Protecting SSH against brute force attacks

Running a public AWS instance is always asking for unexpected trouble from script kiddies and bots trying to find a vector in to compromise your server.
Sshguard ( monitors your log and alters your IPtables firewall accordingly to help keep persistent brute force attackers at bay.

1. Download the latest version from @

wget -O sshguard-1.5.tar.bz2

2. Unpack

tar jxvf sshguard-1.5.tar.bz2

3. Configure + Make

cd sshguard-1.5
./configure --with-firewall=iptables

4. Install (to /usr/local/sbin/sshguard)

sudo make install

5. /etc/init.d/sshguard (chmod 0755)

! /bin/sh
# this is a concept, elaborate to your taste
case $1 in
/usr/local/sbin/sshguard -a 4 -b 5:/var/sshguard/blacklist.db -l
     /var/log/auth.log &
killall sshguard
echo "Use start or stop"
exit 1

6. /etc/iptables.up.rules

# Firewall
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -p udp --source-port 53 -d 0/0 -j ACCEPT
# Completed

7. Read in the IPtables rules

iptables-restore < /etc/iptables.up.rules

8. Start Sshguard

mkdir /var/sshguard&&/etc/init.d/sshguard start


tail -f /var/log/auth.log
iptables -L -n


5 comments on “Protecting SSH against brute force attacks

    • Yes, this doesn’t preclude any extra defences… but sometimes the origin IP of your SSH client isn’t consistent – think non-static (DHCP) assigned address on an ADSL line, or 20+ support staff accessing AWS instances from home (where the route of your SSH won’t go over your VPN session unless you hopped from an internal trusted box).

  1. i use fail2ban to do just this. the beauty about this app is that it can monitor multiple services/log files and be provided with regex to match hostnames and authentication failures.

    failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from \s*$

    action = iptables[name=SSH, port=22, protocol=tcp]
    sendmail-whois[name=SSH,, sender=fail2ban@server.hostname]

    works very well.

  2. I’m getting an error during the install. I config in the directory “–with-firewall=iptables” which works fine, then I go to install with “make install” and get a bunch of “Entering directory, nothing to be done for …, leaving directory” and no file is present for /etc/init.d/sshguard. I wonder why this is….

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s