Re: [SSHGuard-users] BLACKLIST_FILE

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 01/06/17 20:55, Doug Niven wrote:
> Thanks for your help getting SSHGuard working for me last weekend in
> MacOS Sierra, it’s working well.

Glad to hear.

> I do see the following in the .conf file, which I’ve uncommented:
>
> # Colon-separated blacklist threshold and full path to blacklist
> file. # (optional, no default)
> BLACKLIST_FILE=90:/usr/local/etc/blacklist
>
> However, on all of our machines, the blacklist remains empty and
> untouched. Am I missing a step to make this work? These machines get
> hammered pretty hard, and even in my testing with SSH Brute Enforcer
> (https://github.com/R4stl1n/SSH-Brute-Forcer) I don’t see any changes
> to this file.

I'm not sure what's going on here. If you look at SSHGuard's own log 
messages, do you ever see 'blocking [address] forever'?

> Also: if I manually add an IP or range to the blacklist, will this
> also be sent to PF somehow?

No. SSHGuard will only read the blacklist file when you restart it. It 
blocks everything in the blacklist at startup.

Best,
Kevin

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090

Re: [SSHGuard-users] BLACKLIST_FILE

Intelligently block brute-force attacks by aggregating system logs

Re: [SSHGuard-users] BLACKLIST_FILE