What is sshguard?
Sshguard monitors servers through their logging activity. When the logs show that someone is doing a Bad Thing, sshguard reacts by blocking the offender for a while. Sshguard has a touchy personality: when a naughty tyke keeps disturbing your host, it reacts ever more firmly.
Without sshguard, brute force is possible.
With sshguard, brute force is blocked.
Sshguard supports many services out of the box, recognizes several log formats, and can operate many firewall systems. Many users appreciate its ease of use, compatibility and feature richness. See below for a taste.
Sshguard Gears
Logging
Sshguard interprets log messages with several formats:
- syslog
- syslog-ng
- metalog
- multilog
- raw log
It can monitor multiple log files at once, and handles log rotation and temporary log files automatically.
Its powerful grammar-based parser makes it straightforward to support several formats and services without increasing complexity.
Parsing
Sshguard protects many services out of the box:
- sshd
- Sendmail
- Exim
- dovecot
- Cucipop
- UWimap (imap, pop)
- vsftpd
- proftpd
- pure-ftpd
- FreeBSD ftpd
You are welcome to propose support for new logging systems and new services.
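The Logging and Parsing sections above describe two separate recognition steps: first the log format's prefix (timestamp, host, program) is peeled off, then the service's own message is matched and the offending address extracted. The following Python is an added example of that two-stage, pattern-based approach; it is not sshguard's own parser (sshguard is written in C), and the sample lines, host names, addresses, process ids and the exact layouts assumed for each format are constructed for this example. It handles IPv4, IPv6 and host names in the address field, and ignores messages that are not failures.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, one per log shape the page lists (syslog-ng's
# default output has the same layout as syslog). The exact layouts, hosts,
# addresses and process ids are assumptions made for this example.
SAMPLE_LINES = [
    "Jan  5 12:00:01 bastion sshd[4242]: Failed password for invalid user admin from 203.0.113.5 port 51514 ssh2",
    "Jan  5 12:00:02 [sshd] Failed password for root from 2001:db8:0:0::10 port 40022 ssh2",
    "@400000005b2a1c3e0a3c2f4c Failed password for root from 203.0.113.5 port 51520 ssh2",
    "Failed password for invalid user test from 198.51.100.7 port 1025 ssh2",
    "Jan  5 12:00:05 bastion dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=203.0.113.1",
    "Jan  5 12:00:06 bastion sshd[4250]: Accepted publickey for ops from 198.51.100.2 port 2200 ssh2",
]

# Prefix grammars, one per log format. Each strips the timestamp and process
# fields and leaves the service's own message in the "msg" group.
_TS = r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d"
FORMATS = [
    ("syslog",   re.compile(rf"^{_TS} (?P<host>\S+) (?P<prog>[^\[\]: ]+)(?:\[\d+\])?: (?P<msg>.*)$")),
    ("metalog",  re.compile(rf"^{_TS} \[(?P<prog>[^\]]+)\] (?P<msg>.*)$")),
    ("multilog", re.compile(r"^@[0-9a-f]{24} (?P<msg>.*)$")),   # TAI64N stamp
]

# Service grammars: each recognises one kind of authentication failure and
# captures the source address. Successful logins match nothing and are ignored.
SERVICES = [
    ("sshd",    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<addr>\S+) port \d+")),
    ("dovecot", re.compile(r"auth failed.*\brip=(?P<addr>[^,\s]+)")),
]

@dataclass(frozen=True)
class Attack:
    service: str
    addr: str        # normalised IP text, or the literal host name if not an IP
    log_format: str

def split_prefix(line: str) -> tuple[str, str]:
    """Return (format_name, message) for a log line, falling back to raw."""
    for name, pattern in FORMATS:
        m = pattern.match(line)
        if m:
            return name, m.group("msg")
    return "raw", line

def normalise(addr: str) -> str:
    """Canonicalise IPv4/IPv6 text (collapses IPv6 zero runs); keep host names as-is."""
    try:
        return ipaddress.ip_address(addr).compressed
    except ValueError:
        return addr

def parse_line(line: str) -> Optional[Attack]:
    """Recognise the log format, then the service; return an Attack or None."""
    log_format, msg = split_prefix(line)
    for service, pattern in SERVICES:
        m = pattern.search(msg)
        if m:
            return Attack(service, normalise(m.group("addr")), log_format)
    return None

def scan(lines) -> list[Attack]:
    """Run parse_line over a stream of lines and keep only the attacks."""
    return [a for a in (parse_line(line) for line in lines) if a is not None]

if __name__ == "__main__":
    for attack in scan(SAMPLE_LINES):
        print(attack)
```

Keeping the format grammars and the service grammars in two separate tables is what lets a new service be added without touching the format side, and vice versa; that separation is the property the page attributes to sshguard's grammar-based parser.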
Blocking
Sshguard drives all the major firewall systems:
- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- netfilter/iptables (Linux)
- IPFIREWALL/ipfw (FreeBSD, Mac OS X)
- IPFILTER (FreeBSD, NetBSD, Solaris)
- IBM AIX's firewall
- tcpd's hosts.allow (boxes without a network-layer firewall)
Sshguard tailors each blocking backend to make full use of that firewall's capabilities.
Functional spotlights
- it supports log message authentication
- it features touchiness and automatic blacklisting
- it supports IPv6 addressing natively
- it supports slick multiple-source monitoring
- it supports sophisticated whitelisting
- it recognizes many logging formats transparently
- it handles host names or addresses in log files natively
- it supports per-service and per-address blocking actions
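The "touchiness" described at the top of the page and the automatic blacklisting and whitelisting listed above combine into one decision loop: count failures per source, block once a threshold is reached, block for longer on each repeat offence, and give up on the source entirely after enough blocks, while never touching whitelisted networks. The following Python is an added example of such a loop built on the attack events a log parser would produce; it is not sshguard's own code, and the threshold, base block duration, doubling rule, blacklist count and the event timeline are all assumed values constructed for this example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Offender:
    failures: int = 0          # failures since the last block (reset on block)
    blocks: int = 0            # how many times this source has been blocked
    blocked_until: float = 0.0
    blacklisted: bool = False

class Guard:
    """Escalating blocker: repeat offenders are blocked for longer each time and
    permanently blacklisted after a fixed number of blocks. All parameters are
    assumed values for this example, not sshguard's defaults."""

    def __init__(self, threshold: int = 3, base_block: float = 120.0,
                 blacklist_after: int = 3, whitelist=()):
        self.threshold = threshold
        self.base_block = base_block
        self.blacklist_after = blacklist_after
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.offenders: dict[str, Offender] = {}

    def is_whitelisted(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False       # a host name never matches a CIDR whitelist entry
        return any(ip in net for net in self.whitelist)

    def is_blocked(self, addr: str, now: float) -> bool:
        o = self.offenders.get(addr)
        return o is not None and (o.blacklisted or now < o.blocked_until)

    def observe(self, addr: str, now: float) -> Optional[str]:
        """Record one authentication failure; return the action taken, if any."""
        if self.is_whitelisted(addr):
            return "whitelisted"
        o = self.offenders.setdefault(addr, Offender())
        if o.blacklisted:
            return "blacklisted"
        if now < o.blocked_until:
            return "already-blocked"
        o.failures += 1
        if o.failures < self.threshold:
            return None
        o.failures = 0
        o.blocks += 1
        if o.blocks >= self.blacklist_after:
            o.blacklisted = True
            return "blacklist"
        duration = self.base_block * 2 ** (o.blocks - 1)   # doubles on each repeat offence
        o.blocked_until = now + duration
        return f"block:{int(duration)}s"

# Constructed failure events: (seconds since start, source address).
EVENTS = [
    (0, "203.0.113.5"), (1, "203.0.113.5"), (2, "203.0.113.5"),       # third failure -> block
    (3, "203.0.113.5"),                                               # still blocked
    (10, "198.51.100.2"), (11, "198.51.100.2"), (12, "198.51.100.2"), # whitelisted network
    (20, "2001:db8::10"), (21, "2001:db8::10"),                       # below threshold
    (200, "203.0.113.5"), (201, "203.0.113.5"), (202, "203.0.113.5"), # back after expiry -> longer block
    (500, "203.0.113.5"), (501, "203.0.113.5"), (502, "203.0.113.5"), # third block -> blacklist
]

def run_scenario():
    """Feed EVENTS through a Guard; return non-None actions per address and the guard."""
    guard = Guard(whitelist=["198.51.100.0/24"])
    actions = defaultdict(list)
    for t, addr in EVENTS:
        action = guard.observe(addr, t)
        if action is not None:
            actions[addr].append(action)
    return dict(actions), guard

if __name__ == "__main__":
    taken, _ = run_scenario()
    for addr, acts in taken.items():
        print(addr, acts)
```

In a real deployment the `block`/`blacklist` actions would be handed to the firewall backend and the expiry of `blocked_until` would trigger the matching release; keeping the decision state separate from the backend is what allows the same loop to drive PF, iptables, ipfw or hosts.allow.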
Non-functional spotlights
- it aims for ease of use: the simplest invocation runs 90% of the functionality
- it is a C application, rather than a script that requires an interpreter
- it maintains thorough documentation and is backed by a receptive team
- it is designed to run in diverse contexts: compiler, OS, logging, firewall
- its foundation is built for great extensibility to new services and firewalls