely, then you can instruct SSHGuard to automatically ban hosts with a single failed login. Users of systemd can configure this in the following way:
Stop SSHGuard:
# systemctl stop sshguard
Edit the following line in /usr/lib/systemd/system/sshguard.service:
[Service]
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 1 -b 10:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
You'll need to reload the unit with:
# systemctl daemon-reload
Then restart SSHGuard:
# systemctl start sshguard
How to Unban
If you get banned, you can wait to get unbanned automatically or use iptables to unban yourself. First check whether your IP is banned by sshguard:
# iptables -L sshguard --line-numbers
Then use the following command to unban, with the line-number as identified in the former command:
# iptables -D sshguard <line-number>
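Deleting by line number needs care when an address has more than one entry in the chain, because each deletion renumbers the rules after it. The following added example (not from the wiki or the sshguard project) parses a constructed listing in the format of iptables -L sshguard -n --line-numbers, matches the source column exactly (so 198.51.100.7 is not confused with 198.51.100.70), and prints the matching rule numbers highest first; the listing and addresses are constructed, and the output format is assumed.

```shell
#!/bin/sh
# Added example, not part of the sshguard project: find the rule numbers in
# the "sshguard" chain for one exact source address, so they can be removed
# with "iptables -D sshguard <line-number>".
# Constructed sample, assumed to match "iptables -L sshguard -n --line-numbers".
SAMPLE_LISTING='Chain sshguard (1 references)
num  target     prot opt source               destination
1    DROP       all  --  198.51.100.7         0.0.0.0/0
2    DROP       all  --  198.51.100.70        0.0.0.0/0
3    DROP       all  --  203.0.113.9          0.0.0.0/0
4    DROP       all  --  198.51.100.7         0.0.0.0/0'

# Print the rule numbers whose source column equals $2 exactly, highest first.
# Exact comparison avoids prefix matches, and descending order keeps the
# remaining numbers valid while the rules are deleted one by one.
banned_rule_numbers() {
    listing=$1
    ip=$2
    printf '%s\n' "$listing" |
        awk -v ip="$ip" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' |
        sort -rn
}

# Build the iptables commands to run as root; they are printed rather than
# executed so the selection can be checked before touching the live firewall.
unban_commands() {
    for n in $(banned_rule_numbers "$1" "$2"); do
        printf 'iptables -D sshguard %s\n' "$n"
    done
}

# Show what would be run for the constructed address with two entries.
unban_commands "$SAMPLE_LISTING" 198.51.100.7
```

On a real host, replace SAMPLE_LISTING with the output of the listing command run as root and check the printed commands before running them.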