What is sshguard?
Sshguard monitors servers by watching their logging activity. When the logs show that someone is doing a Bad Thing, sshguard reacts by blocking the offender for a while. Sshguard has a touchy personality: when an offender keeps disturbing your host, it reacts harder and harder, blocking for longer each time.
Without sshguard, brute force is possible.
With sshguard, brute force is blocked.
Sshguard supports many services out of the box, recognizes several log formats, and can drive many firewall systems. Users appreciate its ease of use, portability and feature richness. See below for a taste.
Sshguard Gears
Logging
Sshguard can interpret log messages with several formats:
- syslog
- syslog-ng
- metalog
- multilog
- raw log
It has a grammar-based parser that makes it straightforward to add support for further formats and services without increasing complexity.
Parsing
Several services are currently recognized:
You are welcome to propose support for new logging systems and new services (see support page).
Blocking
Sshguard can operate all the major firewalling systems:
- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- netfilter/iptables (Linux)
- IPFIREWALL/ipfw (FreeBSD, Mac OS X)
- IPFILTER (FreeBSD, NetBSD, Solaris)
- IBM AIX's firewall
- tcpd's hosts.allow (boxes without a network-layer firewall)
Its natural deployment is sshguard fed by syslog, but any combination works as long as sshguard receives log entries on its standard input.
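The pf backend only adds and removes addresses; the table and the rule that blocks traffic from it must already exist in the host's pf ruleset. The following pf.conf fragment is an added example, not taken from the sshguard page or sources; it assumes an `$ext_if` macro is defined elsewhere in the file and that sshguard populates the table named `sshguard` (the name its pf backend uses):

```pf
# Assumed location: /etc/pf.conf. $ext_if is an assumed macro for the external interface.
# Table that sshguard's pf backend fills with offending addresses (persist keeps it
# alive even while empty, so pfctl/sshguard can add to it at any time).
table <sshguard> persist

# Drop new SSH connections from anything sshguard has blocked. "quick" makes this
# rule final, so a later pass rule cannot override it.
block in quick on $ext_if proto tcp from <sshguard> to any port ssh

# Everyone else may still reach sshd.
pass in on $ext_if proto tcp to any port ssh
```

After loading the ruleset, `pfctl -t sshguard -T show` lists what sshguard has currently blocked, which is the quickest way to confirm the backend is actually reaching pf.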
Functional spotlights
- it supports log message authentication
- it features touchiness and automatic blacklisting
- it supports sophisticated whitelisting
- it supports IPv6 addressing natively
- it recognizes many logging formats transparently
- it handles host names or addresses in log files natively
- it supports per-service and per-address blocking actions
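To make the touchiness, whitelisting and per-address blocking concrete, here is a small Python model of that pipeline run over constructed syslog-style sshd lines. It is an added illustration, not sshguard's code: the scoring parameters (danger per attack, threshold, base block time, escalation factor), the log lines, the addresses and the whitelist are all assumptions chosen for the example, and the two regular expressions cover only two sshd messages rather than the full set of services sshguard recognizes.

```python
"""Toy model of a log-driven blocker in the style of sshguard.

Parses sshd lines, scores each source address, skips whitelisted networks,
and issues a block when the score crosses a threshold. Repeat offenders get
longer blocks each time. Illustrative only; this is not sshguard's own code.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed parameters; sshguard exposes similar knobs but these values are ours.
ATTACK_DANGER = 10   # score added per recognised attack
THRESHOLD = 40       # block once a source's score reaches this (4 attacks here)
BASE_BLOCK = 120     # seconds for a source's first block
ESCALATION = 1.5     # each later block of the same source is 1.5x longer

# Constructed sample log lines (syslog format, addresses from documentation ranges).
SAMPLE_LOG = [
    "Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:00:03 host sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Mar  3 10:00:05 host sshd[1202]: Invalid user admin from 203.0.113.7 port 51240",
    "Mar  3 10:00:06 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    # Trusted network: five failures from 192.0.2.10, but it is whitelisted below.
    *["Mar  3 10:00:0%d host sshd[1203]: Failed password for alice from 192.0.2.10 port 4000%d ssh2" % (i, i)
      for i in range(5)],
    "Mar  3 10:00:12 host sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 40005 ssh2",
    # Host name instead of address: sshguard handles names natively; this toy skips them.
    "Mar  3 10:00:20 host sshd[1205]: Failed password for root from evil.example port 2200 ssh2",
    # IPv6 attacker, handled the same way as IPv4.
    *["Mar  3 10:01:0%d host sshd[1206]: Failed password for root from 2001:db8::bad port 400%d ssh2" % (i, i)
      for i in range(4)],
    # The first attacker comes back: four more failures trigger a longer block.
    *["Mar  3 10:05:0%d host sshd[1207]: Failed password for root from 203.0.113.7 port 5200%d ssh2" % (i, i)
      for i in range(4)],
]

# Only two sshd messages are modelled; the real tool has a grammar per service.
ATTACK_PATTERNS = [
    re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<addr>\S+) port \d+"),
    re.compile(r"Invalid user \S+ from (?P<addr>\S+) port \d+"),
]


def parse_attack(line):
    """Return the attacking address as an ip_address object, or None if the line
    is not a recognised attack or names a host rather than an address."""
    for pat in ATTACK_PATTERNS:
        m = pat.search(line)
        if m:
            try:
                return ip_address(m.group("addr"))
            except ValueError:
                return None
    return None


@dataclass
class Guard:
    whitelist: list                                   # list of ip_network
    scores: dict = field(default_factory=dict)        # addr -> current score
    offences: dict = field(default_factory=dict)      # addr -> blocks issued so far
    blocks: list = field(default_factory=list)        # (addr, seconds) in issue order

    def is_whitelisted(self, addr):
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Process one log line; return (addr, seconds) if it triggered a block."""
        addr = parse_attack(line)
        if addr is None or self.is_whitelisted(addr):
            return None
        self.scores[addr] = self.scores.get(addr, 0) + ATTACK_DANGER
        if self.scores[addr] < THRESHOLD:
            return None
        self.scores[addr] = 0                         # start counting afresh after a block
        n = self.offences.get(addr, 0)
        self.offences[addr] = n + 1
        seconds = int(BASE_BLOCK * ESCALATION ** n)   # touchiness: longer each time
        self.blocks.append((str(addr), seconds))
        return str(addr), seconds


def run(lines, whitelist=("192.0.2.0/24",)):
    """Feed all lines through a fresh Guard and return the blocks it issued."""
    guard = Guard(whitelist=[ip_network(w) for w in whitelist])
    for line in lines:
        guard.feed(line)
    return guard.blocks


if __name__ == "__main__":
    for addr, seconds in run(SAMPLE_LOG):
        print("block %s for %ds" % (addr, seconds))
```

Two points the model makes visible: an invalid-user login produces two attack lines (`Invalid user` and `Failed password for invalid user`), so it counts double, exactly the sort of per-service weighting that matters when tuning a threshold; and whitelisting is checked before scoring, so a trusted network never accumulates a score at all rather than being exempted only at block time.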
Non-functional spotlights
- it aims for ease of use: the simplest invocation provides 90% of the functionality
- it is a C application, rather than a script that requires an interpreter
- it maintains thorough documentation and is backed by a responsive team
- it is designed to run in diverse contexts: compilers, operating systems, logging systems, firewalls
- its foundation is designed to be extended to new services and firewalls