From: Dennis N. <djn...@ya...> - 2014-04-14 19:02:28
The man page on the sshguard.net site and as included with the source has a couple of small problems in the touchiness section (I'm using sshguard-code-238-trunk).

The first problem is this statement:

> For example, if address A attacks repeatedly and the base blocking time is 420 seconds, A will be blocked for 420 seconds (7 mins) at the first abuse, 2*420 (14 mins) the second, 2*2*420 (28 mins) the third ... and 2^(n-1)*420 the n-th time.

Sticking with the 420 seconds example, inspecting sshguard.c shows that the blockage for the n-th time actually occurs for 1.5^n*420 seconds. This progresses as 11, 16, 24, 35, 53, 80, ... minutes, which quickly falls behind the man page representation, which progresses as 7, 14, 28, 56, 112, 224, ... minutes.

I wonder if it wouldn't be better to be more aggressive instead of less - say 3*(n-1)*420 seconds, which would be 7, 21, 63, 189, 567, 1701, ... minutes or, expressed differently, approximately 1/9, 1/3, 1, 3, 9, 27, ... hours.

The other problem occurs later in the man page in this statement:

> The -b command line option enables blacklisting and requires the filename to use for permanent storage of the blacklist. Optionally, a custom blacklist threshold can be prefixed to this path, separated by ':'.

This might lead you to believe (as it did me) that blacklisting does not occur without the -b option and that the blocking time would just keep growing. In truth, with default parameters, blacklisting occurs on the third attack. You can see this in the sshguard log entries that say "for >630secs", then "for >945secs", and then finally "for >0secs". It's not really full-fledged blacklisting because, lacking any blacklist file, the block stays in force in the firewall only until sshguard is restarted or until a reboot (this may depend upon which firewall is used).

Given the above, I've compiled in the 3*(n-1)*420 seconds rule (remember, the 420 part is only an example value, albeit the default value) and provided the -b option on the command line with a count of 7 and an appropriate file name. I hope this helps someone. I know I've found substantial help in posts from this mailing list.

-dennis