The philosophy and mechanics of sshguard stand upon a few prominent concepts. Understanding these concepts substantially helps the user to gain confidence and command of the tool. This page lists the terms used to signify these concepts, and details their meaning. These terms are used uniformly throughout the website, the documentation, the source code and sshguard's logging activity.
Prominent terms in sshguard
Some terms contain a cApitalized letter; it is there to help you associate the term with its command line argument. Compare with sshguard's man page.
- log source: a source of log entries that sshguard is instructed to monitor; currently either a file, a FIFO, or sshguard's standard input. See the Log Sucker.
- service: anything that can be the target of an attack, for example a software process running on the system. See sshguard services.
- attack signature: the rules through which sshguard recognizes a log entry as an attack. By extension, an instance of such an entry. See sshguard's attack signatures.
- attack: the occurrence of one event (a log message) recognized as harmful, in any log source.
- attacker: the entity (IP address) that generated an attack. Each attack is associated with an attacker.
- attack density
- attack dangerousness: a (positive, integer) value associated with an attack to identify how dangerous the attack is. See sshguard's attack signatures. Intuitively, an attacker is blocked after a few very dangerous attacks, or after many very light ones.
- cumulative danger: the sum of the dangerousness of all attacks a specific attacker committed. When the cumulative danger exceeds the safety threshold within the forget time, the attacker is blocked.
- sAfety threshold: the maximum cumulative danger an attacker may commit (within the forget time) before it gets blocked.
- preScribe time: the time (number of seconds) sshguard takes to forget about an attacker since its last attack.
- offender: an attacker that has been blocked in the past.
- abuse: the event where an attacker's cumulative danger surpasses the safety threshold. After an abuse, the attacker becomes an offender, is blocked, and its cumulative danger is reset to zero.
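The accounting that the terms above describe, as an added Python model that is not sshguard's own code: it uses two constructed attack signatures, constructed sshd log lines with synthetic timestamps, and a safety threshold of 30 and forget time of 600 seconds chosen for the example (sshguard's real signature set and default values differ). It keeps one cumulative danger score per attacker, forgets an attacker once the forget time has elapsed since its last attack, and raises an abuse (blocking the attacker, marking it an offender, resetting its score) when the cumulative danger exceeds the safety threshold.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Attack signatures: (name, pattern, dangerousness).
# Assumption: these patterns and danger values are constructed for this
# example; sshguard ships its own signature set and default values.
SIGNATURES = [
    ("sshd-failed-password",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)"),
     10),
    ("sshd-invalid-user",
     re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)"),
     10),
]


@dataclass
class AttackerState:
    cumulative_danger: int = 0   # sum of dangerousness within the forget time
    last_attack: float = 0.0     # timestamp of the most recent attack
    blocked: bool = False        # currently blocked
    offender: bool = False       # has been blocked at least once


class Guard:
    """Per-attacker danger accounting: one attacker, one cumulative score."""

    def __init__(self, safety_threshold: int = 30, forget_time: float = 600.0):
        self.safety_threshold = safety_threshold  # sAfety threshold
        self.forget_time = forget_time            # preScribe (forget) time
        self.attackers: Dict[str, AttackerState] = {}

    def match(self, line: str) -> Optional[Tuple[str, str, int]]:
        """Return (signature name, attacker IP, dangerousness), or None."""
        for name, pattern, danger in SIGNATURES:
            m = pattern.search(line)
            if m:
                return name, m.group(1), danger
        return None

    def feed(self, line: str, now: float):
        """Account one log line; return the resulting event, if any."""
        hit = self.match(line)
        if hit is None:
            return None                     # not an attack: nothing to account
        _name, ip, danger = hit
        state = self.attackers.setdefault(ip, AttackerState())
        if now - state.last_attack > self.forget_time:
            state.cumulative_danger = 0     # forget time elapsed: attacker forgotten
        state.cumulative_danger += danger
        state.last_attack = now
        # The safety threshold is the maximum danger tolerated, so blocking
        # happens only when the cumulative danger strictly exceeds it.
        if state.cumulative_danger > self.safety_threshold:
            state.blocked = True
            state.offender = True
            state.cumulative_danger = 0     # abuse: score reset after blocking
            return ("abuse", ip)
        return ("attack", ip, state.cumulative_danger)


# Constructed log lines with synthetic timestamps (seconds); not a real capture.
SAMPLE_LOG: List[Tuple[int, str]] = [
    (0, "Jan  1 00:00:00 host sshd[1234]: Failed password for root from 203.0.113.5 port 40001 ssh2"),
    (1, "Jan  1 00:00:01 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2"),
    (2, "Jan  1 00:00:02 host sshd[1236]: Invalid user oracle from 203.0.113.5 port 40003"),
    (3, "Jan  1 00:00:03 host sshd[1237]: Failed password for root from 203.0.113.5 port 40004 ssh2"),
    (4, "Jan  1 00:00:04 host sshd[1238]: Failed password for root from 198.51.100.7 port 50001 ssh2"),
    (5, "Jan  1 00:00:05 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
    (700, "Jan  1 00:11:40 host sshd[1300]: Failed password for root from 198.51.100.7 port 50002 ssh2"),
]


def run_sample():
    """Feed the constructed log through the model; return (events, attacker states)."""
    guard = Guard(safety_threshold=30, forget_time=600)
    events = [guard.feed(line, ts) for ts, line in SAMPLE_LOG]
    return events, guard.attackers


if __name__ == "__main__":
    events, attackers = run_sample()
    for (ts, _), event in zip(SAMPLE_LOG, events):
        print(f"t={ts:>4}s  {event}")
    for ip, state in attackers.items():
        print(ip, state)
```

Running it shows the first attacker reaching a cumulative danger of 30 on its third attack without being blocked (the threshold is a maximum, not a trigger), then committing an abuse on the fourth; the second attacker's first attack is forgotten by the time its next one arrives 696 seconds later, so its score restarts at 10 instead of reaching 20.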
If you believe anything in this page is missing or can be explained better, please write to firstname.lastname@example.org.