From: David K. K. <dk...@gm...> - 2014-03-28 19:03:16
I've just started using sshguard and I want to implement blacklisting for repetitive attacks. I'm a little confused about the following:

First, here's what's running:

    /usr/local/sbin/sshguard -l /var/log/messages -l /var/log/authlog -w 192.168.0.0/24 -b50:/var/db/sshguard.db

In /var/log/authlog, I found the following sequence:

    Mar 28 01:05:46 onett sshd[27466]: Did not receive identification string from 191.238.52.115
    Mar 28 01:37:44 onett sshguard[17709]: Offender '191.238.52.115:4' scored 110 danger in 1 abuses (threshold 50) -> blacklisted.
    Mar 28 01:37:44 onett sshguard[17709]: Blocking 191.238.52.115:4 for >0secs: 110 danger in 1 attacks over 0 seconds (all: 110d in 1 abuses over 0s).

So it looks like I got one "failure to identify", then about 25 minutes later sshguard blacklisted that IP permanently. Perhaps I have set up my blacklist badly, but shouldn't something like this be considered a pretty low-level issue, not requiring a blacklist?

I've verified that the IP shown is in the sshguard table and strings shows it in /var/db/sshguard.db.

The system is OpenBSD 5.4 and I'm using PF.
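The question above is really an audit problem: which blacklist entries were produced by a single event whose danger score alone exceeded the -b threshold, and how long after the triggering sshd event did the decision land? The following script is an added example, not code from the post or from the sshguard project. It parses the sshd "Did not receive identification string" and sshguard "Offender ... -> blacklisted." lines in the exact shape quoted above (the regexes and the field names are my assumptions; the numeric suffix after the IP in the Offender line, 4 here, is treated as an opaque address-kind tag), correlates them per source IP, and lists the IPs that reached the blacklist on one abuse. The sample log is constructed from the three lines in the post.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the three /var/log/authlog lines quoted in the post.
SAMPLE_LOG = """\
Mar 28 01:05:46 onett sshd[27466]: Did not receive identification string from 191.238.52.115
Mar 28 01:37:44 onett sshguard[17709]: Offender '191.238.52.115:4' scored 110 danger in 1 abuses (threshold 50) -> blacklisted.
Mar 28 01:37:44 onett sshguard[17709]: Blocking 191.238.52.115:4 for >0secs: 110 danger in 1 attacks over 0 seconds (all: 110d in 1 abuses over 0s).
"""

# Assumed line formats, derived only from the lines quoted in the post.
SSHD_NOID_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<ip>\S+)$"
)
OFFENDER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshguard\[\d+\]: "
    r"Offender '(?P<ip>[^']+?):(?P<kind>\d+)' scored (?P<danger>\d+) danger "
    r"in (?P<abuses>\d+) abuses \(threshold (?P<threshold>\d+)\) -> blacklisted\.$"
)


def _parse_ts(s: str) -> datetime:
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # good enough for intervals within one log file.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def _new_entry() -> dict:
    return {"sshd_events": 0, "first_seen": None, "blacklist": None}


def audit(text: str) -> Dict[str, dict]:
    """Correlate sshd 'no identification string' events with sshguard
    blacklist decisions, keyed by source IP."""
    report: Dict[str, dict] = {}
    for line in text.splitlines():
        m = SSHD_NOID_RE.match(line)
        if m:
            entry = report.setdefault(m["ip"], _new_entry())
            entry["sshd_events"] += 1
            if entry["first_seen"] is None:
                entry["first_seen"] = _parse_ts(m["ts"])
            continue
        m = OFFENDER_RE.match(line)
        if m:
            entry = report.setdefault(m["ip"], _new_entry())
            entry["blacklist"] = {
                "danger": int(m["danger"]),
                "abuses": int(m["abuses"]),
                "threshold": int(m["threshold"]),
                "at": _parse_ts(m["ts"]),
            }
    return report


def seconds_to_blacklist(entry: dict) -> Optional[int]:
    """Seconds between the first sshd event seen for an IP and its
    blacklisting, or None if either side is missing from the log."""
    if entry["first_seen"] is None or entry["blacklist"] is None:
        return None
    return int((entry["blacklist"]["at"] - entry["first_seen"]).total_seconds())


def single_abuse_blacklists(report: Dict[str, dict]) -> List[str]:
    """IPs blacklisted on the strength of one abuse: a single event whose
    danger score already met the blacklist threshold."""
    return sorted(
        ip for ip, e in report.items()
        if e["blacklist"] is not None
        and e["blacklist"]["abuses"] == 1
        and e["blacklist"]["danger"] >= e["blacklist"]["threshold"]
    )


if __name__ == "__main__":
    rep = audit(SAMPLE_LOG)
    for ip, e in rep.items():
        print(ip, "sshd events:", e["sshd_events"], "blacklist:", e["blacklist"],
              "seconds to blacklist:", seconds_to_blacklist(e))
    print("single-abuse blacklists:", single_abuse_blacklists(rep))
```

Run against a real authlog (read the file instead of SAMPLE_LOG), the single-abuse list shows directly which entries a given -b threshold would have avoided: any IP whose danger score for one event is below the threshold would have needed repeated abuses before landing in the blacklist file.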