SSHGUARD(8)                     SSHGuard Manual                    SSHGUARD(8)

NAME

       sshguard - block brute-force attacks by aggregating system logs

SYNOPSIS

       sshguard [-hv] [-a threshold] [-b threshold:blacklist_file] [-i pidfile]
       [-p blocktime] [-s detection_time] [-w address | whitelist_file]
       [file ...]

DESCRIPTION

       sshguard protects hosts from brute-force attacks against SSH and other
       services. It aggregates system logs and blocks repeat offenders using
       one of several firewall backends.

       sshguard can monitor log files. Log messages are parsed line-by-line
       for recognized patterns. An attack is detected when several patterns
       are matched in a set time interval. Attackers are blocked temporarily
       but can also be semi-permanently banned using the blacklist option.

OPTIONS

       -a threshold (default 30)
              Block attackers when their cumulative attack score exceeds
              threshold. Most attacks have a score of 10.

       -b threshold:blacklist_file
              Blacklist an attacker when its score exceeds threshold.
              Blacklisted addresses are loaded from and added to
              blacklist_file.

       -i pidfile
              Write the PID of sshguard to pidfile.

       -p blocktime (default 120)
              Block attackers initially for blocktime seconds after exceeding
              threshold. Subsequent blocks increase by a factor of 1.5.

              sshguard unblocks attackers at random intervals, so actual
              block times will be longer.

       -s detection_time (default 1800)
              Remember potential attackers for up to detection_time seconds
              before resetting their score.

       -w address | whitelist_file
              Whitelist a single address, hostname, or address block given as
              address. This option can be given multiple times. Alternatively,
              provide an absolute path to a whitelist_file containing
              addresses to whitelist. See WHITELISTING.

       -h     Print usage information and exit.

       -v     Print version information and exit.

ENVIRONMENT

       SSHGUARD_DEBUG
              Set to enable verbose output from sshg-blocker.

FILES

       %PREFIX%/etc/sshguard.conf
              See sample configuration file.

WHITELISTING

       Whitelisted addresses are never blocked. Addresses can be specified on
       the command line or be stored in a file.

       On the command line, give the -w option one or more times with an IP
       address, CIDR address block, or hostname as an argument. Hostnames are
       resolved once at startup. If a hostname resolves to multiple addresses,
       all of them are whitelisted. For example:

          sshguard -w 192.168.1.10 -w 192.168.0.0/24 -w friend.example.com \
              -w 2001:0db8:85a3:0000:0000:8a2e:0370:7334 \
              -w 2002:836b:4179::836b:0000/126

       If the argument to -w begins with a forward slash ('/') or dot ('.'),
       the argument is treated as the path to a whitelist file.

       The whitelist file contains comments (lines beginning with '#'),
       addresses, address blocks, or hostnames, one per line.
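
       An added example (not part of sshguard or its manual): a Python check
       for a whitelist file in the format described above. It lists parsed
       address blocks, hostnames left for startup resolution, and entries that
       look like mistyped addresses. The function names, the typo heuristic,
       skipping of blank lines, and the prefix-length review limits are
       assumptions of this example, not sshguard behaviour.

```python
import ipaddress

def classify_w_argument(arg):
    """Rule from WHITELISTING: a leading '/' or '.' means a whitelist file path."""
    return "file" if arg.startswith(("/", ".")) else "entry"

def parse_whitelist(text):
    """Parse whitelist-file text: '#' comment lines, otherwise one entry per line."""
    networks, hostnames, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False accepts a block written with host bits set.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            # Assumed heuristic: numeric-looking text that fails to parse is a
            # typo to review, not a hostname to resolve.
            if "/" in line or ":" in line or line.replace(".", "").isdigit():
                rejected.append((lineno, line))
            else:
                hostnames.append(line)
    return networks, hostnames, rejected

def is_whitelisted(address, networks):
    """True if address falls inside any parsed whitelist block."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)

def overly_broad(networks, min_v4=16, min_v6=48):
    """Flag blocks wider than the assumed review limits (e.g. 0.0.0.0/0)."""
    return [n for n in networks
            if n.prefixlen < (min_v4 if n.version == 4 else min_v6)]

# Constructed sample whitelist file contents.
SAMPLE = """\
# constructed sample whitelist
192.168.1.10
192.168.0.0/24
friend.example.com
2002:836b:4179::836b:0000/126
10.0.0.0/8
192.168.0.300
"""
```

       Entries returned in the rejected list never match any address, and a
       block flagged as overly broad exempts every host in it from blocking.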

SEE ALSO

       sshguard-setup(7)

2.4                              May 23, 2019                      SSHGUARD(8)