Sshguard

From Alpine Linux
Revision as of 21:13, 7 January 2026 by John3-16 (1. nftables backend: Added subheading and amended context accordingly; 2. Amended page title from Sshguard to SSHGuard; 3. Style/grammar amendments, including clarification that ipfw and pf are not available on Alpine Linux.)


SSHGuard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using one of several firewall backends, including iptables and nftables; SSHGuard also supports firewalls used elsewhere, including ipfw and pf.

SSHGuard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.

SSHGuard does not support custom log parsing. Check the upstream website to see which services are supported.

Installation

SSHGuard can use several backends; you can list them with $ ls /usr/libexec/sshg-fw*. The easiest backend on Alpine Linux is nftables, but a section on iptables is also given below. After either firewall has been installed, install sshguard:

$ doas apk add sshguard

You will need to create the following configuration file or else SSHGuard won't start.

Contents of /etc/sshguard.conf

#!/bin/sh
BACKEND='/usr/libexec/sshg-fw-nft-sets'
FILES='/var/log/messages'
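
A preflight check for the configuration file above, as an added example that is not part of the original page or of SSHGuard itself: it verifies that BACKEND points to an executable and that every entry in FILES is readable. The function name check_sshguard_conf is hypothetical, and the check assumes the FILES-based setup shown on this page.

```shell
#!/bin/sh
# Added example: preflight check for an SSHGuard configuration file.
# check_sshguard_conf is a hypothetical helper name, not an sshguard command.
check_sshguard_conf() {
    conf="${1:-/etc/sshguard.conf}"
    problems=0

    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf is missing or unreadable"
        return 1
    fi
    case "$conf" in */*) ;; *) conf="./$conf" ;; esac   # keep '.' from searching PATH

    # The file is shell syntax (note its #!/bin/sh line), so treat it like a
    # script: it should not be writable by group or others.
    case "$(ls -ldL "$conf" | cut -c6,9)" in
        *w*) echo "FAIL: $conf is group- or world-writable"; problems=$((problems + 1)) ;;
    esac

    # Read the two variables in subshells so nothing leaks into the caller.
    # Sourcing executes the file, which is why the permission check comes first.
    backend=$( . "$conf" >/dev/null 2>&1; printf '%s' "$BACKEND" )
    files=$( . "$conf" >/dev/null 2>&1; printf '%s' "$FILES" )

    if [ -z "$backend" ]; then
        echo "FAIL: BACKEND is not set"; problems=$((problems + 1))
    elif [ ! -f "$backend" ] || [ ! -x "$backend" ]; then
        echo "FAIL: BACKEND '$backend' is not an executable file"; problems=$((problems + 1))
    fi

    # Assumption: the FILES-based setup from this page is in use.
    if [ -z "$files" ]; then
        echo "FAIL: FILES is not set"; problems=$((problems + 1))
    fi
    for f in $files; do    # FILES is a space-separated list of log files
        [ -r "$f" ] || { echo "FAIL: log file '$f' is not readable"; problems=$((problems + 1)); }
    done

    [ "$problems" -eq 0 ] && echo "OK: $conf passes the preflight check"
    return "$problems"
}
```

Source the function and run it as the user that starts the service, for example with doas, so that the readability test on the log files reflects what the daemon will see. The return value is the number of problems found.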

nftables backend

The nftables ruleset (tables and sets) required by SSHGuard is created dynamically by the SSHGuard daemon. You can view the rules that are active with:

$ doas nft list ruleset

iptables backend

To use the iptables backend, you must first create a chain called "sshguard". Enable the iptables service to save the rules at shutdown and reload them when booting:

$ doas iptables -N sshguard
$ doas iptables -A INPUT -j sshguard
$ doas rc-update add iptables boot

You can view the rules with $ doas iptables -L