👮Protect Your Linux System with SSHGuard | A Better Alternative to Fail2Ban⛓️💥
Discover how SSHGuard efficiently secures Linux servers while keeping logs tidy & outperforming Fail2Ban

Securing a Linux server against brute-force logins and other automated attacks is a routine task for system administrators. Fail2Ban is the best-known tool for it, but SSHGuard is a lighter alternative that is also easier on your logs. Where Fail2Ban matches log lines against user-editable regular-expression filters, SSHGuard ships a compiled parser that recognises a fixed set of services, and its nftables backend (nftables being the modern replacement for iptables) keeps blocked addresses in a dedicated table and set that it manages itself. Fail2Ban can also drive nftables through its nftables actions, but its stock banaction is iptables-based, so there the switch is a configuration step rather than the default.
In this article, we will explore how SSHGuard works, how to install and configure it on Debian and openSUSE, and why it is a compelling choice over Fail2Ban.
What is SSHGuard?
SSHGuard is a log-based intrusion prevention system that monitors logs for malicious activity, such as repeated failed login attempts or abnormal usage patterns. It dynamically blocks offending IP addresses using firewall rules, helping to mitigate brute-force and other automated attacks.
Unlike Fail2Ban, SSHGuard only understands the log formats of the services it supports (sshd plus a handful of mail and FTP daemons) and discards every other line, so it does less work per line than a general regex engine and needs almost no configuration.
Key Features of SSHGuard:
Efficient log parsing: monitors logs in real time with a small, fixed parser rather than per-line regular expressions.
Dynamic blocking: temporarily blocks offending addresses through firewall rules, for longer on each repeat offence.
Broad log compatibility: reads from syslog, rsyslog and journald (any log file, or any command that prints log lines).
Supports modern firewalls: fully compatible with nftables.
Self-maintenance: removes blocked addresses again once their block time expires.
Lightweight: minimal configuration and system resource usage.
Installing SSHGuard
Here's how you can install SSHGuard on Debian and openSUSE:
On Debian:
Update the package list:
sudo apt update
Install SSHGuard:
sudo apt install sshguard
On openSUSE:
Check first (for example with zypper's search) whether sshguard is already available from your standard repositories; if it is not, add the security repository. The path below is for Leap 15.4, so substitute your own release:
sudo zypper addrepo http://download.opensuse.org/repositories/security/openSUSE_Leap_15.4/security.repo
Refresh the repositories:
sudo zypper refresh
Install SSHGuard:
sudo zypper install sshguard
Configuring SSHGuard with nftables
SSHGuard integrates directly with nftables, the firewall framework current Linux distributions ship by default. Compared with the older iptables it offers a cleaner syntax, native sets (which is what SSHGuard uses to hold blocked addresses) and a single tool for IPv4 and IPv6.
Automatic Integration with nftables
When the sshguard service starts, its nftables backend creates its own table, set and chain for blocking, so you do not have to define these rules yourself. From then on SSHGuard adds an offending address to the set when it crosses the threshold and removes it again when the block expires. Note that this happens at service start, not at package installation: if the table is missing, the service is not running or is configured with a different backend.
Step 1: Configure SSHGuard
Open the SSHGuard configuration file. Upstream installs it as /etc/sshguard.conf; Debian ships it as /etc/sshguard/sshguard.conf:
sudo nano /etc/sshguard.conf
Set BACKEND to the absolute path of the nftables backend helper. A bare name such as "nftables" is not a valid value, and SSHGuard will fail to launch the backend:
BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"
The directory holding the helper differs between distributions (/usr/lib/sshguard is another common location), so confirm where your package put sshg-fw-nft-sets before saving. While editing, also point WHITELIST_FILE at a file listing your own management address or network, so a mistyped password from there can never lock you out. Save the file and restart the SSHGuard service to apply the changes:
sudo systemctl restart sshguard
Step 2: Verify nftables Rules
You can check the table and rules created by SSHGuard using:
sudo nft list ruleset
The output will include a table of SSHGuard's own, separate from your main firewall table. Depending on the version it is named ip sshguard and ip6 sshguard (one per address family) or inet sshguard; inside it you will find a set, typically named attackers, holding the blocked addresses, and a chain hooked on input that drops traffic from them. Because this table lives outside your own ruleset, anything that flushes the whole ruleset removes it: a reload of /etc/nftables.conf that begins with flush ruleset, as Debian's default file does, silently drops every blocked address until sshguard is restarted. Either flush only your own tables in that file, or add a systemd drop-in for sshguard.service with PartOf=nftables.service and After=nftables.service so it restarts whenever the firewall does.
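The configuration from Step 1 as a script, added here as an example that is neither the article's nor the SSHGuard project's code: it locates the nftables backend helper, renders an sshguard.conf that names it by absolute path, writes a whitelist for the administrator's own address, and checks the result the way sshguard itself reads the file (it is sourced by the shell). The backend directories, the whitelist path and the sample addresses are assumptions to adjust for your distribution and network.

```shell
#!/bin/sh
# Added example, not code from the article or from the SSHGuard project.
# Renders an sshguard.conf that points at the nftables backend by absolute
# path (the bare word "nftables" does not work) plus a whitelist, so the
# administrator's own address can never be blocked.

# Where distributions install the backend helpers (assumed; check yours).
BACKEND_DIRS="/usr/libexec/sshguard /usr/lib/sshguard /usr/lib64/sshguard"
# Optional prefix so the functions can be exercised against a scratch tree.
SEARCH_ROOT="${SEARCH_ROOT:-}"

# Print the absolute path of sshg-fw-nft-sets; fail if no copy is installed.
find_nft_backend() {
    for dir in $BACKEND_DIRS; do
        if [ -x "$SEARCH_ROOT$dir/sshg-fw-nft-sets" ]; then
            printf '%s\n' "$dir/sshg-fw-nft-sets"
            return 0
        fi
    done
    return 1
}

# Write an sshguard.conf to stdout. $1 = backend path, $2 = whitelist file.
# The three timing values are SSHGuard's own defaults, spelled out so the
# blocking policy is visible in the file.
render_conf() {
    cat <<EOF
# Firewall backend: absolute path to the nftables "sets" helper
BACKEND="$1"
# Block once an address accumulates 30 danger points (one failed login = 10)
THRESHOLD=30
# First block lasts 120 s; repeat offenders are blocked for longer
BLOCK_TIME=120
# Forget an address's score after 1800 s of silence
DETECTION_TIME=1800
# Addresses that must never be blocked, one IP, CIDR or hostname per line
WHITELIST_FILE=$2
EOF
}

# Write a whitelist to stdout, one entry per argument.
render_whitelist() {
    for entry in "$@"; do
        printf '%s\n' "$entry"
    done
}

# Sanity-check a rendered config the way sshguard will read it: the file is
# sourced by the shell, and BACKEND must be an executable absolute path.
check_conf() {
    sh -n "$1" || return 1
    backend=$(. "$1" && printf '%s' "$BACKEND")
    case "$backend" in
        /*) [ -x "$SEARCH_ROOT$backend" ] ;;
        *)  return 1 ;;
    esac
}

# Typical use on Debian (as root); the paths and addresses are assumptions:
#   render_conf "$(find_nft_backend)" /etc/sshguard/whitelist > /etc/sshguard/sshguard.conf
#   render_whitelist 192.0.2.10 198.51.100.0/24 > /etc/sshguard/whitelist
#   check_conf /etc/sshguard/sshguard.conf && systemctl restart sshguard
```

check_conf rejects exactly the mistake that is easy to make here: a BACKEND that is not an absolute path to an executable, which leaves the service unable to start its firewall helper.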
Why Choose SSHGuard Over Fail2Ban?
Performance: SSHGuard consumes fewer resources because it uses a compiled parser for a fixed set of log formats rather than evaluating regular expressions against every line.
Log Clarity: SSHGuard reports only scored attacks and blocks, keeping its own log output short and easy to read.
Ease of Use: with one configuration file and a handful of settings, SSHGuard is up and running quickly.
Better Integration with Modern Firewalls: Fail2Ban's stock banaction is iptables-based and nftables is something you configure; SSHGuard's nftables backend is a first-class option.
Lightweight Design: SSHGuard's streamlined architecture makes it an excellent choice for environments where simplicity and performance are priorities.
Monitoring and Testing SSHGuard
Monitoring:
You can monitor SSHGuard's activity using:
sudo journalctl -u sshguard
Each scored event appears as a line of the form Attack from "<address>" on service <n> with danger <points>, and a block as Blocking "<address>/32" for <seconds> secs. With the defaults, three failed logins (10 points each against THRESHOLD=30) within DETECTION_TIME trigger a 120-second block.
Testing:
Test from a machine whose address you can afford to have blocked for a couple of minutes, not from the session you administer the server with, and make sure your management address is in the whitelist first. Simulate a brute-force attempt by trying to SSH into the server with incorrect credentials several times, then check whether the offending IP is in SSHGuard's table (substitute the table family you saw in Step 2):
sudo nft list table inet sshguard
If the address is present you will also find the matching Blocking line in the journal; it leaves the set on its own when the block time runs out.
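To check what SSHGuard has actually done, both on the server and from the probing host, here is an added example that is not the article's or the project's code: it summarises the journal lines described above, enumerates SSHGuard's tables without assuming their family, and carries out the brute-force probe. The journal and nft samples in it are constructed (their formats are assumed to match current SSHGuard releases), and the target host and addresses are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from the SSHGuard project.
# Reads what SSHGuard wrote to the journal and what nft reports, and answers
# two questions: which addresses are being scored, and is a given address
# blocked right now.

# Constructed sample of `journalctl -u sshguard` output: three failures from
# 203.0.113.5 push it past THRESHOLD=30 and it is blocked. (Format assumed.)
SAMPLE_JOURNAL='Dec 01 10:00:01 host sshguard[714]: Attack from "203.0.113.5" on service 100 with danger 10.
Dec 01 10:00:04 host sshguard[714]: Attack from "203.0.113.5" on service 100 with danger 10.
Dec 01 10:00:05 host sshguard[714]: Attack from "198.51.100.7" on service 100 with danger 10.
Dec 01 10:00:09 host sshguard[714]: Attack from "203.0.113.5" on service 100 with danger 10.
Dec 01 10:00:09 host sshguard[714]: Blocking "203.0.113.5/32" for 120 secs (3 attacks in 8 secs, after 1 abuses over 8 secs.)'

# Constructed sample of `nft list table ip sshguard` after that block.
SAMPLE_RULESET='table ip sshguard {
    set attackers {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.5 }
    }
    chain blacklist {
        type filter hook input priority -10; policy accept;
        ip saddr @attackers drop
    }
}'

# Per-address count of scored events, from journal lines on stdin.
attack_counts() {
    awk -F'"' '/Attack from "/ { n[$2]++ } END { for (ip in n) print ip, n[ip] }' | sort
}

# Addresses (with prefix length) that SSHGuard reported blocking, from stdin.
blocked_addrs() {
    awk -F'"' '/Blocking "/ { print $2 }' | sort -u
}

# Exit 0 if address $1 appears as a whole token in nft output on stdin.
# -w keeps 203.0.113.5 from matching 203.0.113.50.
addr_in_ruleset() {
    grep -qFw -- "$1"
}

# Dump every table named sshguard, whatever its family (ip, ip6 or inet),
# so the check does not depend on how the backend names it. Needs root.
sshguard_ruleset() {
    nft list tables | awk '$3 == "sshguard" { print $2 }' | while read -r family; do
        nft list table "$family" sshguard
    done
}

# Run from a host whose address you can afford to have blocked: a few logins
# as a user that does not exist. Assumed: sshd logs each one as "Invalid
# user ...", which SSHGuard scores at 10 points, so the default THRESHOLD=30
# trips on the third attempt. $1 = target host (placeholder), $2 = attempts.
probe() {
    target="$1"; attempts="${2:-4}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        ssh -o BatchMode=yes -o StrictHostKeyChecking=no -o ConnectTimeout=5 \
            "nosuchuser$$@$target" true 2>/dev/null || true
        i=$((i + 1))
    done
}

# Offline demonstration on the constructed samples.
printf 'scored events per address:\n'
printf '%s\n' "$SAMPLE_JOURNAL" | attack_counts
printf 'blocked: %s\n' "$(printf '%s\n' "$SAMPLE_JOURNAL" | blocked_addrs)"
if printf '%s\n' "$SAMPLE_RULESET" | addr_in_ruleset 203.0.113.5; then
    printf '203.0.113.5 is in the sshguard table\n'
fi
# On the server after probe: sshguard_ruleset | addr_in_ruleset <probe host IP>
```

On the server, sshguard_ruleset piped into addr_in_ruleset with the probing host's address is the check that matters; the journal summary tells you whether the attempts were scored at all, which separates "SSHGuard did not see the log lines" from "SSHGuard saw them but the backend did not add the rule".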
Wrap-up
SSHGuard offers a lightweight, efficient, and modern approach to protecting your Linux systems from brute-force and other malicious attacks. By integrating seamlessly with nftables and focusing on log clarity, it provides a robust alternative to tools like Fail2Ban. Whether you’re running a Debian or openSUSE server, SSHGuard is easy to set up and maintain, making it an excellent choice for system administrators looking to enhance their server security.




