Blocking addresses with iptables
In this scenario, the host running sshguard uses iptables, which has to be configured to accept blocking rules from sshguard.
Adding a blocking chain for sshguard
Let iptables create a new chain in which sshguard will append blocking rules:
# for regular IPv4 support:
iptables -N sshguard
# if you want IPv6 support as well:
ip6tables -N sshguard
Add a rule to the INPUT chain that jumps to the sshguard chain. A packet that matches none of the blocking rules returns to INPUT and continues with the rules that follow, so the jump must come before any rule that accepts the protected services. Specify in --destination-ports all the ports of the services your sshguard protects. If you want to block all traffic from attackers, not just traffic to the protected services, remove the port match completely:
# block any traffic from abusers
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
-- or --
# block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
Verify that no rule higher in the INPUT chain already accepts all SSH traffic: it would match before the sshguard jump and the blocks would never take effect. Also verify that no default deny rule drops all SSH traffic before it reaches your services. In either case, adjust your firewall setup accordingly.
Here is a sample ruleset that makes sense:
iptables -N sshguard
# block whatever SSHGuard says is bad ...
iptables -A INPUT -j sshguard
# enable ssh, dns, http, https
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# and block everything else (default deny)
iptables -P INPUT DROP
Note that this sample accepts neither loopback traffic nor packets belonging to established connections; with the DROP policy in place, replies to the host's own outgoing connections (DNS lookups, package updates) will be dropped unless you also add rules for the lo interface and for the ESTABLISHED,RELATED connection states (conntrack module).
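As an added example (this is not code from the sshguard project), the following POSIX shell script generates a ruleset like the one above in iptables-restore format, with the sshguard jump restricted to the protected ports and placed before every service ACCEPT, and it checks an existing iptables-save dump for the ordering mistake just described (an ACCEPT for a protected port ahead of the jump). The function names, the port lists, the output location /etc/iptables/rules.v4 in the usage line, and the loopback and conntrack ACCEPT rules are assumptions of this example, not something the page or sshguard prescribe.

```shell
#!/bin/sh
# Added example, not part of sshguard: build an iptables-restore ruleset that
# puts the sshguard chain in front of the service ACCEPT rules, and audit an
# iptables-save dump for an ACCEPT that would bypass the sshguard jump.

# Print a complete filter-table ruleset in iptables-restore format.
#   $1: comma-separated TCP ports sshguard protects (multiport list)
#   $2: comma-separated TCP ports open to everyone
#   $3: comma-separated UDP ports open to everyone (optional)
sshguard_ruleset() {
    protected=$1; tcp_open=$2; udp_open=${3:-}
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        ':sshguard - [0:0]'                     # chain sshguard appends to
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'    # never police loopback
    # Jump before the conntrack ACCEPT so a blocked address loses even its
    # already-established sessions to the protected services.
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $protected -j sshguard"
    # Without this, the DROP policy breaks replies to the host's own connections
    # (this rule is an assumption of the example; the page's sample lacks it).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in $(printf '%s' "$tcp_open" | tr ',' ' '); do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $(printf '%s' "$udp_open" | tr ',' ' '); do
        printf '%s\n' "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read an iptables-save dump on stdin and report INPUT rules that ACCEPT a
# protected port (or everything) before the jump to the sshguard chain.
#   $1: comma-separated protected ports. Returns 1 if a bypass was found.
# Heuristic: only single ports and multiport lists are inspected, not ranges.
check_input_order() {
    ports=$(printf '%s' "$1" | tr ',' ' ')
    seen_jump=0; status=0
    while IFS= read -r line; do
        case "$line" in "-A INPUT "*) ;; *) continue ;; esac
        case "$line" in *"-j sshguard"*) seen_jump=1; continue ;; esac
        [ "$seen_jump" -eq 1 ] && continue
        case "$line" in *"-j ACCEPT"*) ;; *) continue ;; esac
        if [ "$line" = "-A INPUT -j ACCEPT" ]; then
            echo "unconditional ACCEPT precedes the sshguard jump: $line" >&2
            status=1
            continue
        fi
        # Extract the destination port list of --dport/--dports/--destination-ports.
        dports=$(printf '%s' "$line" \
            | sed -E -n 's/.*--(dport|dports|destination-ports?) ([0-9,]+).*/\2/p' \
            | tr ',' ' ')
        for p in $ports; do
            for d in $dports; do
                if [ "$d" = "$p" ]; then
                    echo "ACCEPT for port $p precedes the sshguard jump: $line" >&2
                    status=1
                fi
            done
        done
    done
    if [ "$seen_jump" -eq 0 ]; then
        echo "no jump to the sshguard chain found in INPUT" >&2
        status=1
    fi
    return $status
}

# Usage (assumed paths):
#   sh sshguard-fw.sh generate 21,22,110,143 22,80,443 53 > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
#   iptables-save | sh sshguard-fw.sh check 21,22,110,143
case "${1:-}" in
    generate) sshguard_ruleset "$2" "$3" "${4:-}" ;;
    check)    check_input_order "$2" ;;
esac
```

The generated file is the same format iptables-save writes, so it can be fed to iptables-restore at boot by whatever mechanism your distribution uses for persistence; the check mode is meant to be run against the live iptables-save output after loading, since a later hand-added ACCEPT can silently reintroduce the bypass.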
Making configuration persistent
When rebooting, most systems reset the firewall configuration by default. To preserve your configuration, you normally use the iptables-save and iptables-restore utilities. However, each Linux variant has its own right way: