#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
# Example 1: iptables backend
#BACKEND="/usr/libexec/sshg-fw-iptables"
# Example 2: firewalld backend; for firewalld configuration instructions see
# https://www.ctrl.blog/entry/how-to-sshguard-firewalld.html#sshguard-section-firewalld
#BACKEND="/usr/libexec/sshg-fw-firewalld"

# Space-separated list of log files to monitor. (optional, no default)
#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=128

# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=32

# When set, sandboxed processes drop permissions by changing to this user.
# (optional, no default)
#SSHGUARD_USER=nobody

#### EXTRAS ####
# Full path to PID file (optional, no default)
#PID_FILE=/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=90:/var/lib/sshguard/enemies

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
#WHITELIST_FILE=/etc/friends

# If PARSER is unset, SSHGuard will use the installed sshg-parser as its
# parser. Setting PARSER overrides this, so that you can use your own parser.
#PARSER=

# Run POST_PARSER as a filter after the parser. POST_PARSER must read as input
# and produce as output lines in the format used by sshg-parser. This example
# implements primitive whitelisting, preventing sshg-blocker from seeing
# attacks from 1.2.3.4. Unlike whitelisting, attacks filtered by POST_PARSER
# are not logged by SSHGuard.
#POST_PARSER="grep -v 1.2.3.4"

# When set, write Prometheus-compatible statistics to .prom files in this
# directory every minute. These metrics can be exported using node_exporter's
# textfile collector.
#STATS_DIR="/var/metrics"