SSHGuard is an intrusion prevention utility that parses logs and automatically blocks misbehaving IP addresses with the system firewall. It’s less configurable than the better-known Fail2Ban but has a smaller resource footprint and ships with full IPv6 support.
The newly released SSHGuard version 2.0 has been made easier to configure for new users. It also gained the FirewallD and ipset firewall backends on Linux, an ipfilter backend, and Capsicum sandboxing support on *BSD.
While we’re still waiting for the next release of Fail2Ban with IPv6 support, I took a look around at some of the alternatives and found an interesting option in SSHGuard.
I needed to address some Linux compatibility issues when getting started with SSHGuard as the development team was mostly focused on FreeBSD. I submitted patches for those issues and got more involved in the development and release of SSHGuard 2.0 in the process.
New in SSHGuard 2 is that all configuration should be done in a new configuration file rather than by modifying the init script or adjusting runtime flags. The new LOGREADER option takes a shell command whose output sshguard parses instead of tailing a FILES list, which makes it easier to configure log reading from the systemd journal on Linux and the os_log on macOS.
The new permanent configuration scheme should make it easier for distributions to provide a better out-of-the-box experience for their users, and easier for users to change their configuration.
The ipfilter firewall backend was removed in SSHGuard version 1.7 but has been resurrected in version 2.0.
Also new in SSHGuard 2 are two firewall backends: FirewallD and ipset for Linux, both contributed by yours truly. The FirewallD backend adds blocked attackers to an ipset and drops them in the default public zone by default.
See the companion tutorial for configuring SSHGuard with FirewallD on Fedora for more details. The ipset backend adds blocked attackers to an ipset but takes no action against these entries by default. (Attackers aren’t blocked!) It is intended to be used as a source for custom iptables rules, so you must add a rule that drops traffic from the set yourself.
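The configuration file and the ipset backend described above, as an added example that is not SSHGuard’s own code: it writes a sshguard.conf for a systemd-based Linux host that reads the journal and uses the ipset backend, checks the file before sshguard sources it as root, and adds the iptables rules that the ipset backend deliberately leaves to the operator (the FirewallD backend needs no such rules, since it drops in the public zone itself). The backend path /usr/libexec/sshg-fw-ipset and the set names sshguard4 and sshguard6 are assumed to match your install (verify with `ipset list -n` once sshguard has started); the check function, its messages and the DRY_RUN variable are this example’s own.

```shell
#!/bin/sh
# Added example, not part of SSHGuard: configure SSHGuard 2 on a systemd-based
# Linux host with the ipset backend, sanity-check the config before sshguard
# sources it as root, and add the iptables rules the ipset backend leaves out.
# Assumptions: backend path /usr/libexec/sshg-fw-ipset and the set names
# sshguard4/sshguard6 (SSHGuard 2 defaults; verify with `ipset list -n`).

# Write sshguard.conf. sshguard reads it with the shell's "." command, so it
# may contain only variable assignments and comments.
write_conf() {
    cat > "$1" <<'EOF'
# Firewall backend: the ipset backend only adds attackers to the
# sshguard4 (IPv4) and sshguard6 (IPv6) sets; it installs no DROP rule.
BACKEND="/usr/libexec/sshg-fw-ipset"

# Read the systemd journal instead of tailing a FILES list: follow (-f) the
# current boot (-b) at priority info and above, start from the last line
# (-n1), message text only (-o cat). LANG=C keeps journalctl unlocalised,
# as in SSHGuard's sample config.
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -o cat"

# Block once an address accumulates THRESHOLD points (most attacks score 10)
# within DETECTION_TIME seconds; the first block lasts BLOCK_TIME seconds.
THRESHOLD=30
BLOCK_TIME=120
DETECTION_TIME=1800
EOF
}

# Validate a config file. Prints "ok" and returns 0 on success; otherwise
# prints the problem and returns 1. These checks are this example's own.
check_conf() {
    conf=$1
    # The file is executed by a root shell, so anyone who can write it can
    # run commands as root: refuse group- or world-writable files.
    case $(ls -ld "$conf" | cut -c1-10) in
        ?????w*|????????w*)
            echo "refusing $conf: writable by group or others"; return 1 ;;
    esac
    (
        unset BACKEND FILES LOGREADER THRESHOLD
        . "$conf"
        [ -n "$BACKEND" ] || { echo "BACKEND is required"; exit 1; }
        [ -n "$FILES$LOGREADER" ] || { echo "set FILES or LOGREADER"; exit 1; }
        case ${THRESHOLD:-30} in
            *[!0-9]*) echo "THRESHOLD must be an integer"; exit 1 ;;
        esac
        echo ok
    )
}

# Make the kernel drop traffic from every address in the sets. Pass "echo"
# as $1 for a dry run that only prints the commands; pass nothing to apply
# them (requires root and the ipset/xt_set kernel modules).
install_drop_rules() {
    run=$1
    $run iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
    $run ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
}

# Usage: DRY_RUN=1 sh sshguard-ipset.sh /etc/sshguard.conf
main() {
    write_conf "$1"
    check_conf "$1"
    install_drop_rules ${DRY_RUN:+echo}
}
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with DRY_RUN=1 first to see the two iptables commands without applying them; the permission check matters because sshguard.conf is plain shell that the root-owned sshguard process sources at start-up.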
SSHGuard 2’s blocker and attack parser have been hardened with the Capsicum capability and sandboxing framework on FreeBSD and OpenBSD. Not all features are available in Capsicum mode; working with allow and block list files is among those that aren’t.