sshguard blocking brute force attacks on Ubuntu

sshguard on Ubuntu 20.04 LTS (Focal Fossa)

Through the years, I have used fail2ban and denyhosts to block ssh brute force attacks. The modern weapon of choice seems to be sshguard, so here is how to install and enable it:

apt-get install sshguard

Then edit /etc/sshguard/sshguard.conf and set BACKEND to the nftables sets script:

BACKEND="/usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets"

You can run locate nft-sets to find the exact location of the script on your system.

Then enable sshguard auto-start, start the service and check the status of the service:

systemctl enable sshguard
systemctl restart sshguard
systemctl status sshguard

You should get something like this:

● sshguard.service - SSHGuard
     Loaded: loaded (/lib/systemd/system/sshguard.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-07-01 14:37:42 CEST; 4s ago
       Docs: man:sshguard(8)
    Process: 72317 ExecStartPre=/sbin/iptables -N sshguard (code=exited, status=0/SUCCESS)
    Process: 72326 ExecStartPre=/sbin/ip6tables -N sshguard (code=exited, status=0/SUCCESS)
   Main PID: 72328 (sshguard)
      Tasks: 8 (limit: 4657)
     Memory: 2.9M
     CGroup: /system.slice/sshguard.service
             ├─72328 /bin/sh /usr/sbin/sshguard
             ├─72329 /bin/sh /usr/sbin/sshguard
             ├─72330 /usr/lib/x86_64-linux-gnu/sshg-parser
             ├─72331 /usr/lib/x86_64-linux-gnu/sshg-blocker -a 30 -p 120 -s 1800 -w /etc/sshguard/whitelist
             ├─72332 /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
             ├─72333 /bin/sh /usr/sbin/sshguard
             └─72334 /bin/sh /usr/lib/x86_64-linux-gnu/sshg-fw-nft-sets

Jul 01 14:37:42 myserver systemd[1]: Starting SSHGuard...
Jul 01 14:37:42 myserver systemd[1]: Started SSHGuard.
Jul 01 14:37:59 myserver sshguard[72331]: Attack from "51.68.174.34" on service 110 with danger 10.
Jul 01 14:37:59 myserver sshguard[72331]: Blocking "51.68.174.34/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)

If you allow ssh logins with a password, installing a brute force blocker is very important: bots are hammering every server that exposes the ssh port. Within a few seconds of starting, sshguard had blocked two IP addresses from hammering on my server:

Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 100 with danger 10.
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Blocking "23.129.64.209/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Jul 01 15:18:18 myserver sshguard[71891]: Attack from "103.138.148.25" on service 100 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Blocking "103.138.148.25/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
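The process list in the status output above shows the blocker running with -a 30 (danger threshold), -p 120 (block time in seconds) and -s 1800 (detection window in seconds), which is why three attacks of danger 10 end in a 120-second block. The following script is an added example, not part of the post or of sshguard: it parses the journal lines shown above (embedded as sample input), accumulates the danger score per source address and checks that every logged block is explained by the 30-point threshold. It ignores the -s window, so it only models a burst of attacks within that window.

```python
import re
from collections import defaultdict

# Sample input: the journal lines quoted in the post above.
SAMPLE_LOG = """\
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 100 with danger 10.
Jul 01 15:18:11 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Attack from "23.129.64.209" on service 110 with danger 10.
Jul 01 15:18:12 myserver sshguard[71891]: Blocking "23.129.64.209/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
Jul 01 15:18:18 myserver sshguard[71891]: Attack from "103.138.148.25" on service 100 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Attack from "103.138.148.25" on service 110 with danger 10.
Jul 01 15:18:19 myserver sshguard[71891]: Blocking "103.138.148.25/32" for 120 secs (3 attacks in 1 secs, after 1 abuses over 1 secs.)
"""

ATTACK_RE = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\d+) with danger (\d+)\.')
BLOCK_RE = re.compile(r'sshguard\[\d+\]: Blocking "([^"/]+)(?:/\d+)?" for (\d+) secs')


def summarize(log_text, threshold=30):
    """Per source address: number of attacks, accumulated danger, the attack at which the
    danger reached the blocker threshold (-a), and the block length sshguard logged (-p).
    Simplification: the -s detection window is not modelled, scores never decay."""
    stats = defaultdict(lambda: {"attacks": 0, "danger": 0, "threshold_hit_at": None, "blocked_for": None})
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            ip, danger = m.group(1), int(m.group(3))   # group(2) is the numeric service code
            s = stats[ip]
            s["attacks"] += 1
            s["danger"] += danger
            if s["threshold_hit_at"] is None and s["danger"] >= threshold:
                s["threshold_hit_at"] = s["attacks"]
            continue
        m = BLOCK_RE.search(line)
        if m:
            stats[m.group(1)]["blocked_for"] = int(m.group(2))
    return dict(stats)


def unexplained_blocks(stats):
    """Addresses where the log and the threshold model disagree: blocked without reaching the
    threshold, or over the threshold without a logged block. Empty means -a matches the log."""
    return sorted(ip for ip, s in stats.items()
                  if (s["blocked_for"] is None) != (s["threshold_hit_at"] is None))


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in stats.items():
        print(f"{ip:16} attacks={s['attacks']} danger={s['danger']} "
              f"threshold_hit_at={s['threshold_hit_at']} blocked_for={s['blocked_for']}")
    print("inconsistencies:", unexplained_blocks(stats))
```

Feed it `journalctl -u sshguard -o cat` output to see which addresses are being scored and whether the blocks line up with the -a value you configured.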

Other good resources on sshguard:
