
How to Block SSH Brute Force Attacks Using SSHGuard

SSH brute force attacks are a common hazard. They consist of a continuous series of login attempts intended to gain unauthorized access. SSHGuard is a lightweight program written in C that defends hosts against such attacks: it monitors the system logs, detects the attack patterns in them and blocks the offending hosts. It is one of the best protections available for this purpose.

Let us discuss how to use SSHGuard to protect our Linux server from SSH brute force attacks.

Definition of SSH Brute Force Attack

An SSH brute force attack is a hostile and persistent cyberattack that uses SSH to obtain unauthorized access to a remote server or system. In this form of attack, the attacker uses automated scripts or manual attempts to guess legitimate usernames and passwords until the proper combination is found. The phrase “brute force” refers to the attacker’s approach of testing different username and password combinations until one succeeds.

A successful SSH brute force attack can have serious consequences, including illegal access to sensitive data and complete system compromise. To defend against these attacks, we can use software such as SSHGuard to identify and block them.

How to Install SSHGuard on Linux

The initial step in securing our Linux server against SSH brute force attacks is installing SSHGuard. The process is very easy; on a Debian-based system, we just have to type the following command:

$ sudo apt install sshguard

After the installation, we can make sure that SSHGuard starts now and automatically at every system startup using the following commands:

$ sudo systemctl start sshguard

$ sudo systemctl enable sshguard

How to Configure SSHGuard on Linux

SSHGuard monitors our system logs, such as the “/var/log/auth.log” and “/var/log/secure” log files among others, to identify failed login attempts. Upon detecting the attempts, SSHGuard temporarily bans the remote host for 120 seconds. This ban duration increases exponentially each time the same host offends again.

The behavior and parameters of SSHGuard can be changed by editing its configuration file with any text editor:

$ sudo vi /etc/sshguard/sshguard.conf

Several important directives are available for customization in SSHGuard’s configuration file. The “BACKEND” directive specifies the path to the firewall backend executable and therefore determines how SSHGuard interacts with the firewall. The “THRESHOLD” directive sets the attack score at which SSHGuard takes action and blocks the potential attacker. Additionally, the “BLOCK_TIME” directive sets the initial ban time in seconds for an attacker that has been blocked.

Furthermore, the “DETECTION_TIME” directive sets the period during which an attacker’s score is retained before it resets.
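To make the interaction of these directives concrete, here is a simplified model of the scoring and banning behavior, added as an illustration and not SSHGuard's own code. It assumes the 120-second first ban from this page, SSHGuard's default THRESHOLD of 30 and DETECTION_TIME of 1800 seconds, an assumed 10 points per failed login, and constructed auth.log lines.

```python
import re
from datetime import datetime

# 120 s first ban is from the page; 30 and 1800 are SSHGuard's documented
# defaults; 10 points per failed login is an assumed weight for this model.
THRESHOLD, BLOCK_TIME, DETECTION_TIME, ATTACK_SCORE = 30, 120, 1800, 10

# Matches sshd "Failed password" lines in auth.log format: timestamp and source IP
FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port"
)

# Constructed sample lines (not real traffic): 203.0.113.5 fails three times, is
# banned and comes back later; 198.51.100.7 fails once, then twice after a long gap
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 50100 ssh2
Jan 10 10:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 50101 ssh2
Jan 10 10:00:05 host sshd[103]: Failed password for root from 203.0.113.5 port 50102 ssh2
Jan 10 10:00:07 host sshd[104]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 10 10:00:09 host sshd[105]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 10:40:00 host sshd[106]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Jan 10 10:40:02 host sshd[107]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Jan 10 10:45:00 host sshd[108]: Failed password for root from 203.0.113.5 port 50103 ssh2
Jan 10 10:45:02 host sshd[109]: Failed password for root from 203.0.113.5 port 50104 ssh2
Jan 10 10:45:04 host sshd[110]: Failed password for root from 203.0.113.5 port 50105 ssh2
"""

def simulate(log_text, year=2024):
    # Returns (ip, ban_time, ban_seconds) tuples in the order the bans would occur
    state, bans = {}, []  # state: ip -> {"score", "last", "bans"}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and other noise never add score
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        s = state.setdefault(ip, {"score": 0, "last": ts, "bans": 0})
        # DETECTION_TIME: a host that stayed quiet long enough starts from zero again
        if (ts - s["last"]).total_seconds() > DETECTION_TIME:
            s["score"] = 0
        s["score"] += ATTACK_SCORE
        s["last"] = ts
        if s["score"] >= THRESHOLD:
            # Block, doubling the ban for every previous ban of the same host
            bans.append((ip, ts, BLOCK_TIME * 2 ** s["bans"]))
            s["bans"] += 1
            s["score"] = 0
    return bans
```

Calling simulate(SAMPLE_LOG) yields two bans for 203.0.113.5, 120 s and then 240 s, while 198.51.100.7 never reaches the threshold because its first failure has expired by the time the next two arrive.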

How to Block the SSH Brute Force Attacks with SSHGuard on Linux

Now, let us see how to block SSH brute force attacks with SSHGuard on Linux using iptables as the firewall backend. Root access is required to run the following commands.

First, we create a new chain for SSHGuard within iptables:

# iptables -N sshguard

Then, we update the “INPUT” chain to direct incoming traffic to the SSHGuard chain:

# iptables -A INPUT -j sshguard

This rule ensures that incoming traffic passes through SSHGuard’s rules before proceeding further.

We can also protect a specific port, such as the POP3 port (110), by directing only that traffic to the chain:

# iptables -A INPUT -m multiport -p tcp --destination-ports 110 -j sshguard

This rule makes sure that connections to that port are protected against brute force attacks.

Finally, we save the newly configured rules so that they persist across reboots (the rules file path depends on the distribution):

# iptables-save > /etc/iptables/iptables.rules

Conclusion

SSH brute force attacks are a serious problem. SSHGuard is a lightweight program that monitors and responds to unsuccessful login attempts to help defend Linux systems against brute force attacks. By following this article, we can provide a safer and more secure environment on Linux.
