Sentry: Bruteforce Attack Blocker

Sentry provides safe and effective protection against bruteforce attacks. It detects and blocks bruteforce attacks against sshd while using minimal system resources.


To prevent inadvertent lockouts, Sentry auto-whitelists IPs that have
connected more than 3 times and succeeded at least once. Now that
forgetful colleague behind the office NAT router won't get us locked out
of our system. Again. Nor will the admin whose script just failed to log in
12 times in 2 seconds.

Sentry includes support for adding IPs to a firewall; IPFW, PF and
ipchains are supported. Firewall support is disabled by default.
Firewall rules may terminate existing session(s) to the host (attn.
IPFW users), so get your own IPs whitelisted (connect more than 3 times
with at least one successful login, or use --whitelist) before enabling
the firewall option.


Sentry is written in Perl, which is installed nearly everywhere you find sshd, and it has no
dependencies. Installation and deployment are extremely simple.


Sentry supports blocking connection attempts using tcpwrappers and several
popular firewalls, and it is easy to extend to support additional
blocking methods.

Sentry was written to protect the SSH daemon but also blocks on FTP
and MUA logs. As this was written, the primary attack platform in use was
botnets comprised of compromised PCs on high-speed internet connections.
These bots are used for carrying out SSH attacks as well as spam
delivery, so blocking a bot shuts down multiple attack vectors at once.
The programming style of Sentry makes it easy to insert code for additional functionality.


The primary goal of Sentry is to minimize the resources an attacker
can steal, while consuming minimal resources itself. Most bruteforce
blocking apps (denyhosts, fail2ban, sshdfilter) expect to run as a
daemon, tailing a log file. That requires a language interpreter to
always be running, consuming at least 10MB of RAM. A single hardware
node with dozens of virtual servers will lose hundreds of megabytes to daemon
protection. Sentry, by contrast, is invoked per connection and uses resources only when connections are made.

Once an IP is blacklisted for abuse, whether by tcpd or a firewall, the resources it can consume are practically zero.
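The whitelist rule, the tcpwrappers/firewall blocking and the per-connection (no daemon) design described above, as an added example in Python. This is illustration code written for this page, not Sentry's own Perl. It assumes a state file path, an OpenSSH-style auth log at an assumed path, a failure threshold of 10 (the page gives no number), and a pf table named "sentry"; the auth log lines are constructed samples.

```python
#!/usr/bin/env python3
"""Sentry-style per-connection blocker (added illustration, not sentry's code).

Run once per connection, e.g. from a tcpwrappers spawn rule passing %a (the
client address), so no interpreter stays resident between connections.
Assumed, not from the page: state/log paths, log format, threshold, pf table.
"""
import json
import re
import sys
from pathlib import Path

STATE_FILE = Path("/var/db/sentry-lite/state.json")   # assumed path
AUTH_LOG = Path("/var/log/auth.log")                  # assumed path
PF_TABLE = "sentry"                                   # assumed pf table name
AUTO_WHITELIST_MIN_CONNECTS = 4   # page: "more than 3 times" ...
AUTO_WHITELIST_MIN_SUCCESS = 1    # ... "and succeeded at least once"
BLACKLIST_MAX_FAILURES = 10       # assumed; the page gives no threshold

# Constructed sample auth log (OpenSSH syslog format), not from a real host.
SAMPLE_AUTH_LOG = """\
sshd[1201]: Failed password for root from 203.0.113.9 port 51234 ssh2
sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
sshd[1203]: Accepted publickey for matt from 198.51.100.7 port 40022 ssh2
sshd[1204]: Failed password for matt from 198.51.100.7 port 40023 ssh2
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


def tally_auth_log(text):
    """Count successful and failed logins per source IP from sshd log text."""
    counts = {}
    for m in LOG_RE.finditer(text):
        c = counts.setdefault(m.group("ip"), {"ok": 0, "fail": 0})
        c["ok" if m.group("result") == "Accepted" else "fail"] += 1
    return counts


def new_state():
    return {"connects": {}, "whitelist": [], "blacklist": []}


def load_state(path=STATE_FILE):
    try:
        return json.loads(path.read_text())
    except (FileNotFoundError, ValueError):
        return new_state()


def save_state(state, path=STATE_FILE):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(state))


def decide(state, ip, auth_counts):
    """Record one connection from ip; return "whitelist", "blacklist" or "allow".

    The whitelist is checked first and wins over any failure count, so a
    known-good IP (the NAT router, the admin's broken script) is never blocked.
    """
    connects = state["connects"].get(ip, 0) + 1
    state["connects"][ip] = connects
    ok = auth_counts.get(ip, {}).get("ok", 0)
    fail = auth_counts.get(ip, {}).get("fail", 0)

    if ip in state["whitelist"]:
        return "whitelist"
    if connects >= AUTO_WHITELIST_MIN_CONNECTS and ok >= AUTO_WHITELIST_MIN_SUCCESS:
        state["whitelist"].append(ip)
        state["blacklist"] = [b for b in state["blacklist"] if b != ip]
        return "whitelist"
    if ip in state["blacklist"]:
        return "blacklist"
    if fail >= BLACKLIST_MAX_FAILURES:
        state["blacklist"].append(ip)
        return "blacklist"
    return "allow"


def hosts_deny_lines(state):
    """/etc/hosts.deny entries; ALL so every tcpd-wrapped daemon refuses the bot."""
    return ["ALL: %s" % ip for ip in state["blacklist"]]


def pf_commands(state):
    """pfctl commands adding blacklisted IPs to a pf table (firewall option).

    Whitelisted IPs are never emitted: a pf rule on the table can drop your
    own existing sessions, so whitelist yourself before enabling this.
    """
    return ["pfctl -t %s -T add %s" % (PF_TABLE, ip)
            for ip in state["blacklist"] if ip not in state["whitelist"]]


if __name__ == "__main__":
    if len(sys.argv) > 1:          # per-connection path: IP supplied by the spawn rule
        state = load_state()
        print(decide(state, sys.argv[1], tally_auth_log(AUTH_LOG.read_text())))
        save_state(state)
    else:                          # offline demo on the constructed sample
        state = new_state()
        counts = tally_auth_log(SAMPLE_AUTH_LOG)
        for ip in ("203.0.113.9", "198.51.100.7"):
            print(ip, decide(state, ip, counts))
```

To wire it in the way the page describes for Sentry, a hosts.allow line such as `sshd : ALL : spawn /usr/local/sbin/sentry_lite.py %a : allow` (hypothetical script path; `spawn` and `%a` are tcpwrappers hosts_options features) runs the script once per connection with the client address. Writing the hosts_deny_lines() output into /etc/hosts.deny and executing pf_commands() are left to the operator, which mirrors the page's advice that firewall blocking stays off until your own IPs are whitelisted.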


Sample report output from sentry.pl -r (per-IP report first, then summaries):

$ /var/db/sentry/sentry.pl -r --ip=
   9 connections from
       and it is whitelisted

$ /var/db/sentry/sentry.pl -r
  -------- summary ---------
  1614 unique IPs have connected 76525 times
  1044 IPs are blacklisted
    18 IPs are whitelisted

$ /var/db/sentry/sentry.pl -r
  -------- summary ---------
  1240 unique IPs have connected 285554 times
    40 IPs are blacklisted
     4 IPs are whitelisted

$ /var/db/sentry/sentry.pl -r
  -------- summary ---------
  3484 unique IPs have connected 15391 times
  1127 IPs are blacklisted
     6 IPs are whitelisted

Download and

Ehacking Staff
