SSHGuard

Started for SSH, now protects a wide range of services out of the box!

SSHGuard protects hosts from brute-force attacks by:

What is SSHGuard?

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

Logging

SSHGuard recognizes logs in several formats:

  • cockpit
  • Common Log Format
  • macOS log (new in 2.0)
  • metalog
  • multilog
  • raw log files
  • syslog
  • syslog-ng
  • systemd journal (new in 2.0)

It can monitor multiple log files at once and handles log rotation and temporary log files automatically.

Parsing

SSHGuard recognizes attacks against:

  • OpenSSH
  • Sendmail
  • Exim
  • Dovecot
  • Cucipop
  • UWimap (imap, pop)
  • vsftpd
  • Postfix
  • proftpd
  • pure-ftpd
  • FreeBSD ftpd

Blocking

SSHGuard can integrate with many firewall backends including:

  • FirewallD (Linux, new in 2.0)
  • ipfw (FreeBSD, macOS)
  • IPFILTER (FreeBSD, NetBSD, Solaris)
  • netfilter/iptables (Linux)
  • netfilter/ipset (Linux, new in 2.0)
  • PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
  • tcpd's hosts.allow (boxes without a network-layer firewall)
  • IBM AIX's firewall

Functional spotlights

  • Touchiness and automatic blacklisting
  • Full IPv6 support
  • Monitors multiple log files
  • Small system footprint
  • Sophisticated whitelisting
  • Recognizes many logging formats transparently
  • Handles host names or addresses in log files

Non-functional spotlights

  • Easy to set up, simple one-line command to use
  • Written in small, portable C and Bourne shell with ~3000 LOC
  • Simple, extensible firewall interface

Want to contribute? Join our mailing lists and find out how to contribute.

Download

Support

Mailing Lists

Send your bug reports, feature requests, questions, or comments to the user mailing list. Package maintainers should subscribe to the package maintainer mailing list.

Issue Tracker

Browse or submit bug reports and feature requests on the issue tracker on Bitbucket.