Nov 012011
 

sshguardI’ve already talked about fail2ban and logcheck, 2 tools that can scan your logs and do actions, based on rules that you can give/modify, usually modify your iptables rules to stop active attacks against your server or simply send you a warning if some thing is found in the logs.

Today we’ll see a similar tool, sshguard, it is different from the other two in that it is written in C, so it’s uses less memory and CPU while running, but still achiving the same results.


So what does sshguard do?

The short version is: it receives log messages, it detects when a networked service has been abused based on them, and blocks the address of who abused it; after some time, it releases the blocking.

The full version is: sshguard runs on a machine as a small daemon, and receives log messages (in a number of ways, e.g. from syslog). When it determines that address X did something bad to service Y, it fires a rule in the machine’s firewall (one of the many supported) for blocking X.
Sshguard keeps X blocked for some time, then releases it automatically.

Please note that despite of his name sshguard detects attacks for many services out of the box, not only SSH but also several ftpds, Exim and dovecot. It can operate all the major firewalling systems, and features support for IPv6, whitelisting, suspension, and log message authentication

Installation

Sshguard is distributed under the permissive BSD license: you can use, modify and redistribute the software, at your own risk, for any use, including commercial, provided that you retain the original copyright notice you find in it. The software is distributed in the main repository of the most used GNU/Linux distributions and for some *BSD system, but you can also download the sources from their downlaod page.

To install it on Debian (or other .deb distributions like Ubuntu) just run from a terminal:

sudo aptitude install sshguard

Setup and configuration

Sshguard interfaces to the system in two points:

  • the logging system (how sshguard receives log messages to monitor)
  • the firewall (how sshguard blocks naughty addresses)

Since version 1.5, sshguard comes with the Log Sucker. With the Log Sucker, SSHGuard fetches log entries proactively, and handles transparently events like rotated log files and files disappearing and reappearing.


In the official documentation page there are instructions for many different firewalls, i’ll follow the instructions for netfilter/iptables.

sshguard does not have a configuration file. All configuration that has to be done is creating a chain named “sshguard” in the INPUT chain of iptables where sshguard automatically inserts rules to drop packets coming from bad hosts:

# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard

Now update the INPUT chain so it can pass all the traffic to sshguard, specify with –dport all the ports of services that you want to protect with sshguard. If you want to prevent attackers from doing any traffic to the host, remove the option completely:

# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
 
        -- or --
 
# block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard

If you do not currently use iptables and just want to get sshguard up and running without any further impact on your system, these commands will create and save an iptables configuration that does absolutely nothing except allowing sshguard to work:

# iptables -F
# iptables -X
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -N sshguard
# iptables -A INPUT -j sshguard
# /etc/rc.d/iptables save

Conclusions

And that’s all you need to do to have a basic installation of sshguard up and running, it will help you to have your ssh, ftp and other daemons a bit more secure.

Popular Posts:

flattr this!

  9 Responses to “Protect your server with SSHGuard”

  1. Hello,

    Here’s a perl script that i made quite some time ago to ban in real time ssh attackers.
    http://freecode.com/projects/sshdautoban
    or directly here:
    http://git.coredumb.net/cgit.cgi/coredumb/tree/sshdautoban/trunk/sshd_autoban.pl

    The goal is to forward your syslog-ng output to the script to let him ban adresses in real time whether by iptables or by hosts.deny.

    Concerning system usage: Around 4MB of ram while running 24/7 banning thousands of IPs

    Hope this helps,
    Coredumb

    • Hello Coredumb,

      Thanks for the contribution, i think that everything help and that GNU/Linux and Unix in general it’s fantastic because there are so many different ways to do the same thing, so your perl script is more than welcome as alternative.

      Best regards

  2. How is this different than fail2ban???

    • Same goal different implementation

      From their FAQ:

      Several people wrote and released some scripts for blocking brute force attacks against SSH. Sshguard was started to have something closer to the traditional UNIX daemon: a small application written in C. As a collateral service, it is appealing to have something running standalone, consuming as little memory and computational resources as possible, and not sensitive to the dependencies and the versioning incompatibilities of script interpreters.
      Sshguard was then progressively extended with more features. Today, some additional differentials from other tools include log validation, sophisticated whitelisting, touchiness, and automatic blacklisting.
      On the top of this, sshguard strives for ease of use and quality of documentation, and the team tries to be as responsive as possible to users.

  3. Well, if there is no configuration file and you cannot configure sshguard, just how the heck can you extend it—without having to editing source code—to match on custom log messages? The way it looks, it can’t do that, and thus falls short.

  4. What configuration could be used if the server has ufw installed?

  5. Well you can use fail2ban too and it is more universal, because it can be used for other services like apache, ftp etc. as well. Furthermore, i suggest to change ssh port if you fear bruteforces and so on. Correct me if I am wrong :)

  6. Ottimo articolo, guida molto utile! Non conoscevo SSHGuard e sarà il prossimo demone che installerò sul VPS!
    Se ti interessa uno scambio di link fammi sapere.
    Ciao

  7. Piccola integrazione: come al solito Mamma Debian ci semplifica la vita: il pacchetto di sshguard presente in Debian 7 Wheezy provvede già ad abilitare le regole del firewall tramite lo script init in /etc/init.d/sshguard.

    Quindi se uno non ha previsto un altro script che reimposti le regole di iptables, dopo l’installazione di sshguard non c’è bisogno di far nulla di più per abilitarlo. ;-)

 Leave a Reply

(required)

(required)


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>