Securing SSH with SSHGuard

We all love SSH (Secure SHell). It lets us connect to our remote servers, circumvent firewalls, confuse stateful packet inspection and network monitoring, and otherwise keep nosy entities in the dark about what kind of data we’re shuffling around between machines. However, every server you run SSH on is experiencing hundreds or thousands of attacks every day — most are just brute-force login attempts, but some are more sophisticated attacks.

Here, I’ll show you how to set up SSHGuard, which is a cleverly designed, easy way to harden your SSH installation and decrease the amount of resources that attackers can soak up. It also conveniently works for other services, not just SSH (more on that later). Let’s get started!

SSHGuard works in a simple and clever way: it runs as a daemon, monitoring your system log (whether that’s syslog, syslog-ng, metalog, multilog, etc. — so it works out of the box on pretty much any Unix/Linux operating system). When it detects malicious behavior from IP addresses connecting to your machine, it blocks them for some time using your firewall (whether that’s iptables on Linux, pf or IPFILTER on the BSDs, hosts.deny, or even the AIX firewall). The more often someone attacks, the higher their ‘threat’ score becomes and the longer their IP is blocked each time.

This is an excellent protection mechanism against the brute-force attacks that any Internet-connected system experiences hundreds or thousands of times per day. It also prevents the exciting mistake of locking your IP out of a server permanently by typing an incorrect password too many times, and having to use a different IP to connect.
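To make the scoring and escalation described above concrete, here is a small model of that logic, written for this post and not taken from SSHGuard itself. It parses constructed sshd log lines, adds points per failed login, issues a block once a threshold is crossed, and doubles the block length on each repeat offence; the point values, threshold and block times are assumptions for the example, not SSHGuard’s actual defaults.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample sshd log lines (syslog format) for this example; not real traffic.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2
Mar  1 10:00:05 host sshd[1003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Mar  1 10:00:09 host sshd[1004]: Accepted publickey for alice from 198.51.100.4 port 50000 ssh2
Mar  1 10:00:11 host sshd[1005]: Failed password for bob from 198.51.100.4 port 50001 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

ATTACK_SCORE = 10      # points added per failed login (assumed value)
THRESHOLD = 30         # block once an address reaches this score (assumed value)
BASE_BLOCK_SECS = 120  # first block length; doubles on each repeat offence (assumed)

@dataclass
class Attacker:
    score: int = 0
    offences: int = 0
    blocks: list = field(default_factory=list)  # block durations issued, in seconds

def block_duration(offences):
    """Escalating block time: 120s, 240s, 480s, ... for the 1st, 2nd, 3rd block."""
    return BASE_BLOCK_SECS * 2 ** (offences - 1)

def process_log(text):
    """Score failed logins per source address and return the per-IP state.

    Each failed login raises the address's score; crossing the threshold
    issues a block whose length grows with the number of earlier blocks,
    and the score restarts from zero once the address has been blocked."""
    state = defaultdict(Attacker)
    for line in text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue            # successful logins and other messages are ignored
        a = state[m.group(1)]
        a.score += ATTACK_SCORE
        if a.score >= THRESHOLD:
            a.offences += 1
            a.blocks.append(block_duration(a.offences))
            a.score = 0         # the real daemon would now add the IP to the firewall chain
    return state
```

Running it over the sample log blocks 203.0.113.7 for 120 seconds after its third failure, while 198.51.100.4 (one failure) stays below the threshold.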

Here’s their excellent website in case you’re interested in more details or less-used capabilities and features: http://www.sshguard.net/

Installing SSHGuard

To install (assuming a Debian-based Linux distro):

sudo apt-get install sshguard

Basic Configuration using the IPTables Firewall

Now it’s time to set up IPTables for blocking. Here’s a simple snippet that you can paste into your terminal to create a new iptables chain (for both IPv4 and IPv6) that will let sshguard block attackers (from http://www.sshguard.net/docs/setup/#netfilter-iptables):

# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard
# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

If you wanted to block abusers on specific ports ONLY, you could use a rule like this instead of the simple rule above (blocking for FTP, SSH, POP, and IMAP):

iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

Restart your Firewall Service to activate new Rules

Depending on your distribution/OS and which firewall you’re using, this will be one of the following:

sudo service iptables restart # (Ubuntu Server)
sudo /etc/init.d/iptables restart # (many other Linux Distros)
service pf reload # (on BSDs using the PF firewall)
sudo service networking restart # (on an Ubuntu Desktop machine)

Alternate Setup Instructions

You can find alternate setup instructions (and setup instructions for different use cases) here:

General Setup Instructions: http://www.sshguard.net/docs/setup/

Instructions for the PF Firewall (OpenBSD, FreeBSD, DragonflyBSD, NetBSD): http://www.sshguard.net/docs/setup/#pf

Arch Linux Wiki (one of the best sources of practical Linux instructions out there): https://wiki.archlinux.org/index.php/Sshguard

Other Services that SSHGuard Protects:

  • Sendmail
  • Exim
  • dovecot
  • Cucipop
  • UWimap (imap, pop)
  • vsftpd
  • proftpd
  • pure-ftpd
  • FreeBSD ftpd

At this point, you should have SSHGuard monitoring your system logs and blocking malicious users via your system firewall. You can test this out by using a throwaway IP to connect to the server a few times and trying to log in with incorrect passwords. After a few attempts, you should be blocked for a minute or two. Have fun!