sshguard

Configures sshguard
MIT Computer Science & Artificial Intelligence Lab

csail

8,859 downloads

8,859 latest version

1.8 quality score

Version information

  • 0.0.1 (latest)
released Jul 3rd 2019

csail/sshguard — version 0.0.1 Jul 3rd 2019

sshguard

This is the sshguard module and class. It can manage recent versions of sshguard (new enough to support built-in log tailing rather than running on a pipe from syslogd) on FreeBSD and Debian/Ubuntu systems. On FreeBSD, it will require the appropriate firewall class (freebsd::ipfw or freebsd::pf) based on the package name you specify. Our implementation of freebsd::pf is a non-functional stub, however, so if you use pf you'll need to roll your own. On Debian systems, the sshguard package enables the firewall automatically.

Class parameters

  • ensure: has standard Puppet semantics (including purged support if your package provider supports it) (default present)
  • autoupgrade: true if you want to upgrade to the latest version automatically (default false)
  • package: name of the package you want to install (default sshguard-ipfw on FreeBSD, sshguard elsewhere)
  • service: name of the service that is used to control sshguard
  • watch_logs: array of log files to be scanned for abusive activity (passed as -l arguments of sshguard)
  • safety_thresh: argument to sshguard's -a flag
  • pardon_min_interval: argument to sshguard's -p flag
  • prescribe_interval: argument to sshguard's -s flag (yes, we know it's misspelled)
  • whitelist_file: full path of file where the sshguard whitelist is stored (default is OS-specific)
  • whitelist_dir: name of the directory where whitelist_file is located, which must be explicitly created on some operating systems (default is OS-specific)
  • whitelist_nets: array of strings listing CIDR blocks to be whitelisted (default empty)
  • whitelist_hosts: array of strings listing IPv4 hosts to be whitelisted (default empty)

We recommend that you keep a global list of local networks and management stations in your Hiera data, and use those to populate the whitelist_nets and whitelist_hosts parameters (which is why they are given separately, since the latter is a special case of the former).
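
The Hiera-driven whitelist recommended above could be wired up as follows. This is an added example, not code from the module: the profile::sshguard wrapper class, the Hiera keys site::local_nets and site::mgmt_hosts, the sample addresses and the log path are all assumptions.

```puppet
# Added example, not part of the csail/sshguard module.
# Assumed Hiera data (key names and addresses are constructed; the
# addresses come from the RFC 5737 documentation ranges):
#
#   site::local_nets:
#     - '192.0.2.0/24'
#   site::mgmt_hosts:
#     - '198.51.100.10'
#
class profile::sshguard {
  # 'unique' merge combines the lists from every Hiera level, so a
  # node-level entry adds to the global list instead of replacing it.
  $nets  = lookup('site::local_nets', Array[String], 'unique', [])
  $hosts = lookup('site::mgmt_hosts', Array[String], 'unique', [])

  # A catch-all entry would exempt every source address from blocking,
  # so refuse to compile the catalog if one slips into the data.
  if '0.0.0.0/0' in $nets {
    fail('site::local_nets must not contain 0.0.0.0/0')
  }

  # whitelist_hosts is documented as IPv4 hosts only; reject anything
  # that is not a dotted quad (for example a CIDR block or a hostname).
  $hosts.each |String $h| {
    unless $h =~ /\A\d{1,3}(\.\d{1,3}){3}\z/ {
      fail("site::mgmt_hosts entry '${h}' is not a plain IPv4 address")
    }
  }

  class { 'sshguard':
    ensure          => present,
    watch_logs      => ['/var/log/auth.log'],  # assumed log path
    whitelist_nets  => $nets,
    whitelist_hosts => $hosts,
  }
}
```

Because the checks call fail(), a bad whitelist entry stops catalog compilation before anything is written to whitelist_file on the node.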

License

See the file LICENSE.

Contact

vendor-puppet@csail.mit.edu

Support

None.