How to Secure Your SSH Server with SSHGuard and Port Knocking
Keeping your SSH server safe from brute-force attacks is critical for maintaining server integrity. Two powerful tools — SSHGuard and Port Knocking — can drastically reduce unauthorized access attempts, giving you multiple layers of protection.
In this guide, we’ll walk through setting up both methods on Ubuntu, so you can harden your SSH service against intrusions.
Why Combine SSHGuard and Port Knocking?
Think of SSHGuard as the bouncer at your server’s door — it spots suspicious login attempts and blocks offenders.
Port Knocking is more like a secret handshake — your server only opens the door when it recognizes the correct knock sequence.
By using both, you get:
- Real-time brute-force attack prevention
- Hidden entry points for extra stealth
- Automatic blocking of malicious IPs
- Flexible integration with firewalls (UFW or iptables)
Setting Up SSHGuard
SSHGuard monitors log files for repeated failed login attempts and automatically blocks offending IPs.
1. Install SSHGuard
sudo apt install sshguard
2. Enable and Start the Service
sudo systemctl enable --now sshguard.service
3. Configure SSHGuard
Edit the configuration file:
sudo nano /etc/sshguard/sshguard.conf
Key parameters:
- BACKEND — Firewall backend script (/usr/libexec/sshguard/sshg-fw-nft-sets for nftables, /usr/libexec/sshguard/sshg-fw-iptables for iptables). It must match the firewall you integrate with below.
- LOGREADER — The command whose output SSHGuard parses for attacks (on systemd hosts typically a journalctl follow pipe; hosts without the journal list log files in FILES instead).
- THRESHOLD — Attack score at which an IP is blocked. Most attacks, including a failed password, score 10 points, so the default of 30 blocks on the third failure.
- BLOCK_TIME — Duration of the first block in seconds; repeat offenders are blocked for progressively longer.
- DETECTION_TIME — How long, in seconds, SSHGuard remembers an attacker's score before resetting it. Slow attackers that space their attempts further apart than this are never blocked.
- WHITELIST_FILE — Path to trusted IP addresses that are never blocked.
Restart SSHGuard after changes:
sudo systemctl restart sshguard
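To make the interplay of THRESHOLD and DETECTION_TIME concrete, here is an added example, not from the original article or the SSHGuard project, that approximates SSHGuard's scoring in shell and awk over a constructed sample of auth.log lines. Each "Failed password" line scores 10 points, and an address is reported once the points it gathered within the last DETECTION_TIME seconds reach THRESHOLD. The host name srv, the process IDs and the addresses (203.0.113.7, 198.51.100.9, 192.0.2.10) are constructed; the function reads a log on standard input and prints the addresses SSHGuard would block.

```shell
#!/bin/sh
# Constructed sample of /var/log/auth.log lines (not real traffic):
# a fast brute-forcer, a slow one that spaces attempts more than 30 minutes apart,
# and one legitimate key login that must never be counted.
SAMPLE_LOG='Nov 12 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Nov 12 10:00:03 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Nov 12 10:00:05 srv sshd[2103]: Failed password for root from 203.0.113.7 port 51251 ssh2
Nov 12 10:00:09 srv sshd[2104]: Failed password for root from 198.51.100.9 port 40001 ssh2
Nov 12 10:31:00 srv sshd[2110]: Failed password for root from 198.51.100.9 port 40002 ssh2
Nov 12 11:02:00 srv sshd[2120]: Failed password for root from 198.51.100.9 port 40003 ssh2
Nov 12 11:02:02 srv sshd[2121]: Accepted publickey for deploy from 192.0.2.10 port 33000 ssh2'

# offenders THRESHOLD DETECTION_TIME
# Reads log lines on stdin; prints each address once, at the moment its score
# (10 points per failed password within the last DETECTION_TIME seconds)
# reaches THRESHOLD. Only the time of day is parsed, so samples must stay
# within one day.
offenders() {
  awk -v threshold="$1" -v window="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]
      for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
      n = count[ip]++          # index of this attempt for ip
      ts[ip, n] = now
      score = 0
      for (j = 0; j <= n; j++) if (now - ts[ip, j] <= window) score += 10
      if (score >= threshold && !(ip in blocked)) { blocked[ip] = 1; print ip }
    }'
}

# Demo: ./sshguard_score.sh --demo  (SSHGuard defaults: THRESHOLD=30, DETECTION_TIME=1800)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | offenders 30 1800
fi
```

With the defaults only 203.0.113.7 is reported: 198.51.100.9 never accumulates 30 points inside a 1800-second window. Raising DETECTION_TIME to 7200 catches the slow attacker too, which is the trade-off to make when you see low-and-slow guessing in the log. Pipe the real log in with `journalctl -u ssh -o cat | offenders 30 1800` to compare against what SSHGuard actually blocked.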
Integrating SSHGuard with Firewalls
Option 1: SSHGuard + UFW
UFW is a front end for iptables, so SSHGuard has to use its iptables backend here. In /etc/sshguard/sshguard.conf set:
BACKEND="/usr/libexec/sshguard/sshg-fw-iptables"
- Edit the UFW rules:
sudo nano /etc/ufw/before.rules
Inside the *filter section, before the COMMIT line, declare the chain and hand SSH traffic to it (repeat in /etc/ufw/before6.rules for IPv6):
:sshguard - [0:0]
-A ufw-before-input -p tcp --dport 22 -j sshguard
The chain name must be lowercase sshguard, because that is the chain the iptables backend populates.
- Reload UFW and restart SSHGuard:
sudo ufw reload
sudo systemctl restart sshguard
Option 2: SSHGuard + iptables
- Set the backend in /etc/sshguard/sshguard.conf:
BACKEND="/usr/libexec/sshguard/sshg-fw-iptables"
- Create the chain SSHGuard fills with block rules:
sudo iptables -N sshguard
- Hand SSH traffic to it. This jump must come before any rule that accepts port 22, otherwise SSHGuard's blocks are never consulted:
sudo iptables -A INPUT -p tcp --dport 22 -j sshguard
- Restart SSHGuard so it picks up the backend:
sudo systemctl restart sshguard
- Save rules:
sudo apt install iptables-persistent
sudo iptables-save -f /etc/iptables/rules.v4
- View blocked IPs:
sudo iptables -L sshguard -n
Whitelisting Trusted IPs
Before enabling SSHGuard, add the addresses you administer from to the file named by WHITELIST_FILE, so a typo in your own password cannot lock you out. By default that file is:
/etc/sshguard/whitelist
Example:
192.168.0.34
192.168.0.0/24
myhost.domain.com
Then restart SSHGuard:
sudo systemctl restart sshguard
Setting Up Port Knocking
Port Knocking adds another layer by keeping your SSH port closed until a specific sequence of port hits is received.
1. Install knockd
On Debian and Ubuntu the daemon and the knock client ship in the same package:
sudo apt install knockd
2. Manage the Service
sudo systemctl enable --now knockd
If the service does not start, check /etc/default/knockd: the package ships it with START_KNOCKD=0 and the listening interface in KNOCKD_OPTS.
3. Prepare Firewall Rules
Accept loopback and existing connections first, then drop everything else. Apply the rules in this order, and only from a session that survives them: an established SSH session stays up through the ESTABLISHED rule, but no new session can be opened until knockd is working, so keep console access or a second way in until you have tested the knock.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i <interface> -m state --state ESTABLISHED,RELATED -j ACCEPT
Block new ones by default:
sudo iptables -A INPUT -j DROP
4. Configure knockd
Edit:
sudo nano /etc/knockd.conf
Example:
[options]
logfile = /var/log/knockd.log
interface = eth0
[openSSH]
sequence = 661,671,681
seq_timeout = 5
tcpflags = syn
cmd_timeout = 30
start_command = /sbin/iptables -I INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
Note that -I INPUT inserts the ACCEPT at the top of the chain, so the knocked-open rule is evaluated before anything else in INPUT, including an SSHGuard jump added there. Restart knockd:
sudo systemctl restart knockd
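Putting SSHGuard and knockd on the same INPUT chain raises an ordering question the steps above leave open: knockd's start_command inserts the knocked-open ACCEPT at the very top of INPUT, above any SSHGuard jump, so a banned address that knocks correctly is let straight in. The following script is an added example, not from the original article or either project, that lays the rules out so the SSHGuard jump is evaluated before a dedicated knock chain, keeps a loopback rule and an admin escape hatch, and refuses to apply anything if its own order check fails. The interface eth0, the admin address 192.0.2.10 and the chain name knock are assumptions.

```shell
#!/bin/sh
# Assumed values (not from the original article):
IFACE=eth0            # interface facing the untrusted network
ADMIN_IP=192.0.2.10   # address that may always reach SSH: the escape hatch against lockout
SSH_PORT=22

# gen_rules prints the iptables commands in the order they must be applied.
# The sshguard jump sits above the knock chain, so a banned address stays
# banned even after a correct knock, and the catch-all DROP comes last.
gen_rules() {
  cat <<EOF
iptables -N sshguard
iptables -N knock
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -s $ADMIN_IP -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -j sshguard
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -j knock
iptables -A INPUT -i $IFACE -j DROP
EOF
}

# rule_position PATTERN: 1-based position of the first generated rule
# matching PATTERN, or 0 if no rule matches.
rule_position() {
  n=$(gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
  echo "${n:-0}"
}

# check_order: succeeds only if ESTABLISHED < sshguard < knock < DROP,
# the layout both tools need to keep working together.
check_order() {
  est=$(rule_position 'ESTABLISHED')
  guard=$(rule_position '-j sshguard')
  knock=$(rule_position '-j knock')
  drop=$(rule_position '-j DROP')
  [ "$est" -gt 0 ] && [ "$est" -lt "$guard" ] &&
    [ "$guard" -lt "$knock" ] && [ "$knock" -lt "$drop" ]
}

# Without arguments: print the rules for review. With --apply (as root): load them.
if [ "${1:-}" = "--apply" ]; then
  check_order || { echo "rule order check failed; not applying" >&2; exit 1; }
  gen_rules | sh -e
else
  gen_rules
fi
```

Run it without arguments to review the dry run, then as root with --apply. With this layout, point knockd at the dedicated chain instead of INPUT: `start_command = /sbin/iptables -I knock -s %IP% -p tcp --dport 22 -j ACCEPT` and `stop_command = /sbin/iptables -D knock -s %IP% -p tcp --dport 22 -j ACCEPT`. Persist the result with iptables-save as shown in the SSHGuard section, and remove the ADMIN_IP rule only once you have confirmed the knock works from elsewhere.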
Connecting with Port Knocking
From your client (the knock command comes with the knockd package on Debian and Ubuntu):
knock target.host 661 671 681
ssh user@target.host
If the three SYNs arrive in order within seq_timeout seconds, knockd runs start_command and port 22 opens to your address for cmd_timeout seconds (30 in the example above). Connect within that window; the session stays up after stop_command runs because the ESTABLISHED rule keeps matching it.
Final Thoughts
By combining SSHGuard and Port Knocking, you create a layered defense:
- Brute-forcing SSH gets expensive: after a handful of failures the source address is banned for BLOCK_TIME, and for longer each time it returns.
- Port scanners see port 22 as filtered unless they send the exact knock sequence. Keep in mind that the sequence travels in clear text, so anyone who can observe your traffic can replay it; knocking hides the service from opportunistic scanning, it does not replace key-based authentication.
🔐 Security Tip:
Always pair these tools with strong SSH keys, disabled root login, and updated firewall rules.
Ready to lock down your SSH server? Start with SSHGuard, add Port Knocking, and sleep better knowing your server’s doors are truly guarded.
🚀 Explore more guides on our blog 👉 blog.1it.pro