From: Emmanuel <el...@ms...> - 2016-01-21 18:51:47
Hello,

I'm trying to use sshguard in docker on a Kubernetes cluster. I have used the blackhole script so far and it looks like sshguard is more advanced, but I can't seem to see its effect: I have it running right now on my cluster, with the docker flag for the container to be privileged. I run sshguard without any flags so far, sending journalctl data to it with:

    /bin/sh -c 'journalctl --no-pager -q -f -t sshd | sed -u "s/\\[[0-9]*\\]//" | docker run -i --name sshguard --rm --net=host --privileged mischief/sshguard:1.6.0'

The 'sed' part is meant to strip the PID info, as I understand sshguard tries to match PIDs but CoreOS uses inetd sshd and sshguard would reject that.

Prior to that I have set:

    /usr/sbin/iptables -D INPUT -j sshguard
    /usr/sbin/ip6tables -D INPUT -j sshguard
    /usr/sbin/iptables -A INPUT -j sshguard
    /usr/sbin/ip6tables -A INPUT -j sshguard

I would expect sshguard to create iptables rules, but I don't see any even though my journalctl logs show attacks happening.

I would like to know:

1) What should the rules look like? I see:

    $ iptables --list
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    sshguard   all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain DOCKER (1 references)
    target     prot opt source               destination

    Chain sshguard (1 references)
    target     prot opt source               destination

    $ iptables --list-rules
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N DOCKER
    -N sshguard
    -A INPUT -j sshguard
    -A FORWARD -o docker0 -j DOCKER
    -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
    -A FORWARD -i docker0 -o docker0 -j ACCEPT

In journalctl I get a lot of attempts to ssh onto my server, for example:

    Jan 21 04:57:21 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:63369).
    Jan 21 04:57:23 coreos sshd[7899]: Failed password for root from 183.3.202.107 port 63369 ssh2
    Jan 21 04:57:23 coreos sshd[7899]: Failed password for root from 183.3.202.107 port 63369 ssh2
    Jan 21 04:57:23 coreos sshd[7899]: Failed password for root from 183.3.202.107 port 63369 ssh2
    Jan 21 04:57:24 coreos sshd[7899]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:24 coreos sshd[7899]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:24 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:24051).
    Jan 21 04:57:26 coreos sshd[7903]: Failed password for root from 183.3.202.107 port 24051 ssh2
    Jan 21 04:57:26 coreos sshd[7903]: Failed password for root from 183.3.202.107 port 24051 ssh2
    Jan 21 04:57:27 coreos sshd[7903]: Failed password for root from 183.3.202.107 port 24051 ssh2
    Jan 21 04:57:27 coreos sshd[7903]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:27 coreos sshd[7903]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:27 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:38955).
    Jan 21 04:57:30 coreos sshd[7960]: Failed password for root from 183.3.202.107 port 38955 ssh2
    Jan 21 04:57:30 coreos sshd[7960]: Failed password for root from 183.3.202.107 port 38955 ssh2
    Jan 21 04:57:31 coreos sshd[7960]: Failed password for root from 183.3.202.107 port 38955 ssh2
    Jan 21 04:57:31 coreos sshd[7960]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:31 coreos sshd[7960]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:31 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:57043).
    Jan 21 04:57:33 coreos sshd[8004]: Failed password for root from 183.3.202.107 port 57043 ssh2
    Jan 21 04:57:34 coreos sshd[8004]: Failed password for root from 183.3.202.107 port 57043 ssh2
    Jan 21 04:57:35 coreos sshd[8004]: Failed password for root from 183.3.202.107 port 57043 ssh2
    Jan 21 04:57:35 coreos sshd[8004]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:35 coreos sshd[8004]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:35 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:21575).
    Jan 21 04:57:38 coreos sshd[8008]: Failed password for root from 183.3.202.107 port 21575 ssh2
    Jan 21 04:57:38 coreos sshd[8008]: Failed password for root from 183.3.202.107 port 21575 ssh2
    Jan 21 04:57:39 coreos sshd[8008]: Failed password for root from 183.3.202.107 port 21575 ssh2
    Jan 21 04:57:39 coreos sshd[8008]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:39 coreos sshd[8008]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:40 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:42026).
    Jan 21 04:57:41 coreos sshd[8012]: Failed password for root from 183.3.202.107 port 42026 ssh2
    Jan 21 04:57:42 coreos sshd[8012]: Failed password for root from 183.3.202.107 port 42026 ssh2
    Jan 21 04:57:43 coreos sshd[8012]: Failed password for root from 183.3.202.107 port 42026 ssh2
    Jan 21 04:57:43 coreos sshd[8012]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:43 coreos sshd[8012]: Disconnected from 183.3.202.107 [preauth]
    Jan 21 04:57:43 coreos systemd[1]: Started OpenSSH per-connection server daemon (183.3.202.107:58053).
    Jan 21 04:57:46 coreos sshd[8017]: Failed password for root from 183.3.202.107 port 58053 ssh2
    Jan 21 04:57:47 coreos sshd[8017]: Failed password for root from 183.3.202.107 port 58053 ssh2
    Jan 21 04:57:47 coreos sshd[8017]: Failed password for root from 183.3.202.107 port 58053 ssh2
    Jan 21 04:57:47 coreos sshd[8017]: Received disconnect from 183.3.202.107: 11: [preauth]
    Jan 21 04:57:47 coreos sshd[8017]: Disconnected from 183.3.202.107 [preauth]

2) How is the 'score' calculated? I see the default is 40, but what does 40 equate to in terms of number of attempts etc.?

3) Does sshguard log banned addresses somewhere? I would like to make sure it is working as expected!

Thanks for clarifying these points.
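As an added illustration of the scoring question above (this is not code from the post or from sshguard), the following Python model strips the PID the same way as the sed in the pipeline, tallies "Failed password" lines per source address, and emits the block rule once a source reaches the threshold. It assumes sshguard 1.x's defaults of 10 danger points per attack and a 40-point threshold, and the `iptables -A sshguard -s ADDR -j DROP` rule shape of its iptables backend; the log lines are constructed, using documentation addresses.

```python
import re
from collections import defaultdict
# Assumed sshguard 1.x defaults: each attack adds 10 danger points and the
# source is blocked once its score reaches the -a threshold (default 40).
ATTACK_DANGER, ABUSE_THRESHOLD = 10, 40
PID_RE = re.compile(r"\[[0-9]*\]")  # the sed pattern from the pipeline
FAILED_RE = re.compile(r"sshd: Failed password for \S+ from (\S+) port \d+ ssh2")

# Constructed sample in the journalctl -t sshd shape, using documentation addresses.
SAMPLE_LOG = """\
Jan 21 04:57:23 coreos sshd[7899]: Failed password for root from 192.0.2.10 port 63369 ssh2
Jan 21 04:57:26 coreos sshd[7903]: Failed password for root from 192.0.2.10 port 24051 ssh2
Jan 21 04:57:27 coreos sshd[7903]: Failed password for root from 192.0.2.10 port 24051 ssh2
Jan 21 04:57:30 coreos sshd[7960]: Failed password for admin from 198.51.100.7 port 40000 ssh2
Jan 21 04:57:31 coreos sshd[7960]: Failed password for root from 192.0.2.10 port 38955 ssh2
Jan 21 04:57:33 coreos sshd[8004]: Failed password for root from 192.0.2.10 port 57043 ssh2
"""

def strip_pid(line):
    """Same effect as the sed in the pipeline: drop the first "[digits]" token."""
    return PID_RE.sub("", line, count=1)

def failed_login_source(line):
    """Source address of a 'Failed password' line (after PID stripping), else None."""
    m = FAILED_RE.search(strip_pid(line))
    return m.group(1) if m else None

class DangerTally:
    """Per-source danger score; reports a source once, when it reaches the threshold."""
    def __init__(self, threshold=ABUSE_THRESHOLD, danger=ATTACK_DANGER):
        self.threshold, self.danger = threshold, danger
        self.score, self.blocked = defaultdict(int), set()

    def feed(self, line):
        src = failed_login_source(line)
        if src is None or src in self.blocked:
            return None
        self.score[src] += self.danger
        if self.score[src] >= self.threshold:
            self.blocked.add(src)
            return src
        return None

def process(log_text):
    tally = DangerTally()
    # Rule shape assumed from sshguard's iptables backend; compare with: iptables -L sshguard -n
    rules = ["iptables -A sshguard -s %s -j DROP" % s for s in map(tally.feed, log_text.splitlines()) if s]
    return rules, dict(tally.score)
```

With the constructed sample, the first source reaches 40 on its fourth failed password and its fifth line adds nothing, while the second source stays at 10 and is never blocked.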