SSHGuard is an open-source daemon that is used to enhance the security of ssh as well as other network protocols. Moreover, it is used to prevent brute force attacks. It will continuously monitor and keep the track record of the system logs which helps in tracking the continuous login attempts or malicious activity. Once it detects such activity then it will immediately block the IP using firewall backends such as pf, iptables, and ipfw. Then it will unblock the IP after a set interval of time. Several log formats such as raw log file, Syslog-ng, and Syslog are supported by SSHGuard as well as provide extra layer protection to several services postfix, Sendmail, vsftpd, etc. including ssh.
In this tutorial, you will learn to install SSHGuard and configure the system to prevent brute force attacks in Ubuntu 20.04. Let’s begin with the installation.
You can install the sshguard from the apt package manager; you simply need to execute the following installation command in your terminal. First, we always need to update the package info before any package installation using apt.
$ sudo apt update $ sudo apt install sshguard
After successful SSHGuard installation, you can check the status of SSHGuard using the systemctl daemon. You will get to see the output similar to the following example.
$ sudo systemctl status sshguard
Configuring SSHGuard On Ubuntu
The default remote host ban period is of 120 seconds and each successive failed login attempt will increase ban time by a factor of 1.5. You can configure the SSHGuard sshguard.conf file which you can find in the following path.
$ sudo vim /etc/sshguard/sshguard.conf
As you can see in the above example there are many directives with its default value. Let’s highlight some directives and what it is actually for.
- The directive named BACKEND contains the path of the system firewall backend.
- The directive named THRESHOLD indicates the number of attempts after which the user will be blocked.
- The BLOCKE_TIME directive determines the duration for which the attacker will remain banned after successive incorrect login attempts.
- The DETECTION_TIME directive determines the time for which the attacker is detected/recorded.
- The WHITELIST_FILE directive contains the path to file which contains the list of the known hosts.
Then, let’s work out with a system firewall. To block the brute force attack you need to configure the firewall in the following way.
$ sudo vim /etc/ufw/before.rules
Then, add the following line of code in the open file just like the example given below.
:sshguard - [0:0] -A ufw-before-input -p tcp --dport 22 -j sshguard
Now, write and quit the file and restart the firewall.
$ sudo systemctl restart ufw
Once everything is set up your system is ready to persist the brute force attacks.
Whitelisting Blocked Hosts
The whitelist will allow the blocked hosts to re-login to the system without any restriction. To whitelist, the specific host then specifies the IP of the host in the file located at the following destination.
$ sudo vim /etc/sshguard/whitelist
Now, once you added the IP to the whitelist file, restart the SSHGuard daemon and firewall backend to apply the changes.
In this tutorial, I’ve shown you how to install SSHGuard and how to configure the security software to make the system capable of persisting the brute force attack and adding an additional layer of security.