FreeBSD/jails/config/hub/sshguard.conf

#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-hosts"
BACKEND="/usr/local/libexec/sshg-fw-ipfw"
#BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. (optional, no default)
#FILES="/var/log/auth.log /var/log/maillog"
FILES="/var/log/auth.log"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=10

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=1200

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=18000

# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=64

# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=24

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
#PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00			`#!/bin/sh`
			`# sshguard.conf -- SSHGuard configuration`

			`# Options that are uncommented in this example are set to their default`
			`# values. Options without defaults are commented out.`

			`#### REQUIRED CONFIGURATION ####`
			`# Full path to backend executable (required, no default)`
			`#BACKEND="/usr/local/libexec/sshg-fw-hosts"`
			`BACKEND="/usr/local/libexec/sshg-fw-ipfw"`
			`#BACKEND="/usr/local/libexec/sshg-fw-pf"`

			`# Space-separated list of log files to monitor. (optional, no default)`
			`#FILES="/var/log/auth.log /var/log/maillog"`
			`FILES="/var/log/auth.log"`

			`# Shell command that provides logs on standard output. (optional, no default)`
			`# Example 1: ssh and sendmail from systemd journal:`
			`#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"`
			`# Example 2: ssh from os_log (macOS 10.12+)`
			`#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"`

			`#### OPTIONS ####`
			`# Block attackers when their cumulative attack score exceeds THRESHOLD.`
			`# Most attacks have a score of 10. (optional, default 30)`
. 2021-04-01 01:23:14 -07:00			`THRESHOLD=10`
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00
			`# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.`
			`# Subsequent blocks increase by a factor of 1.5. (optional, default 120)`
. 2021-04-01 01:23:14 -07:00			`BLOCK_TIME=1200`
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00
			`# Remember potential attackers for up to DETECTION_TIME seconds before`
			`# resetting their score. (optional, default 1800)`
. 2021-04-01 01:23:14 -07:00			`DETECTION_TIME=18000`
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00
			`# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)`
. 2021-04-01 01:23:14 -07:00			`IPV6_SUBNET=64`
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00
			`# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)`
. 2021-04-01 01:23:14 -07:00			`IPV4_SUBNET=24`
updated for FreeBSD 12.2 2021-02-13 11:38:38 -08:00
			`#### EXTRAS ####`
			`# !! Warning: These features may not work correctly with sandboxing. !!`

			`# Full path to PID file (optional, no default)`
			`#PID_FILE=/var/run/sshguard.pid`

			`# Colon-separated blacklist threshold and full path to blacklist file.`
			`# (optional, no default)`
			`#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db`

			`# IP addresses listed in the WHITELIST_FILE are considered to be`
			`# friendlies and will never be blocked.`
			`#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist`