From: James H. <jam...@gm...> - 2015-08-31 20:51:41
This one can be tricky. Applying the current white-list to the stored blocklist seems possible, but we shouldn't remove currently white-listed addresses from the stored blacklist. If an address is removed from the white-list in the future, shouldn't the old block list still apply?

Just as a general point, I would suggest that if you know what addresses should be white-listed, create a general firewall rule that accepts those packets well before they get to the sshguard block table/rules. For example, if you are using 10.1.x.x for internal networking, then just put a 10.1/16 rule early to accept all traffic from those hosts.

The white-list in sshguard really should be used to not pollute the block table from trusted machines, and not used to allow traffic. It is there to allow legitimate users to make errors inputting passwords and not fill up the block database. Failures to log in are not filtered out of the logs, so even when there are early rules to allow the traffic, sshguard can put the addresses on the block list.

On Mon, Aug 31, 2015 at 3:51 AM, Willem Jan Withagen <wj...@di...> wrote:
> Hi,
>
> Looking at it, I would not call it a DB.
> It is merely a list. Which is actually nice, since one can then easily
> browse and grep through it....
>
> I have one feature request for it:
>
> Upon (re)start of sshguard, when the list is used to blacklist, it would
> be nice if the addresses were matched against what is in the whitelist.
>
> Now I have to manually go through the blacklist to remove hosts I've added
> to the whitelist, since they are fully trusted.
> If I don't do that, then the whitelisted host is blacklisted anyway...
>
> --WjW

--
James Harris
Software Engineer
jam...@gm...
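The rule ordering James describes, as an added pf.conf example that is not part of the original thread: a `quick` pass rule for the trusted 10.1/16 range is evaluated before the sshguard block table, so a trusted host stays reachable even if sshguard later adds it to the table. The table name `<sshguard>` follows sshguard's pf backend; `$ext_if` is an assumed interface macro.

```pf
# Assumed interface macro; adjust to the real external interface.
ext_if = "em0"

# Table that sshguard's pf backend populates with blocked addresses.
table <sshguard> persist

# Trusted internal range (the 10.1/16 from the thread): accept early with
# 'quick', so no later rule, including the sshguard block, is consulted.
pass in quick on $ext_if proto tcp from 10.1.0.0/16 to any port ssh keep state

# Block everything sshguard has put in the table. Because the pass rule above
# is 'quick', a 10.1.x.x address that ends up in the table is still allowed in.
block in quick on $ext_if proto tcp from <sshguard> to any port ssh

# Everyone else reaches sshd normally and is subject to sshguard's blocking.
pass in on $ext_if proto tcp from any to any port ssh keep state
```

The sshguard whitelist still matters for the trusted range: it keeps failed logins from those hosts from filling the block table, while the firewall rule above is what actually guarantees their access.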