Forge Home


Configures sshguard


9,894 latest version

1.8 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.0.1 (latest)
released Dec 21st 2012

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'csail-sshguard', '0.0.1'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add csail-sshguard
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install csail-sshguard --version 0.0.1

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



csail/sshguard — version 0.0.1 Dec 21st 2012


This is the sshguard module and class. It can manage recent versions of sshguard (new enough to support built-in log tailing rather than running on a pipe from syslogd) on FreeBSD and Debian/Ubuntu systems. On FreeBSD, it will require the right firewall class for you depending on the package name you specify (freebsd::ipfw or freebsd::pf) but our implementation of freebsd::pf is a non-functional stub so if you use pf you'll need to roll your own. On Debian systems the sshguard package enables the firewall automatically.

Class parameters

  • ensure: has standard Puppet semantics (including purged support if your package provider supports it) (default present)
  • autoupgrade: true if you want to upgrade to the latest version automatically (default false)
  • package: name of the package you want to install (default sshguard-ipfw on FreeBSD, sshguard elsewhere)
  • service: name of the service that is used to control sshguard
  • watch_logs: array of log files to be scanned for abusive activity (passed as -l arguments of sshguard)
  • safety_thresh: argument to sshguard's -a flag
  • pardon_min_interval: argument to sshguard's -p flag
  • prescribe_interval: argument to sshguard's -s flag (yes, we know it's misspelled)
  • whitelist_file: full path of file where the sshguard whitelist is stored (default is OS-specific)
  • whitelist_dir: name of the directory where whitelist_file is located, which must be explicitly created on some operating systems (default is OS-specific)
  • whitelist_nets: array of strings listing CIDR blocks to be whitelisted whitelist (default empty)
  • whitelist_hosts: array of strings listing IPv4 hosts to be whitelisted (default empty)

We recommend that you keep a global list of local networks and management stations in your Hiera data, and use those to populate the whitelist_nets and whitelist_hosts parameters (which is why they are given separately, since the latter is a special case of the former).


See the file LICENSE.