From: <81...@2r...> - 2021-03-17 03:49:38
Hello, list,

You guys rock, thank you. My confusion is lifting. So the blacklist is permanent, and it is read each time sshguard starts. So:

- Can the blacklist db be "commented out" to release IPs? It's ordered by unix time on Debian 9, earliest on top, latest on bottom. If so, I might try a script that checks the blacklist once a month and either removes or comments out entries over 30 days old.

- If nftables works on Debian 9 and integrates with sshguard, I will definitely move to it and purge iptables and ufw. Before doing that I will place the blacklist IPs in hosts.deny, along with a current list of bogons. I may try to use the .deb package for Debian 10 for sshguard, and hope it automatically points to nftables as a backend.

- I won't use the "hosts" backend, but rather a firewall backend. My recollection is that hosts.deny is only read by apps compiled with tcpd. ACL access might have a better way to do this, but any firewall will block and drop blacklisted IP addresses for any daemon that might be listening, tcpd enabled or not.

- I like the CIDR notation block of IPs using /24 notation. If I can routinely rotate and remove stale blocked IPs, I will try that. I could also use the whitelist to prevent being locked out.

- Any advantage of using standard input and a log? If I gave the options "-l - /var/log/auth.log", would sshguard monitor both standard input and auth.log?

I'm surprised at how clever the "script kiddies" must be to avoid an immediate block. Whatever they're using randomly spaces the attacks just under some threshold. This server shows 0 failures for registered users with faillog -a, but the blacklist has grown to 61 IPs, and the firewall table is dropping 77 IPs when I run:

iptables --list sshguard --line-number --numeric | less

Those must be small numbers compared to what most of you see, but this is a small server with very few daemons listening on ports.

Gordon
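One way to do the monthly rotation Gordon describes, as an added example that is not part of the original thread or of the sshguard project. It assumes the blacklist file is the line-oriented `<unix_time>|<service>|<addrkind>|<address>` format of sshguard 2.x (an assumption; inspect your own blacklist.db before relying on it), drops entries older than a given number of days, keeps a backup, and leaves any line that does not start with a numeric timestamp untouched rather than guessing what it is. The sample entries in the test are constructed.

```sh
#!/bin/sh
# Added example, not sshguard project code. Prune sshguard blacklist entries
# older than N days. ASSUMPTION: each entry line has the sshguard 2.x form
#   <unix_time>|<service>|<addrkind>|<address>
# Verify against your own file before using this on a live system.

set -eu

# prune_blacklist FILE MAX_AGE_DAYS [NOW]
# Prints surviving lines to stdout. Entries whose timestamp is older than
# MAX_AGE_DAYS before NOW (default: current time) are dropped. Lines that do
# not begin with a numeric timestamp are passed through unchanged so that
# nothing we do not understand is destroyed.
prune_blacklist() {
    file=$1
    max_days=$2
    now=${3:-$(date +%s)}
    cutoff=$((now - max_days * 86400))
    awk -F'|' -v cutoff="$cutoff" '
        $1 ~ /^[0-9]+$/ { if ($1 + 0 >= cutoff) print; next }
        { print }
    ' "$file"
}

# count_entries FILE
# Number of real entries (lines that begin with a numeric timestamp).
count_entries() {
    awk -F'|' '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1"
}

# rotate_blacklist FILE MAX_AGE_DAYS
# Rewrites FILE in place, keeping FILE.bak. Contents are written back with
# cat so the file's owner and mode stay as they were. Because sshguard reads
# the blacklist only at startup, restart sshguard after calling this.
rotate_blacklist() {
    file=$1
    max_days=$2
    tmp=$(mktemp)
    prune_blacklist "$file" "$max_days" > "$tmp"
    cp -p "$file" "$file.bak"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}
```

Run `rotate_blacklist /var/lib/sshguard/blacklist.db 30` from a monthly cron job (the path is the Debian default and is an assumption here), then restart sshguard so it reloads the pruned file; on a systemd-based Debian that would typically be `systemctl restart sshguard`. Commenting entries out instead of deleting them is not done here because it is not known whether sshguard tolerates comment lines in that file.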