From: Doug N. <dn...@uc...> - 2017-01-16 19:18:35

Hi Kevin,

You mention SSHGuard’s “own log messages” but I don’t see any mention of that on the man page or reference to it in the sshguard.conf file. Please let me know what flag I need to start up the daemon so that it has its own log file (which is one reason we like Fail2ban).

Cheers,

Doug

> On Jan 9, 2017, at 10:08 PM, ssh...@li... wrote:
>
> Message: 2
> Date: Sun, 8 Jan 2017 12:59:36 -0600
> From: Kevin Zheng <kev...@gm...>
> Subject: Re: [SSHGuard-users] BLACKLIST_FILE
> To: ssh...@li...
> Message-ID: <f24...@gm...>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 01/06/17 20:55, Doug Niven wrote:
>> Thanks for your help getting SSHGuard working for me last weekend in
>> MacOS Sierra, it's working well.
>
> Glad to hear.
>
>> I do see the following in the .conf file, which I've uncommented:
>>
>> # Colon-separated blacklist threshold and full path to blacklist file.
>> # (optional, no default)
>> BLACKLIST_FILE=90:/usr/local/etc/blacklist
>>
>> However, on all of our machines, the blacklist remains empty and
>> untouched. Am I missing a step to make this work? These machines get
>> hammered pretty hard, and even in my testing with SSH Brute Enforcer
>> (https://github.com/R4stl1n/SSH-Brute-Forcer) I don't see any changes
>> to this file.
>
> I'm not sure what's going on here. If you look at SSHGuard's own log
> messages, do you ever see 'blocking [address] forever'?
>
>> Also: if I manually add an IP or range to the blacklist, will this
>> also be sent to PF somehow?
>
> No. SSHGuard will only read the blacklist file when you restart it. It
> blocks everything in the blacklist at startup.
>
> Best,
> Kevin