How to install SSHGuard on an Ubuntu 20.04 LTS
As a monitoring tool, SSHGuard is very beneficial for preventing brute force attacks. SSHGuard reads log messages and determines malicious activity from their content. As soon as an attack is detected, the offending IP address is blocked in the firewall immediately.
Additionally, SSHGuard is able to protect a wide range of services out of the box. Here is a list of services that you can protect with SSHGuard: SSH, Sendmail, Dovecot, UW IMAP (imap, pop), Cucipop, Exim, and so on.
Throughout this article, we will explain how to install SSHGuard on Ubuntu and protect the server from brute-force attacks.
So let’s start,
Step 1: Getting your system up and running
- Sign in to your system or register a newly created one by logging in to your VPSie account.
- Connect by SSH using the credentials we emailed you.
- Once you have logged into your Ubuntu instance, run these commands to update your system.
apt-get update && apt-get upgrade -y
Step 2: Install SSHGuard
The installation can be done by running the command,
apt-get install sshguard
Afterward, edit the /etc/sshguard/sshguard.conf file and set BACKEND to the following:
BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"
Running locate nft-sets will help you find the exact location of the script on your system.
After enabling sshguard to start automatically at boot, restart the service:
# systemctl enable sshguard
# systemctl restart sshguard
Check the status,
systemctl status sshguard
OUTPUT
# systemctl status sshguard
● sshguard.service - SSHGuard
Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-11-27 15:52:36 UTC; 1h 10min ago
Docs: man:sshguard(8)
Process: 2571 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
Process: 2582 ExecStartPre=/usr/sbin/ip6tables -N sshguard (code=exited, status=0/SUCCESS)
Main PID: 2583 (sshguard)
Tasks: 8 (limit: 988)
Memory: 4.0M
CGroup: /system.slice/sshguard.service
├─2583 /bin/sh /usr/sbin/sshguard
├─2584 /bin/sh /usr/sbin/sshguard
├─2585 /usr/lib/x86_64-linux-gnu/sshg-parser
├─2586 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist
├─2587 /bin/sh /usr/sbin/sshguard
├─2588 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
└─2589 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-iptables
The installation of a brute force blocker is extremely important if you allow ssh logins with passwords. Almost every server with an exposed ssh port is being attacked by bots. Within seconds of starting sshguard, my server had already blocked 3 attacking IP addresses.
Take a look at this,
Nov 27 16:58:25 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "134.122.49.13" on service 110 with danger 10.
Nov 27 16:58:25 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "134.122.49.13/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 434 secs.)
Nov 27 17:02:30 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 100 with danger 10.
Nov 27 17:02:30 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 110 with danger 10.
Nov 27 17:02:31 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "221.131.165.65" on service 110 with danger 10.
Nov 27 17:02:31 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "221.131.165.65/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Nov 27 17:06:10 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 100 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 110 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Attack from "222.186.42.13" on service 110 with danger 10.
Nov 27 17:06:11 LAX-a6d2-Ubuntu sshguard[2586]: Blocking "222.186.42.13/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
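Log lines in this format are easy to triage from the journal. As an added example (not part of the original article or of the SSHGuard project), the POSIX shell script below counts "Attack from" events per address, lists each block with its duration, and flags addresses that were blocked for longer than the 120-second first-offence block seen in the log above, which is how repeat offenders stand out. The sample lines are constructed with documentation-range addresses; feed real lines with journalctl -u sshguard instead.

```shell
#!/bin/sh
# Constructed sample in the sshguard journal format shown above
# (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts).
SAMPLE_LOG='Nov 27 16:58:25 host sshguard[2586]: Attack from "198.51.100.7" on service 110 with danger 10.
Nov 27 16:58:25 host sshguard[2586]: Blocking "198.51.100.7/32" for 480 secs (3 attacks in 1 secs, after 3 abuses over 434 secs.)
Nov 27 17:02:30 host sshguard[2586]: Attack from "203.0.113.9" on service 100 with danger 10.
Nov 27 17:02:30 host sshguard[2586]: Attack from "203.0.113.9" on service 110 with danger 10.
Nov 27 17:02:31 host sshguard[2586]: Attack from "203.0.113.9" on service 110 with danger 10.
Nov 27 17:02:31 host sshguard[2586]: Blocking "203.0.113.9/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)'

# attacks_per_ip: read log lines on stdin, print "ip count" for every
# address that produced an "Attack from" event, sorted by address.
attacks_per_ip() {
    awk -F'"' '/sshguard\[[0-9]+\]: Attack from "/ { n[$2]++ }
               END { for (ip in n) print ip, n[ip] }' | sort
}

# blocks: read log lines on stdin, print "ip/prefix seconds" for every
# "Blocking" event. With the double quote as separator, $2 is the address
# and $3 starts with " for <secs> secs (...", so the 2nd word is the duration.
blocks() {
    awk -F'"' '/sshguard\[[0-9]+\]: Blocking "/ {
        split($3, f, " ")
        print $2, f[2]
    }'
}

# repeat_offenders: addresses whose block exceeded the base block time
# (first argument, default 120 s); sshguard lengthens blocks for addresses
# it has blocked before, so these are the persistent sources.
repeat_offenders() {
    base="${1:-120}"
    blocks | awk -v base="$base" '$2 > base { print $1 }'
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | attacks_per_ip
printf '%s\n' "$SAMPLE_LOG" | blocks
printf '%s\n' "$SAMPLE_LOG" | repeat_offenders 120
```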
I think that’s all. For more information about configuring SSHGuard to meet your needs, visit its official documentation.
Stay safe with SSHGuard, thanks for reading! I hope it was informative for you!
SSHGuard is a security program that monitors login attempts and blocks IP addresses that exhibit malicious behavior.
SSHGuard monitors log files for login attempts and determines whether they are legitimate. If it detects repeated failed attempts, it blocks the IP address associated with the attempts.
You can install SSHGuard on Ubuntu by using the following command: sudo apt-get install sshguard
Yes, SSHGuard can be configured to monitor other protocols such as FTP, SMTP, and HTTP.
Yes, SSHGuard can be used with other Linux distributions and operating systems such as FreeBSD, OpenBSD, and macOS.
You can check if SSHGuard is running by using the following command: sudo systemctl status sshguard
You can check if SSHGuard has blocked any IP addresses by using the following command: sudo iptables -L -n | grep sshguard