From: Kevin B. <kev...@gm...> - 2020-09-03 07:37:26
Apologies if I have missed details about this functionality in the docs.
I think the "log polling" code may already be where one would want to
start from but my reading suggests that you would have to start SSHGuard
in that mode, and there are caveats about doing both polling file and
consuming "system logs".
The scenario:
I start up SSHGuard on server A.
At some time later, a colleague brings me a blacklist from another
server, say server B.
Clearly, I can take server A's live blacklist, combine* it with
server B's, stop server A's SSHGuard, put the combined file in
place and restart SSHGuard.
* combine, as in: weed out duplicates; go for the earliest seen
for any IP addresses in both files, etc, whatever
What I am thinking about is, rather than combining the two files,
I weed out the duplicates from server B and, say, send a SIGnal
to SSHGuard that causes it to read new IPs from a known location,
poke them into the firewall, and add them to the live blacklist file.
I thought about an SSHGuard "utility" that takes a blacklist file
and creates a set of IPTables (if that's your poison) commands
that one then could poke into the firewall, however that sees
your on-disk blacklist file no longer consistent with the rules
on the SSHGuard IPT Chain.
Any thoughts or anything similar out there?
Kevin
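
The combine step described in the message above (drop duplicates, keep the earliest-seen time for an address present in both files), as an added example that is not part of the original post or of SSHGuard itself. It assumes each blacklist line has the form "epoch|service|addrtype|address"; the sample records and the function names are constructed for illustration. It also returns the entries that are new from server B, which is the set a reload mechanism would need to push into the firewall.

```python
import ipaddress

# Constructed sample data. The "epoch|service|addrtype|address" layout is an
# assumption about the blacklist file format, not something stated in the post.
SERVER_A = """\
1599100000|100|4|192.0.2.10
1599105000|100|4|198.51.100.7
"""
SERVER_B = """\
1599090000|100|4|192.0.2.10
1599110000|100|4|203.0.113.25
1599111000|100|6|2001:db8::1
not-a-record
"""

def parse(text):
    """Return {canonical_ip: (epoch, service, addrtype)}; earliest epoch wins."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) != 4:
            continue  # skip blank or malformed lines instead of importing them
        try:
            epoch = int(fields[0])
            ip = ipaddress.ip_address(fields[3])  # rejects anything not an IP
        except ValueError:
            continue
        key = str(ip)  # canonical text form, so equivalent spellings collapse
        if key not in entries or epoch < entries[key][0]:
            entries[key] = (epoch, fields[1], fields[2])
    return entries

def merge(live_text, incoming_text):
    """Return (merged, new_only): the combined list and what only B supplied."""
    live, incoming = parse(live_text), parse(incoming_text)
    merged = dict(live)
    for ip, rec in incoming.items():
        if ip not in merged or rec[0] < merged[ip][0]:
            merged[ip] = rec  # unseen address, or seen earlier on server B
    new_only = {ip: rec for ip, rec in incoming.items() if ip not in live}
    return merged, new_only

def render(entries):
    """Serialize entries back to the assumed line format, oldest first."""
    rows = sorted(entries.items(), key=lambda kv: kv[1][0])
    return "".join(f"{e}|{s}|{t}|{ip}\n" for ip, (e, s, t) in rows)

if __name__ == "__main__":
    merged, new_only = merge(SERVER_A, SERVER_B)
    print(render(merged), end="")
    print("# new from server B:", ", ".join(sorted(new_only)))
```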