Gentoo Wiki




This is a basic howto on preventing brute-force attacks against sshd using sshdfilter. sshdfilter executes sshd itself and constantly reads the log messages sshd produces, so blocks can be applied instantly. It also logs all attempts, and a supplied Logwatch script can give you periodic summaries. If it detects an attack (by default, one attempt to log in with an invalid username, or three failed attempts with a valid username), it creates an iptables rule that blocks the attacker's IP address from connecting to the sshd port.
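To make the default policy described above concrete, here is an added example (not code from sshdfilter or from this wiki page) that replays a few constructed sshd syslog lines and reports which sources the "one invalid username, or three failures with a valid username" rule would block, together with the iptables command that would be issued for each. The chain name SSHD and the use of `-I ... -j DROP` are assumptions for illustration; the real chain name and rule form come from /etc/sshdfilterrc and the ebuild's `emerge --config` step.

```python
import re
from collections import defaultdict

# OpenSSH auth messages as sshd writes them to syslog. Both the "Invalid user"
# spelling (current OpenSSH) and the older "Illegal user" spelling are matched.
INVALID_USER_RE = re.compile(
    r"(?:Invalid|Illegal) user (\S+) from (\d+\.\d+\.\d+\.\d+)")
# "Failed password for invalid user X" is excluded: that attempt is already
# counted by the invalid-user rule above.
FAILED_AUTH_RE = re.compile(
    r"Failed \S+ for (?!invalid user )(\S+) from (\d+\.\d+\.\d+\.\d+)")

# Thresholds matching the defaults described in the text.
INVALID_USER_LIMIT = 1
VALID_USER_LIMIT = 3

# Assumed chain name for illustration; the real one is configured in /etc/sshdfilterrc.
CHAIN = "SSHD"

# Constructed sample log; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = [
    "Jan  4 00:01:01 ande sshd[27450]: Failed password for root from 198.51.100.7 port 40102 ssh2",
    "Jan  4 00:01:02 ande sshd[27451]: Invalid user admin from 203.0.113.5",
    "Jan  4 00:01:02 ande sshd[27451]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Jan  4 00:01:05 ande sshd[27452]: Failed password for root from 198.51.100.7 port 40103 ssh2",
    "Jan  4 00:01:09 ande sshd[27453]: Accepted publickey for ande from 192.0.2.10 port 5000 ssh2",
    "Jan  4 00:01:12 ande sshd[27454]: Failed password for root from 198.51.100.7 port 40104 ssh2",
    "Jan  4 00:01:15 ande sshd[27455]: Failed password for ande from 192.0.2.10 port 5001 ssh2",
]


def block_rule(ip):
    """The iptables command that would be run for a blocked source (assumed form)."""
    return f"iptables -I {CHAIN} -s {ip} -j DROP"


def decide_blocks(lines):
    """Replay sshd log lines and return which sources the default policy
    would block, in the order the decisions would be made."""
    invalid = defaultdict(int)    # invalid-username attempts per source IP
    failures = defaultdict(int)   # failed logins for valid users per source IP
    reasons = {}                  # IP -> why it was blocked
    blocked = []                  # blocked IPs in decision order

    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            user, ip = m.groups()
            if ip in reasons:     # already dropped by iptables; nothing more to do
                continue
            invalid[ip] += 1
            if invalid[ip] >= INVALID_USER_LIMIT:
                reasons[ip] = f"invalid user name {user!r}"
                blocked.append(ip)
            continue

        m = FAILED_AUTH_RE.search(line)
        if m:
            user, ip = m.groups()
            if ip in reasons:
                continue
            failures[ip] += 1
            if failures[ip] >= VALID_USER_LIMIT:
                reasons[ip] = f"{failures[ip]} failed logins for valid user {user!r}"
                blocked.append(ip)

    return {
        "blocked": blocked,
        "reasons": reasons,
        "rules": [block_rule(ip) for ip in blocked],
        "failures": dict(failures),
    }


if __name__ == "__main__":
    result = decide_blocks(SAMPLE_LOG)
    for ip in result["blocked"]:
        print(f"{ip}: {result['reasons'][ip]} -> {result['rules'][ip and result['blocked'].index(ip)]}")
```

Running the module prints one line per blocked source: 203.0.113.5 is blocked on its first invalid username, 198.51.100.7 after its third failed root login, while 192.0.2.10 (one failure, one successful key login) is left alone. Lines from an already-blocked source are skipped, mirroring the fact that once the iptables rule is in place sshd never sees that client again.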

Note: This article assumes you have OpenSSH installed and that iptables (HOWTO Iptables for newbies) is working.


An ebuild is available in bug #120764. Remember to pick the latest version (at the moment 1.5.5). Download the ebuild and place it in your portage overlay folder (see HOWTO Installing 3rd Party Ebuilds). There is also a contributed patch called gentoo.partconf, which should be added to the ebuild's files/ directory. Then unmask sshdfilter and finally install it using emerge -avu sshdfilter.

Creating the iptables chain

This is now handled by the ebuild. Simply run emerge --config sshdfilter to generate and save the needed iptables rules. Edit /etc/sshdfilterrc to suit your needs: nano -w /etc/sshdfilterrc.

Creating sshdfilter initscript

There is no init script created for sshdfilter, so you'll have to create one yourself. The simplest approach, and the one used here, is to copy the sshd init script and edit it to start sshdfilter instead of sshd:

 cp /etc/init.d/sshd /etc/init.d/sshdfilter
 nano -w /etc/init.d/sshdfilter

Change from:

File: /etc/init.d/sshdfilter


File: /etc/init.d/sshdfilter

Starting sshdfilter daemon

First we need to stop sshd and prevent it from starting on the next boot: /etc/init.d/sshd stop && rc-update del sshd. Now we will start sshdfilter and add it to the default runlevel: /etc/init.d/sshdfilter start && rc-update add sshdfilter default.


To check if everything works as planned: cat /var/log/messages | grep sshdfilt. You should see something like:

Jan 23 00:26:30 ande sshdfilt[10365]: sshdfilter 1.4.2 starting up, running sshd proper

When sshdfilter blocks an IP, you will see something like this in /var/log/messages:

Jan  4 00:01:02 ande sshdfilt[27447]: Illegal user name, instant block of

Last modified: Tue, 09 Sep 2008 22:43:00 +0000 Hits: 12,837