What is SSHGuard?

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

Brute-force attacks without SSHGuard

SSHGuard blocks brute-force attacks

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

SSHGuard Features

Logging

SSHGuard recognizes logs in several formats:

cockpit
Common Log Format
macOS log (new in 2.0)
metalog
multilog
raw log files
syslog
syslog-ng
systemd journal (new in 2.0)

It can monitor multiple log files at once and handles log rotation and temporary log files automatically.

Parsing

SSHGuard recognizes attacks against:

OpenSSH
Sendmail
Exim
Dovecot
Cucipop
UWimap (imap, pop)
vsftpd
Postfix
proftpd
pure-ftpd
FreeBSD ftpd

Blocking

SSHGuard can integrate with many firewall backends including:

FirewallD (Linux, new in 2.0)
ipfw (FreeBSD, macOS)
IPFILTER (FreeBSD, NetBSD, Solaris)
netfilter/iptables (Linux)
netfilter/ipset (Linux, new in 2.0)
PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
tcpd's hosts.allow (boxes without a network-layer firewall)
IBM AIX's firewall

Functional spotlights

Touchiness and automatic blacklisting
Full IPv6 support
Monitors multiple log files
Small system footprint
Sophisticated whitelisting
Recognizes many logging formats transparently
Handles host names or addresses in log files

Non-functional spotlights

Easy to set up, simple one-line command to use
Written in small, portable C and Bourne shell with ~3000 LOC
Simple, extensible firewall interface