SSHGuard is an intrusion prevention utility that parses logs and automatically blocks misbehaving IP addresses with the system firewall. It’s less configurable than the better-known Fail2Ban but has a smaller resource footprint and ships with full IPv6 support. The newly released SSHGuard version 2.0 has been made easier to configure for new users. It also gained support for the FirewallD, ipset, and ipfilter firewall backends on Linux, as well as Capsicum sandboxing support on *BSD.
While we’re still waiting for the next release of Fail2Ban with IPv6 support, I took a look around at some of the alternatives and found an interesting option in SSHGuard. I had to address some Linux compatibility issues when getting started with SSHGuard as the development team was mostly focused on FreeBSD. I submitted patches for those issues and got more involved in the development and release of SSHGuard 2.0 in the process.
New in SSHGuard 2 is that all configuration should be done in a new configuration file rather than by modifying the init script or adjusting runtime flags. The new LOGREADER option makes it easier to configure log reading from the systemd journal on Linux and from os_log on macOS. The new permanent configuration scheme should make it easier for distributions to provide a better out-of-the-box experience for their users, and easier for users to change their configuration.
The ipfilter firewall backend for Linux was removed in SSHGuard version 1.7, but has been resurrected in version 2.0.
Also new in SSHGuard 2 are two firewall backends: FirewallD and ipset for Linux, both contributed by yours truly. The FirewallD backend adds blocked attackers to an ipset and, by default, drops them in the default public firewall zone. See the companion tutorial on configuring SSHGuard with FirewallD on Fedora for more details. The ipset backend adds blocked attackers to an ipset but takes no action against these entries by default. (Attackers aren’t blocked!) The ipset backend is intended to be used as a source in custom ipfilter configurations.
SSHGuard 2’s blocker and attack parser have been hardened using the Capsicum capability and sandboxing framework on FreeBSD and OpenBSD. Not all features are available in Capsicum mode; in particular, working with whitelist and blacklist files is not.
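As an added example that is not from the original post or the SSHGuard project, here is what a configuration file along the lines described above could look like on a Fedora host: the systemd journal read through LOGREADER and the FirewallD backend doing the blocking, with the ipset backend's no-block behaviour noted. The file is plain shell variable assignments; the backend install path, the whitelist path and the tuning values are assumptions for this example.

```shell
# sshguard.conf (constructed example): plain shell variable assignments,
# sourced by the sshguard wrapper script at startup.

# Firewall backend that receives block/release commands on standard input.
# Assumed install path for a Fedora package; BSD installs use /usr/local/libexec.
BACKEND="/usr/libexec/sshg-fw-firewalld"
# Alternative: sshg-fw-ipset only fills the ipset and drops nothing itself,
# so your own firewall rules must reference that set or attackers stay unblocked.
#BACKEND="/usr/libexec/sshg-fw-ipset"

# Read attack logs from the systemd journal instead of listing log FILES.
# -a all fields, -f follow, -b current boot, -p info minimum priority,
# -n1 start at the last line, -t sshd only that identifier,
# -o cat bare message text, which is what the attack parser expects.
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"

# Block an address once its cumulative attack score reaches THRESHOLD
# (most single attacks score 10, so this is three attempts).
THRESHOLD=30
# Initial block length in seconds; repeat offenders are blocked for longer.
BLOCK_TIME=120
# Forget an address's score after DETECTION_TIME seconds without new attacks.
DETECTION_TIME=1800

# Addresses and CIDR ranges never to block (assumed path). Whitelist and
# blacklist files are among the features unavailable under Capsicum on *BSD.
WHITELIST_FILE="/etc/sshguard.whitelist"
```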
Feature image based on a photo by © 2015 Thaddaeus Lim.