Re: [SSHGuard-users] Injecting blacklist content into a runing SSHGuard

[Kevin B. <kev...@gm...>]

On 2020/09/11 02:11, Kevin Zheng wrote:
> On 9/3/20 12:37 AM, Kevin Buckley wrote:
>> What I am thinking about is, rather than combining the two files,
>> I weed out the duplicates from server B and, say, send a SIGnal
>> to SSHGuard that causes it to read new IPs from a known location,
>> poke them into the firewall, and add them to the live blacklist file.
> 
> It sounds like we're trying to accomplish two things here:
> 
> 1. Teach SSHGuard how to re-load a blacklist file while running. It
> doesn't currently know how to do this. This will probably involve a
> not-too-difficult change to sshg-blocker.

Not so sure that is what is required, though I'll happily bow to
your inside knowledge of the application here: for me though:

simply re-reading THE blacklist file opens up all kinds of issues,
not least that SSHGuard could be (should be?) trying to update the
on-disk file with new blocked addresses, just as an external user
tries to add content to it as well, ahead of instigating a re-load.

That's why I feel a separate "injection thread", that allows the
SSHGuard process sole access to its on-disk blaclist file, whilst
then able to accept source info from a second channel, to be a good
thing.

Then again, maybe the external user could add blocks directly into
the "your firewall here" and SSHGuard could be "taught" how to
occasionally sync itself against that?

Just floating ideas though.


> 2. For someone who runs multiple servers, it sounds like addresses that
> are blacklisted in one place should be blacklisted elsewhere.

This one, well, yeah, we had ideas there too.

We actually started talking about propagating the machine-local
blacklist info from SSHGuard out towards "the edge", but the
talking dried up.

Kevin