From: Kevin Z. <kev...@gm...> - 2018-12-30 21:36:48
Hi Doug,

I noticed that you're running two different versions of SSHGuard. In 1.5, the port you install determines how SSHGuard blocks attacks. In 2.1, you need to specify the backend you use by yourself.

SSHGuard uses blacklist.db to keep track of hosts it has blacklisted, because with firewalls like pf and ipfw, SSHGuard removes all of its blocks (including those that it has blacklisted) when it exits. While it's running, everything in blacklist.db should also be in hosts.allow. When SSHGuard exits, hosts.allow should be cleared. blacklist.db tells SSHGuard what addresses to add back once it starts again. So, they're not redundant.

Is that what you're asking?

Regards,
Kevin

On 12/30/18 2:39 PM, Doug Denault wrote:
> I am using sshguard with inet with FreeBSD jails. Having multiple
> [virtual] servers with differing blocking requirements this is really
> the only option. It appears to me that with the switch from BerkeleyDB to
> a flat file that the blacklist is implemented by using the
> /etc/hosts.allow entries.
>
> Whether I am correct or not here is what happens on two systems:
>
> host 1: sshguard-1.5_2
> blacklist: 7,151 entries
> hosts.allow: 30 lines; max of 270 IPs (9/line) with very little overlap
>
> host 2: sshguard-2.1.0_1
> blacklist: 3,251 lines
> hosts.allow: 338 lines; max of 3,042 entries
>
> first line in hosts.allow:
> ALL : 218.92.1.141 121.22.80.117 118.25.63.24 219.234.88.119 167.114.235.137 \
>       185.143.223.191 61.184.247.8 115.238.245.4 : DENY
>
> This entire line is in /var/db/sshguard/:
>
> 1544124029|100|4|218.92.1.141     December 6, 2018 7:20:29 PM
> 1544126972|100|4|121.22.80.117    December 6, 2018 8:09:32 PM
> 1544128387|100|4|118.25.63.24              |
> 1544130000|100|4|219.234.88.119            V
> 1544135312|100|4|167.114.235.137
> 1544135835|100|4|185.143.223.191
> 1544136112|100|4|61.184.247.8
> 1544137146|100|4|115.238.245.4    December 6, 2018 10:59:06
>
> Taking a random entry, say line 2,800 from blacklist:
> 1545136493|100|4|51.38.186.48     December 18, 2018 12:34:53 PM
> 1545136864|100|4|182.162.96.184
> 1545136941|100|4|212.88.123.198
>
> All three are in hosts.allow
>
> So is /var/db/sshguard/blacklist.db redundant or can hosts.allow be
> pruned? This is the better answer to me. Also as blacklist.db is a flat
> file I assume the epoch time is the time of the blacklisting and not the
> last reference.
>
> _____
> Douglas Denault
> http://www.safeport.com
> do...@sa...
> Voice: 301-217-9220
> Fax: 301-217-9277
>
> _______________________________________________
> sshguard-users mailing list
> ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090
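An added audit script (my own, not part of this thread or of SSHGuard) that performs the cross-check Doug did by hand: it reads blacklist.db lines, collects the client addresses on `ALL : ... : DENY` lines in hosts.allow (joining backslash-continued lines), and reports addresses present in one file but not the other. The sample inputs are constructed from the addresses quoted above; reading the first field as Unix seconds and the last as the address follows the thread, while treating the middle fields as score and address family is my assumption.

```python
import time

# Constructed sample of /var/db/sshguard/blacklist.db (addresses taken from the thread).
# Assumed layout: <unix time>|<score>|<address family>|<address>; only fields 1 and 4 are used.
BLACKLIST_DB = """\
1544124029|100|4|218.92.1.141
1544126972|100|4|121.22.80.117
1545136493|100|4|51.38.186.48
"""

# Constructed sample of /etc/hosts.allow with one backslash-continued DENY line.
HOSTS_ALLOW = """\
sshd : 10.0.0.0/8 : ALLOW
ALL : 218.92.1.141 121.22.80.117 \\
      185.143.223.191 : DENY
"""

def utc_stamp(unix_time):
    """Render a blacklist.db timestamp in UTC, so the first field can be checked by eye."""
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(unix_time))

def parse_blacklist(text):
    """Return {address: unix_time}; malformed or blank lines are skipped, not fatal."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        entries[parts[3]] = int(parts[0])
    return entries

def parse_hosts_allow_denies(text):
    """Return the set of client addresses listed on 'ALL : <clients> : DENY' lines."""
    logical = text.replace("\\\n", " ")  # join continued lines before splitting on ':'
    denied = set()
    for line in logical.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) == 3 and fields[0] == "ALL" and fields[2] == "DENY":
            denied.update(fields[1].split())
    return denied

def compare(blacklist_text, hosts_allow_text):
    """Return (blacklisted but not denied in hosts.allow, denied but not in blacklist.db)."""
    blacklisted = parse_blacklist(blacklist_text)
    denied = parse_hosts_allow_denies(hosts_allow_text)
    missing = sorted(a for a in blacklisted if a not in denied)
    extra = sorted(denied - set(blacklisted))
    return missing, extra

if __name__ == "__main__":
    missing, extra = compare(BLACKLIST_DB, HOSTS_ALLOW)
    print("blacklisted but not in hosts.allow:", missing)
    print("in hosts.allow but not blacklisted:", extra)
```

The second list is the set of hosts.allow entries that SSHGuard would not restore from blacklist.db after a restart, which is the population Doug asks about pruning.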