Sshguard monitors servers from their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall.
Messages describing dangerous activity can be easily customized. This makes sshguard usable with any server, and in general with anything that writes logs. Sshguard natively supports different attack targets, and can react differently depending on the target service.
Sshguard works on POSIX systems.
Sshguard can interpret log messages with several formats:
It has a powerful parser that makes it straightforward to add support for more formats. You are welcome to propose support for new logging systems on the bug tracker.
Sshguard can operate all the major firewalling systems:
Its natural scenario is sshguard fed by syslog, but any combination works as long as sshguard is given log entries on its standard input.
Many tools exist to mitigate brute-force login attacks against an SSH server. Sshguard appears superior to all of them (all that I know of) when summing up the features:
There are some functional differences between sshguard and other tools:
There are some non-functional differences between sshguard and other tools:
There are some tools similar to sshguard (unsorted):
Sshguard monitors ssh servers from their logging activity.
It reacts to messages about dangerous activity by blocking the source
address with the local firewall. Sshguard can operate all the major
firewalling systems:
* PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
* netfilter/iptables (Linux)
* IPFIREWALL/ipfw (FreeBSD, Mac OS X)
Sshguard is reliable, easy to set up and demands very few resources from
the system. WWW: http://sshguard.sourceforge.net
Make it active by putting in /etc/syslog.conf something like:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
Otherwise, run sshguard standalone with (as root):
tail -n 0 -f /var/log/auth.log | /usr/local/sbin/sshguard &
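The log-driven reaction described above (log entries on standard input, a blocking decision per source address), as an added Python sketch that is not sshguard's own code or algorithm. The Guard class, its threshold, window and whitelist parameters and the two OpenSSH message shapes it recognizes are assumptions made for illustration; it only prints the address it would block.

```python
import ipaddress
import re
import sys
import time
from collections import deque

# User name is remote-supplied text: take the address from the message tail.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .* "
    r"from (?P<addr>[0-9A-Fa-f:.]+)(?: port \d+)?(?: ssh2)?\s*$"
)

# Constructed auth.log lines (documentation addresses, made-up host and PIDs).
SAMPLE = [
    "Jan 10 12:00:01 host sshd[311]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Jan 10 12:00:03 host sshd[312]: Invalid user admin from 203.0.113.5",
    "Jan 10 12:00:04 host sshd[313]: Accepted publickey for alice from 192.0.2.10 port 5022 ssh2",
    "Jan 10 12:00:05 host sshd[312]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
]

class Guard:
    def __init__(self, threshold=3, window=1200, whitelist=()):  # sketch's own knobs
        self.threshold, self.window = threshold, window
        self.whitelist = set(whitelist)
        self.hits = {}        # address -> arrival times of recent failures
        self.blocked = set()  # addresses already reported for blocking

    def feed(self, line, now):
        """Return the address to block because of this line, or None."""
        m = FAILURE.search(line)
        try:
            addr = str(ipaddress.ip_address(m.group("addr"))) if m else None
        except ValueError:  # matched text is not a valid IPv4/IPv6 address
            addr = None
        if addr is None or addr in self.whitelist or addr in self.blocked:
            return None
        q = self.hits.setdefault(addr, deque())
        q.append(now)
        while now - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked.add(addr)
        return addr

if __name__ == "__main__":
    guard = Guard()
    for line in sys.stdin:  # same input contract: log entries on stdin
        if (addr := guard.feed(line, time.time())):
            print("block", addr, flush=True)
```

sshd writes both an "Invalid user" and a "Failed password for invalid user" line for one attempt against an unknown account, so this sketch counts such an attempt twice.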