Sshguard technology reference

Sshguard characteristics:

Sshguard uses a C linked list library (SimCList) to store the list of address statuses efficiently and without an intrinsic bound on its size.

Firewall backends

Sshguard supports natively all the most popular host firewalls, currently:

More firewall backends can be easily implemented, see extending sshguard backends.

If you implement a module for a firewall backend that I'm not aware of, please let me know (mij@bitchx.it).

Blocking policy and behaviour

Blocking attackers is done this way:

  1. if n ≥ abuse_threshold attack entries from the same source appear in the log activity within s ≤ stale_threshold seconds, then the source is blocked
  2. a blocked source stays blocked for at least pardon_threshold seconds, and for at most pardon_threshold + pardon_threshold/2 seconds. To be more effective, the actual duration is chosen randomly within these bounds every time.
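The two rules above, written out as an added example in C (this is illustrative code, not sshguard's own implementation); the threshold values and the sliding window of the last n attack timestamps are assumptions made for the example:

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Policy parameters: values assumed for this example, not sshguard's defaults. */
#define ABUSE_THRESHOLD  4     /* n: attacks needed to trigger a block */
#define STALE_THRESHOLD  1200  /* s: seconds within which those n attacks must fall */
#define PARDON_THRESHOLD 420   /* minimum block duration in seconds */

struct attacker {
    time_t recent[ABUSE_THRESHOLD]; /* timestamps of the last n attacks, oldest first */
    int n;                          /* how many of recent[] are filled */
    time_t blocked_until;           /* 0 when not blocked */
};

/* Rule 2: block length drawn uniformly from [pardon, pardon + pardon/2]. */
time_t pardon_duration(void) {
    return PARDON_THRESHOLD + rand() % (PARDON_THRESHOLD / 2 + 1);
}

/* Record one attack seen at time 'now'; returns 1 if it makes the source blocked. */
int register_attack(struct attacker *a, time_t now) {
    if (a->blocked_until > now)
        return 0;                   /* already blocked, nothing to do */
    if (a->n == ABUSE_THRESHOLD) {  /* drop the oldest timestamp to make room */
        memmove(a->recent, a->recent + 1, (ABUSE_THRESHOLD - 1) * sizeof a->recent[0]);
        a->n--;
    }
    a->recent[a->n++] = now;
    /* Rule 1: n attacks spread over at most s seconds => block the source */
    if (a->n == ABUSE_THRESHOLD && now - a->recent[0] <= STALE_THRESHOLD) {
        a->blocked_until = now + pardon_duration();
        a->n = 0;
        return 1;
    }
    return 0;
}

/* Rule 2: the block is lifted once the chosen pardon time has elapsed. */
int block_expired(const struct attacker *a, time_t now) {
    return a->blocked_until != 0 && now >= a->blocked_until;
}

/* Replay constructed attack times for one source: returns the index of the attack
 * that triggered the block (or -1) and stores the block expiry in *until. */
int first_block_index(const time_t *times, int count, time_t *until) {
    struct attacker a = {{0}, 0, 0};
    for (int i = 0; i < count; i++)
        if (register_attack(&a, times[i])) { *until = a.blocked_until; return i; }
    return -1;
}
```

Attacks older than stale_threshold fall out of the window, so a slow trickle of failed logins never accumulates into a block; only a burst does.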

Every time sshguard is signalled to exit, it flushes the list of blocked addresses so that the firewall state stays consistent.

Attacks

sshguard 0.x used regular expressions to detect attacks, just like many similar log-based blocking tools.

In sshguard 1.x, attack patterns are detected by a far more powerful and more complex parser. For this reason, a tracker is available for attack patterns, through which users can propose new patterns for inclusion in the next release.
