#!/bin/sh # sshguard.conf -- SSHGuard configuration # Full path to backend executable (required, no default) BACKEND="/usr/libexec/sshg-fw-iptables" # Space-separated list of log files to monitor. (optional, no default) FILES="/var/log/core.slackware.uk.net/auth" # Shell command that provides logs on standard output. (optional, no default) # Example 1: ssh and sendmail from systemd journal: #LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat" # Example 2: ssh from os_log (macOS 10.12+) #LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'" # Block attackers when their cumulative attack score exceeds THRESHOLD. # Most attacks have a score of 10. (optional, default 30) THRESHOLD=10 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. # Subsequent blocks increase by a factor of 1.5. (optional, default 120) BLOCK_TIME=86400 # Remember potential attackers for up to DETECTION_TIME seconds before # resetting their score. (optional, default 1800) DETECTION_TIME=28800 # Size of IPv6 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128) IPV6_SUBNET=128 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32) IPV4_SUBNET=32 # Full path to PID file (optional, no default) PID_FILE=/run/sshguard.pid # Colon-separated blacklist threshold and full path to blacklist file. # (optional, no default) BLACKLIST_FILE=10:/var/lib/sshguard/blacklist # IP addresses listed in the WHITELIST_FILE are considered to be # friendlies and will never be blocked. WHITELIST_FILE=/etc/sshguard.whitelist # If PARSER is unset, SSHGuard will use the installed sshg-parser as its # parser. Setting PARSER overrides this, so that you can use your own parser. #PARSER= # Run POST_PARSER as a filter after the parser. POST_PARSER must read as input # and produce as output lines in the format used by sshg-parser. This example # implements primitive whitelisting, preventing sshg-blocker from seeing # attacks from 1.2.3.4. Unlike whitelisting, attacks filtered by POST_PARSER # are not logged by SSHGuard. #POST_PARSER="grep -v 1.2.3.4"