What is SSHGuard?

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

[Figure: brute-force attacks without SSHGuard; with SSHGuard, the attacks are blocked]

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.
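The detection loop described above, as an added illustration that is not sshguard's own code: failures are counted per address inside a sliding window, an address that crosses the threshold is blocked for a release interval, and an address blocked repeatedly is blacklisted and never released. The sshd log format, the thresholds and the sample lines are all assumed or constructed; a real deployment hands the blocked address to a firewall backend instead of keeping it in a dictionary.

```python
import re
from collections import defaultdict
# Syslog-style sshd failure line; the format is assumed for this example.
FAILED = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+")
class Guard:
    def __init__(self, threshold=3, window=30, release=120, blacklist_after=2):
        self.threshold, self.window = threshold, window  # failures per seconds
        self.release, self.blacklist_after = release, blacklist_after
        self.failures = defaultdict(list)  # ip -> failure times inside the window
        self.blocked = {}                  # ip -> time at which the block is released
        self.blocks = defaultdict(int)     # ip -> number of times it has been blocked
        self.blacklist = set()             # ips that are never released

    def expire(self, now):
        # Release blocks whose interval has elapsed, unless the ip is blacklisted.
        for ip, until in list(self.blocked.items()):
            if now >= until and ip not in self.blacklist:
                del self.blocked[ip]

    def feed(self, line):
        # Parse one log line; return the ip if this line triggers a new block.
        m = FAILED.match(line)
        if not m:
            return None
        hh, mm, ss, ip = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)  # seconds into the day
        self.expire(now)
        if ip in self.blocked:
            return None
        recent = [t for t in self.failures[ip] if now - t <= self.window] + [now]
        self.failures[ip] = recent
        if len(recent) < self.threshold:
            return None
        self.failures[ip] = []
        self.blocked[ip] = now + self.release
        self.blocks[ip] += 1
        if self.blocks[ip] >= self.blacklist_after:
            self.blacklist.add(ip)
        return ip
# Constructed sample: a burst from 203.0.113.7, one failure from 198.51.100.9.
SAMPLE_LOG = """\
Mar 10 12:00:01 host sshd[2211]: Failed password for root from 203.0.113.7 port 52100 ssh2
Mar 10 12:00:03 host sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 52102 ssh2
Mar 10 12:00:05 host sshd[2213]: Failed password for root from 203.0.113.7 port 52104 ssh2
Mar 10 12:00:07 host sshd[2214]: Failed password for root from 198.51.100.9 port 40000 ssh2
"""
def run(log):
    g = Guard()
    return [ip for ip in map(g.feed, log.splitlines()) if ip]  # blocked ips, in order
```

Running `run(SAMPLE_LOG)` blocks only 203.0.113.7; the single failure from 198.51.100.9 stays below the threshold.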


Sshguard interprets log messages with several formats:

  • syslog
  • syslog-ng
  • metalog
  • multilog
  • raw log

It can monitor multiple log files at once, and handles log rotation and temporary log files automatically.

Its powerful grammar-based parser makes it straightforward to support several formats and services without increasing complexity.


Sshguard protects many services out of the box:

You are welcome to propose support for new logging systems and new services.


Sshguard works with all the major firewall systems:

Sshguard tailors each blocking backend to make full use of that firewall's capabilities.

Functional spotlights

  • it supports log message authentication
  • it features touchiness and automatic blacklisting
  • it supports IPv6 addressing natively
  • it supports slick multiple-source monitoring
  • it supports sophisticated whitelisting
  • it recognizes many logging formats transparently
  • it handles host names or addresses in log files natively
  • it supports per-service and per-address blocking actions

Non-functional spotlights

  1. it aims for ease of use: the simplest invocation covers 90% of the functionality
  2. it is a C application, rather than a script that requires an interpreter
  3. it maintains thorough documentation and is backed by a receptive team
  4. it is designed to run in diverse contexts: compiler, OS, logging, firewall
  5. its foundation is designed for extensibility to new services and firewalls