From: Willem J. W. <wj...@di...> - 2015-08-31 23:51:51
On 1-9-2015 01:40, Kevin Zheng wrote:
> On 08/31/2015 03:51, Willem Jan Withagen wrote:
>> Upon (re)start of sshguard, and the list is used to blacklist, it would
>> be nice if the addresses were matched against what is in the whitelist.
>>
>> Now I have to manually go through the blacklist to remove hosts I've added
>> to the whitelist, since they are fully trusted.
>> If I don't do that, then the whitelisted host is blacklisted anyway...
>
> In my opinion, the whitelist has one important use case: to prevent you
> from locking yourself out. James makes a good point that it's really a
> better idea to use a firewall rule for this purpose instead. Currently,
> the whitelist is loaded only once at startup, which means that updating
> it requires you to restart SSHGuard.
>
> On the issue of polluting blacklists, David Winterburn suggested a
> do-not-blacklist list that prevents certain hosts from ever being
> blacklisted, but still blocks regular attacks. This seems like a useful
> feature for SSHGuard; a whitelist can be done in the firewall.
>
> Comments?

Well, I think I used the wrong wording... So thanks for the more precise word selection.
I used "whitelist" for a function you just described as: do-not-blacklist.
And I totally agree....

Most of the time I'm fishing for blocked customers that repeatedly tried the wrong password to update their website over sftp. And always the same customers... :(
So they are not whitelisted in the FW sense, since they still need to follow all the FW rules. But I really would like for them not to end up in the blacklist over and over....

So then reread my request as:
Once on the do-not-block list, also do not insert in FW upon restart.

Note that I maintain the FWs with puppet, and during rule updates they do get restarted/reloaded. Same holds for sshguard: if I update the do-not-blacklist list, sshguard gets restarted by puppet. So I do not think of sshguard as once and forever.

--WjW