SSHGuard is an automated log watcher that quickly sets up firewall blocks for detected brute-force attacks. It supports not just SSH, but also sendmail, exim, dovecot, Cucipop, UWimap, vsftpd, proftpd, pure-ftpd and FreeBSD ftpd. It understands syslog, syslog-ng, metalog, multilog and raw log formats, and it works with netfilter/iptables, PF, ipfw, or just hosts.allow to set up firewalling rules.
Recent Releases
1.6.4 26 Apr 2016 00:58
minor bugfix:
- Match Postfix pre-authentication disconnects.
- bashisms in iptables backend.
- size argument in inet_ntop() call.
- Remove excessive logging when polling from files.
- Keep looking for unreadable files while polling.
- Update Dovecot signature for POP3.
- Match "Connection reset" message for SSH.
- Resurrect PID file option by popular demand.
- Adjust default abuse threshold.
1.6.3 03 Nov 2015 06:05
minor feature:
- Add sample systemd(8) unit file.
- Implement logging as wrappers around syslog(2).
- Improve log and error messages.
- Remove SIGTSTP and SIGCONT handler.
- Remove safe_fgets() and exit on interrupt.
- Terminate state entries for hosts blocked with pf.
- Update and shorten command-line usage.
- Use 'configure' to set feature-test macros.
1.6.2 14 Oct 2015 00:45
minor documentation:
- Make '-w' option backwards-compatible for iptables (James Harris).
- Remove support for ip6fw and 'ipfw-range' option.
- Rewrite ipfw backend using command framework.
1.6.1 09 Aug 2015 03:15
minor feature:
- Accept "Received disconnect" with optional prefix.
- Add support for socklog entries.
- Fix 'ipfw-rules-range' option in configure script.
- Fix build for 'ipfw' and 'hosts' backends.
- Fix integer comparisons of different types.
- Match attacks when syslog debugging is enabled.
1.6.0rc1 26 Apr 2015 07:25
major feature:
- Add rules for Postfix SASL login attempts.
- Add support for ISO 8601 timestamps.
- Add support for external commands run on firewall events (-e).
- Blacklist file is now human-readable.
- Check tcpwrapper file permissions regardless of local umask.
- Detect additional pre-auth disconnects.
- Fix ipfw crash when loading an empty blacklist.
- Fix log parsing on days beginning with zero.
- Fix log polling on filesystems with many files.
- Fix matching for Cyrus IMAP login via SASL.
- Fix syslog format detection on hosts with undefined hostname.
- Match SSH login failures with "via" suffix.
- Remove broken kqueue(2) support.
- Tweak option names and help strings.
- Update SSH "Bad protocol" signature.
- Use case-insensitive "invalid user" signature.
- Wait for xtables lock when using iptables command.