

Configures sshguard


Version information

  • 0.0.1 (latest)
released Dec 21st 2012

Start using this module

Add this module to your Puppetfile:

mod 'csail-sshguard', '0.0.1'

Add this module to your Bolt project:

bolt module add csail-sshguard

Manually install this module globally with Puppet module tool:

puppet module install csail-sshguard --version 0.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



csail/sshguard — version 0.0.1 Dec 21st 2012


This is the sshguard module and class. It can manage recent versions of sshguard (new enough to support built-in log tailing rather than running on a pipe from syslogd) on FreeBSD and Debian/Ubuntu systems. On FreeBSD, it will require the right firewall class for you, depending on the package name you specify (freebsd::ipfw or freebsd::pf), but our implementation of freebsd::pf is a non-functional stub, so if you use pf you'll need to roll your own. On Debian systems, the sshguard package enables the firewall automatically.

Class parameters

  • ensure: has standard Puppet semantics (including purged support if your package provider supports it) (default present)
  • autoupgrade: true if you want to upgrade to the latest version automatically (default false)
  • package: name of the package you want to install (default sshguard-ipfw on FreeBSD, sshguard elsewhere)
  • service: name of the service that is used to control sshguard
  • watch_logs: array of log files to be scanned for abusive activity (passed as -l arguments of sshguard)
  • safety_thresh: argument to sshguard's -a flag
  • pardon_min_interval: argument to sshguard's -p flag
  • prescribe_interval: argument to sshguard's -s flag (yes, we know it's misspelled)
  • whitelist_file: full path of file where the sshguard whitelist is stored (default is OS-specific)
  • whitelist_dir: name of the directory where whitelist_file is located, which must be explicitly created on some operating systems (default is OS-specific)
  • whitelist_nets: array of strings listing CIDR blocks to be whitelisted (default empty)
  • whitelist_hosts: array of strings listing IPv4 hosts to be whitelisted (default empty)

We recommend that you keep a global list of local networks and management stations in your Hiera data, and use those to populate the whitelist_nets and whitelist_hosts parameters (which is why they are given separately, since the latter is a special case of the former).
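
One way to follow this recommendation, as an added example that is not code from the csail-sshguard module: a wrapper class that reads the two global lists from Hiera, type-checks them, and passes them to the sshguard class. It assumes Puppet 4.9 or later for lookup(); the class name profile::sshguard, the Hiera keys site::local_nets and site::mgmt_hosts, the addresses and the log path are all hypothetical or constructed.

```puppet
# Added example, not part of the csail-sshguard module.
#
# Constructed Hiera data (for instance in data/common.yaml); the key names
# are hypothetical and the addresses are documentation ranges:
#
#   site::local_nets:
#     - '192.0.2.0/24'
#     - '198.51.100.0/24'
#   site::mgmt_hosts:
#     - '203.0.113.10'
#
class profile::sshguard {
  # The 'unique' merge collects entries from every hierarchy level into one
  # de-duplicated array, so per-site data can extend the common list.
  # The value types make compilation fail if a CIDR block lacks its prefix
  # length or a host entry is not a bare IPv4 address.
  $nets = lookup(
    'site::local_nets',
    Array[Pattern[/\A[0-9A-Fa-f:.]+\/\d{1,3}\z/]],
    'unique',
    []
  )
  $hosts = lookup(
    'site::mgmt_hosts',
    Array[Pattern[/\A(\d{1,3}\.){3}\d{1,3}\z/]],
    'unique',
    []
  )

  # A missing Hiera key would otherwise produce an empty whitelist and leave
  # the management stations open to being blocked along with everyone else.
  if $nets == [] and $hosts == [] {
    fail('profile::sshguard: no whitelist entries found in Hiera')
  }

  # Only parameters documented above are set; the log path is a constructed
  # sample value and depends on the operating system.
  class { 'sshguard':
    ensure          => present,
    autoupgrade     => false,
    watch_logs      => ['/var/log/auth.log'],
    whitelist_nets  => $nets,
    whitelist_hosts => $hosts,
  }
}
```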


See the file LICENSE.