This wiki was updated to MediaWiki 1.37. If you notice any issues, please report them to admin[at]

SDB:Install and configure sshguard

Jump to: navigation, search
Icon-obsolete.png This article or section refers to the version '11.1' and it is now obsolete!
Please refer to this article's discussion page for more information.
sshguard can help you to make your SSH servers more secure then they already are. This article explains how to get, install and configure sshguard.


sshguard works independently of the SSHD daemon and scripts. It monitors multiple system logs out of the box. When a multiple invalid log-in attempts occur, there will be an entry made for your firewall, to block the attacker in the future. Although created to secure SSH servers, it now supports many more protocol servers.

Sshguard is being actively maintained. It supports IPv6, whitelists and log authentication, interfaces with all the major firewall systems.


Sshguard is not available in the openSUSE repositories.Therefore, obtain a copy of the sshguard software from SourceForge, or another reliable source. Preferably (if available), get the RPM version for easy installation. Install the RPM package on the SSH server you wish to protect. Most easily, this can be done by using:

$ rpm -Uvh sshguard-package-name.rpm

Firewall configuration

The SuSEfirewall2 firewalling system is very powerful, but unfortunately, may not be obvious where to place additional rules so that they are permanent and interoperate with the built-in openSUSE firewall configuration tools.

1. Edit the /etc/sysconfig/scripts/SuSEfirewall2-custom file. Add these lines to the fw_custom_before_port_handling section before the "true" statement:
   ## For SSHguard, regular IPv4 support:
   iptables -N sshguard
2. To the same file, add these lines to the fw_custom_before_denyall section before the "true" statement:
   ## For SSHguard
   iptables -A INPUT -j sshguard
3. Activate the firewall rule customizations by adding this line to the /etc/sysconfig/SuSEfirewall2 file.
4. Restart the firewall by using the following commands, or wait until the system is reset later.
$ /etc/init.d/SuSEfirewall2_init restart

AppArmor configuration

AppArmor is the next-generation chroot that keeps a service process or daemon from doing more than it should if it comes under attack. Rather than risk disabling this valuable service, it is relatively easy to reconfigure it to allow sshguard to perform its work.

1. Add the following lines to the /etc/apparmor.d/sbin.syslog-ng file:
   # allow syslog-ng to launch and pipe information to sshguard
   /usr/sbin/sshguard pxr,
   /bin/bash ix,
2. Create the following file and save it as /etc/apparmor.d/usr.sbin.sshguard:
   #include <tunables/global>
   /usr/sbin/sshguard {
     #include <abstractions/base>
     /usr/sbin/iptables Ux,

Now reboot your system.


In older versions of sshguard it was required the configure syslog-ng to export the messages to sshguard. This is no longer needed. Sshguard takes care of this automatically

See also

External links