What is sshguard?

Sshguard monitors servers through their logging activity. When logs convey that someone is doing a Bad Thing, sshguard reacts by blocking them for a bit. Sshguard has a touchy personality: when a naughty tyke insists on disturbing your host, it reacts more and more firmly.

Without sshguard, brute force is possible.
With sshguard, brute force is blocked.

Sshguard supports many services out of the box, recognizes several log formats, and can operate many firewall systems. Many users appreciate its ease of use, compatibility and feature richness. See below for a taste.

Sshguard Gears


Sshguard interprets log messages with several formats:

  • syslog
  • syslog-ng
  • metalog
  • multilog
  • raw log

It can monitor multiple log files at once, and handles log rotation and temporary log files automatically.

Its powerful grammar-based parser makes it straightforward to support several formats and services without increasing complexity.


Sshguard protects many services out of the box:

You are welcome to propose support for new logging systems and new services.


Sshguard operates all the major firewalling systems around:

Sshguard optimizes each blocking backend to make the most of the firewall's capabilities.

Functional spotlights

  • it supports log message authentication
  • it features touchiness and automatic blacklisting
  • it supports IPv6 addressing natively
  • it supports slick multiple-source monitoring
  • it supports sophisticated whitelisting
  • it recognizes many logging formats transparently
  • it handles host names or addresses in log files natively
  • it supports per-service and per-address blocking actions
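
The log-driven blocking, growing block times ("touchiness"), whitelisting and IPv6 handling listed above, as an added Python sketch that is not sshguard's own code. The threshold, window, block durations, doubling rule, single regex and sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed illustrative parameters, not sshguard's actual defaults.
THRESHOLD = 3       # failures within WINDOW seconds that trigger a block
WINDOW = 60         # seconds over which failures are counted
BASE_BLOCK = 120    # length of the first block, in seconds
WHITELIST = [ipaddress.ip_network("192.0.2.0/28")]

# One OpenSSH failure message; sshguard itself uses a grammar-based parser.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def simulate(events):
    """events: (epoch_seconds, log_line) pairs in time order.
    Returns the block decisions as (time, address, block_seconds)."""
    recent, offences, blocked_until, actions = {}, {}, {}, []
    for now, line in events:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # accepts IPv4 and IPv6
        except ValueError:
            continue  # host names are skipped in this sketch
        if any(addr in net for net in WHITELIST):
            continue  # whitelisted sources are never blocked
        if blocked_until.get(addr, 0) > now:
            continue  # still blocked; the firewall would drop this traffic
        hits = [t for t in recent.get(addr, []) if now - t < WINDOW] + [now]
        recent[addr] = hits
        if len(hits) >= THRESHOLD:
            offences[addr] = offences.get(addr, 0) + 1
            # "Touchiness": each repeat offence doubles the block (assumed rule).
            duration = BASE_BLOCK * 2 ** (offences[addr] - 1)
            blocked_until[addr] = now + duration
            recent[addr] = []
            actions.append((now, str(addr), duration))
    return actions

def log_line(addr):
    # Constructed sample line in OpenSSH syslog style.
    return ("Jan 10 03:00:00 host sshd[811]: Failed password for "
            f"invalid user admin from {addr} port 52144 ssh2")

A, W, V6 = "203.0.113.7", "192.0.2.5", "2001:db8::1"
SAMPLE = [(t, log_line(a)) for t, a in [
    (0, A), (10, A), (20, A), (30, A), (40, W), (41, W), (42, W),
    (200, A), (205, A), (210, A), (300, V6), (301, V6), (302, V6)]]

if __name__ == "__main__":
    for when, addr, secs in simulate(SAMPLE):
        print(f"t={when}: block {addr} for {secs}s")
```

The repeat offender at 203.0.113.7 is blocked for twice as long the second time, while the whitelisted 192.0.2.5 never appears in the output.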

Non-functional spotlights

  1. it strives for ease of use: the simplest call runs 90% of the functionality
  2. it is a C application, rather than a script that requires an interpreter
  3. it maintains thorough documentation and is backed by a receptive team
  4. it is designed to run in diverse contexts: compiler, OS, logging, firewall
  5. its foundation is built for great extensibility to new services and firewalls