Web Tool Bag  
Sshguard: server protection from brute force (sshguard howto)
Sshguard is a log monitor. It protects networked hosts from today's widespread brute force attacks against services, most notably SSH. It detects such attacks and blocks the attacker's address with a firewall rule.

How sshguard works

Sshguard monitors servers from their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall.

The messages that describe dangerous activity can be easily customized. This makes sshguard usable with any server, and in general with anything that writes logs. Sshguard natively supports different attack targets and can react differently depending on the target service.

Compatibility

Sshguard works on POSIX systems.

Sshguard can interpret log messages with several formats:

  • syslog entries
  • syslog-ng entries
  • metalog entries
  • multilog entries
  • raw log entries

It has a powerful parser that makes it straightforward to add support for more formats. You are welcome to propose support for new logging systems on the bug tracker.

Sshguard can operate all the major firewalling systems:

Its natural scenario is sshguard fed by syslog, but any combination works as long as sshguard is given log entries on its standard input.

Advantages over similar tools

Many tools exist with the purpose of mitigating the problem of brute force login attacks against an SSH server. Sshguard appears superior to all of them (to all that I know of) when summing up the features:

Sshguard differs functionally from other tools in the following ways:

  • it supports whitelisting
  • it supports IPv6 natively
  • it can recognize several logging formats transparently (so it does not require filters)
  • it can recognize host names automatically from log files (it's not tricked by addresses in non-IP form)
  • its blocking behaviour is easily customizable and can react differently depending on the attacked service
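
The detect-and-block loop described on this page, as an added Python sketch (not sshguard's own code, which is written in C): it reads log entries, counts failed SSH logins per source address, honours a whitelist, handles IPv6, and reports the address to block instead of touching a firewall. The regular expression, the threshold of 3 failures in 120 seconds, and the names detect, entry and SAMPLE are assumptions made for this example.

```python
import ipaddress
import re
import sys
from collections import defaultdict, deque

# Assumed OpenSSH-style failure lines behind a classic syslog prefix. Anchored
# at both ends so only the address field written by sshd is counted.
FAILURE = re.compile(
    r"^\w{3}\s+\d+\s+(\d+):(\d+):(\d+) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\S+)(?: port \d+)?(?: ssh2)?$")

def detect(lines, whitelist=(), threshold=3, window=120):
    """Yield each address once it logs `threshold` failures within `window` seconds."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    recent = defaultdict(deque)   # address -> times of its recent failures
    blocked = set()
    for line in lines:
        hit = FAILURE.match(line)
        if not hit:
            continue
        try:
            addr = ipaddress.ip_address(hit.group(4))   # IPv4 or IPv6
        except ValueError:
            continue   # host name or junk: this sketch does not resolve names
        if addr in blocked or any(addr in net for net in allowed):
            continue
        h, m, s = map(int, hit.group(1, 2, 3))
        times = recent[addr]
        times.append(h * 3600 + m * 60 + s)
        # Forget failures older than the window; the modulo copes with midnight.
        while (times[-1] - times[0]) % 86400 > window:
            times.popleft()
        if len(times) >= threshold:
            blocked.add(addr)
            yield str(addr)

def entry(clock, addr):   # builds one constructed sample line, not real traffic
    return f"Oct 25 {clock} host sshd[311]: Failed password for root from {addr} port 4101 ssh2"

SAMPLE = sorted(entry(c, a) for a, clocks in {
    "203.0.113.7":  ["07:26:01", "07:26:03", "07:26:05"],   # burst: blocked
    "192.0.2.10":   ["07:26:02", "07:26:04", "07:26:06"],   # burst, but whitelisted
    "2001:db8::5":  ["07:27:00", "07:27:10", "07:27:20"],   # IPv6 burst: blocked
    "198.51.100.9": ["07:20:00", "07:25:00", "07:30:00"],   # too slow to count
}.items() for c in clocks)

if __name__ == "__main__":   # reads log entries on standard input, as sshguard does
    for address in detect(sys.stdin, whitelist=["192.0.2.0/24"]):
        print("would block", address, flush=True)
```

Calling `list(detect(SAMPLE, whitelist=["192.0.2.0/24"]))` returns the two burst sources and leaves out both the whitelisted host and the slow one.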

Sshguard also differs from other tools in non-functional ways:

  1. a very large share of these tools are simple scripts, so they require a permanently running interpreter, which usually takes a lot of system memory, and memory is very precious on servers.
    Sshguard is written in C, and designed to be 0-impact on system resources.
  2. several tools require customization (hack & play).
    Sshguard is designed for extreme ease of use (plug & play).
  3. many tools are OS- or firewall-specific (usually Linux).
    Sshguard is designed to work on many OSes and can operate several firewall systems; see Compatibility.
  4. nearly all tools are written narrowly for their own operating scenario.
    Sshguard can be extended to operate with custom/proprietary firewalls with very little effort.

There are some tools similar to sshguard (unsorted):

Sshguard monitors ssh servers from their logging activity. 
It reacts to messages about dangerous activity by blocking the source
address with the local firewall. Sshguard can operate all the major
firewalling systems:
* PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
* netfilter/iptables (Linux)
* IPFIREWALL/ipfw (FreeBSD, Mac OS X)


Sshguard is reliable, easy to set up and demands very few resources from
the system. WWW: http://sshguard.sourceforge.net



Make it active by putting in /etc/syslog.conf something like:

    auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

Otherwise, run sshguard standalone with (as root):

    tail -n 0 -f /var/log/auth.log | /usr/local/sbin/sshguard &

Posted by admin on October 25 2007 07:26:15