From: Robin S. <ras...@gm...> - 2016-03-19 01:50:49
On Fri, Mar 18, 2016 at 7:57 PM, Kevin Zheng <kev...@gm...> wrote:
> Hi Robin,
>
> [snip]
>
> What version of SSHGuard are you running? I'm assuming that turning off
> SSHGuard makes this problem go away?
>
>
1.6.3 (the current version in the FreeBSD ports tree).
> A temporary workaround could be to use whitelisting. But that's not
> super helpful if your IP address at home changes.
>
>
But I found the problem, and I should have seen this earlier: my home IP
was blacklisted because of a few fatfingered attempts at logging in with
password authentication from my phone. I could clear the IP out of table
22 by using the VNC connection to my VM, and then things were fine until I
needed to do a reboot (there were a couple of security updates in 10.2
requiring a new kernel). I had already whitelisted my DSL modem's current
IP (which usually is stable unless there's a power outage), but what I
failed to realize is that the blacklist database is loaded at startup
*before* the whitelist file and, in addition, whitelisting doesn't override
the blacklist. There's a bit of code on the web for editing
/var/db/sshguard/blacklist/.db, but I used the cruder method of deleting
the blacklist database and restarting. This does make me wonder: what
exactly is the whitelisting file for, if its entries are not overridden by
whitelisting?
> Have you taken a look at /var/log/auth.log, grepping for your home IP,
> and seeing if any interesting entries turn up?
>
Yes, that's where I found when and why my IP got into the blacklist.
> Older versions of
> SSHGuard treated "reverse getaddrinfo" mismatches as an attack.
>
>
I did think about that, but it wasn't the problem in my case.
Thanks very much for your reply. In this case, I just didn't take a close
enough look at what was going on, so I feel like an idiot. However, this
passage from the man page for sshguard is a little puzzling (under the '-b
thresh:file' option):
"Blacklisted addresses are added to file so they can be read at
the next startup. Blacklisted addresses are never automatically
unblocked, but it is good practice to periodically clean out
stale blacklist entries."
That passage implies that there is a way to "clean out stale entries" from
the blacklist database other than simply deleting the whole thing. I seem
to have missed what that is. Do you know?
Best,
Robin Smith
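The situation Robin describes (a persisted blacklist that is reloaded before the whitelist, so a whitelisted home address stays blocked across reboots) can be handled by pruning the blacklist file before restarting the service. The script below is an added example, not code from this thread or from SSHGuard itself; it assumes each blacklist line is `timestamp|service|addrkind|address` (the 1.6.x text format as I remember it, so verify against your own file) and that the whitelist is one address or CIDR block per line with `#` comments.

```python
"""Prune an SSHGuard-style blacklist: drop entries older than max_age
seconds and entries covered by the whitelist, keep everything else.
ASSUMED blacklist line format: timestamp|service|addrkind|address."""
import ipaddress
import time

def load_whitelist(lines):
    """Parse whitelist lines (address or CIDR, '#' comments) into networks."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def is_whitelisted(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)   # v4/v6 mismatch is simply False

def prune_blacklist(bl_lines, wl_nets, max_age, now=None):
    """Return (kept_lines, dropped) where dropped is [(address, reason)]."""
    now = time.time() if now is None else now
    kept, dropped = [], []
    for raw in bl_lines:
        line = raw.strip()
        if not line:
            continue
        try:
            ts, _service, _kind, addr = line.split("|")
            ts = int(ts)
            ipaddress.ip_address(addr)
        except ValueError:
            kept.append(line)   # malformed line: keep it rather than lose data
            continue
        if now - ts > max_age:
            dropped.append((addr, "stale"))
        elif is_whitelisted(addr, wl_nets):
            dropped.append((addr, "whitelisted"))
        else:
            kept.append(line)
    return kept, dropped

# Constructed sample data (documentation ranges, not a real system).
SAMPLE_BLACKLIST = ["1458000000|100|4|192.0.2.10", "1450000000|100|4|198.51.100.7",
                    "1458300000|100|4|203.0.113.5", "1458300000|100|6|2001:db8::1",
                    "garbage line"]
SAMPLE_WHITELIST = ["192.0.2.0/24  # home DSL range", "2001:db8::1"]

def demo():
    """Prune the sample with a fixed 'now' and a 30-day max age."""
    return prune_blacklist(SAMPLE_BLACKLIST, load_whitelist(SAMPLE_WHITELIST),
                           max_age=30 * 86400, now=1458345678)

if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:", kept)
    print("dropped:", dropped)
```

Write the kept lines back to the blacklist file (keeping a backup) before restarting sshguard, so the whitelisted address is not reloaded ahead of the whitelist.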