Blocking addresses with iptables
In this scenario, the host running sshguard also runs iptables, which must be configured to accept blocking rules from sshguard.
Adding a blocking chain for sshguard
Let iptables create a new chain in which sshguard will append blocking rules:
    # for regular IPv4 support:
    iptables -N sshguard
    # if you want IPv6 support as well:
    ip6tables -N sshguard
Update the INPUT chain so that it also passes traffic to the sshguard chain at the very end of its processing. In --dport, specify all the ports of the services your sshguard protects. If you want to prevent attackers from sending any traffic to the host, remove the option completely:
    # block any traffic from abusers
    iptables -A INPUT -j sshguard
    ip6tables -A INPUT -j sshguard

-- or --

    # block abusers only for SSH, FTP, POP, IMAP services (use "multiport" module)
    iptables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
    ip6tables -A INPUT -m multiport -p tcp --destination-ports 21,22,110,143 -j sshguard
Verify that you do NOT have a default allow rule passing all ssh traffic higher in the chain. Verify that you do NOT have a default deny rule blocking all ssh traffic in your firewall. In either case, you already have the skill to adjust your firewall setup.
Here is a sample ruleset that makes sense:
    iptables -N sshguard
    # block whatever SSHGuard says is bad ...
    iptables -A INPUT -j sshguard
    # enable ssh, dns, http, https
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    # and block everything else (default deny)
    iptables -P INPUT DROP
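The rule-order verification described above can be scripted. This is an added example, not part of sshguard or of the original page: the function name check_sshguard_order is hypothetical, the two rulesets are constructed samples in the format `iptables -S INPUT` prints, and the check is a heuristic that ignores negated matches and source-address conditions.

```shell
# check_sshguard_order PORT   (reads `iptables -S INPUT` output on stdin)
#   0: the jump to the sshguard chain precedes every ACCEPT covering PORT
#   1: an ACCEPT covering PORT comes first, so sshguard blocks are bypassed
#   2: no jump to the sshguard chain covers PORT
check_sshguard_order() {
    awk -v port="$1" '
    function ports(rule,    i, n, f) {        # port list of a rule, "" if none
        n = split(rule, f, " ")
        for (i = 1; i < n; i++)
            if (f[i] ~ /^--(dport|dports|destination-ports?)$/) return f[i + 1]
        return ""
    }
    function has_port(list, want,    k, m, p, r) {   # handles "22" and "20:25"
        m = split(list, p, ",")
        for (k = 1; k <= m; k++) {
            if (p[k] == want) return 1
            if (split(p[k], r, ":") == 2 && want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0)
                return 1
        }
        return 0
    }
    $1 != "-A" || $2 != "INPUT" { next }      # skip policy lines and other chains
    {
        pl = ports($0); target = ""
        for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
        if (target == "sshguard" && (pl == "" || has_port(pl, port))) { found = 1; exit }
        # Heuristic: an ACCEPT counts when it names PORT or is unconditional.
        if (target == "ACCEPT" &&
            ((pl != "" && has_port(pl, port)) ||
             (pl == "" && $0 ~ /^-A INPUT( -p tcp)? -j ACCEPT$/))) { bypass = 1; exit }
    }
    END { if (bypass) exit 1; if (!found) exit 2; exit 0 }'
}
# Constructed sample: the sample ruleset above, as `iptables -S INPUT` lists it.
GOOD_RULES='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
# Constructed sample: ssh is accepted before the jump to sshguard.
BAD_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,22,110,143 -j sshguard'

for rules in "$GOOD_RULES" "$BAD_RULES"; do
    rc=0; printf '%s\n' "$rules" | check_sshguard_order 22 || rc=$?
    echo "check_sshguard_order 22 -> $rc"
done
```

On a live host, feed it the real chain with `iptables -S INPUT | check_sshguard_order 22`, and repeat with `ip6tables -S INPUT` if IPv6 is in use.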
Making configuration persistent
When rebooting, most systems reset the firewall configuration by default. To preserve your configuration, you usually use the iptables-save and iptables-restore utilities. However, each Linux variant has its own