What is SSHGuard?
sshguard protects hosts from brute-force attacks against
SSH and other services. It aggregates system logs and blocks repeat
offenders using one of several firewall backends, including
iptables, ipfw, and pf.
[Figures: brute-force attacks without SSHGuard; SSHGuard blocks brute-force attacks]
sshguard can read log messages from standard input
(suitable for piping from syslog) or monitor one or more log
files. Log messages are parsed line by line for recognized patterns. If an
attack, such as several login failures within a few seconds, is detected,
the offending IP is blocked. Offenders are unblocked after a set interval,
but can be semi-permanently banned using the blacklist option.
Sshguard Gears
Logging
Sshguard understands log messages in several formats:
- syslog
- syslog-ng
- metalog
- multilog
- raw log
It can monitor multiple log files at once, and handles log rotation and temporary log files automatically.
Its grammar-based parser makes it straightforward to add support for further formats and services without growing the rest of the code.
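What "recognizing several formats transparently" means in practice: the prefix that syslog, metalog or multilog put in front of a line must be stripped so the same service message can be matched regardless of which logger wrote it. The following is an added example written for this page, not sshguard's own parser; the sample lines are constructed, the syslog-ng layout is assumed to be the default syslog-compatible one, and the TAI64N decoding ignores the TAI-to-UTC offset.

```python
"""Strip the log prefix formats sshguard lists (syslog/syslog-ng, metalog,
multilog, raw) down to the message the attack patterns are matched against.
Added example code, not sshguard's parser; sample lines are constructed."""
import re

# Classic syslog, and syslog-ng in its default layout:
#   "Mar  4 10:15:22 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# metalog: "Mar  4 10:15:22 [prog] message"
METALOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \[(?P<prog>[^\]]+)\] (?P<msg>.*)$")
# multilog (daemontools): "@<24 hex digits TAI64N label> message"
MULTILOG_RE = re.compile(r"^@(?P<tai>[0-9a-f]{24}) (?P<msg>.*)$")

TAI64_EPOCH = 1 << 62  # TAI64 labels count seconds from 2^62 == 1970-01-01 TAI


def tai64n_to_epoch(label):
    """Decode a TAI64N label into (seconds, nanoseconds).

    The result is on the TAI scale, a few tens of seconds ahead of UTC
    (10 s plus leap seconds); this example does not correct for that, which
    is harmless when the timestamps are only used to window attacks."""
    secs = int(label[:16], 16) - TAI64_EPOCH
    nanos = int(label[16:24], 16)
    return secs, nanos


def parse_line(line):
    """Return {'format', 'ts', 'prog', 'msg'} for one log line.

    multilog and metalog are tried before syslog because their prefixes are
    more specific; anything unrecognized is treated as a raw message."""
    line = line.rstrip("\n")
    m = MULTILOG_RE.match(line)
    if m:
        secs, _ = tai64n_to_epoch(m.group("tai"))
        return {"format": "multilog", "ts": secs, "prog": None, "msg": m.group("msg")}
    m = METALOG_RE.match(line)
    if m:
        return {"format": "metalog", "ts": m.group("ts"),
                "prog": m.group("prog"), "msg": m.group("msg")}
    m = SYSLOG_RE.match(line)
    if m:
        return {"format": "syslog", "ts": m.group("ts"),
                "prog": m.group("prog"), "msg": m.group("msg")}
    return {"format": "raw", "ts": None, "prog": None, "msg": line}


# Constructed samples: the same sshd message written by four different loggers.
MSG = "Failed password for root from 203.0.113.7 port 51144 ssh2"
SAMPLES = [
    "Mar  4 10:15:22 host1 sshd[2211]: " + MSG,   # syslog / syslog-ng
    "Mar  4 10:15:22 [sshd] " + MSG,              # metalog
    "@400000004d709d2a1e4b3c08 " + MSG,           # multilog (TAI64N label)
    MSG,                                          # raw, no prefix at all
]


def demo():
    """Parse every constructed sample and return the results."""
    return [parse_line(line) for line in SAMPLES]


if __name__ == "__main__":
    for parsed in demo():
        print(parsed)
```

Whatever the prefix, the `msg` field comes out identical, which is why the service patterns only have to be written once per service rather than once per logger.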
Parsing
Sshguard protects many services out of the box:
- sshd
- Sendmail
- Exim
- dovecot
- Cucipop
- UWimap (imap, pop)
- vsftpd
- proftpd
- pure-ftpd
- FreeBSD ftpd
You are welcome to propose support for new logging systems and new services.
Blocking
Sshguard drives all the major firewalling systems:
- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- netfilter/iptables (Linux)
- IPFIREWALL/ipfw (FreeBSD, Mac OS X)
- IPFILTER (FreeBSD, NetBSD, Solaris)
- IBM AIX's firewall
- tcpd's hosts.allow (boxes without a network-layer firewall)
New backends can be requested as well.
Each blocking backend is tailored to make full use of its firewall's capabilities.
Functional spotlights
- it supports log message authentication
- it features touchiness and automatic blacklisting
- it supports IPv6 addressing natively
- it supports monitoring several log sources at once
- it supports sophisticated whitelisting
- it recognizes many logging formats transparently
- it handles host names or addresses in log files natively
- it supports per-service and per-address blocking actions
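The detection loop described in "SSHGuard blocks brute-force attacks" above, together with the touchiness, blacklisting, whitelisting and IPv6/hostname handling listed in these spotlights, in one self-contained model. This is an added example written for this page, not sshguard's implementation: the `Guard` class, its action names and the numeric defaults (score 10 per attack, block at 40, 1200 s detection window, 420 s block) are assumptions chosen for illustration, and the log messages are constructed.

```python
"""Model of sshguard-style detection: score attacks per source, block a
source when its score within the detection window reaches the threshold,
pardon it after the block time, blacklist it after repeated blocks, and
never touch whitelisted sources. Added example, not sshguard's code; the
class, action names and numeric defaults are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict, deque

# sshd failure messages, as seen after the syslog prefix has been removed.
SSHD_FAIL = re.compile(r"^(?:Failed password|Invalid user).*?\bfrom (\S+)")


def parse_source(msg):
    """Return the address or hostname named in an sshd failure, else None."""
    m = SSHD_FAIL.search(msg)
    return m.group(1) if m else None


class Guard:
    def __init__(self, threshold=40, danger=10, detection_time=1200,
                 block_time=420, blacklist_after=3, whitelist=()):
        self.threshold = threshold              # score that triggers a block
        self.danger = danger                    # score added per attack ("touchiness")
        self.detection_time = detection_time    # seconds an attack stays scored
        self.block_time = block_time            # seconds before a block is pardoned
        self.blacklist_after = blacklist_after  # blocks before a permanent ban
        self.wl_nets, self.wl_names = [], set()
        for entry in whitelist:                 # addresses, CIDR blocks or hostnames
            try:
                self.wl_nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self.wl_names.add(entry.lower())
        self.events = defaultdict(deque)        # source -> attack timestamps
        self.blocked = {}                       # source -> time the block expires
        self.strikes = defaultdict(int)         # source -> blocks so far
        self.blacklist = set()

    def is_whitelisted(self, src):
        try:
            addr = ipaddress.ip_address(src)    # IPv4 and IPv6 alike
        except ValueError:
            return src.lower() in self.wl_names # a hostname logged instead of an address
        return any(addr in net for net in self.wl_nets)

    def expire(self, now):
        """Pardon blocks whose time is up; blacklisted sources are never released."""
        released = [s for s, until in self.blocked.items()
                    if until <= now and s not in self.blacklist]
        for s in released:
            del self.blocked[s]
        return released

    def process(self, now, msg):
        """Feed one message logged at epoch second `now`; return the action taken."""
        self.expire(now)
        src = parse_source(msg)
        if src is None:
            return "ignore"
        if self.is_whitelisted(src):
            return "whitelisted"
        if src in self.blocked:
            return "blocked"
        window = self.events[src]
        window.append(now)
        while now - window[0] > self.detection_time:   # forget stale attacks
            window.popleft()
        if len(window) * self.danger < self.threshold:
            return "attack"
        window.clear()
        self.strikes[src] += 1
        self.blocked[src] = now + self.block_time
        if self.strikes[src] >= self.blacklist_after:
            self.blacklist.add(src)
            return "blacklist"
        return "block"


def demo():
    """Run constructed sshd messages (with their log time) through a Guard."""
    g = Guard(blacklist_after=2,
              whitelist=["192.0.2.0/24", "2001:db8::1", "bastion.example.net"])
    lines = [
        (0, "Failed password for root from 203.0.113.7 port 51144 ssh2"),
        (1, "Failed password for root from 203.0.113.7 port 51145 ssh2"),
        (2, "Invalid user admin from 203.0.113.7 port 51146"),
        (3, "Failed password for invalid user admin from 203.0.113.7 port 51146 ssh2"),
        (4, "Failed password for root from 192.0.2.10 port 40000 ssh2"),
        (5, "Accepted publickey for alice from 198.51.100.4 port 5000 ssh2"),
        (6, "Failed password for root from 2001:db8::1 port 6000 ssh2"),
        (7, "Failed password for root from 203.0.113.7 port 51147 ssh2"),
        (8, "Failed password for root from bastion.example.net port 7000 ssh2"),
        (500, "Failed password for root from 203.0.113.7 port 51148 ssh2"),
        (501, "Failed password for root from 203.0.113.7 port 51149 ssh2"),
        (502, "Failed password for root from 203.0.113.7 port 51150 ssh2"),
        (503, "Failed password for root from 203.0.113.7 port 51151 ssh2"),
        (5000, "Failed password for root from 203.0.113.7 port 51152 ssh2"),
    ]
    return [g.process(t, msg) for t, msg in lines]


if __name__ == "__main__":
    print(demo())
```

In the run above the fourth failure from 203.0.113.7 triggers a block, the block is pardoned 420 seconds later, a second burst earns a second block which is the blacklist limit here, and at t=5000 the source is still blocked. The whitelisted sources, including the IPv6 address and the hostname, never accumulate a score.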
Non-functional spotlights
- it aims for ease of use: the simplest invocation covers 90% of the functionality
- it is a C application, rather than a script that depends on an interpreter
- it maintains thorough documentation and is backed by a receptive team
- it is designed to run in diverse environments: compiler, OS, logging system, firewall
- its foundation is built for extensibility to new services and firewalls