Linux Commands

How to Block SSH Brute Force Attacks Using SSHGuard

SSH brute force attacks are a common hazard that we may face. These attacks use a series of continuous login attempts in order to acquire an unauthorized access. SSHGuard is a light weight software that is written in C language; this software defends the hosts against brute force attacks. This is accomplished via monitoring and collecting the system logs as well as discovering the attacks. The SSHGuard appears as a best protection.

Let us discuss about how to use the SSHGuard to protect our Linux server from SSH brute force attacks.

Definition of SSH Brute Force Attack

An SSH brute force attack is a hostile and persistent cyberattack that uses SSH to obtain an unauthorized access to a remote server or system. In this form of attack, the attacker uses automated scripts or manual attempts to guess the legitimate usernames and passwords in order to determine the proper combination. The “brute force” phrase refers to the attacker’s approach of testing different username and password combinations until they succeed.

A successful SSH brute force assault can have serious consequences including illegal access to sensitive data and overall system compromise. To defend ourselves against these attacks, we can use a software such as SSHGuard to identify and prevent these types of attacks.

How to Install SSHGuard on Linux

The initial step in securing our Linux server against SSH brute force attacks is the installation of SSHGuard. The process is very easy; we just have to type the following command for SSHGuard installation:

$ sudo apt install sshguard

After the installation, we can ensure that SSHGuard starts automatically. We can set it to run at system startup using the following commands:

$ sudo systemctl start sshguard

$ sudo systemctl enable sshguard

How to Configure SSHGuard on Linux

SSHGuard monitors our system logs such as the “/var/log/auth.log” log file as well as the “/var/log/secure” log file and many more files. SSHGuard monitors these files to identify the failed login attempts. Upon detecting the attempts, SSHGuard temporarily bans the remote host for a duration of 120 seconds. This ban duration increases exponentially with each successive failed login.

The behavior and parameters of SSHGuard can be changed by modifying its configuration file using any text editor.

$ sudo vi /etc/sshguard/sshguard.conf

Several important directives are available for customization within SSHGuard’s configuration file. The “BACKEND” directive is responsible for specifying the path to the firewall backend executable. The “BACKEND” directive plays a very important role to determine how SSHGuard interacts with the firewall system. The “THRESHOLD” directive allows us to set the attack score threshold at which SSHGuard will take action and block the potential attackers. Additionally, the “BLOCK_TIME” directive enables us to set the ban time in seconds after each failed login attempt.

Furthermore, the “DETECTION_TIME” directive is responsible to establish the period during which an attacker’s score is retained before it resets.

How to Block the SSH Brute Force Attacks with SSHGuard on Linux

Now, let us talk about how we can block the SSH brute force attacks with SSHGuard on Linux. Here, we are using the iptables as its firewall system. First, we need a root access to run the following commands:

We have to make a new chain rule for SSHguard within the iptables by typing the following command:

# iptables -N sshguard

Then, we have to update the “INPUT” chain to direct the incoming traffic to the SSHGuard chain.

# iptables -A INPUT -j sshguard

This command ensures that the incoming traffic passes through SSHGuard’s rules before proceeding further.

We can also block a specific port such as POP port by typing the following command:

# iptables -A INPUT -m multiport -p tcp --destination-ports 110 -j sshguard

The previous command makes sure that this port is protected against brute force attacks.

Finally, to apply the changes, we need to save the newly configured rules.

# iptables-save > /etc/iptables/iptables.rules


SSH brute force attacks are very much problematic. SSHGuard is a lightweight software that monitors and responds to unsuccessful login attempts to help defend the Linux systems against brute force assaults. By understanding this article, we can provide a safer and secure environment on Linux.

Similar Posts