How to install sshguard (with email notifications)

sshguard is a nice, smaller alternative to fail2ban that serves the same purpose: stop people and bots from brute-forcing their way into your server. The biggest difference is that sshguard uses significantly less resources than fail2ban, which I believe is due to the fact that it’s written in C, and is compiled rather than interpreted.

Installation

While you can just install with a simple:

sudo apt install sshguard

I found that this does not give the flexibility I want. I cannot configure sshguard to send emails upon blocking an IP, and the version in the repositories did not seem to actually block IPs. So, I built it from source, which wasn't hard at all. Just run the following:

cd /tmp
wget https://goo.gl/DfBv9M -O sshguard.tar.gz
tar xzvf sshguard.tar.gz
cd sshguard-2.1.0/
./configure --prefix=/usr/local
make
sudo make install

Configuration

Now, go to /usr/local/libexec, and edit the sshg-fw-iptables file to your liking. I added:

printf "Dear $(hostname) admin,\nThe ip address $1 has tried to hack into your VPS. sshguard has blocked it, and here is some IP info:\n\n$(/usr/local/bin/iplookup $1 silent)\n\nIf you would like to report this IP, click on the following link: https://www.abuseipdb.com/report?ip=$1\n\nRegards,\nYour Linux VPS" | mail -s "$1 blocked by sshguard" -a "From: VPS<[email protected]$(hostname)>" [email protected]

to the fw_block function. This addition uses my iplookup script and sends an email containing a link to report the IP.

Next, copy the sample config file:

sudo cp /tmp/sshguard-2.1.0/examples/sshguard.conf.sample /usr/local/etc/sshguard.conf

and edit it to your liking. Be sure to at least set the following:

BACKEND="/usr/local/libexec/sshg-fw-iptables"
FILES="/var/log/auth.log"

and everything else can stay the default. Now, to add this as a service, run:

sudo cp /tmp/sshguard-2.1.0/examples/sshguard.service /lib/systemd/system/sshguard.service

and comment out the following line:

ExecStartPre=-/usr/sbin/iptables -N sshguard

Now, run:

sudo systemctl daemon-reload

and restart the service:

sudo service sshguard restart

To get sshguard to run on boot, just run:

sudo systemctl enable sshguard

To check up on how sshguard is doing, just run:

sudo service sshguard status

This will show you some IP addresses that are attacking your server, and those that have been blocked by sshguard.

Update: I have disabled email notifications because sshguard will send multiple notifications for the same IP. This is not sshguard’s fault, but it got really annoying.
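The repeat mails described in the update (and the fw_block hook above) can be handled by remembering which addresses have already been reported. This is an added example, not sshguard's own code: it assumes the sshguard 2.x backend convention that fw_block receives the blocked address as $1, and the state directory, variable names and recipient address are assumptions or placeholders.

```shell
#!/bin/sh
# Added example (not part of sshguard): a notification hook for the fw_block
# function in sshg-fw-iptables that mails at most once per address per
# cooldown window. To use it, add `notify_block "$1"` after the iptables rule
# in fw_block ($1 is the blocked address in sshguard 2.x backends).
# Paths, variable names and the recipient below are assumptions/placeholders.

: "${SSHG_NOTIFY_DIR:=/var/lib/sshguard/notified}"   # one stamp file per address (assumed path)
: "${SSHG_NOTIFY_COOLDOWN:=86400}"                    # seconds between mails for the same address
: "${SSHG_NOTIFY_TO:=admin@example.invalid}"          # placeholder recipient
: "${SSHG_MAIL_CMD:=mail}"                            # reads the message body on stdin

# should_notify ADDR [NOW]: return 0 if ADDR has not been reported within the
# cooldown and record the time; return 1 otherwise. NOW is epoch seconds and
# defaults to `date +%s`; it is a parameter only so the logic can be tested.
should_notify() {
    sn_addr=$1
    sn_now=${2:-$(date +%s)}
    mkdir -p "$SSHG_NOTIFY_DIR" || return 1
    # Addresses contain only [0-9a-fA-F.:]; map ':' so IPv6 yields a safe filename.
    sn_stamp="$SSHG_NOTIFY_DIR/$(printf '%s' "$sn_addr" | tr ':' '_')"
    if [ -f "$sn_stamp" ] && [ $((sn_now - $(cat "$sn_stamp"))) -lt "$SSHG_NOTIFY_COOLDOWN" ]; then
        return 1
    fi
    printf '%s\n' "$sn_now" > "$sn_stamp"
    return 0
}

# notify_block ADDR: send the report mail only when should_notify allows it.
notify_block() {
    should_notify "$1" || return 0
    printf 'Dear %s admin,\n\nsshguard has blocked %s after repeated failed logins.\nTo report it: https://www.abuseipdb.com/report?ip=%s\n' \
        "$(uname -n)" "$1" "$1" |
        $SSHG_MAIL_CMD -s "$1 blocked by sshguard" "$SSHG_NOTIFY_TO"
}
```

Old stamp files only grow by one small file per distinct address; a cron job can prune entries older than the cooldown.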

iptables

Now, you need to configure the iptables rules. This is fairly simple; all you need is to run the following:

sudo iptables -N sshguard
sudo iptables -I INPUT -j sshguard
sudo ip6tables -N sshguard
sudo ip6tables -I INPUT -j sshguard

Each pair of commands creates the sshguard chain and inserts a jump to it at the top of INPUT, so incoming traffic is checked against sshguard's block rules before any other INPUT rule allows or denies it.

Sources: sshguard
