From: <li...@la...> - 2016-03-19 08:39:08
With the blacklist in plain text now, I have a suggestion. If ultimately the blacklist is going to get an automatic prune mode, i.e. it becomes dynamic, would it be possible to have a second blacklist used by sshguard but not created by sshguard? For instance, you have a list of known bad actors that you don't even want to give the chance to be blocked. Or in the case of Tor, you have a list created by "other means" that contains the current Tor exit nodes. "Other means" is the problem of the sys admin. Just specify the format. But since the second blacklist file could be dynamic, it would need to be read periodically by sshguard.

Original Message
From: Kevin Zheng
Sent: Friday, March 18, 2016 9:31 PM
To: ssh...@li...
Reply To: ssh...@li...
Subject: Re: [Sshguard-users] SSHGuard blocking my home DSL IP

On 03/18/2016 18:50, Robin Smith wrote:
> But I found the problem, and I should have seen this earlier: my home IP
> was blacklisted because of a few fat-fingered attempts at logging in
> with password authentication from my phone. I could clear the IP out
> of table 22 by using the VNC connection to my VM, and then things were
> fine until I needed to do a reboot (there were a couple of security
> updates in 10.2 requiring a new kernel). I had already whitelisted my
> DSL modem's current IP (which usually is stable unless there's a power
> outage), but what I failed to realize is that the blacklist database is
> loaded at startup *before* the whitelist file and, in addition,
> whitelisting doesn't override the blacklist. There's a bit of code on
> the web for editing /var/db/sshguard/blacklist/.db, but I used the
> cruder method of deleting the blacklist database and restarting. This
> does make me wonder: what exactly is the whitelisting file for, if its
> entries are not overridden by whitelisting?

Right. By default, the FreeBSD rc.d script enables blacklisting.
The stuff you found on the web applies to earlier versions of SSHGuard, where the blacklist file is an opaque binary. Now it's plain text; open it up using a text editor and delete the lines you don't want. Remember that you'll need to restart SSHGuard for it to load the new blacklist.

Currently, the blacklist is loaded before the whitelist is. If an address appears in the whitelist, it will not be blocked or blacklisted, but if it's already in the blacklist the whitelist won't unblock it. So you'll have to delete yourself from the blacklist. I consider this behavior buggy but haven't gotten around to fixing it.

> Thanks very much for your reply. In this case, I just didn't take a
> close enough look at what was going on, so I feel like an idiot. However,
> this passage from the man page for sshguard is a little puzzling (under
> the '-b thresh:file' option):
>
>     "Blacklisted addresses are added to file so they can be read at
>     the next startup. Blacklisted addresses are never automatically
>     unblocked, but it is good practice to periodically clean out
>     stale blacklist entries."
>
> That passage implies that there is a way to "clean out stale entries"
> from the blacklist database other than simply deleting the whole thing.
> I seem to have missed what that is. Do you know?

Yep, it's plain text now! In the next major release I hope to automatically prune the blacklist.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
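
The manual cleanup described in this thread (delete stale lines, delete your own whitelisted address) can be scripted. The following is an added example, not part of the original messages and not SSHGuard code. It assumes each blacklist line has the form `epoch|service|addrtype|address`, which the thread does not state (it only says the file is plain text); the function name, sample lines and addresses are constructed.

```python
import ipaddress

def prune_blacklist(lines, whitelist, now, max_age_days):
    """Split blacklist lines into (kept, dropped).

    A line is dropped when its address is covered by a whitelist entry
    or when its timestamp is older than max_age_days.
    Assumed line format (not stated in the thread):
        epoch|service|addrtype|address
    """
    nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    cutoff = now - max_age_days * 86400
    kept, dropped = [], []
    for line in lines:
        fields = line.strip().split("|")
        try:
            stamp = int(fields[0])
            addr = ipaddress.ip_address(fields[3])
        except (ValueError, IndexError):
            kept.append(line)  # unparseable: leave it for a human to review
            continue
        whitelisted = any(addr.version == n.version and addr in n for n in nets)
        if whitelisted or stamp < cutoff:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped

# Constructed sample data (documentation address ranges only).
SAMPLE = [
    "1458290000|100|4|203.0.113.7",    # recent, but whitelisted
    "1420070400|100|4|198.51.100.23",  # stale entry
    "1458300000|100|4|192.0.2.55",     # recent, not whitelisted
    "1458300000|100|6|2001:db8::1",    # recent IPv6, not whitelisted
    "# hand-edited note",              # does not parse, so it is kept
]
WHITELIST = ["203.0.113.7"]            # single addresses or CIDR blocks
NOW = 1458376748                       # constructed "current time"

if __name__ == "__main__":
    kept, dropped = prune_blacklist(SAMPLE, WHITELIST, NOW, max_age_days=90)
    print("kept:", *kept, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
```

Write the kept lines back to the blacklist file and restart SSHGuard, which the thread notes is required for it to load the new blacklist.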