From: Laurence P. <lpe...@op...> - 2020-09-14 19:12:19

>> 2. For someone who runs multiple servers, it sounds like addresses that
>> are blacklisted in one place should be blacklisted elsewhere.
>
> This one, well, yeah, we had ideas there too.
>
> We actually started talking about propagating the machine-local
> blacklist info from SSHGuard out towards "the edge", but the
> talking dried up.
>
> Kevin

Propagating toward the edge is pretty trivial. On my systems I just created a little expect script that could log into my router and block or unblock addresses and hooked it into sshguard's firewall script. Something similar would likely work for propagating to other servers as well, as long as you don't care about the sshguard instances on the other machines managing the blacklist. Which, considering that anything that makes it clear to the blacklist probably never gets unblocked, there's not much reason to have the local sshguard worry about it.

For a way to propagate temporary blocks without much for code changes, just add a special match pattern for a line that's simply a block request and then set sshguard to watch an extra logfile somewhere. When the local sshguard blocks something, use a script to snag its block message from the log output, generate a block request, and push it to the special log files on the other machines. Their local sshguard will then block the offending address temporarily until the number of attacks exceeds whatever those particular nodes have for blacklist threshold.

LMP
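The propagation scheme Laurence sketches, written out as an added example that is not part of the post and not code from the sshguard project. It is a POSIX shell wrapper that sits in front of sshguard's real firewall backend instead of scraping the log: it forwards every backend command unchanged and, for each `block`, appends a synthetic "block request" line to a file on each peer, which that peer's sshguard is assumed to watch with a custom pattern. Assumptions: sshguard 2.x feeds its backend one line per command on stdin in the form `block <addr> <4|6> <cidr>` / `release <addr> <4|6> <cidr>`; the backend path `/usr/libexec/sshg-fw-iptables`, the peer file `/var/log/sshguard-peer.log`, the `sshguard-peer:` line format and the `PEERS`/`ORIGIN` variables are all made up for the example. The address is checked against the character set of an IP literal before it is spliced into a remote `ssh` command, since that string originates from attacker-chosen log lines.

```shell
#!/bin/sh
# Added example (not from the post or from sshguard): a wrapper between sshguard
# and its real firewall backend that also pushes block requests to peer hosts.
# Assumed backend protocol (sshguard 2.x): one command per line on stdin, e.g.
#   block 203.0.113.5 4 32
#   release 203.0.113.5 4 32

REAL_BACKEND="${REAL_BACKEND:-/usr/libexec/sshg-fw-iptables}"   # assumed path
PEER_LOG="${PEER_LOG:-/var/log/sshguard-peer.log}"               # assumed file watched on peers
PEERS="${PEERS:-}"                                               # e.g. "root@host2 root@host3"
ORIGIN="${ORIGIN:-$(hostname)}"                                  # name reported in the request line

# Accept only the characters an IPv4/IPv6 literal can contain; anything else is
# dropped rather than passed into a remote command line.
valid_addr() {
    case "$1" in
        '' | *[!0-9a-fA-F.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The synthetic line appended on peers; a peer's custom sshguard pattern (assumed)
# would match "sshguard-peer: block <addr>/<cidr> from <host>" and count it as an attack.
peer_block_line() {
    printf 'sshguard-peer: block %s/%s from %s\n' "$1" "$2" "$3"
}

# Deliver one line to a peer. "file:<path>" appends locally (used for testing);
# any other value is treated as an ssh target.
deliver() {
    peer=$1; line=$2
    case "$peer" in
        file:*) printf '%s\n' "$line" >> "${peer#file:}" ;;
        *) printf '%s\n' "$line" | ssh -o BatchMode=yes "$peer" "cat >> '$PEER_LOG'" ;;
    esac
}

# Handle one backend command. Returns 0 when a block was propagated to all peers,
# 1 for release/flush lines and for addresses that fail validation.
handle_command() {
    cmd=$1; addr=$2; cidr=$3
    [ "$cmd" = block ] || return 1
    valid_addr "$addr" || return 1
    line=$(peer_block_line "$addr" "$cidr" "$ORIGIN")
    for p in $PEERS; do deliver "$p" "$line"; done
    return 0
}

# Pass every line through to the real backend so local blocking is unchanged,
# and propagate the block commands on the side.
main() {
    while read -r cmd addr kind cidr; do
        printf '%s %s %s %s\n' "$cmd" "$addr" "$kind" "$cidr"
        handle_command "$cmd" "$addr" "$cidr" || true
    done | "$REAL_BACKEND"
}

# Started by sshguard as "sshg-fw-propagate run" (assumed BACKEND setting).
if [ "${1:-}" = run ]; then main; fi
```

Releases are deliberately not forwarded: as the post notes, the peers' own sshguard instances expire the temporary block on their own schedule and apply their own blacklist threshold, so the origin host never has to manage remote state.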