What is SSHGuard?

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

[Figure: brute-force attacks without SSHGuard]
[Figure: SSHGuard blocks brute-force attacks]

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.
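As an added illustration (not code from the sshguard project), here is a simplified Python model of the loop described above: constructed sshd syslog lines are parsed one by one, an address that reaches a failure threshold within a short window is blocked for a timed interval that doubles on each repeat offence, and a persistent offender is blacklisted. The thresholds, the regex and the sample log lines are all assumptions made for this example.

```python
import re
from datetime import datetime, timedelta
# OpenSSH "Failed password" line in classic syslog format (the shape of the constructed sample below).
FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+")

class Guard:
    """Threshold failures inside a window -> timed block, doubling per offence, then blacklist."""
    def __init__(self, threshold=3, window_s=30, base_block_s=120, blacklist_after=3):
        self.threshold, self.blacklist_after = threshold, blacklist_after   # hypothetical defaults
        self.window, self.base_block = timedelta(seconds=window_s), timedelta(seconds=base_block_s)
        self.hits = {}       # address -> timestamps of recent failures
        self.blocked = {}    # address -> time the block is released
        self.offences = {}   # address -> number of times it has been blocked
        self.blacklist = set()   # semi-permanent bans

    def feed(self, line):
        """Consume one log line; return the firewall action taken, or None."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        now = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)  # syslog omits the year
        ip = m["ip"]
        self.blocked = {a: t for a, t in self.blocked.items() if now < t}   # timed release
        if ip in self.blacklist or ip in self.blocked:
            return None                              # already handled by the firewall
        self.hits[ip] = recent = [t for t in self.hits.get(ip, []) if now - t <= self.window] + [now]
        if len(recent) < self.threshold:
            return None
        self.hits[ip] = []                           # fresh count after acting
        n = self.offences[ip] = self.offences.get(ip, 0) + 1
        if n >= self.blacklist_after:
            self.blacklist.add(ip)
            return f"blacklist {ip}"
        self.blocked[ip] = now + self.base_block * 2 ** (n - 1)   # escalating block length
        return f"block {ip} for {int((self.blocked[ip] - now).total_seconds())}s"

# Constructed sample log (not real data): one brute-forcing client and one legitimate user.
SAMPLE_LOG = [
    "Mar 12 10:00:01 bastion sshd[1001]: Failed password for root from 203.0.113.7 port 50001 ssh2",
    "Mar 12 10:00:03 bastion sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 50002 ssh2",
    "Mar 12 10:00:04 bastion sshd[1003]: Accepted publickey for alice from 198.51.100.4 port 50003 ssh2",
    "Mar 12 10:00:06 bastion sshd[1004]: Failed password for root from 203.0.113.7 port 50004 ssh2",
    "Mar 12 10:00:20 bastion sshd[1006]: Failed password for alice from 198.51.100.4 port 50006 ssh2",
    "Mar 12 10:02:30 bastion sshd[1007]: Failed password for alice from 198.51.100.4 port 50007 ssh2",
]

def run(lines, guard=None):
    # Feed lines in order, as sshguard would from stdin, and collect the actions taken.
    guard = guard or Guard()
    return [action for action in map(guard.feed, lines) if action]
```

The legitimate user's two failures fall outside the window and never trigger a block, while the first block expires on its own before the last line is read.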

SSHGuard Features

Logging

SSHGuard recognizes logs in several formats:

  • cockpit
  • Common Log Format
  • macOS log (new in 2.0)
  • metalog
  • multilog
  • raw log files
  • syslog
  • syslog-ng
  • systemd journal (new in 2.0)

It can monitor multiple log files at once and handles log rotation and temporary log files automatically.

Parsing

SSHGuard recognizes attacks against:

Blocking

SSHGuard can integrate with many firewall backends including:

Functional spotlights

  • Touchiness and automatic blacklisting
  • Full IPv6 support
  • Monitors multiple log files
  • Small system footprint
  • Sophisticated whitelisting
  • Recognizes many logging formats transparently
  • Handles host names or addresses in log files

Non-functional spotlights

  • Easy to set up, simple one-line command to use
  • Written in small, portable C and Bourne shell with ~3000 LOC
  • Simple, extensible firewall interface