Sshguard/en

sshguard is an intrusion prevention system that parses server logs, identifies malicious activity, and uses the system firewall to block the IP addresses of malicious connections. sshguard is written in C, so it does not tax an interpreter.

How it works
sshguard is a simple daemon that continuously tracks one or more log files. It parses the log events that daemons emit on failed login attempts and then blocks any further attempts from those sources by updating the system's firewall.

Despite its name, sshguard does not only parse SSH logs. It also supports many mail systems as well as a few FTP ones. A full listing of supported services can be found on the sshguard.net website.

Emerge
Install:

Also make sure that is installed and used as the system firewall. At the time of writing, sshguard does not yet support.

More information about using and configuring IPtables can also be found on the IPtables article.

Preparing the firewall
When sshguard blocks any malicious users (by blocking their IP addresses), it will use the chain.

Prepare the chain, and make sure it is also triggered when new incoming connections are detected:

Watching logfiles
The basic idea behind sshguard is that the administrator passes on the log file(s) to watch as options to the application - there is no native sshguard configuration file.

On Gentoo, the options can be best configured in the file:

FILES="/var/log/messages /var/log/auth.log"
THRESHOLD=10
BLOCK_TIME=60480
DETECTION_TIME=60480
IPV6_SUBNET=64
IPV4_SUBNET=24
PID_FILE=/run/sshguard.pid

 * FILES: space-separated list of log files to monitor (optional, no default).
 * THRESHOLD: how many problematic attempts trigger a block.
 * BLOCK_TIME: blocks last at least 24 hours (60480 seconds).
 * DETECTION_TIME: track IP addresses for 24 hours (60480 seconds).
 * IPV6_SUBNET: IPv6 subnet size to block, in CIDR notation (optional, defaults to 128, i.e. a single address).
 * IPV4_SUBNET: IPv4 subnet size to block, in CIDR notation (optional, defaults to 32, i.e. a single address).
 * PID_FILE: full path to the PID file (optional, no default).

Make sure that the log files are accessible for the runtime user that sshguard uses.

OpenRC
To start sshguard at boot, add it to the default runlevel, then start it:

Blacklisting hosts
With the blacklisting option, the IP address of an attacker is blocked permanently after a number of abuses. The blacklist is loaded at each startup and extended with new entries during operation: sshguard inserts an address once it has exceeded the abuse threshold.

Blacklisted addresses are never scheduled to be released (allowed) again.

To enable blacklisting, create an appropriate directory and file:

When using a blacklist, it is important to exclude trusted IP networks and hosts by means of a whitelist.

To enable whitelisting, create an appropriate directory and file:

The whitelist has to include the loopback interface, and should contain at least one trusted IP network, e.g. 192.0.2.0/24.
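As an added illustration (not part of this page or of sshguard's own code), the following Python replays constructed auth.log lines through a model of the behaviour the settings above configure: failures are counted per IPV4_SUBNET prefix inside a DETECTION_TIME sliding window, a block fires once THRESHOLD is reached, and sources inside whitelisted networks are ignored. The constant values, the sample addresses and the Guard class are assumptions chosen for the demo.

```python
import ipaddress, re
from collections import defaultdict

# Demo values for the keys the page configures (hypothetical, chosen for the replay).
THRESHOLD = 10           # failed attempts that trigger a block
BLOCK_TIME = 43200       # seconds a block lasts
DETECTION_TIME = 604800  # seconds an attempt stays in the sliding window
IPV4_SUBNET = 24         # block the whole /24 the attacker lives in
WHITELIST = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
# OpenSSH's failed-password line as it appears in /var/log/auth.log.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2")

def aggregate(addr):  # prefix a block would cover, per IPV4_SUBNET
    return str(ipaddress.ip_network(f"{addr}/{IPV4_SUBNET}", strict=False))

def is_whitelisted(addr):
    return any(ipaddress.ip_address(addr) in net for net in WHITELIST)

class Guard:
    def __init__(self):
        self.attempts = defaultdict(list)  # prefix -> timestamps of recent failures
        self.blocks = {}                   # prefix -> time the block expires

    def feed(self, ts, line):
        """Consume one log line; return the prefix if this line triggered a block."""
        m = FAILED_RE.search(line)
        if not m or is_whitelisted(m.group(1)):
            return None
        key = aggregate(m.group(1))
        window = [t for t in self.attempts[key] if ts - t <= DETECTION_TIME] + [ts]
        self.attempts[key] = window
        if len(window) >= THRESHOLD and key not in self.blocks:
            self.blocks[key] = ts + BLOCK_TIME  # sshguard would add a rule to its chain here
            return key
        return None

def replay(events):
    """Feed (timestamp, line) pairs in order; return [(ts, prefix)] for each new block."""
    g = Guard()
    hits = [(ts, g.feed(ts, line)) for ts, line in events]
    return [(ts, key) for ts, key in hits if key]

def sample_events():
    """Constructed log: two hosts in one /24 hammer sshd, a whitelisted admin host mistypes
    its password, and a slow scanner never reaches THRESHOLD (attempts age out of the window)."""
    fail = "sshd[4321]: Failed password for {} from {} port {} ssh2".format
    ev = [(1000 + 5 * i, fail("root", "203.0.113.5" if i % 2 else "203.0.113.9", 4022)) for i in range(12)]
    ev += [(2000 + i, fail("invalid user admin", "192.0.2.77", 5100)) for i in range(12)]
    ev += [(3000 + i * (DETECTION_TIME // 5), fail("root", "198.51.100.4", 6000)) for i in range(12)]
    return ev
```

Calling replay(sample_events()) yields a single block for 203.0.113.0/24 at the tenth failure, while the whitelisted host and the slow scanner never trigger one.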

Add the blacklist file to the configuration and alter the SSHGUARD_OPTS variable:

THRESHOLD=10
BLOCK_TIME=43200
DETECTION_TIME=604800
IPV4_SUBNET=24
IPV6_SUBNET=64
PID_FILE=/run/sshguard.pid
BLACKLIST_FILE=10:/var/lib/sshguard/blacklist.db
WHITELIST_FILE=/etc/sshguard/whitelist

 * 1) The BLACKLIST_FILE and WHITELIST_FILE lines are the ones to add; the 10: prefix is the number of abuses after which an address is added to the blacklist.

Restart the daemon to have the changes take effect:

File '/var/log/auth.log' vanished while adding!
When starting up, sshguard reports the following error:

This error (the exact file path may differ) occurs when the named log file does not exist on the system. Either make sure it is created, or remove it from the list of files sshguard monitors.

On a syslog-ng system with OpenRC, the following addition to can suffice:

Reload the configuration for the changes to take effect:

External resources
The sshguard documentation provides all the information needed to further tune the application.