sshguard - block brute-force attacks by aggregating system logs

sshguard [-hv] [-a threshold] [-b threshold:blacklist_file] [-i pidfile] [-p blocktime] [-s detection_time] [-w address | whitelist_file] [file ...]

sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends.

sshguard can monitor log files. Log messages are parsed line-by-line for recognized patterns. An attack is detected when several patterns are matched in a set time interval. Attackers are blocked temporarily but can also be semi-permanently banned using the blacklist option.

Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
Write the PID of sshguard to pidfile.
Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.

sshguard unblocks attacks at random intervals, so actual block times will be longer.

Remember potential attackers for up to detection_time seconds before resetting their score.
[-w address | whitelist_file]
Whitelist a single address, hostname, or address block given as address. This option can be given multiple times. Alternatively, provide an absolute path to a whitelist_file containing addresses to whitelist. See WHITELISTING.
Print usage information and exit.
Print version information and exit.

Set to enable verbose output from sshg-blocker.

See sample configuration file.

Whitelisted addresses are never blocked. Addresses can be specified on the command line or be stored in a file.

On the command line, give the -w option one or more times with an IP address, CIDR address block, or hostname as an argument. Hostnames are resolved once at startup. If a hostname resolves to multiple addresses, all of them are whitelisted. For example:

sshguard -w -w -w

-w 2001:0db8:85a3:0000:0000:8a2e:0370:7334
-w 2002:836b:4179::836b:0000/126

If the argument to -w begins with a forward slash ('/') or dot ('.'), the argument is treated as the path to a whitelist file.

The whitelist file contains comments (lines beginning with '#'), addresses, address blocks, or hostnames, one per line.


May 23, 2019 2.4