What is SSHGuard?
sshguard protects hosts from brute-force attacks against
SSH and other services. It aggregates system logs and blocks repeat
offenders using one of several firewall backends, including
iptables, ipfw, and pf.


sshguard can read log messages from standard input
(suitable for piping from syslog) or monitor one or more log
files. Log messages are parsed, line-by-line, for recognized patterns. If an
attack, such as several login failures within a few seconds, is detected,
the offending IP is blocked. Offenders are unblocked after a set interval,
but can be semi-permanently banned using the blacklist option.
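
A simplified model of the block, unblock and blacklist cycle described above, added here as an illustration. It is not SSHGuard's code: the regular expression, the threshold values and the Guard class are assumptions, not SSHGuard's own patterns or defaults, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Assumed values for illustration only; not SSHGuard's defaults.
THRESHOLD, WINDOW, BLOCK_TIME, BLACKLIST_AFTER = 3, 10, 120, 2

# Greedy ".*" anchors on the last " from ", so text inside the user name
# cannot supply the address.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .* from (\S+) port")

class Guard:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> recent failure times
        self.blocked_until = {}              # ip -> time the block lapses
        self.block_count = defaultdict(int)  # ip -> blocks so far
        self.blacklist = set()               # never unblocked

    def feed(self, now, line):
        """Handle one log line seen at `now` (seconds); return any action."""
        for ip in [i for i, t in self.blocked_until.items() if t <= now]:
            del self.blocked_until[ip]       # block interval elapsed
        m = FAILURE.search(line)
        if not m:
            return None
        ip = m.group(1)
        if ip in self.blacklist or ip in self.blocked_until:
            return None                      # firewall already drops this host
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW:      # forget failures outside the window
            recent.popleft()
        if len(recent) < THRESHOLD:
            return None
        recent.clear()
        self.block_count[ip] += 1
        if self.block_count[ip] >= BLACKLIST_AFTER:
            self.blacklist.add(ip)           # repeat offender: no expiry
            return ("blacklist", ip)
        self.blocked_until[ip] = now + BLOCK_TIME
        return ("block", ip)

# Constructed sample input: (seconds, log line); address is from RFC 5737.
FAIL = "sshd[811]: Failed password for root from 203.0.113.9 port 4022 ssh2"
SAMPLE = [(t, FAIL) for t in (0, 2, 4, 130, 131, 132)]

def run(events):
    guard = Guard()
    return [a for t, line in events if (a := guard.feed(t, line))]
```

Running run(SAMPLE) yields a temporary block after the first burst and a blacklist entry after the second, once the first block has lapsed.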
SSHGuard Features
Logging
SSHGuard recognizes logs in several formats:
- cockpit
- Common Log Format
- macOS log (new in 2.0)
- metalog
- multilog
- raw log files
- syslog
- syslog-ng
- systemd journal (new in 2.0)
It can monitor multiple log files at once and handles log rotation and temporary log files automatically.
Parsing
SSHGuard recognizes attacks against:
Blocking
SSHGuard can integrate with many firewall backends including:
- FirewallD (Linux, new in 2.0)
- ipfw (FreeBSD, macOS)
- IPFILTER (FreeBSD, NetBSD, Solaris)
- netfilter/iptables (Linux)
- netfilter/ipset (Linux, new in 2.0)
- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- tcpd's hosts.allow (boxes without a network-layer firewall)
- IBM AIX's firewall
Functional spotlights
- Touchiness and automatic blacklisting
- Full IPv6 support
- Monitors multiple log files
- Small system footprint
- Sophisticated whitelisting
- Recognizes many logging formats transparently
- Handles host names or addresses in log files
Non-functional spotlights
- Easy to set up, simple one-line command to use
- Written in small, portable C and Bourne shell with ~3000 LOC
- Simple, extensible firewall interface