Date: | March 16, 2021 |
---|---|
Manual group: | SSHGuard Manual |
Manual section: | 8 |
Version: | 2.4 |
sshguard [-hv] [-a threshold] [-b threshold:blacklist_file] [-i pidfile] [-p blocktime] [-s detection_time] [-w address | whitelist_file] [file ...]
sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends.
sshguard can monitor log files and the standard output of a shell command. Log messages are parsed line by line for recognized attack patterns. An attacker is blocked when enough attack patterns are detected within a configurable time interval. Blocks are temporary by default, but attackers can also be blocked permanently using the blacklist option.
sshguard must be configured before its first run. See sshguard-setup(7).
Whitelisted addresses are never blocked. Addresses can be specified on the command line or be stored in a file.
On the command line, give the -w option one or more times with an IP address, CIDR address block, or hostname as an argument. Hostnames are resolved once at startup. If a hostname resolves to multiple addresses, all of them are whitelisted. For example:
sshguard -w 192.168.1.10 -w 192.168.0.0/24 -w friend.example.com -w 2001:0db8:85a3:0000:0000:8a2e:0370:7334 -w 2002:836b:4179::836b:0000/126
If the argument to -w begins with a forward slash ('/') or dot ('.'), the argument is treated as the path to a whitelist file.
The whitelist file contains comments (lines beginning with '#'), addresses, address blocks, or hostnames, one per line.
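The following Python linter is an added example, not part of sshguard or its manual. It applies the -w rules described above to a constructed whitelist file before deployment. The hostname syntax check, the skipping of blank lines, and the rejection of blocks with host bits set are assumptions of this linter; sshguard's own parser may differ.

```python
import ipaddress
import re

# RFC 1123 style label check (assumption: sshguard's own parser may differ).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_entry(text):
    """Return 'address', 'block', 'hostname' or 'invalid' for one entry."""
    for parse, kind in ((ipaddress.ip_address, "address"), (ipaddress.ip_network, "block")):
        try:
            parse(text)  # ip_network is strict: host bits set is flagged as a likely typo
            return kind
        except ValueError:
            pass
    labels = text.rstrip(".").split(".")
    # An all-numeric last label is a mistyped IPv4 address, not a hostname.
    if all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "hostname"
    return "invalid"

def classify_w_argument(arg):
    """Apply the -w rule: a leading '/' or '.' selects a whitelist file."""
    return "file" if arg[:1] in ("/", ".") else classify_entry(arg)

def lint_whitelist(text):
    """Return (entries, problems) for the contents of a whitelist file."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines skipped (assumption)
            continue
        kind = classify_entry(line)
        if kind == "invalid":
            problems.append((lineno, line))
        else:
            entries.append((lineno, kind, line))
    return entries, problems

# Constructed sample file; valid entries reuse addresses from the example above.
SAMPLE = "\n".join(["# trusted hosts", "192.168.1.10", "192.168.0.0/24",
                    "friend.example.com", "2002:836b:4179::836b:0000/126",
                    "192.168.1.300", "10.0.0.1 # inline comment"])

if __name__ == "__main__":
    ok, bad = lint_whitelist(SAMPLE)
    for row in ok:
        print("ok ", *row)
    for row in bad:
        print("BAD", *row)
```

By the leading-character rule, a relative path such as whitelist.txt is classified as a hostname rather than a file; it must be written as ./whitelist.txt to be read as a whitelist file. Because hostnames are resolved once at startup, entries reported as hostname deserve review whenever the underlying DNS records change.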
See also: sshguard-setup(7)