About sshguard

Sshguard is a log monitor. It protects networked hosts from the today's widespread brute force attacks against services, most notably SSH. It detects such attacks and blocks the author's address with a firewall rule.

Sshguard is BSD licensed; you can download sshguard for free.

How sshguard works

Sshguard monitors servers from their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall.

Messages describing dangerous activity can be easily customized. This makes sshguard usable with any server, and in general anything that logs something. Sshguard supports natively different attack targets, and has the ability to react differently depending on the target service.

Compatibility

Sshguard works on POSIX systems.

Sshguard can interpret log messages with several formats:

• syslog entries
• syslog-ng entries
• metalog entries
• multilog entries
• raw log entries

It has a powerful grammar-based parser that makes it straightforward to support several formats and services without increasing complexity. Several services are currently recognized:

• sshd
• dovecot
• proftpd
• pure-ftpd
• FreeBSD ftpd
• UWimap (imap, pop)

You are welcome to propose support for new logging systems and new services (see support page).

Sshguard can operate all the major firewalling systems:

• PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
• netfilter/iptables (Linux)
• IPFIREWALL/ipfw (FreeBSD, Mac OS X)
• IPFILTER (FreeBSD, NetBSD, Solaris)
• IBM AIX's firewall
• tcpd's hosts.allow (boxes without a network-layer firewall)

Its natural scenario is sshguard feeded by syslog, but any combination works as long as sshguard is given log entries in its standard input.

Advantages over similar tools

Many tools exist with the purpose of mitigating the problem of brute force login attacks against a SSH server. Sshguard appears superior to all of them (to all whose I know of) when summing up the features:

There is some functional difference from other tools to sshguard:

• it supports whitelisting
• it supports IPv6 natively
• it can recognize several logging formats transparently (so it does not require filters)
• it can recognize host names automatically from log files (it's not tricked by addresses in non-IP form)
• its blocking behaviour is easily customizable and can react differently depending on the attacked service

There is some non-functional difference from other tools to sshguard:

1. a very large part of these tools are simple scripts. So, they require a permanent interpreter application which usually takes a lot of system memory. Which, on servers, is very precious.
   Sshguard is written in C, and designed to be 0-impact on system resources.
2. several tools require customization (hack & play).
   Sshguard is designed for extreme ease of use (plug & play).
3. many tools are OS- or firewall-specific (usually Linux).
   Sshguard is designed to work on many OSes and can operate several firewall systems; see Compatibility.
4. nearly all tools are constraintly written for their operating scenario.
   Sshguard can be extended for operating with custom/proprietary firewalls with very very few effort.

There are some tools similar to sshguard (unsorted):

• sshit
• blocksshd
• crackblock
• ssh-faker
• shellter
• sshutout

Packages, documentation and support

There are some sshguard packages for easy installation on your operating system.

There is a thorough sshguard documentation for you to read.

If docs do not answer your questions, there are mailing lists for you at the support at the support page.

del.icio.us