Sshguard: Difference between revisions

From Alpine Linux
(1. →‎nftables backend: Added subheading and amended context accordingly; 2. Amended page title from Sshguard to SSHGuard; 3. Style/grammar amendments, including clarification that ipfw and pf are not available on Alpine Linux.)
(Removed {{DISPLAYTITLE:SSHGuard}} as DISPLAYTITLE is not currently changing page title from Sshguard to SSHGuard (upstream name) - see discussion at Display title - amend to SSHGuard; otherwise, page appears under "Categories: Pages with ignored display titles".)
 
Line 1: Line 1:
{{DISPLAYTITLE:SSHGuard}}


[https://www.sshguard.net/ SSHGuard] protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including '''iptables''' and '''nftables''';  SSHGuard also supports firewalls used elsewhere, including ipfw and pf.
[https://www.sshguard.net/ SSHGuard] protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including '''iptables''' and '''nftables''';  SSHGuard also supports firewalls used elsewhere, including ipfw and pf.
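Review bot: removing the {{DISPLAYTITLE:SSHGuard}} line leaves the page titled "Sshguard" while the lead paragraph right below it still uses the upstream spelling "SSHGuard". Since the edit summary says the title question is still under discussion, consider a page move or redirect as the follow-up so the title and body agree. The unchanged lead line also has a double space after "'''nftables''';" that could be cleaned up in the same edit.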

Latest revision as of 18:20, 17 January 2026

SSHGuard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables and nftables; SSHGuard also supports firewalls used elsewhere, including ipfw and pf.

SSHGuard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

SSHGuard does not support custom log parsing. Check the upstream website to see which services are supported.

Installation

SSHGuard can use several backends; you can list them with $ ls /usr/libexec/sshg-fw*. The easiest backend on Alpine Linux is nftables, but a section on iptables is also given below. After either firewall has been installed, install sshguard:

$ doas apk add sshguard

You will need to create the following configuration file or else SSHGuard won't start.

Contents of /etc/sshguard.conf

#!/bin/sh
BACKEND='/usr/libexec/sshg-fw-nft-sets'
FILES='/var/log/messages'
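A pre-start check for the file above, as an added example that is not part of the original page or of SSHGuard. The function name `check_sshguard_conf` is hypothetical, and the check assumes the `FILES`-based setup shown here.

```shell
#!/bin/sh
# Added example: check_sshguard_conf is a hypothetical helper, not part of SSHGuard.
# Usage: check_sshguard_conf /etc/sshguard.conf
check_sshguard_conf() (
    conf=${1:-/etc/sshguard.conf}
    case $conf in */*) ;; *) conf=./$conf ;; esac   # keep "." from searching PATH

    if [ ! -r "$conf" ]; then
        echo "ERROR: $conf is missing or unreadable" >&2
        exit 1
    fi

    # The file is shell syntax, so refuse to load it if other users can edit it.
    case $(ls -ld "$conf" | cut -c1-10) in
        ?????w*|????????w*)
            echo "ERROR: $conf is group- or world-writable" >&2
            exit 1 ;;
    esac

    # Load the settings; the subshell body keeps them out of the caller's shell.
    unset BACKEND FILES
    . "$conf" >/dev/null 2>&1
    rc=0

    if [ -z "$BACKEND" ]; then
        echo "ERROR: BACKEND is not set" >&2; rc=1
    elif [ ! -x "$BACKEND" ]; then
        echo "ERROR: backend $BACKEND not found or not executable" >&2; rc=1
    fi

    # Assumption: log input comes from FILES, as in the configuration on this page.
    if [ -z "$FILES" ]; then
        echo "ERROR: FILES is empty" >&2; rc=1
    fi
    for f in $FILES; do
        [ -r "$f" ] || { echo "ERROR: log file $f is not readable" >&2; rc=1; }
    done

    case $BACKEND in
        *iptables*) echo "NOTE: the iptables backend needs the 'sshguard' chain created first" >&2 ;;
    esac
    exit "$rc"
)
```

The function returns 0 only when the backend is executable and every listed log file is readable; problems are printed to standard error.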

nftables backend

The nftables ruleset (tables and sets) required by SSHGuard is created dynamically by the SSHGuard daemon. You can view the active rules with:

$ doas nft list ruleset

iptables backend

To use the iptables backend, you must first create a chain called "sshguard". Enable the iptables service to save the rules at shutdown and reload them when booting:

$ doas iptables -N sshguard
$ doas iptables -A INPUT -j sshguard
$ doas rc-update add iptables boot

You can view the rules with $ doas iptables -L