From: Willem J. W. <wj...@di...> - 2015-08-31 22:11:31
On 31-8-2015 22:51, James Harris wrote:
> This one can be tricky. Applying the current white-list to the stored
> blocklist seems possible but we shouldn't remove currently white-listed
> addresses from the stored blacklist. If an address is removed from the
> white-list in the future shouldn't the old block list still apply?
I think that would be a sensible modus.
> Just as a general point I would suggest that if you know what addresses
> should be white-listed create a general firewall rule that accepts those
> packets well before they get to the ssh guard block table/rules. For
> example if you are using 10.1.x.x for internal networking then just put
> a 10.1/16 rule early to accept all traffic from those hosts. The
> white-list in sshguard really should be used to not pollute the block
> table from trusted machines and not used to allow traffic. It is there
> so to allow legitimate users to error inputting passwords and not fill
> up the block database. Failures to login are not filtered out of the
> logs so even when there are early rules to allow the traffic sshguard
> can put the addresses on the block list.
I manage whitelists for a large set of servers in several ranges.
And on average, non-routable nets are not my biggest problem.
But the whitelist contains mainly groups of gateways allowed to get
access to certain blocks of servers.
And as I like to reject the bad guys as soon as possible, accepting
non-routables early on conflicts with the complete set of rules for this
that are connected to NAT. And doing different things to certain
netblocks to get them exempt will only create complex rules, with the
danger of errors, and thus leaks.
I see it rather simple:
whitelist members are not to be blocked because they are trusted.
All others are up for possible rejection.
So if I change the whitelist, I'd like that to take priority over
blacklisting. Now it is the other way around: blacklisting has priority.
The other very rude approach would be:
stop sshguard
flush table(s)
remove the blacklist
OR smart-"grep" whitelist from blacklist
start sshguard
Now what I suggested (and prefer) is that sshguard does the smart-grep.
--WjW
>
>
>
> On Mon, Aug 31, 2015 at 3:51 AM, Willem Jan Withagen <wj...@di...> wrote:
>
> Hi,
>
> Looking at it, I would not call it a DB.
> It is merely a list. Which is actually nice since one can then easily
> browse and grep thru it....
>
> I have one feature request for it:
>
> Upon (re)start of sshguard, when the list is used to blacklist, it would
> be nice if the addresses were matched against what is in the whitelist.
>
> Now I have to manually go thru the blacklist to remove hosts I've added
> to the whitelist, since they are fully trusted.
> If I don't do that, then the whitelisted host is blacklisted anyway...
>
> --WjW
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
>
>
>
>
> --
> James Harris
> Software Engineer
> jam...@gm...
>
>
>
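The "smart-grep" step from the restart procedure above, as an added example that is not sshguard's own code: it parses a whitelist of bare addresses and CIDR netblocks, then splits a stored blocklist into the entries to load and the entries the whitelist exempts, while leaving the stored file itself untouched so an address that later drops out of the whitelist is still blocked on the next restart. The blocklist line format (address first, extra fields ignored) and all sample data are constructed assumptions for this example.

```python
import ipaddress

# Constructed sample data (not sshguard's own files): a whitelist with bare
# addresses and CIDR netblocks, and a stored blocklist whose first field is the
# offending address (the trailing fields are assumed for this example).
WHITELIST_TEXT = """\
# trusted gateways
10.1.0.0/16
192.0.2.10
2001:db8::/32
"""

BLOCKLIST_TEXT = """\
10.1.4.7 ssh 3
198.51.100.23 ssh 5
192.0.2.10 ssh 4
2001:db8:1::9 ssh 2
not-an-address ssh 1
203.0.113.77 ssh 9
"""


def parse_whitelist(text):
    """Whitelist lines -> ip_network objects; a bare address becomes a /32 or /128."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_whitelisted(addr, nets):
    """True if addr lies inside any whitelisted network; raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)  # v4/v6 mismatches compare False


def split_blocklist(block_text, white_text):
    """Return (keep, drop): entries to load at (re)start vs. entries the whitelist exempts."""
    nets = parse_whitelist(white_text)
    keep, drop = [], []
    for line in block_text.splitlines():
        if not line.strip():
            continue
        try:
            exempt = is_whitelisted(line.split()[0], nets)
        except ValueError:
            exempt = False  # unparsable entry: keep it rather than silently drop it
        (drop if exempt else keep).append(line)
    return keep, drop
```

Write `keep` to the list handed to the firewall at start-up and leave the stored blocklist file as it is.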