sshguard is different from the other two in that it is written in C, is lighter and simpler to use with fewer features while performing its core function equally well.
sshguard is not vulnerable to most (or maybe any) of the log analysis vulnerabilities that have caused problems for similar tools.
Install the package.
sshguard works by monitoring
/var/log/auth.log, syslog-ng or the systemd journal for failed login attempts. For each failed attempt, the offending host is banned from further communication for a limited amount of time. The default amount of time the offender is banned starts at 7 minutes, and doubles each time he or she fails another login. sshguard can be configured to permanently ban a host with too many failed attempts.
Both temporary and permanent bans are done by adding an entry into the "sshguard" chain in iptables that drops all packets from the offender. The ban is then logged to syslog and ends up in
/var/log/auth.log, or the systemd journal, if systemd is being used. To make the ban only affect port 22, simply do not send packets going to other ports through the "sshguard" chain.
You must configure a firewall to be used with sshguard in order for blocking to work.
UFWIf UFW is installed and enabled, it must be given the ability to pass along DROP control to sshguard. This is accomplished by modifying
/etc/ufw/before.rulesto contain the following lines which should be inserted just after the section for loopback devices.
# hand off control for sshd to sshguard -N sshguard -A ufw-before-input -p tcp --dport 22 -j sshguard
Restart ufw after making this modification.
The main configuration required is creating a chain named
sshguard, where sshguard automatically inserts rules to drop packets coming from bad hosts:
# iptables -N sshguard
Then add a rule to jump to the
sshguard chain from the
INPUT chain. This rule must be added before any other rules processing the ports that sshguard is protecting. See this example.
# iptables -A INPUT -p tcp --dport 22 -j sshguard
To save the rules:
# iptables-save > /etc/iptables/iptables.rules
Enable and start the
sshguard.service. The provided systemd unit uses a blacklist located at
/var/db/sshguard/blacklist.db and pipes journalctl into sshguard for monitoring.
To add optional sshguard arguments, modify the provided service with drop-in snippets as described in systemd#Editing provided units.
If you haveinstalled, you may start sshguard directly from the command line instead.
/usr/sbin/sshguard -l /var/log/auth.log -b /var/db/sshguard/blacklist.db
Change danger level
By default in the Arch-provided systemd unit, offenders become permanently banned once they have reached a "danger" level of 120 (or 12 failed logins; see terminology for more details). This behavior can be modified by prepending a danger level to the blacklist file.
Edit the provided systemd unit and change the
[Service] ExecStart= ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b 200:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
200: in this example tells sshguard to permanently ban a host after achieving a danger level of 200.
Finally restart the
For some users under constant attack, it may be beneficial to enable a more aggressive banning policy. If you can be reasonably sure that accidental failed logins are unlikely, then you can instruct SSHGuard to automatically ban hosts with a single failed login. Edit the provided systemd unit in the following way:
[Service] ExecStart= ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 10 -b 10:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
Finally restart the
Tips and Tricks
If you get banned, you can wait to get unbanned automatically or use iptables to unban yourself. First check if your IP is banned by sshguard:
# iptables -L sshguard --line-numbers --numeric
Then use the following command to unban, with the line-number as identified in the former command:
# iptables -D sshguard <line-number>
You will also need to remove the IP address from
/var/db/sshguard/blacklist.db in order to make unbanning persistent.
# sed -i '/<ip-address>/d' /var/db/sshguard/blacklist.db
To see what is being passed to sshguard, examine the script in
/usr/lib/systemd/scripts/sshguard-journalctl and the systemd service
sshguard.service. An equivalent command to view the logs in the terminal:
$ journalctl -afb -p info SYSLOG_FACILITY=4 SYSLOG_FACILITY=10