From: Doug D. <do...@sa...> - 2018-12-30 21:11:34
I am using sshguard with inet with FreeBSD jails. Having multiple [virtual] servers with differing blocking requirements, this is really the only option. It appears to me that with the switch from BerkeleyDB to a flat file that the blacklist is implemented by using the /etc/hosts.allow entries. Whether I am correct or not, here is what happens on two systems:

host 1: sshguard-1.5_2
    blacklist: 7,151 entries
    hosts.allow: 30 lines; max of 270 IPs (9/line) with very little overlap

host 2: sshguard-2.1.0_1
    blacklist: 3,251 lines
    hosts.allow: 338 lines; max of 3,042 entries

first line in hosts.allow:

    ALL : 218.92.1.141 121.22.80.117 118.25.63.24 219.234.88.119 167.114.235.137 \
          185.143.223.191 61.184.247.8 115.238.245.4 : DENY

This entire line is in /var/db/sshguard/:

    1544124029|100|4|218.92.1.141      December 6, 2018 7:20:29 PM
    1544126972|100|4|121.22.80.117     December 6, 2018 8:09:32 PM
    1544128387|100|4|118.25.63.24          |
    1544130000|100|4|219.234.88.119        V
    1544135312|100|4|167.114.235.137
    1544135835|100|4|185.143.223.191
    1544136112|100|4|61.184.247.8
    1544137146|100|4|115.238.245.4     December 6, 2018 10:59:06

Taking a random entry, say line 2,800 from blacklist:

    1545136493|100|4|51.38.186.48      December 18, 2018 12:34:53 PM
    1545136864|100|4|182.162.96.184
    1545136941|100|4|212.88.123.198

All three are in hosts.allow.

So is /var/db/sshguard/blacklist.db redundant or can hosts.allow be pruned? This is the better answer to me. Also, as blacklist.db is a flat file, I assume the epoch time is the time of the blacklisting and not the last reference.

_____
Douglas Denault
http://www.safeport.com
do...@sa...
Voice: 301-217-9220
Fax: 301-217-9277
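
Added example, not part of the original message and not sshguard's own code: one way to measure the overlap asked about above, by comparing the addresses in a flat file of the quoted `epoch|n|n|address` layout with the clients on `DENY` rules in hosts.allow. The sample data is constructed; reading the first field as a UTC epoch and handling IPv4 addresses only are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data in the two layouts quoted in the message.
# Addresses are documentation-range placeholders, not real entries.
BLACKLIST_DB = """\
1544124029|100|4|192.0.2.10
1544126972|100|4|192.0.2.11
1545136493|100|4|198.51.100.7
"""
HOSTS_ALLOW = """\
# constructed sample
ALL : 192.0.2.10 192.0.2.11 \\
      203.0.113.5 : DENY
sshd : 198.51.100.0/24 : ALLOW
"""

def parse_blacklist(text):
    """Map address -> first field read as a UTC epoch (assumption)."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip blank or malformed lines
        epoch, _second, _third, addr = parts
        entries[addr] = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return entries

def parse_denied(text):
    """Collect client addresses from 'daemons : clients : DENY' rules."""
    denied = set()
    logical = text.replace("\\\n", " ")  # join backslash continuations
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        fields = [f.strip() for f in line.split(":")]  # IPv4 only
        if len(fields) >= 3 and fields[-1].upper() == "DENY":
            denied.update(fields[1].split())
    return denied

def compare(blacklist_text, hosts_text):
    """Return (in both, only in blacklist file, only in hosts.allow)."""
    bl = set(parse_blacklist(blacklist_text))
    denied = parse_denied(hosts_text)
    return sorted(bl & denied), sorted(bl - denied), sorted(denied - bl)

if __name__ == "__main__":
    both, only_bl, only_hosts = compare(BLACKLIST_DB, HOSTS_ALLOW)
    print("in both:", both)
    print("only in blacklist file:", only_bl)
    print("only in hosts.allow:", only_hosts)
```

Run against copies of the real files, the "only in hosts.allow" list shows which DENY entries have no matching blacklist record before anything is pruned.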