Sshguard Server protection from bruteforce with Howto sshguard
Posted by admin on October 25 2007 10:26:15
Sshguard is a log monitor. It protects networked hosts from the today's widespread brute force attacks against services, most notably SSH. It detects such attacks and blocks the author's address with a firewall rule.

How sshguard works

Sshguard monitors servers from their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall.

Messages describing dangerous activity can be easily customized. This makes sshguard usable with any server, and in general anything that logs something. Sshguard supports natively different attack targets, and has the ability to react differently depending on the target service.

Compatibility

Sshguard works on POSIX systems.

Sshguard can interpret log messages with several formats:

It has a powerful parser that makes it straightforward to add support for more formats. You are welcome to propose support for new logging systems on the bug tracker.

Sshguard can operate all the major firewalling systems:

Its natural scenario is sshguard feeded by syslog, but any combination works as long as sshguard is given log entries in its standard input.

Advantages over similar tools

Many tools exist with the purpose of mitigating the problem of brute force login attacks against a SSH server. Sshguard appears superior to all of them (to all whose I know of) when summing up the features:

There is some functional difference from other tools to sshguard:

There is some non-functional difference from other tools to sshguard:

  1. a very large part of these tools are simple scripts. So, they require a permanent interpreter application which usually takes a lot of system memory. Which, on servers, is very precious.
    Sshguard is written in C, and designed to be 0-impact on system resources.
  2. several tools require customization (hack & play).
    Sshguard is designed for extreme ease of use (plug & play).
  3. many tools are OS- or firewall-specific (usually Linux).
    Sshguard is designed to work on many OSes and can operate several firewall systems; see Compatibility.
  4. nearly all tools are constraintly written for their operating scenario.
    Sshguard can be extended for operating with custom/proprietary firewalls with very very few effort.

There are some tools similar to sshguard (unsorted):

Sshguard monitors ssh servers from their logging activity. 
It reacts to messages about dangerous activity by blocking the source
address with the local firewall. Sshguard can operate all the major
firewalling systems:
* PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
* netfilter/iptables (Linux)
* IPFIREWALL/ipfw (FreeBSD, Mac OS X)


Sshguard is reliable, easy to set up and demands very few resources to
the system. WWW: http://sshguard.sourceforge.net



Make it active by putting in /etc/syslog.conf something like:
Make it active by putting in /etc/syslog.conf something like:
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard"
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
Otherwise, run sshguard standalone with (as root):
Otherwise, run sshguard standalone with (as root):
tail -n 0 -f /var/log/auth.log | /usr/local/sbin/sshguard
tail -n 0 -f /var/log/auth.log | /usr/local/sbin/sshguard &

WWW: http://sshguard.sourceforge.net