Sshguard

Software Details:
Version: 1.5
Upload Date: 12 May 15
Developer: Mij
Distribution Type: Freeware
Downloads: 45


Sshguard protects networked hosts from today's widespread brute-force attacks against SSH servers. It detects such attacks and blocks the attacker's address with a firewall rule.

This project is BSD licensed.

How sshguard works

Sshguard monitors SSH servers through their logging activity. It reacts to messages about dangerous activity by blocking the source address with the local firewall.

Messages describing dangerous activity can be easily customized with regular expressions; this makes sshguard theoretically usable with any login server, and in general with anything that logs something, although no experiments have been made outside ssh.

Sshguard can operate all the major firewalling systems:

- PF (OpenBSD, FreeBSD, NetBSD, DragonFly BSD)
- netfilter/iptables (Linux)
- IPFIREWALL/ipfw (FreeBSD, Mac OS X)
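
The log-driven loop described above, as an added Python example (not sshguard's own code, which is written in C): regex signatures pull the source address out of constructed sshd log lines, localhost is skipped, and an address is reported for blocking once it reaches a threshold. The patterns, the threshold of 3, the 600-second base block and the doubling rule for repeat offenders (standing in for the "touchiness" mentioned in the release notes) are assumptions for illustration.

```python
import re
from collections import defaultdict

# Signatures are plain regexes capturing the source as "addr" (illustrative, not sshguard's own set).
PATTERNS = [
    re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<addr>\S+) port"),
    re.compile(r"sshd\[\d+\]: Invalid user \S+ from (?P<addr>\S+)"),
]
WHITELIST = {"127.0.0.1", "::1"}  # localhost is never blocked

def extract_addr(line):
    """Return the offending source address, or None if no signature matches."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group("addr")
    return None

def detect(lines, threshold=3, base_block=600):
    """Return ordered (address, block_seconds) decisions for a log stream."""
    hits, offences = defaultdict(int), defaultdict(int)  # abuses since last block; blocks issued
    decisions = []
    for line in lines:
        addr = extract_addr(line)
        if addr is None or addr in WHITELIST:
            continue
        hits[addr] += 1
        if hits[addr] >= threshold:
            decisions.append((addr, base_block * 2 ** offences[addr]))  # doubles per repeat (assumed rule)
            offences[addr] += 1
            hits[addr] = 0
    return decisions

def fail_line(addr):  # builds one constructed sshd log line
    return f"May 12 10:00:01 host sshd[811]: Failed password for root from {addr} port 4242 ssh2"

# Constructed sample input (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    fail_line("203.0.113.7"),
    "May 12 10:00:02 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4243 ssh2",
    "May 12 10:00:03 host sshd[813]: Accepted publickey for alice from 198.51.100.20 port 5000 ssh2",
    "May 12 10:00:04 host sshd[814]: Invalid user test from 203.0.113.7",
    fail_line("192.0.2.55"),
    *[fail_line("127.0.0.1")] * 3,
    *[fail_line("203.0.113.7")] * 3,
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Each returned decision is what would be handed to the firewall backend; the single failure from 192.0.2.55 stays below the threshold and the localhost failures are ignored.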

Features:

  • A large share of similar tools are simple scripts, so they require a permanently running interpreter, which usually takes a lot of system memory; on servers, memory is very precious.
  • Sshguard is written in C, and designed to be 0-impact on system resources.
  • Several tools require customization (hack & play).
  • Sshguard is designed for extreme ease of use (plug & play).
  • Many tools are OS- or firewall-specific (usually Linux).
  • Sshguard is designed to work on many OSes and can operate several firewall systems; see Compatibility.
  • Nearly all tools are narrowly written for their own operating scenario.
  • Sshguard can be extended to operate with custom/proprietary firewalls with very little effort.

What is new in this release:

  • This release includes many new features (touchiness, automatic permanent blacklisting, IPv6 whitelisting, and more), many bugfixes to the logic, and some fixes and additions to the log analyzer.

What is new in version 1.4 RC5:

  • fix handling of IPv6 with IPFW under Mac OS X Leopard (thanks David Horn)
  • fix cmdline argument BoF exploitable by local users when sshguard is setu$
  • support blocking IPv6 addrs in hosts.allow backend
  • fix using services other than ssh in hosts.allow
  • support log formats of new versions of ProFTPd
  • changed firewall backends to block traffic from attacker to all services
  • whitelist localhost a priori

What is new in version 1.4 RC4:

  • various fixes to blacklisting module
  • provide default for blacklisting threshold in command line option
  • man page revisions
  • parser accepts "-" and "_" chars in process names
  • correctly handle abuse threshold = 1 (thanks K. Tipping)
  • some fixes to SimCList

What is new in version 1.4 RC3:

  • sshguard ignores interrupted fgets() and reloads less often (thanks Keven Tipping)
  • support non-POSIX libCs that require getopt.h (thanks Nobuhiro Iwamatsu)
  • modify iptables insertion policy to comply with further filtering rules (thanks Sebastien Koechlin)
  • update to simclist 1.4.1 which defines EPROTO for OSes that lack it (e.g. OpenBSD)
  • fix detection of hostnames in ProFTPd message
  • fix a possible infinite loop on blacklisted addresses

What is new in version 1.4 RC2:

  • Fix compiler flags for new version of simclist.
  • Move list_find() -> list_locate() according to API changes in simclist (thanks Dmitry).

What is new in version 1.4 RC1:

  • Touchiness was added, so repeated abusers are blocked for longer and longer.
  • Experimental blacklisting was added to store frequent abusers for permanent blocking.
  • The documentation was updated.

What is new in version 1.3:

  • Fix autoconf problem; automatically detect when ipfw supports IPv6 (thanks David Horn); be sensitive to proftpd messages to auth facility, not daemon (thanks Andy Berkvam); add sshd pattern for "Bad protocol" and "Did not receive identif string".

What is new in version 1.2:

  • Support for Cyrus IMAP.
  • Support for SSH "possible break-in attempt" messages.
  • Updated support for dovecot to include the logging format of new versions.
  • A fix for the IPF backend causing sshguard to not update /etc/ipf.rules (disallow IPv6).
  • Detection of passwords when sshd doesn't log anything more than PAM has been fixed.
