I have a question about the setting up/modus operandi of SSHGuard.

I would like to block ssh brute force attacks that happen about 3 times every second. I am on an Amazon instance, password login is disabled and ssh only works with public/private keys.

I would like to use SSHGuard to block the IPs, but I need SSH, HTTP, HTTPS, DNS to be open. The question is, does SSHGuard recognize and block (depending on logfiles) the attack with the following configuration (taken from the doc), or does this mean ssh is still open? The documentation is not helpful for me, that is why I am asking.

iptables -N sshguard
# block whatever SSHGuard says be bad ...
iptables -A INPUT -j sshguard
# enable ssh, dns, http, https
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# and block everything else (default deny)
iptables -P INPUT DROP

Thanks in advance.

user937284

1 Answer

This is the configuration for iptables - the firewall utility. It is not aware of what SSHGuard does.

I see that ports are open (22, 53, 80, 443).

But every(!) incoming packet goes to the sshguard chain of iptables first. If sshguard lets it pass, the packet can reach port 22, 53, 80 or 443. If it is destined for another port, it is dropped.

gevial
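To make the rule-ordering point concrete, here is a small model of how iptables walks the INPUT chain from the question. It is an added example, not code from the question, the answer or the SSHGuard project: the `Firewall`, `Rule` and `Packet` classes are a toy evaluator written for this page, and the way an attacker is blocked (a `-s <addr> -j DROP` rule appended to the `sshguard` chain) is assumed to mirror what SSHGuard's iptables backend does. The sample addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of iptables chain traversal (added example, not the
# real netfilter implementation). Only the fields the question's rules
# match on are modelled: protocol, destination port and source address.


@dataclass
class Packet:
    src: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    target: str                   # "ACCEPT", "DROP" or the name of a user chain
    proto: Optional[str] = None   # None means "any", like omitting -p
    dport: Optional[int] = None   # None means "any", like omitting --dport
    src: Optional[str] = None     # None means "any", like omitting -s

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.src is None or self.src == pkt.src))


class Firewall:
    def __init__(self) -> None:
        # Built-in INPUT chain has a policy; user chains do not.
        self.chains = {"INPUT": []}
        self.policy = {"INPUT": "ACCEPT"}

    def new_chain(self, name: str) -> None:          # iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # iptables -A
        self.chains[chain].append(rule)

    def set_policy(self, chain: str, verdict: str) -> None:  # iptables -P
        self.policy[chain] = verdict

    def evaluate(self, pkt: Packet, chain: str = "INPUT") -> Optional[str]:
        """Walk a chain top to bottom; first terminating verdict wins."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            # Jump into a user chain. Falling off its end is an implicit
            # RETURN, so we carry on with the next rule of the caller.
            verdict = self.evaluate(pkt, rule.target)
            if verdict is not None:
                return verdict
        return self.policy.get(chain)   # None for user chains (RETURN)


def build_question_ruleset() -> Firewall:
    """The exact rule order from the question, in the same sequence."""
    fw = Firewall()
    fw.new_chain("sshguard")                       # iptables -N sshguard
    fw.append("INPUT", Rule(target="sshguard"))    # iptables -A INPUT -j sshguard
    fw.append("INPUT", Rule("ACCEPT", "tcp", 22))  # ssh
    fw.append("INPUT", Rule("ACCEPT", "udp", 53))  # dns
    fw.append("INPUT", Rule("ACCEPT", "tcp", 80))  # http
    fw.append("INPUT", Rule("ACCEPT", "tcp", 443)) # https
    fw.set_policy("INPUT", "DROP")                 # iptables -P INPUT DROP
    return fw


def block_attacker(fw: Firewall, addr: str) -> None:
    # Assumed shape of the rule SSHGuard adds once its log parser has seen
    # enough failures from addr: a source-address DROP in its own chain.
    fw.append("sshguard", Rule("DROP", src=addr))


def verdicts() -> dict:
    """Return the verdict for a few constructed packets."""
    fw = build_question_ruleset()
    block_attacker(fw, "198.51.100.7")   # constructed attacker address
    probes = {
        "attacker_ssh":  Packet("198.51.100.7", "tcp", 22),
        "attacker_http": Packet("198.51.100.7", "tcp", 80),
        "legit_ssh":     Packet("203.0.113.5", "tcp", 22),
        "legit_dns":     Packet("203.0.113.5", "udp", 53),
        "legit_other":   Packet("203.0.113.5", "tcp", 8080),
    }
    return {name: fw.evaluate(pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:14s} -> {verdict}")
```

Because the `-j sshguard` jump sits above the `ACCEPT` rules, a blocked source never reaches the port 22 rule at all, while everyone else does; swapping the order (accepts first, jump second) would make the sshguard chain unreachable for those ports. One iptables fact the model leaves out: with `-P INPUT DROP` and no `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, replies to the host's own outbound connections are dropped too, so a real ruleset normally adds that rule (and `-i lo -j ACCEPT`) near the top.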