How to install SSHGuard on Ubuntu 20.04 LTS

 

 

 

 

SSHGuard is a monitoring tool that is very useful for preventing brute-force attacks. It reads log messages and identifies malicious activity from their content. As soon as an attack is detected, the firewall blocks the offending IP address. SSHGuard can also protect a wide range of services out of the box, including SSH, Sendmail, dovecot, UWimap (imap, pop), Cucipop, Exim, and so on.

 

 

 

 

 

Throughout this article, we will explain how to install SSHGuard on Ubuntu and protect the server from brute-force attacks.

 

 

 

 

 

So let’s start,

 

 

 

 

 

 

Step 1: Getting your system up and running

 

 

 

 

  1. Sign in to your system or register a newly created one by logging in to your VPSie account
  2. Connect by SSH using the credentials we emailed you.
  3. Once you have logged into your Ubuntu instance, run these commands to update your system.
apt-get update && apt-get upgrade -y

 

 

 

 

 

 

Step 2: Install SSHGuard

 

 

 

 

 

The installation can be done by running the command,

 

 

 

apt-get install sshguard

 

 

 

 

Afterward, edit the /etc/sshguard/sshguard.conf file and set BACKEND to the following:

 

 

BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"

 

Running locate nft-sets will help you find the exact location of the script.

 

 

 

Enable sshguard to start automatically at boot, then restart the service:

 

 

# systemctl enable sshguard
# systemctl restart sshguard

 

 

 

Check the status,

 

 

systemctl status sshguard

 

 

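OUTPUT (the last line of the process tree shows the backend script that is actually running, so check that it matches the BACKEND you configured):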

 

 

# systemctl status sshguard
● sshguard.service - SSHGuard
     Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-11-27 15:52:36 UTC; 1h 10min ago
       Docs: man:sshguard(8)
    Process: 2571 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
    Process: 2582 ExecStartPre=/usr/sbin/ip6tables -N sshguard (code=exited, status=0/SUCCESS)
   Main PID: 2583 (sshguard)
      Tasks: 8 (limit: 988)
     Memory: 4.0M
     CGroup: /system.slice/sshguard.service
             ├─2583 /bin/sh /usr/sbin/sshguard
             ├─2584 /bin/sh /usr/sbin/sshguard
             ├─2585 /usr/lib/x86_64-linux-gnu/sshg-parser
             ├─2586 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist
             ├─2587 /bin/sh /usr/sbin/sshguard
             ├─2588 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
             └─2589 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-iptables

 

 

 

 

Installing a brute-force blocker is extremely important if you allow SSH logins with passwords. Almost every server with an exposed SSH port is attacked by bots. Using sshguard, my server soon blocked attacks from 3 IP addresses in a matter of seconds.

 

 

 

 

Take a look at this,


Nov 27 16:58:25 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "134.122.49.13" on service 110 with danger 10.
Nov 27 16:58:25 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "134.122.49.13/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 434 secs.)
Nov 27 17:02:30 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 100 with danger 10.
Nov 27 17:02:30 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 110 with danger 10.
Nov 27 17:02:31 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 110 with danger 10.
Nov 27 17:02:31 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "221.131.165.65/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Nov 27 17:06:10 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 100 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 110 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 110 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "222.186.42.13/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
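
The log lines above tie back to the sshg-blocker options in the status output: every attack is logged with danger 10, and with the threshold option -a 30 the block follows the third attack. The script below is an added example, not part of the original article or of SSHGuard; it tallies logged danger and blocks per address and flags blocks whose earlier attacks fall outside the input. The sample lines are constructed in the article's log format with documentation addresses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-address summary of sshguard "Attack"/"Blocking" lines.

THRESHOLD=30   # value of -a on the sshg-blocker command line in the status output

# Constructed sample in the article's log format (documentation addresses).
sample_log() {
cat <<'EOF'
Nov 27 16:58:25 host sshguard[2586]: Attack from "192.0.2.10" on service 110 with danger 10.
Nov 27 16:58:25 host sshguard[2586]: Blocking "192.0.2.10/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 434 secs.)
Nov 27 17:02:30 host sshguard[2586]: Attack from "198.51.100.7" on service 100 with danger 10.
Nov 27 17:02:30 host sshguard[2586]: Attack from "198.51.100.7" on service 110 with danger 10.
Nov 27 17:02:31 host sshguard[2586]: Attack from "198.51.100.7" on service 110 with danger 10.
Nov 27 17:02:31 host sshguard[2586]: Blocking "198.51.100.7/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
EOF
}

# Reads sshguard log lines on stdin and prints, per blocked address:
#   <ip> blocks=<count> block_secs=<last duration> danger_seen=<score logged before last block>
# A "partial" suffix marks blocks whose earlier attacks are not in the input.
summarise_blocks() {
    awk -F'"' -v threshold="$THRESHOLD" '
    / sshguard\[[0-9]+\]: Attack from "/ {
        n = split($3, f, " ")          # text after the address ends in "danger 10."
        danger[$2] += f[n] + 0         # trailing "." is ignored by numeric conversion
        next
    }
    / sshguard\[[0-9]+\]: Blocking "/ {
        ip = $2
        sub(/\/[0-9]+$/, "", ip)       # drop the /32 or /128 prefix length
        split($3, f, " ")              # text after the address starts "for 480 secs"
        if (!(ip in blocks)) order[++count] = ip
        blocks[ip]++
        secs[ip] = f[2] + 0
        seen[ip] = danger[ip]          # score accumulated since the previous block
        danger[ip] = 0
        next
    }
    END {
        for (i = 1; i <= count; i++) {
            ip = order[i]
            printf "%s blocks=%d block_secs=%d danger_seen=%d%s\n", ip, blocks[ip],
                secs[ip], seen[ip], (seen[ip] < threshold ? " partial" : "")
        }
    }'
}

sample_log | summarise_blocks
```

On a live host, pipe the output of journalctl -u sshguard into summarise_blocks instead of the sample.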

 

 

 

I think that’s all. For more information about configuring SSHGuard to meet your needs, visit its official documentation.  

 

 

 


Stay safe with SSHGuard, thanks for reading! I hope it was informative for you! 

 

 

 

 

 

 
