SSH servers are the gateway to critical systems. While they offer a secure method for remote administration, they remain vulnerable to unauthorized access attempts. Tools like SSHGuard provide an efficient solution to protect servers from brute-force attacks and other threats. This article explains what SSHGuard is, how it works, and how to configure it on Linux systems.
What is SSHGuard?
SSHGuard is a security tool designed to protect servers from malicious login attempts. It operates as a log-based intrusion prevention system, monitoring system log files to detect suspicious activities, such as multiple failed login attempts. Upon identifying a threat, SSHGuard automatically blocks the offending IP addresses using firewall rules.
SSHGuard parses the log formats of several services (sshd plus a number of mail and FTP daemons) and ships blocking backends for firewalld, iptables, nftables, and ipset, among others; UFW is covered indirectly through the iptables or nftables backend. That makes it a lightweight, efficient option for hardening a server.
Differences Between SSHGuard and Fail2Ban
While both SSHGuard and Fail2Ban aim to block suspicious IP addresses, they have key differences:
- Monitoring Approach: SSHGuard parses logs with a built-in parser that carries fixed attack signatures, so there are no regular expressions to write. Fail2Ban matches log lines against user-editable regular expressions (its filters), which is more flexible but more work to get right.
- Supported Services: SSHGuard is optimized for SSH, with signatures for several mail and FTP servers. Fail2Ban can protect a broader range of services, including web and database servers.
- Performance: SSHGuard is written in C and is lightweight, which matters on resource-limited systems. Fail2Ban is written in Python, is somewhat slower, and is easier to extend because of Python's libraries.
- Configuration: SSHGuard is quick to set up and well suited to securing an SSH service with few decisions. Fail2Ban requires more configuration and in return offers more control over what is protected and how.
Installing SSHGuard on Linux
Installation steps for SSHGuard depend on the Linux distribution:
Debian, Ubuntu, and Linux Mint
sudo apt install sshguard
sudo systemctl enable --now sshguard.service
Fedora
sudo dnf install sshguard
sudo systemctl enable --now sshguard.service
In Fedora, SSHGuard integrates with firewalld by default. Alternative backends, such as sshguard-iptables or sshguard-nftables, are also available.
CentOS, AlmaLinux and Rocky Linux
First, install the EPEL repository if it’s not already added:
sudo dnf install epel-release
sudo dnf update
sudo dnf install sshguard
sudo systemctl enable --now sshguard.service
Configuring SSHGuard
SSHGuard uses a configuration file to define its behavior. The file location depends on your distribution:
- Debian and derivatives: /etc/sshguard/sshguard.conf
- RHEL-based systems (AlmaLinux, Rocky Linux, Fedora): /etc/sshguard.conf
Key configuration options include:
- BACKEND: Full path to the firewall backend executable (sshg-fw-nft-sets, sshg-fw-iptables, sshg-fw-firewalld, and so on); the directory varies by distribution, for example /usr/libexec/sshguard/.
- FILES or LOGREADER: Where the log lines come from, either a space-separated list of log files or a command such as journalctl that streams them. The packaged configuration sets this for you.
- THRESHOLD: The cumulative attack score at which an address is blocked, not a raw count of attempts. Each matched attack scores 10 by default, so the default of 30 corresponds to three failed logins.
- BLOCK_TIME: Duration of the first block in seconds (default 120). An address that offends again after being released is blocked for progressively longer.
- DETECTION_TIME: How long, in seconds, an attacker is remembered (default 1800). An address that stays quiet for longer than this has its score discarded, so a slow attack that spaces attempts beyond this window never reaches THRESHOLD.
- WHITELIST_FILE: File containing trusted addresses that are never blocked.
After making changes, restart SSHGuard:
sudo systemctl restart sshguard
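The way THRESHOLD and DETECTION_TIME interact is easiest to see on data. The following is an added example, not code from the original page or from SSHGuard: a small shell/awk replay that applies the documented rules to a few constructed sshd log lines (the syslog timestamp is replaced by an epoch integer to keep the window arithmetic visible). It assumes the default score of 10 per matched attack, counts only "Failed password" lines, and does not model release after BLOCK_TIME.

```shell
#!/bin/sh
# Added example, not SSHGuard's own code: replay sshd log lines through the
# documented THRESHOLD / DETECTION_TIME rules. Assumptions: every matched
# attack scores 10 (SSHGuard's default per-attack score) and only
# "Failed password" lines are counted. Release after BLOCK_TIME is not modelled.

# Constructed sample log. The first field stands in for the syslog timestamp
# as a Unix epoch so the detection window is easy to follow.
SAMPLE_LOG='1700000000 sshd[101]: Failed password for root from 203.0.113.5 port 4444 ssh2
1700000001 sshd[101]: Failed password for root from 203.0.113.5 port 4444 ssh2
1700000002 sshd[101]: Failed password for admin from 203.0.113.5 port 4445 ssh2
1700000010 sshd[102]: Failed password for alice from 198.51.100.7 port 5000 ssh2
1700000020 sshd[102]: Failed password for alice from 198.51.100.7 port 5000 ssh2
1700002000 sshd[103]: Failed password for alice from 198.51.100.7 port 5001 ssh2
1700002001 sshd[103]: Failed password for alice from 198.51.100.7 port 5001 ssh2
1700002002 sshd[104]: Accepted publickey for bob from 192.0.2.9 port 6000 ssh2'

# sshguard_replay THRESHOLD DETECTION_TIME  < log
# Prints each address in the order it would be blocked.
sshguard_replay() {
    awk -v thr="$1" -v win="$2" '
    /Failed password for/ {
        ts = $1 + 0
        ip = ""
        # the attacking address is the word after "from"
        for (i = 2; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "" || (ip in blocked)) next
        # an attacker that has been quiet for longer than DETECTION_TIME
        # is forgotten, so its score starts again from zero
        if ((ip in last) && ts - last[ip] > win) score[ip] = 0
        last[ip] = ts
        score[ip] += 10
        if (score[ip] >= thr) { blocked[ip] = 1; print ip }
    }'
}

# Default settings: 203.0.113.5 is blocked on its third failure; 198.51.100.7
# is not, because the 1980 s gap before its third failure exceeds 1800 s.
printf '%s\n' "$SAMPLE_LOG" | sshguard_replay 30 1800
```

Re-running the replay with a DETECTION_TIME of 3000 blocks 198.51.100.7 as well, which is the trade-off the option encodes: a longer window catches slower guessing at the cost of remembering more addresses.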
Firewall-Specific Configurations
UFW and nftables
UFW has no SSHGuard backend of its own, but UFW is a front end for iptables, and on current Debian and Ubuntu releases that iptables is the nftables-backed iptables-nft, so SSHGuard's nftables backend can run alongside the rules UFW installs. To configure:
- Edit SSHGuard's configuration file and set BACKEND to the full path of sshg-fw-nft-sets.
- Add rules to UFW's configuration for SSHGuard to manage connections.
- Restart UFW and SSHGuard, then confirm with nft list ruleset that SSHGuard's blocking rules are present next to UFW's.
iptables
For iptables, ensure SSHGuard is configured to use it as a backend by setting the following in sshguard.conf:
BACKEND=/usr/libexec/sshguard/sshg-fw-iptables
Then, create the chain SSHGuard will populate and send traffic through it. The chain must exist before SSHGuard starts, because the backend only adds and removes rules inside it:
sudo iptables -N sshguard
sudo iptables -A INPUT -p tcp --dport 22 -j sshguard
sudo iptables-save -f /etc/iptables/rules.v4
Two caveats. The jump is appended to INPUT, so if an earlier rule already accepts port 22 the sshguard chain is never reached; insert the jump ahead of such rules with -I rather than -A, or tighten the accept rule. And this covers IPv4 only: repeat the two commands with ip6tables (and save with ip6tables-save to /etc/iptables/rules.v6), otherwise attackers arriving over IPv6 are detected but never blocked. On Debian and Ubuntu the files under /etc/iptables are restored at boot by the iptables-persistent package.
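The following added example (shell, not SSHGuard's own scripts and not from the original page) turns those caveats into a re-runnable setup function: it creates the chain for both address families, inserts the jump at the top of INPUT only if it is not already there, and sends all traffic rather than only port 22 through the chain. The IPT and IP6T variables are an assumption of this example so the real binaries can be swapped for stubs; run it as root with the argument apply.

```shell
#!/bin/sh
# Added example, not from SSHGuard or the original page: prepare the
# "sshguard" chain for the iptables backend on both address families in a
# way that is safe to re-run. Run as root. IPT/IP6T exist so a test can
# substitute stub functions for the real binaries.
IPT=${IPT:-iptables}
IP6T=${IP6T:-ip6tables}

# ensure_sshguard_chain BINARY
# Creates the chain if it is missing and inserts the jump at the top of
# INPUT. Inserting (not appending) matters: a blocked address must hit
# the sshguard chain before any existing "ACCEPT ... --dport 22" rule.
# Jumping all traffic rather than only port 22 means the same block also
# covers the mail and FTP services SSHGuard can protect.
ensure_sshguard_chain() {
    fw=$1
    # -N fails when the chain already exists, which is fine
    "$fw" -N sshguard 2>/dev/null || true
    # -C tests for the rule; only insert when it is absent
    if ! "$fw" -C INPUT -j sshguard 2>/dev/null; then
        "$fw" -I INPUT 1 -j sshguard
    fi
}

# Both families: an attacker arriving over IPv6 is otherwise never blocked.
setup_sshguard_firewall() {
    ensure_sshguard_chain "$IPT"
    ensure_sshguard_chain "$IP6T"
}

# Run only when explicitly asked, e.g.  sh setup-sshguard-chain.sh apply
if [ "${1:-}" = apply ]; then
    setup_sshguard_firewall
fi
```

After running it, the page's iptables-save step (and ip6tables-save for the v6 rules) persists the result; re-running the script changes nothing because -N and -C both report the existing state.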
firewalld
On RHEL-based systems, set BACKEND to the full path of sshg-fw-firewalld. Addresses blocked by SSHGuard are entries in two firewalld ipsets, sshguard4 (IPv4) and sshguard6 (IPv6), which SSHGuard attaches as sources to a firewalld zone when it starts.
To list blocked IPs:
sudo firewall-cmd --info-ipset=sshguard4
For IPv6:
sudo firewall-cmd --info-ipset=sshguard6
Whitelisting IP Addresses
To prevent trusted addresses from being blocked, add them to the whitelist file. Put the address you administer the server from in it first: a mistyped password from that address otherwise locks you out for BLOCK_TIME. The file location depends on the distribution:
- Debian: /etc/sshguard/whitelist
- RHEL-based systems: /etc/sshguard.whitelist
Entries go one per line and may be a single address, a CIDR block, or a hostname (resolved when SSHGuard loads the file); lines starting with # are comments. For example:
192.168.1.10
192.168.0.0/24
trustedhost.domain.com
After editing, restart SSHGuard:
sudo systemctl restart sshguard
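A whitelist entry either covers an address or it does not, and a near miss (192.168.1.11 when only 192.168.1.10 is listed) still gets blocked. The following added example, not part of SSHGuard or of the original page, checks an IPv4 address against a whitelist in this format with the same CIDR semantics, using a constructed sample list; hostname and IPv6 entries are skipped, since matching them would need DNS or 128-bit arithmetic, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of SSHGuard: test an IPv4 address against a
# whitelist written in SSHGuard's format (one address, CIDR block or
# hostname per line, '#' starts a comment). Hostnames are skipped here
# because matching them needs DNS; SSHGuard resolves them itself when it
# loads the file. IPv6 entries are also out of scope for this example.

# Constructed sample whitelist in the same format as the file above.
WHITELIST='# constructed example whitelist
192.168.1.10
192.168.0.0/24
10.0.0.0/8      # office range
trustedhost.domain.com'

# ip4_to_int A.B.C.D -> the address as one integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP ENTRY -> true when IP lies inside ENTRY (a.b.c.d or a.b.c.d/n)
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2;      bits=32 ;;
    esac
    # network mask with the top "bits" bits set, kept to 32 bits
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    ip_n=$(ip4_to_int "$1")
    net_n=$(ip4_to_int "$net")
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# whitelisted IP  < whitelist
# Prints the first entry that covers IP and succeeds; fails when none does.
whitelisted() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # drop comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')   # and whitespace
        [ -n "$entry" ] || continue
        case $entry in
            *[!0-9./]*) continue ;;                    # hostname or IPv6: skipped
        esac
        if in_cidr "$1" "$entry"; then
            printf '%s\n' "$entry"
            return 0
        fi
    done
    return 1
}

# 192.168.0.77 is covered by 192.168.0.0/24; 192.168.1.11 is not, even
# though 192.168.1.10 is listed, so SSHGuard would still block it.
printf '%s\n' "$WHITELIST" | whitelisted 192.168.0.77
printf '%s\n' "$WHITELIST" | whitelisted 192.168.1.11 || echo "192.168.1.11 not whitelisted"
```

Feeding the real whitelist file to the function (whitelisted ADDRESS < /etc/sshguard/whitelist) is a quick pre-restart check that the management address you care about is actually covered.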
Conclusion
SSHGuard offers a robust, lightweight solution to safeguard SSH servers from brute-force attacks. Its simplicity and compatibility with various firewalls make it an excellent choice for enhancing server security. Regular monitoring and updates will ensure your system remains protected against emerging threats.