# 👮Protect Your Linux System with SSHGuard | A Better Alternative to Fail2Ban⛓️‍💥

Securing your Linux server against brute-force attacks and malicious login attempts is a critical task for system administrators. Tools like Fail2Ban are well-known for this purpose, but SSHGuard provides an efficient, lightweight alternative that is particularly adept at keeping your logs clean. Unlike Fail2Ban, which relies heavily on regular expression parsing, SSHGuard integrates seamlessly with `nftables` (the modern replacement for `iptables`) and offers high performance with minimal configuration.

In this article, we will explore how SSHGuard works, how to install and configure it on Debian and openSUSE, and why it is a compelling choice over Fail2Ban.

---

### What is SSHGuard?

SSHGuard is a log-based intrusion prevention system that monitors logs for malicious activity, such as repeated failed login attempts or abnormal usage patterns. It dynamically blocks offending IP addresses using firewall rules, helping to mitigate brute-force and other automated attacks.

Unlike Fail2Ban, SSHGuard is designed to consume fewer resources and focuses only on relevant security logs, ensuring better performance and more straightforward operation.

#### Key Features of SSHGuard:

* **Efficient log parsing**: Monitors logs in real-time without overloading the system.
    
* **Dynamic blocking**: Temporarily blocks offending IPs using firewall rules.
    
* **Broad log compatibility**: Works with various logging systems, including `syslog`, `rsyslog`, and `journald`.
    
* **Supports modern firewalls**: Fully compatible with `nftables`.
    
* **Self-maintenance**: Cleans up stale IPs after their block duration expires.
    
* **Lightweight**: Minimal configuration and system resource usage.
    

---

### Installing SSHGuard

Here’s how you can install SSHGuard on Debian and openSUSE:

#### On Debian:

1. Update the package list:
    
    ```plaintext
    sudo apt update
    ```
    
2. Install SSHGuard:
    
    ```plaintext
    sudo apt install sshguard
    ```
    

#### On openSUSE:

1. Add the necessary repository if it’s not already available:
    
    ```plaintext
    sudo zypper addrepo http://download.opensuse.org/repositories/security/openSUSE_Leap_15.4/security.repo
    ```
    
2. Refresh the repositories:
    
    ```plaintext
    sudo zypper refresh
    ```
    
3. Install SSHGuard:
    
    ```plaintext
    sudo zypper install sshguard
    ```
    

---

### Configuring SSHGuard with nftables

SSHGuard integrates directly with `nftables`, which is the preferred firewall framework for modern Linux distributions. Unlike the older `iptables`, `nftables` offers better performance, easier syntax, and advanced features.

#### Automatic Integration with nftables

When SSHGuard is installed, it automatically creates the necessary `nftables` table and chains for blocking IPs. This means you don’t need to manually define these rules as part of the setup process. The default configuration ensures that SSHGuard dynamically adds and removes offending IP addresses from the firewall rules.

#### Step 1: Configure SSHGuard

1. Open the SSHGuard configuration file:
    
    ```plaintext
    sudo nano /etc/sshguard.conf
    ```
    
2. Ensure the backend is set to `nftables`:
    
    ```plaintext
    BACKEND="nftables"
    ```
    
3. Save the file and restart the SSHGuard service to apply changes:
    
    ```plaintext
    sudo systemctl restart sshguard
    ```
    

#### Step 2: Verify nftables Rules

You can check the `nftables` table and rules created by SSHGuard using:

```plaintext
sudo nft list ruleset
```

The output will show a dedicated table and chain for SSHGuard, such as `inet sshguard`, where offending IP addresses are dynamically managed.

---

### Why Choose SSHGuard Over Fail2Ban?

1. **Performance**: SSHGuard is highly efficient and consumes fewer resources because it doesn’t rely on complex regex-based log parsing.
    
2. **Log Clarity**: SSHGuard focuses only on security-related entries, keeping logs clean and easy to manage.
    
3. **Ease of Use**: With minimal setup, SSHGuard is up and running quickly.
    
4. **Better Integration with Modern Firewalls**: While Fail2Ban still relies heavily on `iptables`, SSHGuard has seamless support for `nftables`.
    
5. **Lightweight Design**: SSHGuard’s streamlined architecture makes it an excellent choice for environments where simplicity and performance are priorities.
    

---

### Monitoring and Testing SSHGuard

#### Monitoring:

You can monitor SSHGuard’s activity using:

```plaintext
sudo journalctl -u sshguard
```

#### Testing:

Simulate a failed login attempt by attempting to SSH into your server with incorrect credentials multiple times. Then check whether the offending IP is blocked:

```plaintext
sudo nft list table inet sshguard
```

---

### Wrap

SSHGuard offers a lightweight, efficient, and modern approach to protecting your Linux systems from brute-force and other malicious attacks. By integrating seamlessly with `nftables` and focusing on log clarity, it provides a robust alternative to tools like Fail2Ban. Whether you’re running a Debian or openSUSE server, SSHGuard is easy to set up and maintain, making it an excellent choice for system administrators looking to enhance their server security.

---
