Sshguard: Difference between revisions

From Alpine Linux
(iptables: Chain 'sshguard' has to be created first.)
(1. →‎nftables backend: Added subheading and amended context accordingly; 2. Amended page title from Sshguard to SSHGuard; 3. Style/grammar amendments, including clarification that ipfw and pf are not available on Alpine Linux.)
 
Line 1: Line 1:
[https://www.sshguard.net/ sshguard] protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables, ipfw, and pf.
{{DISPLAYTITLE:SSHGuard}}


sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.
[https://www.sshguard.net/ SSHGuard] protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including '''iptables''' and '''nftables''';  SSHGuard also supports firewalls used elsewhere, including ipfw and pf.


sshguard does not support custom log parsing. Check the website too see which services they support.
SSHGuard can read log messages from standard input (suitable for piping from ''syslog'') or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.
 
SSHGuard does not support custom log parsing. Check the website upstream to see which services they support.


== Installation ==
== Installation ==


Sshguard can use several backends, you can see them with <code>ls /usr/libexec/sshg-fw*</code>. The easiest backend on Alpine is nftables. After you install sshguard, you will need to create a config file or it won't start.
SSHGuard can use several backendsyou can see them listed with {{ic|$ ls /usr/libexec/sshg-fw*}}. The easiest backend on Alpine Linux is [[Nftables|nftables]], but a section is given below for [[Iptables]] also. After either firewall has been installed, install {{Pkg|sshguard}}:


{{Cmd|apk add sshguard nftables}}
{{Cmd|$ doas apk add sshguard}}
 
You will need to create the following configuration file or else SSHGuard won't start.


{{Cat|/etc/sshguard.conf|#!/bin/sh
{{Cat|/etc/sshguard.conf|#!/bin/sh
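Review bot: The new install command "$ doas apk add sshguard" drops nftables from the package list, and the rewritten paragraph only says "After either firewall has been installed", so the firewall prerequisite is easy to miss for a reader who follows this section alone. Suggest stating it as an explicit step before the apk command (the old line was "apk add sshguard nftables"). In the same hunk, "backendsyou" has lost its separator, and "Check the website upstream to see which services they support" would read better as "Check the upstream website to see which services it supports".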
Line 16: Line 20:
}}
}}


You can view the rules with <code>nft list ruleset</code>
== nftables backend ==
 
The nftables ruleset (tables and sets) required by SSHGuard are created dynamically with this SSHGuard daemon. You can view the rules that are active with:


== Iptables backend ==
{{ic|$ doas nft list ruleset}}


To use the iptables backend, you must first create a chain called "sshguard". Enable the iptables-service to save the rules at shutdown and reload them when booting
== iptables backend ==


{{Cmd|iptables -N sshguard
To use the '''iptables''' backend, you must first create a chain called "sshguard". Enable the iptables-service to save the rules at shutdown and reload them when booting
iptables -A INPUT -j sshguard
rc-update add iptables boot}}


You can view the rules with <code>iptables -L</code>
{{Cmd|$ doas iptables -N sshguard
$ doas iptables -A INPUT -j sshguard
$ doas rc-update add iptables boot}}


You can view the rules with {{ic|$ doas iptables -L}}


[[category:Security]]
[[category:Security]]
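Review bot: In the iptables section, "iptables -A INPUT -j sshguard" appends the jump to the end of INPUT, so any rule already in that chain that accepts the connection is matched first and the sshguard chain is never consulted. The text should say that the jump has to sit ahead of the rules that accept SSH, for example by inserting it with -I rather than -A. The sentence ending "reload them when booting" is also missing its full stop, and in the nftables paragraph "ruleset ... are created dynamically with this SSHGuard daemon" should read "is created dynamically by the SSHGuard daemon".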

Latest revision as of 21:13, 7 January 2026


SSHGuard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables and nftables; SSHGuard also supports firewalls used elsewhere, including ipfw and pf.

SSHGuard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

SSHGuard does not support custom log parsing. Check the upstream website to see which services it supports.
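The detection step described above (several login failures within a few seconds lead to a block) can be modelled as follows. This is an added, simplified example and not SSHGuard's own parser or scoring; the function names, the fixed threshold and window, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the behaviour described above, not SSHGuard's parser.
# Assumed: sshd "Failed password" lines from a single day, IPv4 sources only.

# Constructed sample log; addresses are RFC 5737 documentation ranges.
sample_log() {
cat <<'EOF'
Jan  7 21:13:01 alpine sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan  7 21:13:02 alpine sshd[2101]: Failed password for root from 203.0.113.5 port 40022 ssh2
Jan  7 21:13:04 alpine sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Jan  7 21:13:09 alpine sshd[2110]: Failed password for alice from 198.51.100.7 port 51514 ssh2
Jan  7 21:20:30 alpine sshd[2144]: Failed password for alice from 198.51.100.7 port 51600 ssh2
Jan  7 21:31:12 alpine sshd[2190]: Accepted publickey for alice from 198.51.100.7 port 51712 ssh2
EOF
}

# usage: find_offenders THRESHOLD WINDOW_SECONDS < logfile
# Prints each address once, at the moment it reaches THRESHOLD failures
# inside a sliding window of WINDOW_SECONDS.
find_offenders() {
    awk -v threshold="$1" -v window="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
        # Take the last "from" so a username containing that word
        # cannot shift the address field.
        ip = ""
        for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || (ip in blocked)) next
        split($3, t, ":")
        now = t[1] * 3600 + t[2] * 60 + t[3]
        seen[ip, ++n[ip]] = now
        hits = 0
        for (k = 1; k <= n[ip]; k++) if (now - seen[ip, k] <= window) hits++
        if (hits >= threshold) { blocked[ip] = 1; print ip }
    }'
}

sample_log | find_offenders 3 10   # three failures within ten seconds
```

With a threshold of 3 and a 10-second window only the address with the rapid burst is reported; the address with two failures seven minutes apart is not.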

Installation

SSHGuard can use several backends; you can list them with $ ls /usr/libexec/sshg-fw*. The easiest backend on Alpine Linux is nftables, but a section on iptables is also given below. After either firewall has been installed, install sshguard:

$ doas apk add sshguard

You will need to create the following configuration file or else SSHGuard won't start.

Contents of /etc/sshguard.conf

#!/bin/sh
BACKEND='/usr/libexec/sshg-fw-nft-sets'
FILES='/var/log/messages'

nftables backend

The nftables ruleset (tables and sets) required by SSHGuard is created dynamically by the SSHGuard daemon. You can view the active rules with:

$ doas nft list ruleset

iptables backend

To use the iptables backend, you must first create a chain called "sshguard". Enable the iptables service to save the rules at shutdown and reload them at boot.

$ doas iptables -N sshguard
$ doas iptables -A INPUT -j sshguard
$ doas rc-update add iptables boot

You can view the rules with $ doas iptables -L
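Because -A appends the jump to the end of INPUT, a rule earlier in the chain that already accepts SSH is evaluated first and the sshguard chain is never reached. The following check is an added example, not part of SSHGuard or the Alpine packages; the function names and both rule listings are constructed, and it assumes input in the format printed by iptables -S INPUT.

```shell
#!/bin/sh
# Added check, not part of SSHGuard or the Alpine packages.
# Input: the output of `iptables -S INPUT`. Result: ok, shadowed or missing.

# usage: doas iptables -S INPUT | check_sshguard_jump [PORT]
check_sshguard_jump() {
    awk -v port="${1:-22}" '
    $1 == "-A" && $2 == "INPUT" {
        rule++
        target = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        if (target == "sshguard" && !jump) jump = rule
        # First rule that accepts the protected port outright.
        if (target == "ACCEPT" && dport == port && !accept) accept = rule
    }
    END {
        if (!jump) print "missing"            # chain never referenced
        else if (accept && accept < jump) print "shadowed"
        else print "ok"
    }'
}

# Constructed listing: jump appended after an existing SSH accept rule.
appended_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j sshguard
EOF
}

# Constructed listing: jump evaluated before the SSH accept rule.
inserted_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

appended_rules | check_sshguard_jump   # prints: shadowed
inserted_rules | check_sshguard_jump   # prints: ok
```

If the result is "shadowed", place the jump ahead of the accept rule with iptables -I INPUT instead of -A. The check only looks at single-port --dport matches, so rules using other match types need a manual review.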