What is SSHGuard?
sshguard protects hosts from brute-force attacks against
SSH and other services. It aggregates system logs and blocks repeat
offenders using one of several firewall backends (listed below).
sshguard can read log messages from standard input
(suitable for piping from
syslog) or monitor one or more log
files. Log messages are parsed, line-by-line, for recognized patterns. If an
attack, such as several login failures within a few seconds, is detected,
the offending IP is blocked. Offenders are unblocked after a set interval,
but can be semi-permanently banned using the blacklist option.
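The detection cycle described above, as an added illustration that is not sshguard's own code: a small Python model that parses constructed sshd "Failed password" lines, counts failures per address inside a detection window, blocks an address once it crosses the threshold, releases it after a fixed interval, and moves it to a permanent blacklist after repeated blocks. Whitelisted networks are never blocked, and IPv4 and IPv6 addresses are handled alike. The threshold, window, block time and blacklist count are values chosen for this example, not sshguard's defaults, and the log lines use documentation addresses.

```python
import ipaddress
import re
from collections import deque
from datetime import datetime, timedelta

# Tunables chosen for this illustration; sshguard's real defaults may differ.
THRESHOLD = 4                          # failures inside the window before blocking
DETECTION_WINDOW = timedelta(seconds=10)
BLOCK_TIME = timedelta(minutes=7)      # offender is released after this
BLACKLIST_AFTER = 3                    # blocks before the address is banned for good

# Minimal recognizer for one sshd message; sshguard's grammar covers many more.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_ts(text, year=2024):
    # syslog timestamps carry no year; assume one so they can be compared
    return datetime.strptime(f"{text} {year}", "%b %d %H:%M:%S %Y")

class Guard:
    def __init__(self, whitelist=()):
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.attacks = {}       # ip -> deque of recent failure times
        self.blocked = {}       # ip -> time the block expires
        self.block_count = {}   # ip -> how many times it has been blocked
        self.blacklist = set()
        self.events = []        # (time, action, ip), in order

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def _release_expired(self, now):
        for ip, until in list(self.blocked.items()):
            if until <= now and ip not in self.blacklist:
                del self.blocked[ip]
                self.events.append((now, "release", ip))

    def feed(self, line):
        """Process one log line; return the action taken, if any."""
        m = SSHD_FAIL.match(line)
        if not m:
            return None
        now, ip = parse_ts(m["ts"]), m["ip"]
        self._release_expired(now)
        if self._whitelisted(ip) or ip in self.blocked:
            return None
        q = self.attacks.setdefault(ip, deque())
        q.append(now)
        while now - q[0] > DETECTION_WINDOW:   # drop failures outside the window
            q.popleft()
        if len(q) < THRESHOLD:
            return None
        q.clear()
        self.block_count[ip] = self.block_count.get(ip, 0) + 1
        if self.block_count[ip] >= BLACKLIST_AFTER:
            self.blacklist.add(ip)
            self.blocked[ip] = datetime.max      # never released
            self.events.append((now, "blacklist", ip))
            return "blacklist"
        self.blocked[ip] = now + BLOCK_TIME
        self.events.append((now, "block", ip))
        return "block"

def _fail(ts, ip, user="root"):
    return f"{ts} host sshd[4242]: Failed password for {user} from {ip} port 51234 ssh2"

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = (
    [_fail(f"Mar  3 10:00:0{s}", "203.0.113.7") for s in range(1, 5)]      # wave 1
    + ["Mar  3 10:00:05 host sshd[4243]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2"]
    + [_fail(f"Mar  3 10:08:0{s}", "203.0.113.7", "invalid user admin") for s in range(4)]  # wave 2
    + [_fail(f"Mar  3 10:16:0{s}", "203.0.113.7") for s in range(4)]       # wave 3 -> blacklist
    + [_fail(f"Mar  3 10:20:0{s}", "198.51.100.9") for s in range(5)]      # whitelisted, ignored
    + [_fail("Mar  3 10:25:00", "192.0.2.5"), _fail("Mar  3 10:25:30", "192.0.2.5")]  # too slow
    + [_fail(f"Mar  3 10:30:0{s}", "2001:db8::bad") for s in range(4)]     # IPv6 handled alike
)

def run(lines, whitelist=("198.51.100.0/24",)):
    g = Guard(whitelist)
    for line in lines:
        g.feed(line)
    return [(action, ip) for _, action, ip in g.events]

if __name__ == "__main__":
    for action, ip in run(SAMPLE_LOG):
        print(f"{action:9} {ip}")
```

Feeding the sample log produces block, release, block, release, blacklist for 203.0.113.7 and a single block for the IPv6 attacker; the whitelisted client and the slow attacker (two failures 30 seconds apart, outside the window) trigger nothing. In a real deployment the block and release actions would be calls into the firewall backend rather than entries in a list.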
Sshguard interprets log messages in several formats:
- raw log
It can monitor multiple log files at once, and handles log rotation and temporary log files automatically.
Its powerful grammar-based parser makes it straightforward to support several formats and services without increasing complexity.
Sshguard protects many services out of the box:
- UWimap (imap, pop)
- FreeBSD ftpd
- Request new!
You are welcome to propose support for new logging systems and new services.
Sshguard works with all the major firewall systems:
- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- netfilter/iptables (Linux)
- IPFIREWALL/ipfw (FreeBSD, Mac OS X)
- IPFILTER (FreeBSD, NetBSD, Solaris)
- IBM AIX's firewall
- tcpd's hosts.allow (boxes without a network-layer firewall)
- Request new!
Sshguard tailors each blocking backend to make full use of that firewall's capabilities.
- it supports log message authentication
- it features tunable touchiness (the attack threshold) and automatic blacklisting
- it supports IPv6 addressing natively
- it monitors multiple log sources at once
- it supports sophisticated whitelisting
- it recognizes many logging formats transparently
- it handles host names or addresses in log files natively
- it supports per-service and per-address blocking actions
- it aims for ease of use: the simplest invocation provides 90% of the functionality
- it is a C application rather than a script that requires an interpreter
- it maintains thorough documentation and is backed by a responsive team
- it is designed to run in diverse environments: compilers, operating systems, logging systems and firewalls
- its foundation is built for great extensibility to new services and firewalls