Menu
▾
▴
Re: [SSHGuard-users] Dynamic whitelisting IPs (Dialup/ADSL/mobile users)
|
From: hvjunk <hv...@gm...> - 2018-07-23 18:30:58
|
> On 23 Jul 2018, at 18:29 , Kevin Zheng <kev...@gm...> wrote: > > On 7/23/18 5:44 AM, hvjunk wrote: >> >>> On 23 Jul. 2018, at 14:36 , hvjunk <hv...@gm...> wrote: >>> >>> Good day, >>> >>> Other than an update of the whitelist file, and restarting sshguard >>> (with all the current blocks being removed), is there another >>> mechanism to dynamically update whitelist IPs? >>> >>> The “challenge” is that I have dynamically assigned IPs, like >>> mobile devices, that have (for various reasons) trigged the >>> sshguard blocking. I could do the updates of the whitelist file in >>> some way out of band, but the problem is the current blocks are >>> then removed and “forgotten”, which I would prefer not to happen, >>> and I don’t want to open up/whitelist /16 sized netblocks to not >>> restart the sshguard process. > > Currently, no. But there are plans to persist blocks across restarts via > a new save file, and the same mechanism might allow runtime changes to > the whitelist. I would be the first to raise my hand for beta testing please ;) > >>> Perhaps would the developers accept a “sshguard-control” type >>> API/interface/program pull request? > > That seems a bit complicated. Maybe changes to the file and having > SSHGuard reload it would be better? Hmm.. that is/was my first thought too about the whitelist file, but then I got reminded about my problem, and that is that I’ll have to have a history file somewhere to note the previous IPs for an interface/client to remove, which means that the file would need to be able to have comments at the end etc. to make it easy/simple to track the client’s old IP to remove etc. That is why an dynamic control/insert mechanism was what I though would be simpler to control from other scripts etc. where you don’t need to sed/ex/awk the whitelist file > >> After I sent this, I saw the source code also makes use of ipset(s), >> and I wondered perhaps to change the sshguard rules, to also have a >> whitelist, together with the blacklist that would be bypassing the >> sshguard block chain? > > Yes, you can work around the issue by whitelisting your addresses in the > firewall. SSHGuard will attempt to block these addresses but if your > rules have higher priority, they won't be blocked. /me thinking wondering about using the ipset elsewhere in code… there is a “nomatch” option to ipset where we could insert it into the ipset with nomatch as an option. let me test/check that method |
