Shortnote

SSHGuard offers protection from brute-force attempts for all major Linux services. Installing in Debian is performed by issuing:

aptitude install sshguard

This does not set up sshguard; it only installs the binaries.

Setup

SSHGuard needs a firewall configuration and a startup script so it will start automatically on Debian.

Firewall

For setting up the firewall, it is recommended to use the iptables-persistent package, installed with:

aptitude install iptables-persistent

Add the following sshguard rules to a shell script and execute it:

#!/bin/sh
iptables -N sshguard
ip6tables -N sshguard
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

Run the script and then check with:

iptables -L

that you have lines saying:

target     prot opt source               destination         
sshguard   all  --  anywhere             anywhere

and then commit the rules to /etc/iptables/rules using:

mkdir -p /etc/iptables/
iptables-save >/etc/iptables/rules

SSHGuard

First, create a directory to store a blacklist database:

mkdir -p /var/sshguard

Then, we place the sshguard script at /etc/init.d/sshguard which will be responsible for restarting sshguard.

There is a setting in the file you can change, namely on the line that says:

DAEMON_ARGS="-a 4 -b 5:/var/sshguard/blacklist.db -w 192.168.0.0/16 -i /var/run/$NAME.pid -l /var/log/auth.log"

this whitelists the 192.168.0.0/16 network with the option:

 -w 192.168.0.0/16

This means that any connection from the local network, such as from 192.168.1.0 or 192.168.0.1, will bypass all sshguard checks. It's a good idea to whitelist your local network.

Init Script

A System V compatible init script can be placed at /etc/init.d/sshguard so that sshguard will be relaunched on system restart. After placing the file at /etc/init.d/sshguard, the following command can be used to register it with the system on Debian:

update-rc.d sshguard defaults

Monit (optional)

Additionally, we can set up monit to make sure that sshguard stays up and running. Monit can be installed in Debian with:

aptitude install monit

and then, we place a configuration file for sshguard in /etc/monit/conf.d/sshguard with the contents from monit sshguard.

Checking with:

monit status

should show sshguard as running and monitored.

Postfix

sshguard is also able to block SMTP brute-force attempts, which produce Postfix log lines that look like:

Oct  4 09:04:58 sims postfix/smtpd[11393]: warning: unknown[141.221.9.21]: SASL LOGIN authentication failed: Invalid authentication mechanism

However, on some systems (such as Debian) these SASL brute-force messages appear in /var/log/mail.log instead of /var/log/auth.log. To make sshguard scan additional log files, including /var/log/mail.log, edit /etc/default/sshguard and add the file name to the LOGFILES directive:

# list of log files to scan delimited by space
LOGFILES="/var/log/auth.log /var/log/mail.log"

and then restart sshguard.
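As an added example (not from this page or from the SSHGuard project), the following Python script shows the detection logic the setup above relies on: it parses the Postfix SASL failure lines and sshd failed-password lines, skips sources inside the whitelisted 192.168.0.0/16 network, and reports the sources that reach a failure threshold. The sample log text is constructed, and reading -a 4 as "block after four failures" is an assumption of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log text in the two formats the page mentions: Postfix SASL
# failures (mail.log) and sshd failures (auth.log). Addresses are made up.
SAMPLE_LOG = """\
Oct  4 09:04:58 sims postfix/smtpd[11393]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: Invalid authentication mechanism
Oct  4 09:05:01 sims postfix/smtpd[11393]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Oct  4 09:05:03 sims sshd[11401]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct  4 09:05:09 sims sshd[11402]: Failed password for root from 203.0.113.7 port 51030 ssh2
Oct  4 09:06:00 sims sshd[11410]: Failed password for root from 192.168.1.20 port 40000 ssh2
Oct  4 09:06:01 sims sshd[11410]: Failed password for root from 192.168.1.20 port 40001 ssh2
Oct  4 09:06:02 sims sshd[11410]: Failed password for root from 192.168.1.20 port 40002 ssh2
Oct  4 09:06:03 sims sshd[11410]: Failed password for root from 192.168.1.20 port 40003 ssh2
Oct  4 09:06:10 sims sshd[11412]: Accepted publickey for alice from 198.51.100.5 port 2222 ssh2
"""

# One pattern per failure type; each captures the source address as "ip".
FAILURE_PATTERNS = [
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"),
    re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>[\d.]+) port \d+"),
]

def source_of_failure(line):
    """Return the source IP if the line is an authentication failure, else None."""
    for pattern in FAILURE_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("ip")
    return None

def offenders(log_text, threshold=4, whitelist=("192.168.0.0/16",)):
    """Map each non-whitelisted source that reached `threshold` failures to its count.
    The whitelist mirrors the page's -w 192.168.0.0/16; threshold=4 stands in for
    -a 4, which this example assumes means "block after four failures"."""
    nets = [ipaddress.ip_network(n) for n in whitelist]
    counts = Counter()
    for line in log_text.splitlines():
        ip = source_of_failure(line)
        if ip is None or any(ipaddress.ip_address(ip) in net for net in nets):
            continue  # not a failure line, or from a trusted network
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins, candidate for the sshguard chain")
```

Running it reports only 203.0.113.7; the four failures from 192.168.1.20 are ignored because that host falls inside the whitelisted network.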