Ansible Role: sshguard

This Ansible role installs and sets up sshguard on Debian and RHEL/CentOS systems.

Requirements

For RHEL/CentOS systems, this role needs geerlingguy.repo-epel to install and set up the EPEL (Extra Packages for Enterprise Linux) repository.

Besides that, only Ansible version 2.2 or higher is required.

Tested On

• Debian 9 and 10
• Ubuntu 16.04 and 18.04
• RHEL/CentOS 7 and 9

Role Variables

These are the important variables for this role:

• sshguard_block_time: Time (in seconds) to block attackers after they exceed the threshold. Blocks increase by a factor of 1.5; default is 120.
• sshguard_detection_time: Time (in seconds) to remember potential attackers before resetting their score; default is 1800.
• sshguard_threshold: Score threshold that, when exceeded, will cause an attacker to be blocked. Most attacks score 10; default threshold is 30.
• sshguard_whitelist: A list of trusted IP addresses that will never be blocked.
  • comment: Description (optional)
  • address: An individual IPv4 or IPv6 address, address blocks in CIDR notation, or hostnames.

Example Playbook

---
- name: test-playbook | Test sshguard role
  hosts: all
  become: yes
  become_user: root
  vars:
    - sshguard_whitelist:
        - comment: IPv4 localhost
          address: 127.0.0.0/8
        - address: 127.0.0.1/32
        - comment: IPv6 localhost
          address: ::1
  roles:
    - nephosolutions.sshguard

License

This Ansible role is available under the Apache-2.0 License. See the LICENSE file for more information.