How to Unblock Your IP Address from SSHguard on Ubuntu 16.04 Xenial Server



SSHguard is a lightweight intrusion prevention tool that monitors log files for brute-force attacks and automatically blocks the offending source addresses with firewall rules. On Ubuntu 16.04 the packaged setup uses the iptables backend: SSHguard owns a chain named sshguard, which INPUT is set up to jump to, and every block is a DROP rule for one source address in that chain (IPv6 addresses land in the same chain in ip6tables). SSHguard also has backends for other firewalls (for example firewalld), but the commands below assume iptables.

When you're locked out of your server due to a false positive, follow these steps:

# First, list the rules in SSHguard's chain (-n shows raw addresses instead of doing reverse DNS lookups)
sudo iptables -L sshguard -n --line-numbers

# If your IP appears in the chain, note its line number and delete that one rule
sudo iptables -D sshguard [line_number]

# For an IPv6 address use the same commands with ip6tables
# Alternatively, flush every rule in the chain; this also releases real attackers (use with caution)
sudo iptables -F sshguard

To prevent future false blocks, add your IP to SSHguard's whitelist. The addresses do not go into sshguard.conf itself: that file only names the whitelist file (WHITELIST_FILE, which the Debian/Ubuntu packages point at /etc/sshguard/whitelist), and the whitelist holds one entry per line: an address, a CIDR block or a hostname, with # starting a comment.

# Check which whitelist file the configuration names
grep WHITELIST_FILE /etc/sshguard/sshguard.conf

# Edit that file and add your addresses, one per line
sudo nano /etc/sshguard/whitelist
192.168.1.100
10.0.0.5

# SSHguard reads the whitelist only at start-up, so restart it to apply the change
sudo systemctl restart sshguard

If you can't immediately unblock your IP, consider these alternative access methods:

# Method 1: Use hosting provider's web console
# Most cloud providers offer a web-based (out-of-band) console that bypasses the server's SSH port and firewall entirely

# Method 2: Connect from a different source address
# For example through a VPN or a jump host on another network. SSHguard blocks by source address,
# so any address other than the one that tripped the block is unaffected

# Note: fail2ban-client cannot unban you here. fail2ban is a separate tool with its own jails and chains,
# and its unbanip action only touches fail2ban's rules, never the sshguard chain. If both tools are
# installed, check fail2ban's jails separately:
sudo fail2ban-client status

To investigate why your IP was blocked:

# Check SSHguard logs (the daemon logs every block and release through syslog)
sudo journalctl -u sshguard -n 50

# Examine authentication attempts from your address (replace [your_ip]; -F matches the text literally)
sudo grep sshd /var/log/auth.log | grep -F [your_ip]

# Check the configured block duration and threshold. The daemon has no status query;
# sshguard -b is the blacklist option, not a way to inspect blocks
grep -E '^(THRESHOLD|BLOCK_TIME|DETECTION_TIME)=' /etc/sshguard/sshguard.conf

Adjust these parameters in /etc/sshguard/sshguard.conf to reduce false positives. The sshguard.conf keys are the SSHguard 2.x format; the sshguard package in the Ubuntu 16.04 archive is a 1.x release, which takes the same settings as command-line options instead (-a threshold, -p block time, -s detection time, -w whitelist; check the running daemon with ps -o args -C sshguard). Check which version you have with dpkg -s sshguard | grep ^Version. The defaults quoted below are the 2.x defaults.

# Raise the threshold before blocking. The threshold is a score, not an attempt count: most attacks
# score 10, so the default of 30 blocks on the third failed login and 50 allows five.
# THRESHOLD=10 would make SSHguard stricter, blocking on the first failure.
THRESHOLD=50

# Reduce how long a block lasts (default is 120 seconds; each repeat block of the same address lasts 1.5 times longer)
BLOCK_TIME=60

# Reduce how long failed attempts are remembered before an address's score resets (default is 1800 seconds)
DETECTION_TIME=600

# There is no LOGLEVEL setting in sshguard.conf. SSHguard logs through syslog; use journalctl -u sshguard to read its messages

Create a cron job to monitor and automatically unblock your IP. This is a stopgap rather than a fix: the whitelist is the supported way to exempt an address, and either approach means that address can never be blocked, even if a machine behind it is compromised.

#!/bin/bash
# Save as /usr/local/bin/check_sshguard.sh, root-owned and executable; cron runs it as root

YOUR_IP="your_public_ip"
# iptables -S prints rules as "-A sshguard -s 203.0.113.45/32 -j DROP": an exact match on the
# address with no reverse DNS, unlike iptables -L. Loop until no matching rule is left, so
# duplicate rules are removed too.
while iptables -S sshguard | grep -qF -- "-s $YOUR_IP/32 "; do
    logger "Automatically unblocking $YOUR_IP from sshguard"
    iptables -D sshguard -s "$YOUR_IP" -j DROP || break
done

# Then add it to cron. The line below has a user field (root), so it belongs in /etc/cron.d/check_sshguard;
# a personal crontab (crontab -e) takes the same line without the user field.
# */5 * * * * root /usr/local/bin/check_sshguard.sh

SSHguard automatically blocks IP addresses exhibiting suspicious SSH activity. However, false positives can occur due to:

  • Trigger patterns that also match benign log lines, so ordinary client behaviour is scored as an attack
  • A low threshold: with the 2.x defaults (score 10 per attack, THRESHOLD=30) three failed logins from one address are enough
  • Retried connections, such as a mistyped password entered a few times or a misconfigured client or script looping on failed logins

When locked out of your Ubuntu 16.04 server, try these access methods:

# Method 1: Using hosting provider's console
# Most VPS providers offer web-based console access
# Example for DigitalOcean:
# 1. Login to DO dashboard
# 2. Access Droplets → YourServer → Access → Launch Console

# Method 2: Using VPN
# Connect via different IP:
sudo openvpn --config /path/to/alternative.ovpn

Once you regain access, follow these steps:

# Check current block status (the chain is named sshguard in lower case; iptables chain names are case-sensitive):
sudo iptables -L sshguard -n --line-numbers

# Verify if your IP appears in the block list
# Example output showing blocked IP 192.168.1.100:
# Chain sshguard (1 references)
# num  target     prot opt source        destination
# 1    DROP       all  --  192.168.1.100 0.0.0.0/0

# Remove the specific rule (replace X with rule number):
sudo iptables -D sshguard X

# Alternative: Flush all SSHguard rules (not recommended: it also releases every real attacker)
sudo iptables -F sshguard
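The unblock step above (and the same step in the first half of this page) relies on reading the chain by eye and typing a rule number. The helper below is an added example written for this page, not code from the original article or from SSHguard itself: it derives the exact iptables -D commands from the rule-spec output of iptables -S sshguard, so the match is on the whole address (203.0.113.4 does not hit 203.0.113.45, and no reverse DNS lookup happens), duplicate rules are all removed, and IPv6 addresses go through ip6tables. It assumes the chain is named sshguard and that blocks are plain "-s ADDR/PREFIX -j DROP" rules as the iptables backend writes them; the function names and the rule text used for the dry run are my own, constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original article or from SSHguard): remove every
# block rule for one address from the sshguard chain.
# Assumptions: chain name "sshguard"; rules look like "-A sshguard -s ADDR/PREFIX -j DROP".

# sshguard_unblock_cmds TOOL ADDR RULES
#   RULES is the text of `TOOL -S sshguard`. Prints one "TOOL -D sshguard ..."
#   command per rule whose source is exactly ADDR (a /32 or /128 suffix is
#   ignored). Pure text processing, so it needs no root and is easy to test.
sshguard_unblock_cmds() {
    tool=$1; addr=$2; rules=$3
    printf '%s\n' "$rules" | awk -v tool="$tool" -v addr="$addr" '
        $1 == "-A" && $2 == "sshguard" {
            for (i = 3; i < NF; i++) {
                if ($i == "-s") {
                    src = $(i + 1)
                    sub(/\/(32|128)$/, "", src)       # single-host prefix is implicit
                    if (src == addr) {
                        $1 = "-D"                     # same rule spec, delete instead of append
                        print tool " " $0
                    }
                }
            }
        }'
}

# sshguard_unblock ADDR: run the generated commands against the live firewall (needs root).
sshguard_unblock() {
    addr=$1
    tool=iptables
    case $addr in *:*) tool=ip6tables ;; esac
    cmds=$(sshguard_unblock_cmds "$tool" "$addr" "$("$tool" -S sshguard)")
    if [ -z "$cmds" ]; then
        echo "$addr has no rule in the sshguard chain" >&2
        return 1
    fi
    printf '%s\n' "$cmds" | sh -e
}

# Constructed rule-spec text in the shape `iptables -S sshguard` prints (not a real capture),
# including a duplicate rule and a near-miss address, for a dry run.
sshguard_sample_rules() {
    cat <<'EOF'
-N sshguard
-A sshguard -s 203.0.113.45/32 -j DROP
-A sshguard -s 203.0.113.4/32 -j DROP
-A sshguard -s 198.51.100.70/32 -j DROP
-A sshguard -s 203.0.113.45/32 -j DROP
EOF
}

if [ $# -gt 0 ]; then
    sshguard_unblock "$1"              # e.g. sudo sh unblock.sh 203.0.113.45
else
    echo "dry run: commands that would unblock 203.0.113.45 from the sample chain"
    sshguard_unblock_cmds iptables 203.0.113.45 "$(sshguard_sample_rules)"
fi
```

Run it as root with the address as the only argument to act on the live firewall; with no argument it prints the commands it would run against the constructed sample chain. Removing the rule by hand does not change SSHguard's own bookkeeping: the daemon still considers the address blocked until its BLOCK_TIME runs out and then issues its own delete, which fails harmlessly because the rule is already gone.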

To prevent future false positives:

# Whitelist your main IP(s):
# Edit /etc/sshguard/whitelist (the file named by WHITELIST_FILE in sshguard.conf)
# Add your IP (one per line; CIDR blocks and hostnames are accepted too, # starts a comment):
192.168.1.100
203.0.113.45
# Restart sshguard afterwards; the whitelist is read only at start-up

# Adjust sensitivity in /etc/sshguard/sshguard.conf:
# Change these values (2.x defaults shown; each attack scores 10, so THRESHOLD=30 blocks on the third failure):
THRESHOLD=30
DETECTION_TIME=1800
BLOCK_TIME=120
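Because the threshold is a score, not a count of attempts, it is easy to tune in the wrong direction (THRESHOLD=10 is stricter than the default, not looser). The script below is an added example for this page, not code from the original article or from SSHguard: it reads an sshguard.conf, fills in the 2.x defaults for keys that are missing or commented out, and reports how many failed logins it takes to get blocked, warning when the answer is one or two. It covers the tuning advice here and in the first half of the page. It assumes the 2.x KEY=VALUE syntax, the 2.x defaults (THRESHOLD=30, BLOCK_TIME=120, DETECTION_TIME=1800) and SSHguard's usual attack score of 10; the function names and the sample configuration it audits when run without arguments are my own.

```sh
#!/bin/sh
# Added example (not from the original article or from SSHguard): show the
# effective THRESHOLD / BLOCK_TIME / DETECTION_TIME of an sshguard.conf and
# warn when the threshold would lock you out after one or two typos.
# Assumptions: 2.x KEY=VALUE syntax, 2.x defaults (30 / 120 / 1800), and
# sshguard's usual attack score of 10 per failed login.

# conf_get FILE KEY DEFAULT: last uncommented KEY=VALUE in FILE, with quotes
# and trailing comments stripped, or DEFAULT when the key is absent or empty.
conf_get() {
    awk -F= -v key="$2" -v def="$3" -v q="'" '
        BEGIN { junk = "[[:space:]\"" q "]+" }
        /^[[:space:]]*#/ { next }
        {
            k = $1; gsub(/[[:space:]]/, "", k)
            if (k != key) next
            v = $2; sub(/#.*/, "", v)
            gsub("^" junk "|" junk "$", "", v)
            if (v != "") val = v
        }
        END { print (val == "" ? def : val) }' "$1"
}

# sshguard_conf_report FILE: print the effective values and the number of
# failed logins that trigger a block. Exit status 1 when that number is 1 or 2.
sshguard_conf_report() {
    thr=$(conf_get "$1" THRESHOLD 30)
    bt=$(conf_get "$1" BLOCK_TIME 120)
    dt=$(conf_get "$1" DETECTION_TIME 1800)
    attempts=$(( (thr + 9) / 10 ))           # score 10 per attack, block once score >= THRESHOLD
    printf 'THRESHOLD=%s BLOCK_TIME=%s DETECTION_TIME=%s attempts_to_block=%s\n' \
        "$thr" "$bt" "$dt" "$attempts"
    if [ "$attempts" -le 2 ]; then
        echo "warning: THRESHOLD=$thr blocks after $attempts failed login(s) within ${dt}s" >&2
        return 1
    fi
}

# Constructed sshguard.conf (not a real file) that copies the "THRESHOLD=10"
# advice seen on some guides; it is far stricter than the default, not more tolerant.
sshguard_conf_sample() {
    cat <<'EOF'
# sample configuration, constructed for this example
WHITELIST_FILE=/etc/sshguard/whitelist
THRESHOLD=10   # meant to "increase" tolerance, actually blocks on the first failure
#BLOCK_TIME=60
DETECTION_TIME="900"
EOF
}

if [ $# -gt 0 ]; then
    sshguard_conf_report "$1"                  # e.g. sh audit.sh /etc/sshguard/sshguard.conf
else
    tmp=$(mktemp) && sshguard_conf_sample > "$tmp"
    sshguard_conf_report "$tmp" || :           # the sample is expected to trigger the warning
    rm -f "$tmp"
fi
```

The exit status makes the check usable from a deployment script: run it against the file you are about to ship and refuse to restart SSHguard when it returns 1.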

Create a cron job for emergency self-unblocking (the whitelist is the proper fix; this only buys time if you cannot restart SSHguard):

#!/bin/bash
# Save as /usr/local/bin/unblock_me.sh; it runs from root's crontab, so no sudo inside
MY_IPS=("192.168.1.100" "203.0.113.45")
for ip in "${MY_IPS[@]}"; do
    # delete repeatedly until no rule for this address is left; the final "no such rule" error is silenced
    while iptables -D sshguard -s "$ip" -j DROP 2>/dev/null; do
        logger "unblock_me: removed sshguard rule for $ip"
    done
done

# Make executable:
sudo chmod +x /usr/local/bin/unblock_me.sh

# Add to root's crontab (run every 5 minutes). A non-root crontab would not work: sudo has no password prompt under cron.
(sudo crontab -l 2>/dev/null; echo "*/5 * * * * /usr/local/bin/unblock_me.sh") | sudo crontab -

Investigate why blocks occur:

# Check SSHguard logs:
journalctl -u sshguard -f

# Monitor authentication attempts:
sudo grep sshd /var/log/auth.log | grep "Failed password"
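To see why an address was blocked rather than only that it was, it helps to replay SSHguard's scoring over the log. The script below is an added example written for this page (not from the original article or from SSHguard): it tallies sshd failures per source address in an auth.log excerpt, records the first and last time each was seen, and marks the addresses that would reach the threshold. It covers the investigation steps here and in the first half of the page. It is an approximation: it scores only "Failed password" and "Invalid user" lines at 10 points each and ignores DETECTION_TIME, whereas SSHguard matches a larger set of patterns and forgets an address's score after DETECTION_TIME. It assumes syslog-style timestamps as Ubuntu 16.04 writes them; the function names and the sample log lines are my own, constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original article or from SSHguard): score sshd
# failures in an auth.log roughly the way SSHguard does, to see which address
# crossed the threshold and when.
# Assumptions: syslog-style lines ("Jan 12 10:15:01 host sshd[pid]: ..."),
# 10 points per "Failed password" or "Invalid user" line (sshguard's usual
# attack score; its real signature set is larger), block at score >= THRESHOLD (30).

# sshguard_score_log FILE [THRESHOLD]
#   One line per source address, sorted: ADDR attacks first_seen last_seen verdict
sshguard_score_log() {
    awk -v thr="${2:-30}" '
        / sshd\[[0-9]+\]: (Failed password for |Invalid user )/ {
            if (match($0, /from [0-9a-fA-F.:]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)   # text after "from "
                ts = $1 " " $2 " " $3                       # month day time
                if (!(ip in n)) first[ip] = ts
                n[ip]++
                last[ip] = ts
            }
        }
        END {
            for (ip in n) {
                verdict = (n[ip] * 10 >= thr) ? "would-block" : "below-threshold"
                printf "%s %d %s %s %s\n", ip, n[ip], first[ip], last[ip], verdict
            }
        }' "$1" | sort
}

# Constructed log excerpt (not a real capture): one address fails three times,
# another fails once and then logs in. Non-failure lines are ignored.
sshguard_sample_log() {
    cat <<'EOF'
Jan 12 10:15:01 xenial sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 10:15:05 xenial sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 10:15:09 xenial sshd[1201]: Failed password for root from 203.0.113.45 port 51234 ssh2
Jan 12 10:15:10 xenial sshd[1201]: Connection closed by 203.0.113.45 port 51234 [preauth]
Jan 12 10:16:40 xenial sshd[1233]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 12 10:16:48 xenial sshd[1233]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
EOF
}

if [ $# -gt 0 ]; then
    sshguard_score_log "$@"            # e.g. sudo sh score.sh /var/log/auth.log 30
else
    tmp=$(mktemp) && sshguard_sample_log > "$tmp"
    sshguard_score_log "$tmp"
    rm -f "$tmp"
fi
```

Pass the THRESHOLD value from your sshguard.conf as the second argument to match your own tuning; an address reported as would-block whose first_seen and last_seen are seconds apart is the signature of a looping client or script rather than a human typo.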