How to protect SSH remote login in Fedora with SSHGuard and FirewallD

SSHGuard 2 introduces a new firewall backend that makes it much easier to use on Linux distributions that use FirewallD. Here is how to install and configure SSHGuard on a distribution that uses FirewallD (such as Fedora, CentOS or RHEL).

You can significantly reduce the number of scripted attacks against SSH by changing the default port number. However, obscuring the location of the SSH service should not be your only line of defense. This is where SSHGuard comes in: it adds the IP addresses of repeat attackers to the system firewall so that their connections are dropped before they ever reach the SSH service.



Start by installing the build dependencies using the command below. If you’re using Ubuntu or another distribution, you’ll find the appropriate apt command in the INSTALL file. You can follow along in this tutorial even if you don’t use Fedora, but choose the appropriate firewall backend for your distribution.

dnf install byacc flex gcc make wget

Next, you need to download and uncompress the source from the latest release tarball on SourceForge. The example commands below download version 2.1, extract it from the package, and change the working directory to the source directory.

wget ""
tar -xzf sshguard-2.1.0.tar.gz
cd sshguard-2.1.0/

Make sure you get the latest release version. Once you’ve got your very own copy of the source code from the release tarball, you can proceed to configure and build SSHGuard:

./configure --prefix="/usr/local/"
make


make install
cp ./examples/sshguard.conf.sample /usr/local/etc/sshguard.conf
cp ./examples/sshguard.service /etc/systemd/system/

Configuring SSHGuard

The sample configuration file has enough inline documentation to guide you through the required configuration options. You only need to configure the BACKEND and LOGREADER options. For Fedora, we will use FirewallD as the firewall backend and the systemd journal as the log reader. Make the following changes in /usr/local/etc/sshguard.conf:

BACKEND="/usr/local/libexec/sshg-fw-firewalld"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"

All these journalctl switches tell the journal to pipe out every message from the sshd process with priority info or higher, using basic (syslog-like) formatting.

You can look through the other configuration options in the file to see if you want to make any other changes. You may want to double the DETECTION_TIME option if you’re experiencing slow-paced brute-force attacks.

Next, you need to make a small change to the systemd unit file to account for the install prefix we used during the build. Change the ExecStart option in /etc/systemd/system/sshguard.service to the following:

ExecStart=/usr/local/sbin/sshguard

Once you’re done configuring the systemd unit file for SSHGuard, run the following command to let systemd know that there’s a new unit file:

systemctl daemon-reload


The FirewallD backend in SSHGuard relies on the ipset feature of iptables. Blocked attackers are added to either the sshguard4 ipset (for IPv4) or the sshguard6 ipset (for IPv6). Additionally, SSHGuard adds a firewall rule to FirewallD that tells it to drop connections from any source IP found in either of these ipsets.

By default, SSHGuard’s drop rule is added to the default FirewallD zone. Depending on your firewall zone configuration, you may want to add additional drop rules to other zones. If you only use the default public zone, no further configuration is needed. The following commands add the default rules to the home zone:

firewall-cmd --permanent --zone="home" --add-rich-rule="rule source ipset=sshguard4 drop"
firewall-cmd --permanent --zone="home" --add-rich-rule="rule source ipset=sshguard6 drop"
firewall-cmd --reload

You can inspect the blocked entries in each ipset using the following commands:

firewall-cmd --permanent --info-ipset="sshguard4"
firewall-cmd --permanent --info-ipset="sshguard6"

In this example, you can unblock the blocked attacker 10.10.1.10 using the following command:

firewall-cmd --ipset="sshguard4" --permanent --remove-entry="10.10.1.10"

Note that SSHGuard’s two ipsets are deleted when SSHGuard flushes its own firewall rules (on exit). This may cause a problem if FirewallD rules are loaded while the ipsets don’t exist yet. To work around this, you can either add the creation of these two ipsets to your permanent FirewallD configuration, or you can take more control of SSHGuard’s FirewallD backend script: copy and modify the sshg-fw-firewalld script (it’s an easy-to-follow bash script) and point the BACKEND option at your custom firewall backend.

Starting the service

Now that SSHGuard is installed and configured, you can start the service and check on its status with these commands:

systemctl start sshguard
systemctl status sshguard

Verify that it says active (running) in the output and that there are no errors or warnings in the log output.

To have SSHGuard start at system boot, run one last command:

systemctl enable sshguard

Test and verify


journalctl -ef -t sshguard -t sshd

From another machine (or at least IP), try to login to the protected system over SSH using invalid credentials. On the protected system you should see log entries from both SSHGuard and SSH about the unsuccessful login attempts.


You should see login attempts to sshd and log messages from SSHGuard like “Attack from "" on service 100 with danger 10.” After five attacks SSHGuard should block the attacker with a message saying “Blocking "" for 600 secs (3 attacks in 75 secs, after 1 abuses over 75 secs)”.

You can repeat the test, first with the ssh -4 switch and then with the ssh -6 switch, when attempting to log in to the protected system, to verify that both IPv4 and IPv6 protection are working correctly.

You can tweak the BLOCK_TIME and DETECTION_TIME durations in sshguard.conf to your liking. Note that BLOCK_TIME is doubled on every subsequent block per source IP.
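To make the blocking behaviour described above concrete, here is a small Python model, added for this article and not SSHGuard's own code, that replays constructed sshd journal lines through the danger/threshold logic: each failed login counts danger 10 (as in the log message above), a source is blocked once it accumulates 30 within DETECTION_TIME, the block lasts BLOCK_TIME and doubles on every subsequent block, and the model records the firewall-cmd call the FirewallD backend would make against sshguard4 or sshguard6. The threshold of 30, the timestamp prefix on each line and the exact --add-entry form are assumptions; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
# Constructed sshd journal lines ("-o cat" style), each prefixed with an
# assumed timestamp in seconds so the detection window can be simulated.
SAMPLE_LOG = """\
0 Failed password for invalid user admin from 10.10.1.10 port 51234 ssh2
20 Failed password for invalid user admin from 10.10.1.10 port 51235 ssh2
40 Failed password for root from 10.10.1.10 port 51236 ssh2
50 Failed password for root from 2001:db8::1 port 40000 ssh2
60 Failed password for root from 2001:db8::1 port 40001 ssh2
70 Failed password for root from 2001:db8::1 port 40002 ssh2
700 Failed password for root from 10.10.1.10 port 51240 ssh2
710 Failed password for root from 10.10.1.10 port 51241 ssh2
720 Failed password for root from 10.10.1.10 port 51242 ssh2
"""
FAILED_RE = re.compile(r"Failed password for .* from (\S+) port \d+")
# Assumed tuning: danger 10 per attack, block once 30 accumulates within
# DETECTION_TIME seconds; the first block lasts BLOCK_TIME and doubles after that.
ATTACK_DANGER, THRESHOLD, DETECTION_TIME, BLOCK_TIME = 10, 30, 75, 600

class Guard:
    def __init__(self):
        self.attacks = defaultdict(list)  # source -> attack timestamps in window
        self.blocks = defaultdict(int)    # source -> number of earlier blocks
        self.commands = []                # firewall-cmd calls the backend would run

    def feed(self, ts, line):
        # Returns (source, block_seconds) when this line triggers a block, else None.
        m = FAILED_RE.search(line)
        if not m:
            return None
        src = m.group(1)
        window = [t for t in self.attacks[src] if ts - t <= DETECTION_TIME] + [ts]
        self.attacks[src] = window
        if len(window) * ATTACK_DANGER < THRESHOLD:
            return None
        secs = BLOCK_TIME * 2 ** self.blocks[src]  # doubles on every repeat block
        self.blocks[src] += 1
        self.attacks[src] = []
        # One ipset per address family (sshguard4 / sshguard6); the --add-entry
        # form is assumed as the counterpart of the --remove-entry command above.
        ipset = "sshguard6" if ipaddress.ip_address(src).version == 6 else "sshguard4"
        self.commands.append(f"firewall-cmd --ipset={ipset} --add-entry={src}")
        return (src, secs)

def run(log=SAMPLE_LOG):
    g = Guard()
    events = [ev for e in log.splitlines() if (ev := g.feed(int(e.split(" ", 1)[0]), e))]
    return events, g.commands
```

Running run() on the constructed log yields a 600 second block for each source and a 1200 second block when 10.10.1.10 returns, showing the doubling.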

Reboot the system and repeat the test.

If you accidentally lock yourself out, you can find the commands for releasing yourself from the block in the FirewallD section above.