
How to install sshguard (with email notifications)

Bob Kfir
May 22, 2018 · 2 min read

sshguard is a nice, smaller alternative to fail2ban that serves the same purpose: stop people and bots from brute-forcing their way into your server. The biggest difference is that sshguard uses significantly fewer resources than fail2ban, largely because it is a compiled C program while fail2ban is written in Python and runs under an interpreter.

Installing sshguard

While you can just install with a simple:

sudo apt install sshguard

I found that this does not give the flexibility I want. I cannot configure sshguard to send emails upon blocking an IP, and the version in the repositories did not seem to actually block IP addresses. So, I decided to build it from the source, which wasn't hard at all. Two things to know first: the shortlink below hides where the tarball really comes from, so fetch the release from the sshguard project page instead and check its checksum or signature before building anything you will run as root; and you need a C compiler and make (plus flex and bison if the tarball you have does not ship the generated parser). Then run the following:

cd /tmp
wget https://goo.gl/DfBv9M -O sshguard.tar.gz
tar xzvf sshguard.tar.gz
cd sshguard-2.1.0/
./configure --prefix=/usr/local
make
sudo make install

Configuration

Now, cd to /usr/local/libexec and edit the sshg-fw-iptables file to your liking. Whatever you add there runs as root, synchronously, inside the backend's command loop (a slow lookup in fw_block delays every block that follows), so keep it quick or push it into the background, and quote the address argument. I added:

printf "Dear $(hostname) admin,\nThe ip address $1 has tried to hack into your VPS. sshguard has blocked it, and here is some IP info:\n\n$(/usr/local/bin/iplookup "$1" silent)\n\nIf you would like to report this IP, click on the following link: https://www.abuseipdb.com/report?ip=$1\n\nRegards,\nYour Linux VPS" | mail -s "$1 blocked by sshguard" -a "From: VPS<sshguard@$(hostname)>" admin@yourdomain.com

to the fw_block function. This uses my iplookup script and sends an email containing a link to report the IP. One caveat: -a means "add a header" in bsd-mailx but "attach a file" in heirloom-mailx and s-nail, so check which mail command your system actually has before relying on that From header.

Next, copy the sample config file:

sudo cp /tmp/sshguard-2.1.0/examples/sshguard.conf.sample /usr/local/etc/sshguard.conf

and edit it to your liking. Be sure to at least set the following:

BACKEND="/usr/local/libexec/sshg-fw-iptables"
FILES="/var/log/auth.log"

and everything else can stay the default. (If your system logs only to journald and has no /var/log/auth.log, sshguard 2.x can read from a command instead via the LOGREADER option in the same file.) Now, to add this as a service, run:

sudo cp /tmp/sshguard-2.1.0/examples/sshguard.service /lib/systemd/system/sshguard.service

and comment out the following line. It is what creates the sshguard chain each time the service starts (the leading - tells systemd to ignore its failure), so once it is gone the chain has to exist before sshguard starts, which is what the iptables section below sets up:

ExecStartPre=-/usr/sbin/iptables -N sshguard

Now, run:

sudo systemctl daemon-reload

and restart the service:

sudo service sshguard restart

To get sshguard to start on boot, just run:

sudo systemctl enable sshguard

To check up on how sshguard is doing, just run:

sudo service sshguard status

This shows the service state together with its most recent log lines, which include the addresses sshguard has seen attacking your server and the ones it has blocked.

Update: I have disabled email notifications because sshguard will send multiple notifications for the same IP (each time it is blocked after being unblocked). This is not sshguard's fault, but it got really annoying. Blocks in sshguard expire after a while, and the same address is blocked again on its next attempt, so a hook that mails on every fw_block call will keep mailing unless it remembers which addresses it has already reported.
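Here is a version of the fw_block notification hook that addresses the repeat-mail problem from the update above. It is an added example, not sshguard's own code and not the script from the Configuration section; the state directory, the NOTIFY_* variables and the function names are my own invention. It records, per address, when a notice last went out and only mails again after a window has passed, validates the address before using it in a file name or mail header, and sends the mail in the background so the backend's command loop is not held up.

```shell
#!/bin/sh
# Added example (not sshguard's own code): a fw_block notification hook
# that emails once per address per window instead of on every re-block.
# All names below are hypothetical; adjust them to your setup.

NOTIFY_STATE_DIR="${NOTIFY_STATE_DIR:-/var/lib/sshguard-notify}"  # one stamp file per address
NOTIFY_WINDOW="${NOTIFY_WINDOW:-86400}"                            # seconds between notices for one address
NOTIFY_TO="${NOTIFY_TO:-admin@yourdomain.com}"

# is_addr ADDR: accept only characters that can appear in an IPv4 or
# IPv6 literal, so nothing else ever reaches a file name or mail header.
is_addr() {
    case "$1" in
        "" | *[!0-9a-fA-F:.]*) return 1 ;;
    esac
    return 0
}

# should_notify ADDR NOW: return 0 and record NOW (epoch seconds) if no
# notice went out for ADDR within NOTIFY_WINDOW; return 1 otherwise.
should_notify() {
    addr=$1
    now=$2
    is_addr "$addr" || return 1
    mkdir -p "$NOTIFY_STATE_DIR" || return 1
    stamp="$NOTIFY_STATE_DIR/$addr"
    if [ -f "$stamp" ]; then
        last=$(cat "$stamp")
        [ $((now - last)) -lt "$NOTIFY_WINDOW" ] && return 1
    fi
    printf '%s\n' "$now" > "$stamp"
    return 0
}

# block_notice ADDR: the message body, kept separate so it can be
# inspected without sending anything.
block_notice() {
    printf 'Dear %s admin,\n\nsshguard has blocked %s after repeated failed logins.\n' \
        "$(uname -n)" "$1"
    printf 'To report it: https://www.abuseipdb.com/report?ip=%s\n' "$1"
}

# notify_block ADDR: what fw_block would call after inserting its rule.
# The mail is sent in the background so the backend is not blocked on it.
notify_block() {
    should_notify "$1" "$(date +%s)" || return 0
    ( block_notice "$1" | mail -s "$1 blocked by sshguard" "$NOTIFY_TO" ) &
}
```

To use it, source the file from sshg-fw-iptables and add notify_block "$1" to the end of fw_block; the state directory must be writable by the user the backend runs as (root, in this setup). A blocked address that comes back after the window has passed gets one fresh notice, which is usually the information you actually want.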

iptables

Now, you need to configure the iptables rules. This is fairly simple; all you need is to run the following:

sudo iptables -N sshguard
sudo iptables -I INPUT -j sshguard
sudo ip6tables -N sshguard
sudo ip6tables -I INPUT -j sshguard

The -N commands create the sshguard chain that the backend inserts its DROP rules into, and -I INPUT puts a jump to that chain at the top of INPUT, so a blocked address is dropped before any accept rule gets a look at it. These rules live only in kernel memory: after a reboot you have to recreate them (with iptables-persistent/netfilter-persistent, or by putting the commands back into the unit as ExecStartPre lines), otherwise sshguard's backend has no chain to write to.
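Because the chain and the jump have to be there on every boot but must not be added twice, the setup is better expressed as a check-then-create step. The following is an added example, not part of sshguard or of the article's instructions; the function name and the habit of passing the iptables binary as an argument (so the same function serves ip6tables) are my own, and /usr/sbin/iptables is an assumed path.

```shell
#!/bin/sh
# Added example (not sshguard's own code): create the sshguard chain and
# the jump from INPUT only if they are missing, so this is safe to run at
# every boot or service start. The iptables binary is passed in so the
# same function covers both address families.

# ensure_sshguard_chain IPTABLES_BIN
ensure_sshguard_chain() {
    ipt=$1
    # -w waits for the xtables lock instead of failing when another
    # iptables process holds it (iptables 1.4.20 and later).
    # Listing a chain fails when it does not exist, and -C fails when the
    # rule does not exist; only in those cases is anything created.
    "$ipt" -w -n -L sshguard >/dev/null 2>&1 || "$ipt" -w -N sshguard
    "$ipt" -w -C INPUT -j sshguard 2>/dev/null || "$ipt" -w -I INPUT -j sshguard
}

# Run directly as root with --apply to set up both address families.
if [ "${1:-}" = "--apply" ]; then
    ensure_sshguard_chain /usr/sbin/iptables
    ensure_sshguard_chain /usr/sbin/ip6tables
fi
```

Save it somewhere like /usr/local/sbin and call it with --apply from an ExecStartPre line in sshguard.service (or from whatever runs your firewall at boot). Running it again is harmless, which is exactly what a start-up hook needs.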

Sources: sshguard

Bob Kfir’s Tech Blog

A technology blog with an emphasis on cybersecurity and privacy.


Written by

Bob Kfir

I’m a writer and a programmer. Most of what I write is about technology (often privacy and cybersecurity) and/or writing. You can learn more at www.bobkfir.com
