The philosophy and mechanics of sshguard stand upon a few prominent concepts. Understanding these concepts substantially helps the user to gain confidence and command of the tool. This page lists the terms used to signify these concepts, and details their meaning. These terms are used uniformly throughout the website, the documentation, the source code and sshguard's logging activity.

Prominent terms in sshguard

Some terms contain a cApitalized letter; they want to help you bind them with their respective command line argument. Cfr with sshguard's man page.

log source
a source of log entries that sshguard is instructed to monitor; currently either a file, a FIFO, or sshguard's standard input. See the Log Sucker.
anything that can be target of an attack. For example, a software process running on the system. See sshguard services.
attack signature
the rules through which sshguard recognizes a log entry as an attack. By extension, an instance of such entry. See sshguard's attack signatures.
the occurrence of one event tag (log message) recognized as harmful, in any log source.
the entity (IP address) that generated an attack. Each attack is associated with an attacker.
attack density
attack dangerousness
a (positive, integer) value associated with an attack to identify how dangerous the attack is. See sshguard's attack signatures. Intuitively, one attacker is blocked with few very dangerous attacks, or many very light ones.
cumulative danger
the sum of the dangerousness of all attacks a specific attacker committed. When the cumulative danger exceeds a safety threshold, within a the forget time, the attacker is blocked.
sAfety threshold
the maximum cumulative danger commited by an attacker (within the forget time) before it gets blocked.
preScribe time
the time (number of seconds) sshguard takes to forget about an attacker since its last attack.
An attacker that has been blocked in the past.
the event where an attacker's cumulative danger surpasses the safety threshold. After an abuse, an attacker becomes an offender. After an abuse, the attacker is blocked, and its cumulative danger is reset to zero.

If you believe anything in this page is missing or can be explained better, please write to

Lates Releases View all»

  • Latest releases Latest releases are available from SourceForge. See 'News'.
  • sshguard 1.5 This is a milestone release, coming after 18 months ...
  • sshguard 1.5 Sshguard monitors services through their logging activity. It reacts ...

F.A.Q. View all»

  • What is sshguard?Sshguard is a small program that monitors services running on your machine from the log files. When it ...
  • Sshguard does not workYou have one of these problems: sshguard is not given logs correctly sshguard cannot run the commands for ...
  • What does sshguard do?The short version is: it receives log messages, it detects when a networked service has been abused based ...