Tuesday, May 19, 2015

[How to] Block SSH brute-force attacks using sshguard on Linux


If your Linux box runs an SSH service and is connected directly to a public Internet IP, in most cases you will face a lot of brute-force attacks. sshguard can help lower the rate of these attacks.

How it works
Simply put, sshguard reads the sshd log, recognises suspicious login attempts, and blocks the source address with iptables.

To check whether you are being attacked, look at the journal:
$ journalctl -axe
...
 5月 19 12:28:10 localhost sshd[22109]: Connection closed by 70.60.248.30 [preauth] <=== Port Scan
 5月 19 12:28:34 localhost sshd[22111]: Did not receive identification string from 195.154.55.58
 5月 19 12:28:35 localhost sshd[22112]: Invalid user ubnt from 195.154.55.58
 5月 19 12:28:35 localhost sshd[22112]: input_userauth_request: invalid user ubnt [preauth]
 5月 19 12:28:36 localhost sshd[22112]: pam_tally(sshd:auth): pam_get_uid; no such user
 5月 19 12:28:36 localhost sshd[22112]: pam_unix(sshd:auth): check pass; user unknown
 5月 19 12:28:36 localhost sshd[22112]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhos
 5月 19 12:28:38 localhost sshd[22112]: Failed password for invalid user ubnt from 195.154.55.58 port 54126 ssh2
 5月 19 12:28:38 localhost sshd[22112]: error: Received disconnect from 195.154.55.58: 3: com.jcraft.jsch.JSchException: Auth
 5月 19 12:28:38 localhost sshd[22112]: Disconnected from 195.154.55.58 [preauth]
 5月 19 12:28:39 localhost sshd[22115]: Invalid user admin from 195.154.55.58
 5月 19 12:28:39 localhost sshd[22115]: input_userauth_request: invalid user admin [preauth]
 5月 19 12:28:40 localhost sshd[22115]: pam_tally(sshd:auth): pam_get_uid; no such user <=== Attack
 5月 19 12:28:40 localhost sshd[22115]: pam_unix(sshd:auth): check pass; user unknown
 5月 19 12:28:40 localhost sshd[22115]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhos
 5月 19 12:28:42 localhost sshd[22115]: Failed password for invalid user admin from 195.154.55.58 port 51840 ssh2
 5月 19 12:28:43 localhost sshd[22115]: error: Received disconnect from 195.154.55.58: 3: com.jcraft.jsch.JSchException: Auth
 5月 19 12:28:43 localhost sshd[22115]: Disconnected from 195.154.55.58 [preauth]
 5月 19 12:28:44 localhost sshd[22117]: pam_tally(sshd:auth): Tally overflowed for user root <=== Attack
 5月 19 12:28:44 localhost sshd[22117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhos
 5月 19 12:28:46 localhost sshd[22117]: Failed password for root from 195.154.55.58 port 54190 ssh2 <=== Attack

... 
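To make the "read the log, score the source, block it" idea concrete, here is an added example (not sshguard's code and not from the original post) that replays sshd journal lines like the ones above and reports which source address should be blocked. The message formats are sshd's own; the scoring rule (10 danger per failed attempt, block at 40 within a 120-second window) is an assumption modelled on sshguard's defaults, and the sample log is constructed in an English-locale format from the addresses shown above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumption: scoring mirrors sshguard's defaults (10 danger per attack, block at 40); not sshguard's code.
LOGLINE = re.compile(r"^\s*(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ATTACKS = [  # "Invalid user" lines precede a "Failed password" for the same attempt, so they are not counted twice
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"),
    re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)"),
]
DANGER_PER_ATTACK = 10            # assumption
BLOCK_THRESHOLD = 40              # assumption: four attempts trip the block
WINDOW = timedelta(seconds=120)   # assumption: older attempts are forgotten

def parse_attack(line):
    """Return (timestamp, source_ip) for a line that records a failed attempt, else None."""
    m = LOGLINE.match(line)
    if not m:
        return None
    for pattern in ATTACKS:
        hit = pattern.search(m.group("msg"))
        if hit:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            return ts, hit.group("ip")
    return None

def find_offenders(lines):
    """Replay lines in order; return {ip: (danger, attacks, seconds)} for sources that cross the threshold."""
    recent = defaultdict(list)  # ip -> timestamps of attempts still inside WINDOW
    blocked = {}
    for line in lines:
        parsed = parse_attack(line)
        if parsed is None or parsed[1] in blocked:
            continue
        ts, ip = parsed
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        danger = DANGER_PER_ATTACK * len(recent[ip])
        if danger >= BLOCK_THRESHOLD:
            span = int((recent[ip][-1] - recent[ip][0]).total_seconds())
            blocked[ip] = (danger, len(recent[ip]), span)
    return blocked

# Constructed sample log in an English-locale journal format, using the addresses from the post above.
SAMPLE_LOG = """\
May 19 12:28:10 localhost sshd[22109]: Connection closed by 70.60.248.30 [preauth]
May 19 12:28:34 localhost sshd[22111]: Did not receive identification string from 195.154.55.58
May 19 12:28:35 localhost sshd[22112]: Invalid user ubnt from 195.154.55.58
May 19 12:28:38 localhost sshd[22112]: Failed password for invalid user ubnt from 195.154.55.58 port 54126 ssh2
May 19 12:28:42 localhost sshd[22115]: Failed password for invalid user admin from 195.154.55.58 port 51840 ssh2
May 19 12:28:46 localhost sshd[22117]: Failed password for root from 195.154.55.58 port 54190 ssh2
""".splitlines()
```

Running `find_offenders(SAMPLE_LOG)` reports 195.154.55.58 with 40 danger in 4 attacks over 12 seconds, which is the same verdict sshguard logs for this host below, while the single port-scan connection from 70.60.248.30 is never scored.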

Installation

It is very simple: install the package, create an iptables chain for sshguard to manage, send incoming SSH traffic through it, and enable the service.
# pacman -S sshguard
# iptables -N sshguard
# iptables -A INPUT -p tcp --dport 22 -j sshguard
# iptables-save > /etc/iptables/iptables.rules

# systemctl start sshguard.service
# systemctl enable sshguard.service


You should then find entries like this in the log:
$ journalctl -axe
 5月 19 12:28:46 localhost sshguard[26588]: Blocking 195.154.55.58:4 for >630secs: 40 danger in 4 attacks over 12 seconds (all 

Nice and done.
