Revision as of 12:21, June 27, 2014 by Oleg (Talk | contribs)


Source Repository:Repository:Gentoo Portage Tree

Summary: protects hosts from brute force attacks against ssh

Use Flags

Enable ipfilter firewall support (only for *bsd)



Project Unfork Status

Here's an update on Project Unfork, plus other neat things.
2015-10-03 by Drobbins

IP Space Migration Continues

All Funtoo user containers in the 8.28 IP space will be moving into our new IP space (172.97) over the next few days. If you have DNS set up -- be sure to watch your container and update to the new IP! DNS will be updated after the move.
2015-08-27 by Drobbins

Funtoo Hosting IP Move

Funtoo user containers with IPs in the 72.18.x.x range will be gradually migrating to new IP addresses this week. If you have DNS entries for your containers, please be aware that your DNS will need to be updated.
2015-08-11 by Drobbins



We welcome improvements to this page. To edit this page, Create a Funtoo account. Then log in and then click here to edit this page. See our editing guidelines to becoming a wiki-editing pro.

sshguard is an intrusion prevention system. sshguard parses server logs, determines malicious activity, and then bans malicious users via firewall rules. sshguard is written in C so it does not tax an interprator.



To install sshguard:

# emerge app-admin/sshguard


sshguard does not have a configuration file. sshguard is controlled by flags passed to it upon execution.

/etc/conf.d/sshguard is where flags & log path can be passed to the sshguard service.


/etc/conf.d/sshguard - overly strict rules
SSHGUARD_OPTS="-p 3600 -s 3600 -a 20"


sshguard will fail to start unless it has proper authorization logs to monitor.

/etc/conf.d/sshguard - syslog-ng log location
SSHGUARD_OPTS="${SSHGUARD_OPTS} -l /var/log/messages"


IP v4

Generate blank iptables rules, and start iptables as outlined here.

Insert these rules to allow sshguard to ban malicious users.

# iptables -N sshguard

&& to block all trafic from offenders

# iptables -A INPUT -j sshguard

Boot Service


To start sshguard immediately:

# rc-service sshguard start

To start sshguard upon reboot:

# rc-update add sshguard default

External Resources