sshguard

block brute-force attacks by aggregating system logs

Date: August 16, 2016
Manual group: SSHGuard Manual
Manual section: 8
Version: 2.0.0

SYNOPSIS

sshguard [-v] [-h] [-a blacklist-threshold] [-b blacklist-file] [-i pid-file] [-p block-time] [-s detection-time] [-w address | file] [file ...]

DESCRIPTION

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including firewalld, ipfw, ipset, iptables and pf.

sshguard can read log messages from standard input (suitable for piping from syslog or journalctl) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

See http://www.sshguard.net/docs/setup/ for setup instructions.

Other features, attack signatures, and additional documentation can be found at http://www.sshguard.net/.

OPTIONS

-a blacklist-threshold (default 30)
Block an attacker when its dangerousness exceeds blacklist-threshold. Each attack pattern that is matched contributes a fixed dangerousness of 10.
-b blacklist-file
Blacklist an attacker when its dangerousness exceeds blacklist-threshold. Blacklisted addresses are added to blacklist-file so they can be read at the next startup. Blacklisted addresses are never automatically unblocked, but it is good practice to periodically clean out stale blacklist entries.
-i pid-file
Write the PID of sshguard to pid-file.
-p block-time (default 120 secs, or 2 minutes)
Wait at least block-time seconds before releasing a blocked address. Repeat attackers are blocked for 1.5 times longer after each attack. Because sshguard unblocks attackers only at infrequent intervals, this parameter is inexact (actual blocks will be longer).
-s detection-time (default 1800 secs, or 30 minutes)
Forget about an attacker detection-time seconds after its last attempt. Its dangerousness will be reset to zero.
-w ip-address | whitelist-file
Whitelist the given address, hostname, or address block. Alternatively, read whitelist entries from whitelist-file. This option can be given multiple times. See WHITELISTING below for details.
-h
Print usage information and exit.
-v
Print version information and exit.
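The following is an added illustration, not sshguard's own code: a minimal model of the scoring, block-duration and forgetting rules that the -a, -p and -s options describe, using the man page's default values. The function and class names are this example's own, and the rule that an attacker's score restarts at zero once it has been blocked is an assumption of the model.

```python
# Added example, not sshguard's implementation: models the OPTIONS rules.
from dataclasses import dataclass

DANGER_PER_MATCH = 10        # each matched attack pattern adds 10
BLACKLIST_THRESHOLD = 30     # -a default
BLOCK_TIME = 120             # -p default, in seconds
DETECTION_TIME = 1800        # -s default, in seconds
BLOCK_GROWTH = 1.5           # repeat attackers are blocked 1.5x longer


@dataclass
class Attacker:
    danger: int = 0
    last_seen: float = 0.0
    blocks: int = 0          # how many times this address was blocked


def record_attack(attackers: dict, ip: str, now: float,
                  threshold: int = BLACKLIST_THRESHOLD):
    """Account one matched attack pattern from `ip` at time `now`.

    Returns the block duration in seconds when the address should be
    blocked now, or None when it is only being scored."""
    a = attackers.setdefault(ip, Attacker())
    # -s: forget the attacker detection-time seconds after its last attempt
    if a.last_seen and now - a.last_seen > DETECTION_TIME:
        a.danger = 0
    a.last_seen = now
    a.danger += DANGER_PER_MATCH
    if a.danger > threshold:
        # -p: at least block-time, 1.5x longer for every earlier block
        duration = BLOCK_TIME * BLOCK_GROWTH ** a.blocks
        a.blocks += 1
        a.danger = 0         # assumption: the score restarts after a block
        return duration
    return None


if __name__ == "__main__":
    # constructed address from the documentation range, four failures
    state = {}
    for t in range(4):
        print(t, record_attack(state, "203.0.113.5", t))
```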

ENVIRONMENT

SSHGUARD_DEBUG
Enable additional debugging information.

WHITELISTING

sshguard supports IP address whitelisting. Whitelisted addresses are not blocked even if they appear to generate attacks. This is useful to keep LAN users (or friendly external users) from being blocked incidentally.

Whitelist addresses are controlled through the -w command-line option. This option can add explicit addresses, host names and address blocks:

addresses

specify the numeric IPv4 or IPv6 address directly, like:

-w 192.168.1.10

or in multiple occurrences:

-w 192.168.1.10 -w 2001:0db8:85a3:0000:0000:8a2e:0370:7334

host names

specify the host name directly, like:

-w friendhost.enterprise.com

or in multiple occurrences:

-w friendhost.enterprise.com -w friend2.enterprise.com

All IPv4 and IPv6 addresses that the host resolves to are whitelisted. Hosts are resolved to addresses once, when sshguard starts up.

address blocks

specify the IPv4 or IPv6 address block in the usual CIDR notation:

-w 2002:836b:4179::836b:0000/126

or in multiple occurrences:

-w 192.168.0.0/24 -w 1.2.3.128/26

file

When longer lists are needed for whitelisting, they can be wrapped into a plain text file, one address/hostname/block per line, with the same syntax given above.

sshguard can take whitelists from files when the -w option argument begins with a '.' (dot) or '/' (slash).

This is a sample whitelist file (say /etc/friends):

# comment line (a '#' as very first character)
#   a single IPv4 and IPv6 address
1.2.3.4
2001:0db8:85a3:08d3:1319:8a2e:0370:7344
#   address blocks in CIDR notation
127.0.0.0/8
10.11.128.0/17
192.168.0.0/24
2002:836b:4179::836b:0000/126
#   hostnames
rome-fw.enterprise.com
hosts.friends.com

And this is how sshguard is told to build a whitelist from the /etc/friends file:

sshguard -w /etc/friends

The -w option can be used only once for files. For addresses, host names and address blocks it can be used any number of times, including mixtures of them.

SEE ALSO

Glossary: http://www.sshguard.net/docs/terminology/

Website: http://www.sshguard.net/

sshguard.conf.sample

AUTHORS

Michele Mazzucchi <mij@bitchx.it>, T.J. Jones <tjjones03@gmail.com>, Kevin Zheng <kevinz5000@gmail.com>
