HowFlow


sshguard was born to protect SSH servers from today's widespread brute-force attacks, and has evolved into an extensible log supervisor that blocks attacks on applications in real time. It monitors logging activity and reacts to attacks by blocking their source addresses.

Posted by aroedl about 1 year ago

Installation and setup

All you need to run sshguard is some sort of system logger (in this example, we’re using syslog-ng), iptables and of course a running ssh daemon. Visit the sshguard website for more information on how to use it with a different logger. Every major distribution should have sshguard in its package management system. I’m on Gentoo, so I just had to enter emerge sshguard.

Next, we have to tell the system logger (syslog-ng) to pass the ssh logs to sshguard. This is done in syslog-ng.conf:


filter sshlogs { facility(auth, authpriv) and match("sshd"); };
destination sshguardproc {
    program("/usr/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };

Tell syslog-ng to re-read its configuration:


killall -HUP syslog-ng

Set up your Netfilter (iptables) rules as usual. You’ll find plenty of examples on the interwebs, but you can also leave the ruleset pretty much empty. Just make sure you have the following:


iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

This creates a new sshguard chain and hands all SSH traffic to it; sshguard adds and removes the blocking rules in that chain itself – that’s basically it!
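As an added example (not part of the original post), the two iptables commands above wrapped so they can be re-run without appending duplicate INPUT jumps, plus a check that reads an iptables-save dump and confirms the sshguard chain and the jump to it are present. The sample dump at the end is constructed here; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.

# Create the sshguard chain and the INPUT jump only if they are missing.
# Re-running plain "iptables -A" would append a second identical jump
# each time, which still works but clutters INPUT and confuses audits.
ensure_sshguard_chain() {
    # -N fails when the chain already exists; that is fine here.
    iptables -N sshguard 2>/dev/null || true
    # -C checks for the rule; only append it when the check fails.
    iptables -C INPUT -p tcp --dport 22 -j sshguard 2>/dev/null \
        || iptables -A INPUT -p tcp --dport 22 -j sshguard
}

# Read an iptables-save dump on stdin and verify the two things the post
# requires: the sshguard chain exists and INPUT jumps to it for tcp/22.
# iptables-save prints "-m tcp" for port matches, so accept it if present.
# Returns 0 when both are found, 1 if the chain is missing, 2 if the
# jump rule is missing.
verify_sshguard_rules() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^:sshguard ' || return 1
    printf '%s\n' "$dump" \
        | grep -Eq -- '^-A INPUT -p tcp (-m tcp )?--dport 22 -j sshguard$' \
        || return 2
    return 0
}

# Constructed iptables-save output showing a correct setup, so the check
# can be exercised without root or a live iptables.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT'

if printf '%s\n' "$SAMPLE_DUMP" | verify_sshguard_rules; then
    echo "sshguard chain and INPUT jump present"
else
    echo "sshguard rules missing"
fi
```

On a live host, run `ensure_sshguard_chain` as root and then `iptables-save | verify_sshguard_rules` to confirm the result.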


