Sshguard FAQ

Check this FAQ before contacting the mailing list for help.

sshguard does not work

You have one of these problems:

Let's debug. How do you pass logs to sshguard?

Next, move on to the firewall. Check the paths first: where is iptables, or pfctl, or ipfw? You may need to specify their path explicitly to ./configure if they are in neither the standard paths nor the system's PATH. Then, are you running sshguard with enough permissions to run the firewall command? Superuser permissions are needed.

Sshguard debugging messages are very useful for understanding problems. See later in this FAQ for how to access them.

For deeper troubleshooting, take inspiration from this thread recounting a debug session.

sshguard does not detect some attacks on my system

This is possible. Many OSes log attacks with custom messages. Many use PAM, some do not, some do with different implementations. You can suggest the attack strings that are not recognized for inclusion in the next versions. Your reports are welcome.

I use IPFW and IPs are not successfully blocked

To minimize intrusiveness, sshguard puts its blocking rules very low in the IPFW chain (with IDs from 55000 to 55050). If you have an accept rule before these positions, all traffic will pass before reaching the blocking rules, as IPFW has a first-match-wins policy. Move the accept rule for ssh after ID 55050.
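As a check for the ordering problem described above, the following script (an added example, not part of sshguard) scans `ipfw list` output for allow rules covering the SSH port that are numbered at or before 55050. The sample ruleset is constructed; the function names, the `LAST_BLOCK` and `SSH_PORT` variables, the use of the `dst-port` keyword in rules, and sshd listening on port 22 are assumptions.

```shell
#!/bin/sh
# Added example (not part of sshguard): find IPFW allow rules for SSH that
# are evaluated before sshguard's block rules (IDs 55000 to 55050).

# Constructed sample of `ipfw list` output; addresses are documentation ranges.
sample_rules() {
cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow tcp from any to any established
01000 allow tcp from any to me dst-port 22 setup
02000 allow tcp from any to me dst-port 80,443
55000 deny ip from 203.0.113.7 to me
55001 deny ip from 198.51.100.23 to me
56000 allow tcp from any to me dst-port 22
65535 deny ip from any to any
EOF
}

# Reads `ipfw list` output on stdin and prints every allow rule numbered at
# or before LAST_BLOCK whose dst-port list covers SSH_PORT (assumed 22).
# Assumption: rules are written with the dst-port keyword.
shadowing_rules() {
    awk -v last="${LAST_BLOCK:-55050}" -v port="${SSH_PORT:-22}" '
    $1 + 0 <= last + 0 {
        allow = 0; udp = 0; hit = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^(allow|accept|pass|permit)$/) allow = 1
            if ($i == "udp") udp = 1
            if ($i == "dst-port" && i < NF) {
                n = split($(i + 1), p, ",")
                for (j = 1; j <= n; j++) {
                    if (p[j] == port || p[j] == "ssh") hit = 1
                    # Port ranges such as 20-25
                    if (p[j] ~ /^[0-9]+-[0-9]+$/) {
                        split(p[j], r, "-")
                        if (r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) hit = 1
                    }
                }
            }
        }
        if (allow && hit && !udp) print
    }'
}

# First match wins: only rule 01000 is reported; 56000 is already after 55050.
sample_rules | shadowing_rules
```

On a live system, feed the function real rules with `ipfw list | shadowing_rules`; any rule it prints should be renumbered to sit after ID 55050.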

can I run sshguard on Solaris?

Support for IP Filter is included from version 1.1.

how can I make sshguard log some debug messages?

By default, sshguard logs everything to syslog, and it always logs debug messages. You just need to tell syslog (or syslog-ng) not to filter them out (lower its priority cut-off). For syslog, edit the syslog.conf configuration file and add a destination for all log messages with priority debug:

    *.=debug   /var/log/debug.log

For syslog-ng, edit the syslog-ng.conf configuration file and add

    destination debuglog { file("/var/log/debug.log"); };
    filter debug { level(debug); };
    log { source(src); filter(debug); destination(debuglog); };

Remember to restart syslog or syslog-ng after these changes. The debug messages then appear in /var/log/debug.log.

Otherwise, with sshguard ≥ 1.1 you can tell sshguard to log everything to standard output for easier reading. Use tail+tee for feeding it logs from a log file, like:

        tail -n0 -F /var/log/auth.log | tee -a /dev/stderr | /usr/local/sbin/sshguard -d

or call sshguard and paste input directly to it from the keyboard:

        /usr/local/sbin/sshguard -d
        

