From: Kevin Z. <kev...@gm...> - 2018-07-23 16:29:10
On 7/23/18 5:44 AM, hvjunk wrote:
>
>> On 23 Jul. 2018, at 14:36 , hvjunk <hv...@gm...> wrote:
>>
>> Good day,
>>
>> Other than an update of the whitelist file, and restarting sshguard
>> (with all the current blocks being removed), is there another
>> mechanism to dynamically update whitelist IPs?
>>
>> The “challenge” is that I have dynamically assigned IPs, like
>> mobile devices, that have (for various reasons) triggered the
>> sshguard blocking. I could do the updates of the whitelist file in
>> some way out of band, but the problem is the current blocks are
>> then removed and “forgotten”, which I would prefer not to happen,
>> and I don’t want to open up/whitelist /16 sized netblocks to not
>> restart the sshguard process.

Currently, no. But there are plans to persist blocks across restarts via
a new save file, and the same mechanism might allow runtime changes to
the whitelist.

>> Perhaps would the developers accept a “sshguard-control” type
>> API/interface/program pull request?

That seems a bit complicated. Maybe changes to the file and having
SSHGuard reload it would be better?

> After I sent this, I saw the source code also makes use of ipset(s),
> and I wondered perhaps to change the sshguard rules, to also have a
> whitelist, together with the blacklist that would be bypassing the
> sshguard block chain?

Yes, you can work around the issue by whitelisting your addresses in the
firewall. SSHGuard will attempt to block these addresses, but if your
rules have higher priority, they won't be blocked.

-- 
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
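
The firewall workaround described in the reply above only holds while the whitelist rule is evaluated before the jump into SSHGuard's chain. The following is an added example, not part of the original message and not SSHGuard's own code: it checks that ordering in `iptables -S INPUT` output. The set name `ssh_allow`, the chain name `sshguard`, and the sample rule listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed names: ipset "ssh_allow", sshguard chain "sshguard".
# One-time setup as root (comments only; nothing here touches the firewall):
#   ipset create ssh_allow hash:ip timeout 0 -exist
#   iptables -I INPUT 1 -p tcp --dport 22 -m set --match-set ssh_allow src -j ACCEPT
# Runtime whitelist change, no sshguard restart, entry expires after a day:
#   ipset add ssh_allow 203.0.113.7 timeout 86400 -exist

# check_order SET CHAIN: read `iptables -S INPUT` output on stdin and report
# whether the ACCEPT rule for SET comes before the jump to CHAIN.
check_order() {
    awk -v wl="$1" -v chain="$2" '
        $1 != "-A" || $2 != "INPUT" { next }
        { n++ }
        !allow && $(NF-1) == "-j" && $NF == "ACCEPT" &&
            index($0, "--match-set " wl " src") { allow = n }
        !guard && $(NF-1) == "-j" && $NF == chain { guard = n }
        END {
            if (!guard)        { print "no-sshguard-jump"; exit 2 }
            if (!allow)        { print "no-whitelist-rule"; exit 1 }
            if (allow > guard) { print "whitelist-after-sshguard"; exit 1 }
            print "ok"
        }'
}

# Constructed sample listings (not captured from a real host).
GOOD_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set ssh_allow src -j ACCEPT
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
BAD_RULES='-P INPUT DROP
-A INPUT -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -m set --match-set ssh_allow src -j ACCEPT'

printf '%s\n' "$GOOD_RULES" | check_order ssh_allow sshguard || true
printf '%s\n' "$BAD_RULES"  | check_order ssh_allow sshguard || true
# On a live host: iptables -S INPUT | check_order ssh_allow sshguard
```

Addresses in the set bypass SSHGuard for SSH entirely, so the per-entry `timeout` keeps a reassigned dynamic IP from staying whitelisted indefinitely.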