https://www.sshguard.net/

SSHGuard protects hosts from brute-force attacks by:

* Monitoring system logs
* Detecting attacks
* Blocking attackers using a firewall

Started for SSH, now protects a wide range of services out of the box!

---------------------------------------------------------------------

What is SSHGuard?

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.

[Figure: Brute-force attacks without SSHGuard]
[Figure: SSHGuard blocks brute-force attacks]

sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

SSHGuard Features

Logging

SSHGuard recognizes logs in several formats:

* cockpit
* Common Log Format
* macOS log (new in 2.0)
* metalog
* multilog
* raw log files
* syslog
* syslog-ng
* systemd journal (new in 2.0)

It can monitor multiple log files at once and handles log rotation and temporary log files automatically.

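The detect, block and release cycle described under "What is SSHGuard?", modelled as an added Python sketch; it is not SSHGuard's own code or algorithm. The thresholds, the timestamped line format, the `replay` function and the sample addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
# Assumed values for this sketch; they are not SSHGuard's defaults.
THRESHOLD = 3        # failures inside WINDOW that trigger a block
WINDOW = 10          # seconds
BLOCK_TIME = 120     # seconds until a blocked address is released
BLACKLIST_AFTER = 2  # blocks after which an address is never released

# Constructed line format: "<epoch seconds> sshd[pid]: <message>". The greedy
# ".*" binds to the last " from <addr> port", so a crafted user name cannot frame another address.
FAILURE = re.compile(r"^(\d+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def replay(lines):
    """Return (time, action, address) events for a stream of log lines."""
    recent = defaultdict(deque)  # address -> times of recent failures
    blocked = {}                 # address -> release time, None = blacklisted
    offences = defaultdict(int)  # address -> blocks so far
    events = []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue
        now, addr = int(m.group(1)), m.group(2)
        for a, until in list(blocked.items()):  # release expired blocks
            if until is not None and until <= now:
                del blocked[a]
                events.append((until, "unblock", a))
        if addr in blocked:
            continue
        q = recent[addr]
        q.append(now)
        while now - q[0] > WINDOW:  # forget failures outside the window
            q.popleft()
        if len(q) >= THRESHOLD:
            q.clear()
            offences[addr] += 1
            permanent = offences[addr] >= BLACKLIST_AFTER
            blocked[addr] = None if permanent else now + BLOCK_TIME
            events.append((now, "blacklist" if permanent else "block", addr))
    return events

SAMPLE = [  # constructed log lines
    "100 sshd[411]: Failed password for root from 192.0.2.7 port 50112 ssh2",
    "102 sshd[412]: Failed password for invalid user admin from 192.0.2.7 port 50113 ssh2",
    "104 sshd[413]: Failed password for root from 192.0.2.7 port 50114 ssh2",
    "300 sshd[430]: Failed password for root from 192.0.2.7 port 50200 ssh2",
    "301 sshd[431]: Failed password for root from 192.0.2.7 port 50201 ssh2",
    "302 sshd[432]: Failed password for root from 192.0.2.7 port 50202 ssh2",
]
```

`replay(SAMPLE)` yields a block at 104, the release at 224, and a blacklist entry at 302 when the same address offends a second time.
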
Parsing

SSHGuard recognizes attacks against:

* OpenSSH
* Sendmail
* Exim
* Dovecot
* Cucipop
* UWimap (imap, pop)
* vsftpd
* Postfix
* proftpd
* pure-ftpd
* FreeBSD ftpd

Blocking

SSHGuard can integrate with many firewall backends including:

* FirewallD (Linux, new in 2.0)
* ipfw (FreeBSD, macOS)
* IPFILTER (FreeBSD, NetBSD, Solaris)
* netfilter/iptables (Linux)
* netfilter/ipset (Linux, new in 2.0)
* PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
* tcpd's hosts.allow (boxes without a network-layer firewall)
* IBM AIX's firewall

Functional spotlights

* Touchiness and automatic blacklisting
* Full IPv6 support
* Monitors multiple log files
* Small system footprint
* Sophisticated whitelisting
* Recognizes many logging formats transparently
* Handles host names or addresses in log files

Non-functional spotlights

* Easy to set up, simple one-line command to use
* Written in small, portable C and Bourne shell with ~3000 LOC
* Simple, extensible firewall interface

Want to contribute? Join our mailing list and find out how to contribute.

Site crafted by phretor