Manual Reference Pages  - SSHGUARD (8)

NAME

sshguard - monitors daemon activity

CONTENTS

Synopsis
Description
Usage
See Also

SYNOPSIS

sshguard [-a abuse_thresh] [-p pardon_min_interval] [-s stale_thresh]

DESCRIPTION

sshguard protects networked hosts from today's widespread brute force attacks against ssh servers. It detects such attacks and blocks the attacker's address with a firewall rule.

sshguard is given log messages from the ssh daemon on its standard input. By means of a parser, it decides whether an entry is normal activity or an attack; in the latter case, it notes the attacker's address. When the number of attacks from one address exceeds a threshold, the address is blocked with the firewall.

sshguard supports the following firewalls:

USAGE

sshguard is typically fed log entries by syslog (or syslog-ng) or by tail.

For interfacing sshguard with syslog, a line like this must be included in syslog.conf:

# copy to sshguard entries with auth and authpriv fac., lev. >= info
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

For interfacing sshguard with syslog-ng, a configuration like the following is needed:

# sshguard is a log destination
destination sshguardproc { program("/usr/local/sbin/sshguard"); };
# filter LOG_AUTH messages which also contain "ssh"
filter authssh { facility(auth, authpriv) and match("ssh"); };
# copy filtered logs into the sshguard process
log { source(src); filter(authssh); destination(sshguardproc); };

For making sshguard get entries directly from a log file, run this command:

tail -n0 -f /var/log/auth.log | /usr/local/sbin/sshguard

sshguard does not use any configuration file. Instead, its default behaviour is modified by passing a combination of arguments to its process on the command line:

-a num
    Block an address after num attack attempts have been detected. (Default: 4)

-p secs
    Release a blocked address no sooner than secs seconds after it was blocked. sshguard releases the address between X and 3/2 * X seconds after blocking, where X is secs. (Default: 7*60)

-s secs
    Forget about an address after secs seconds without further attacks. If a host issues one attack every this many seconds, it will never be blocked. (Default: 20*60)
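The following is an added example, not code from sshguard itself, that models the behaviour described above: a small parser that classifies sshd log lines as attack or normal activity, and the counting policy driven by -a (abuse threshold), -p (pardon interval) and -s (stale interval). The regular expression, the Guard class, and the sample log lines are all constructed for illustration; sshguard's real parser recognises many more message forms, and the real daemon picks a release time somewhere between X and 3/2 * X using timers rather than checking expiry only when a new line arrives.

```python
import re
from dataclasses import dataclass, field

# Hypothetical matcher for two common sshd failure messages (illustration only;
# sshguard's own parser handles many more forms). Captures the source address.
ATTACK_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for .+? from|Invalid user \S+ from) "
    r"(\d{1,3}(?:\.\d{1,3}){3})"
)


def classify(line):
    """Return the attacker address if the log line is an attack, else None."""
    m = ATTACK_RE.search(line)
    return m.group(1) if m else None


@dataclass
class Guard:
    """Counting and blocking policy driven by the -a, -p and -s options."""
    abuse_thresh: int = 4        # -a: attacks before an address is blocked
    pardon: int = 7 * 60         # -p: minimum seconds an address stays blocked
    stale: int = 20 * 60         # -s: seconds of silence after which an address is forgotten
    pardon_extra: float = 0.0    # 0..0.5; sshguard itself releases somewhere in [X, 3/2 X]
    counts: dict = field(default_factory=dict)   # addr -> (attacks, last_seen)
    blocked: dict = field(default_factory=dict)  # addr -> release time
    actions: list = field(default_factory=list)  # ("block"|"release", addr, when)

    def _expire(self, now):
        # Release addresses whose pardon interval has elapsed.
        for addr, release_at in list(self.blocked.items()):
            if now >= release_at:
                del self.blocked[addr]
                self.actions.append(("release", addr, now))
        # -s: forget addresses that have been quiet longer than the stale interval.
        for addr, (_, last_seen) in list(self.counts.items()):
            if now - last_seen > self.stale:
                del self.counts[addr]

    def feed(self, now, line):
        """Process one log line seen at time `now` (seconds); return "block" if it triggered a block."""
        self._expire(now)
        addr = classify(line)
        if addr is None or addr in self.blocked:
            return None  # normal activity, or already dropped by the firewall rule
        attacks = self.counts.get(addr, (0, now))[0] + 1
        self.counts[addr] = (attacks, now)
        if attacks < self.abuse_thresh:
            return None
        del self.counts[addr]
        self.blocked[addr] = now + int(self.pardon * (1 + self.pardon_extra))
        self.actions.append(("block", addr, now))
        return "block"


def run(events, **options):
    """Replay (time, line) events through a fresh Guard and return it."""
    guard = Guard(**options)
    for now, line in events:
        guard.feed(now, line)
    return guard


# Constructed sample events (seconds since start, log line); not a real capture.
SAMPLE = [
    (0,    "host sshd[101]: Accepted publickey for alice from 192.0.2.10 port 5000 ssh2"),
    (0,    "host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"),
    (1,    "host sshd[103]: Failed password for root from 203.0.113.5 port 4243 ssh2"),
    (2,    "host sshd[104]: Invalid user test from 203.0.113.5"),
    (3,    "host sshd[105]: Failed password for root from 203.0.113.5 port 4244 ssh2"),
    (5,    "host sshd[106]: Failed password for root from 203.0.113.5 port 4245 ssh2"),
    (100,  "host sshd[107]: Invalid user oracle from 198.51.100.7"),
    (430,  "host sshd[108]: Accepted publickey for alice from 192.0.2.10 port 5001 ssh2"),
    (1400, "host sshd[109]: Invalid user oracle from 198.51.100.7"),
    (2700, "host sshd[110]: Invalid user oracle from 198.51.100.7"),
]

if __name__ == "__main__":
    for action in run(SAMPLE).actions:
        print(action)
```

With the defaults, 203.0.113.5 is blocked on its 4th attempt at t=3 and released once the 7*60 second pardon has passed, while 198.51.100.7, which attacks only every 1300 seconds, is forgotten between attempts (20*60 second stale interval) and is never blocked. Running the same events with `abuse_thresh=3, stale=3000` shows the effect of the options: the slow attacker's count survives between attempts and it is blocked on its third.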

SEE ALSO

syslog(1), syslog.conf(5)

sshguard website at: http://sshguard.sourceforge.net/


Feb 14, 2007 SSHGUARD (8)