SSHGuard is a very useful monitoring tool for preventing brute-force attacks. SSHGuard reads log messages from standard input and determines malicious activities. If an attack is detected, the attacking IP address is immediately blocked in the firewall. In this article we will guide you through the steps of installing SSHGuard on an Ubuntu VPS and protecting your server against brute-force attacks.
Besides the SSH service, as the name suggests, SSHGuard can also protect many other services out of the box. Listed below are all services that can be protected by SSHGuard:
- SSH
- Sendmail
- Exim
- dovecot
- Cucipop
- UWimap (imap, pop)
- vsftpd
- proftpd
- pure-ftpd
- FreeBSD ftpd
Log in to your server as user root
ssh root@IP
Before proceeding any further it is best to start a screen session by executing the following command
screen -U -S sshguard
We will need to compile and install SSHGuard from source, so install the necessary packages
apt-get install gcc make
Make sure that all packages on your Ubuntu server are up to date
apt-get update
apt-get upgrade
Now change the current working directory and download the latest SSHGuard source to your server
cd /opt
wget http://downloads.sourceforge.net/project/sshguard/sshguard/sshguard-1.5/sshguard-1.5.tar.bz2
Unpack the downloaded archive
bunzip2 sshguard-1.5.tar.bz2
tar -xvf sshguard-1.5.tar
All SSHGuard files will be unpacked in a new ‘sshguard-1.5’ directory. Go inside that directory and compile and install the source
cd sshguard-1.5
./configure --with-firewall=iptables
make && make install
This will install the sshguard binary on your server.
SSHGuard does not have its own configuration file, so we need to configure it with iptables. First of all, create a new chain in iptables so SSHGuard can insert its blocking rules
iptables -N sshguard
Now update the INPUT chain to pass the traffic to the sshguard chain created in the previous step. This will tell iptables to block all traffic from the offending IP addresses
iptables -A INPUT -j sshguard
If you want to block the offending IP addresses only for a specific service such as SSH, pop, imap, ftp, etc… you can use the multiport iptables module. For example, if you want to block the traffic for the FTP service you can use the following command
iptables -A INPUT -m multiport -p tcp --destination-ports 21 -j sshguard
You can also block the offending IP addresses for multiple services using the following command
iptables -A INPUT -m multiport -p tcp --destination-ports 22,25,21 -j sshguard
This rule will block the traffic for the SSH, mail and FTP services.
Once you configure iptables to block all services that you need, save the iptables configuration
service iptables save
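The -A commands above append the jump to the end of the INPUT chain, and iptables evaluates rules in order, so an ACCEPT rule for the same port that sits earlier in the chain lets traffic through before the sshguard chain is consulted. The script below is an added example, not part of the original article or of SSHGuard: it checks `iptables -S INPUT` output for that ordering problem. The helper name check_sshguard_order and both sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of SSHGuard. check_sshguard_order is a hypothetical
# helper: it reads `iptables -S INPUT` output on stdin and reports whether
# traffic to TCP port $1 (default 22) reaches the jump to the sshguard chain
# before an earlier ACCEPT rule lets it through.
# Exit status: 0 = reached, 1 = shadowed by an ACCEPT, 2 = no jump for the port.
# Simplification: port ranges (a:b) and address matches are not interpreted.
check_sshguard_order() {
    awk -v port="${1:-22}" '
    # Does this rule apply to new TCP connections to the port?
    function covers(rule,    f, n, i, p, m, k) {
        if (rule ~ / -p / && rule !~ / -p tcp( |$)/) return 0
        if (rule ~ / -i lo( |$)/) return 0
        if (rule ~ /ESTABLISHED/ && rule !~ /NEW/) return 0
        n = split(rule, f, " ")
        for (i = 1; i < n; i++)
            if (f[i] == "--dport" || f[i] == "--dports") {
                m = split(f[i + 1], p, ",")
                for (k = 1; k <= m; k++) if (p[k] == port) return 1
                return 0
            }
        return 1    # no port match: the rule applies to every port
    }
    jump == 0 && / -j sshguard( |$)/ && covers($0) { jump = NR; next }
    jump == 0 && shadow == "" && / -j ACCEPT( |$)/ && covers($0) { shadow = $0 }
    END {
        if (jump == 0)    { print "no jump to sshguard for port " port; exit 2 }
        if (shadow != "") { print "shadowed by: " shadow; exit 1 }
        print "ok: sshguard is consulted first"
    }'
}

# Constructed sample: the jump was appended after an existing SSH allow rule.
sample_appended() {
    printf '%s\n' '-P INPUT DROP' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j sshguard'
}

# Constructed sample: the same rules with the jump ahead of the allow rule.
sample_before() {
    printf '%s\n' '-P INPUT DROP' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m multiport --dports 22,25,21 -j sshguard' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
}

sample_appended | check_sshguard_order 22 || true
sample_before   | check_sshguard_order 22
```

On a live server, pipe the real chain into the function: iptables -S INPUT | check_sshguard_order 22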
That’s all. You can visit SSHGuard’s official documentation to learn how to configure SSHGuard according to your needs.
Of course you don’t have to do any of this if you use one of our Ubuntu Web Hosting services, in which case you can simply ask our expert Linux admins to install SSHGuard for you. They are available 24×7 and will take care of your request immediately.
Last line in your writeup: “service iptables save”
I get error: “Failed to connect to bus. No such file or directory. iptables: unrecognized service”
Hi Ted,
Try to install the iptables-persistent package on your server.