Spread the love
Block SSH Brute Force Attacks Using SSHGuard | Unixmen

SSHGuard is an open-source daemon that is used to enhance the security of ssh as well as other network protocols. Moreover, it is used to prevent brute force attacks. It will continuously monitor and keep the track record of the system logs which helps in tracking the continuous login attempts or malicious activity. Once it detects such activity then it will immediately block the IP using firewall backends such as pf, iptables, and ipfw. Then it will unblock the IP after a set interval of time. Several log formats such as raw log file, Syslog-ng, and Syslog are supported by SSHGuard as well as provide extra layer protection to several services postfix, Sendmail, vsftpd, etc. including ssh.

In this tutorial, you will learn to install SSHGuard and configure the system to prevent brute force attacks in Ubuntu 20.04. Let’s begin with the installation.

SSHGuard Installation

You can install the sshguard from the apt package manager; you simply need to execute the following installation command in your terminal. First, we always need to update the package info before any package installation using apt.

$ sudo apt update
$ sudo apt install sshguard

After successful SSHGuard installation, you can check the status of SSHGuard using the systemctl daemon. You will get to see the output similar to the following example.

$ sudo systemctl status sshguard
SSHGuard active and running

Configuring SSHGuard On Ubuntu

The default remote host ban period is of 120 seconds and each successive failed login attempt will increase ban time by a factor of 1.5. You can configure the SSHGuard sshguard.conf file which you can find in the following path.

$ sudo vim /etc/sshguard/sshguard.conf

As you can see in the above example there are many directives with its default value. Let’s highlight some directives and what it is actually for.

Then, let’s work out with a system firewall. To block the brute force attack you need to configure the firewall in the following way.

$ sudo vim /etc/ufw/before.rules

Then, add the following line of code in the open file just like the example given below.

:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard
Code language: CSS (css)
Configure before.rules

Now, write and quit the file and restart the firewall.

$ sudo systemctl restart ufw

Once everything is set up your system is ready to persist the brute force attacks.

Whitelisting Blocked Hosts

The whitelist will allow the blocked hosts to re-login to the system without any restriction. To whitelist, the specific host then specifies the IP of the host in the file located at the following destination.

$ sudo vim /etc/sshguard/whitelist
Whitelist IP addresses in SSHGuard

Now, once you added the IP to the whitelist file, restart the SSHGuard daemon and firewall backend to apply the changes.


In this tutorial, I’ve shown you how to install SSHGuard and how to configure the security software to make the system capable of persisting the brute force attack and adding an additional layer of security.

Another interesting article may be: How to Install and Use Ubuntu Linux Screenshot Tools

Leave a Reply