March 6, 2007

sshguard: Protection for OpenSSH

Author: Joe Barr

Are you concerned about brute force dictionary attacks on SSH? Given the popularity of these attacks, you should be. sshguard is a new tool to help protect against such attacks. Although it is still in beta stage, it appears to work well.

OpenSSH provides a secure alternative to clear-text logins used by first-generation network protocols like Telnet and FTP. But it's not enough simply to use SSH instead of Telnet -- you have to use it wisely. If you use weak passwords with SSH, a brute force dictionary attack will reveal your secrets as easily as if your password were sent in clear text.

sshguard protects you from brute force attacks on port 22. It watches SSH login attempts and inserts a rule in your firewall to block the IP addresses of attackers. By default, sshguard blocks an attacker after four unsuccessful attempts within a 20-minute period. Blocked IP addresses are allowed past the firewall again after a random interval of between 7 and 10.5 minutes.
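To make the default policy concrete, here is an added example (not sshguard's own code) that replays the same logic over a few constructed auth.log lines: count "Failed password" entries per source address inside a sliding 20-minute window, block on the fourth, and release after a random 7-to-10.5-minute hold. The syslog-style line format, the host name "desk" and the addresses are assumptions for the sample; the script only prints the iptables rules it would issue and never touches the firewall.

```python
"""Sliding-window brute-force detector using the article's sshguard defaults.

Added example, not sshguard's own code. Sample log lines are constructed.
"""
import random
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The article's stated sshguard defaults.
MAX_FAILURES = 4
WINDOW = timedelta(minutes=20)
RELEASE_MIN = timedelta(minutes=7)
RELEASE_MAX = timedelta(minutes=10, seconds=30)

# Classic syslog-style sshd failure line as written to /var/log/auth.log (assumed format).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one fast attacker (10.0.0.5) and one slow one (10.0.0.9)
# whose four failures are spread over more than 20 minutes.
SAMPLE_LOG = """\
Mar  6 10:00:01 desk sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Mar  6 10:00:05 desk sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Mar  6 10:00:09 desk sshd[2003]: Accepted publickey for joe from 192.168.1.20 port 50000 ssh2
Mar  6 10:00:12 desk sshd[2004]: Failed password for root from 10.0.0.5 port 40003 ssh2
Mar  6 10:00:16 desk sshd[2005]: Failed password for root from 10.0.0.5 port 40004 ssh2
Mar  6 10:01:00 desk sshd[2006]: Failed password for root from 10.0.0.9 port 41001 ssh2
Mar  6 10:08:00 desk sshd[2007]: Failed password for root from 10.0.0.9 port 41002 ssh2
Mar  6 10:16:00 desk sshd[2008]: Failed password for root from 10.0.0.9 port 41003 ssh2
Mar  6 10:25:00 desk sshd[2009]: Failed password for root from 10.0.0.9 port 41004 ssh2
"""


class Guard:
    def __init__(self, year=2007, rng=None):
        self.year = year                    # syslog timestamps carry no year
        self.rng = rng or random.Random()
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked = {}                   # ip -> datetime when the block expires
        self.hold_seconds = {}              # ip -> length of the hold that was chosen

    def parse(self, line):
        """Return (timestamp, source ip) for a failed-login line, else None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"]

    def hold_for(self, ip):
        """Seconds an address was held, always between 7 and 10.5 minutes."""
        return self.hold_seconds[ip]

    def feed(self, line):
        """Process one log line; return a list of ('block'|'release', ip) events."""
        events = []
        parsed = self.parse(line)
        if parsed is None:
            return events
        now, ip = parsed
        # The log's own timestamps serve as the clock: release expired holds first.
        for addr, release_at in list(self.blocked.items()):
            if release_at <= now:
                del self.blocked[addr]
                events.append(("release", addr))
        if ip in self.blocked:
            return events  # the firewall is already dropping this source
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > WINDOW:  # forget failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            hold = RELEASE_MIN + (RELEASE_MAX - RELEASE_MIN) * self.rng.random()
            self.blocked[ip] = now + hold
            self.hold_seconds[ip] = hold.total_seconds()
            q.clear()
            events.append(("block", ip))
        return events


def run(log_text, seed=None):
    """Replay a log through a Guard; return the events and the guard state."""
    guard = Guard(rng=random.Random(seed))
    events = []
    for line in log_text.splitlines():
        for action, ip in guard.feed(line):
            events.append((action, ip))
            # Dry run: show the rule sshguard would push into its own chain.
            flag = "-A" if action == "block" else "-D"
            print(f"iptables {flag} sshguard -s {ip} -j DROP")
    return events, guard


if __name__ == "__main__":
    run(SAMPLE_LOG)
```

Run as-is and the fast attacker is blocked on its fourth failure at 10:00:16 and released by the time the 10:16:00 line arrives, while the slow attacker never accumulates four failures inside any 20-minute window. That second case is worth noticing: a counter with a window is only as good as the window, so an adversary pacing attempts at one per eight minutes is never blocked by these defaults.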


Here's how to install sshguard on a typical Linux system. Download the latest version and decompress it with the command tar xjf sshguard-0.9.tar.bz2. From there the installation instructions vary by platform, so peruse the README you'll find in the sshguard-0.9 directory, even if you're following the instructions here.

To compile sshguard, enter the command make FIREWALLTYPE=iptables. Once it's compiled, install it by running as root the command make FIREWALLTYPE=iptables install.

About the author

Michele Mazzucchi, a 24-year-old IT consultant and graduate student from Italy, says he created sshguard because "none of the tools available were good enough for me: not cross-firewall, or too intrusive into the system, or poorly reliable, or combinations of these."

In the future he plans to add things like:

  • more firewall back ends (such as remote appliances)
  • support for hostnames in log entries instead of simple IP addresses
  • context-free "attack" specifications

Michele says he is looking for people to help package the project for the most popular platforms. He is doing the FreeBSD port himself, but he needs help with packaging for Debian, Gentoo, Fedora, and others. You can contact him via the project homepage.

There are still three things you need to do before sshguard is ready to use. First, create a new dynamic rule for sshguard for iptables. Enter these commands as root:

iptables -N sshguard
iptables -A INPUT -p tcp --dport 22 -j sshguard

Now make sure sshguard learns of login attempts. There's more than one way to do this (see the README), but let's try what the developers say is the easiest, most efficient way, by using the tail command:

tail -n0 -F /var/log/auth.log | /usr/local/sbin/sshguard &

You'll want to make the tail command survive a reboot. On a single-user system like mine, you can add the command to the .bashrc file in your home directory. For multi-user systems, consult your local sysadmin.

Lastly, since sshguard needs to be able to tell iptables to add and drop dynamic rules, it needs permission to do so. Use the chmod command to set the setuid bit so the program runs as root, its owner:

chmod +s /usr/local/sbin/sshguard
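One thing to check once the chain is in place is rule order: the article appends the jump with iptables -A, so if INPUT already held an ACCEPT for port 22 higher up, packets would match that first and the sshguard chain would never see them. The following added checker (not part of sshguard) reads the text of iptables-save, which is assumed to be piped in on stdin on a real host, and reports whether the sshguard chain exists and whether INPUT jumps to it before any ACCEPT for SSH. The three rule sets embedded below are constructed samples.

```python
"""Sanity-check the iptables wiring the article sets up for sshguard.

Added example, not part of sshguard. Feed it `iptables-save` output on stdin,
or run it without input to exercise the constructed samples below.
"""
import re
import sys

JUMP_RE = re.compile(r"^-A (?P<chain>\S+) .*-j (?P<target>\S+)")

# Constructed samples of iptables-save output.
GOOD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

BAD_ORDER = """\
*filter
:INPUT DROP [0:0]
:sshguard - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
COMMIT
"""

NO_CHAIN = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def _mentions_ssh(rule):
    return "--dport 22" in rule or "--dport ssh" in rule


def check_iptables_save(text):
    """Return a list of findings; an empty list means the wiring looks right."""
    findings = []
    chains = set()
    input_rules = []  # (rule text, jump target) in INPUT, in order
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]      # '*filter' starts the filter table section
            continue
        if table != "filter":
            continue              # sshguard only lives in the filter table
        if line.startswith(":"):
            chains.add(line[1:].split()[0])  # ':sshguard - [0:0]' -> 'sshguard'
        elif line.startswith("-A "):
            m = JUMP_RE.match(line)
            if m and m["chain"] == "INPUT":
                input_rules.append((line, m["target"]))
    if "sshguard" not in chains:
        findings.append("chain 'sshguard' is missing (iptables -N sshguard)")
    jump_pos = accept_pos = None
    for i, (rule, target) in enumerate(input_rules):
        if target == "sshguard" and jump_pos is None:
            jump_pos = i
        if target == "ACCEPT" and _mentions_ssh(rule) and accept_pos is None:
            accept_pos = i
    if jump_pos is None:
        findings.append("INPUT never jumps to sshguard for tcp/22")
    elif accept_pos is not None and accept_pos < jump_pos:
        findings.append(
            "an ACCEPT for port 22 precedes the sshguard jump; "
            "insert the jump with -I INPUT so it is evaluated first"
        )
    return findings


if __name__ == "__main__":
    if sys.stdin.isatty():
        for name, sample in (("GOOD", GOOD), ("BAD_ORDER", BAD_ORDER), ("NO_CHAIN", NO_CHAIN)):
            print(name, check_iptables_save(sample) or ["ok"])
    else:
        print(check_iptables_save(sys.stdin.read()) or ["ok"])
```

On a live host run it as root with iptables-save | python3 check_sshguard_rules.py (the file name is yours to choose). The ESTABLISHED rule in the second sample is deliberately not flagged: it carries no port match, and letting existing sessions through ahead of the sshguard jump is the usual and harmless arrangement.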

Does it work?

Now you're ready to test the program. Restart sshd with the command sudo /usr/sbin/sshd, then use SSH to log into your test machine from another machine. That login attempt will, if the installation has gone correctly, kick start sshguard into action. Verify that it has by entering the following command and checking for an instance of sshguard running. It should look something like this:

ps ax | grep sshguard
27729 pts/1  Sl   0:00 /usr/local/sbin/sshguard

I tested from another machine on my LAN, purposely entering an invalid password at each prompt. After four such attempts, I could no longer reach the sshguarded desktop box from the machine I was testing on, just as advertised. A few minutes later, I could once again try to log in. The dynamic blocking rules for iptables appeared to work just as they should.

sshguard's documentation is a bit sparse at this point in the program's development, but the tool is nevertheless usable. If you've been looking for a way to handle SSH brute force attacks, sshguard is a good place to start.
