"The short version is: it receives log messages, it detects when
a networked service has been abused based on them, and blocks the
address of who abused it; after some time, it releases the
"The full version is: sshguard runs on a machine as a small
daemon, and receives log messages (in a number of ways, e.g. from
syslog). When it determines that address X did something bad to
service Y, it fires a rule in the machine's firewall (one of the
many supported) for blocking X. Sshguard keeps X blocked for some
time, then releases it automatically.
"Please note that despite its name sshguard detects attacks
for many services out of the box, not only SSH but also several
ftpds, Exim and dovecot. It can operate all the major firewalling
systems, and features support for IPv6, whitelisting, suspension,
and log message authentication"
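
The detect, block and release cycle described above, sketched as an added example; it is not sshguard's code. The threshold, time window, block duration, whitelist entry and log lines are constructed assumptions, and firewall calls are replaced by a list of recorded actions.

```python
import ipaddress
import re

# Assumed values for illustration; these are not sshguard's defaults.
THRESHOLD, WINDOW, BLOCK_TIME = 3, 60, 120   # failures, seconds, seconds
WHITELIST = {ipaddress.ip_address("198.51.100.10")}

# Greedy ".*" plus the "$" anchor take the address from the trailing field
# written by sshd, not from anything embedded in the user-supplied name.
FAILURE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2$")

def run(events):   # -> firewall actions as (time, verb, address)
    failures, blocked, actions = {}, {}, []   # addr -> times; addr -> expiry
    for now, line in events:
        for addr, until in list(blocked.items()):    # timed release
            if now >= until:
                del blocked[addr]
                actions.append((until, "release", str(addr)))
        m = FAILURE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))  # IPv4 or IPv6
        except ValueError:
            continue                                 # not an address
        if addr in WHITELIST or addr in blocked:
            continue
        recent = [t for t in failures.get(addr, []) if now - t < WINDOW] + [now]
        failures[addr] = recent
        if len(recent) >= THRESHOLD:
            blocked[addr] = now + BLOCK_TIME
            failures.pop(addr)
            actions.append((now, "block", str(addr)))
    return actions

def fail(user, addr):
    return f"sshd[811]: Failed password for {user} from {addr} port 40022 ssh2"

# Constructed sample input: (seconds, log line), documentation addresses only.
EVENTS = [
    (0, fail("root", "203.0.113.7")), (5, fail("root", "203.0.113.7")),
    (6, fail("bob", "198.51.100.10")), (7, fail("bob", "198.51.100.10")),
    (8, fail("bob", "198.51.100.10")), (10, fail("admin", "203.0.113.7")),
    (12, fail("invalid user x", "2001:db8::5")),
    (20, "sshd[811]: Accepted password for alice from 192.0.2.4 port 50000 ssh2"),
    (200, fail("invalid user x", "2001:db8::5")),
]

if __name__ == "__main__":
    print(run(EVENTS))
```

In this sketch expired blocks are only checked when a new log line arrives; a daemon would release them on a timer.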