From: Kevin B. <kev...@gm...> - 2021-03-17 08:02:47
On 2021/03/17 11:58, 81...@2r... wrote:
>
> Mar 16, 2021, 22:17 by kev...@gm...:
>
>> On 2021/03/17 02:08, Kevin Zheng wrote:
>>
>>>
>>> SSHGuard remembers the addresses that are blocked permanently by adding
>>> them to the blacklist file, which is written to when an address is
>>> blacklisted and loaded every time SSHGuard stops.
>>>
>>> I'll clear up the man page a bit.
>>>
>>
>> Surely "loaded every time SSHGuard starts": not stops?
>>
>> Actually writing to point out that one of the "nice" things about
>> that behaviour is that it affords one the opportunity to combine
>> entries from multiple blacklist files ahead of a restart on any
>> given host running SSHGuard.
>>
>> HTH,
>> Kevin
>>
> I read the manpage incorrectly, so that's my error. On Debian 9 it's clear that the blacklist is permanent ("never automatically unblocked") and should be occasionally pruned of stale entries ("but it is good practice to periodically clean out stale blacklist entries.")
>
> <<-b thresh:file
> Blacklist an attacker when its dangerousness exceeds thresh. Blacklisted addresses are added to file so they can be read at the next startup. Blacklisted addresses are never automatically unblocked, but it is good practice to periodically clean out stale blacklist entries. >>>
>
> Excellent idea to add other blacklists to the blacklist db. I suppose the syntax could just copy what's already there:
>
> |unixtime|threshold|failures|ip:
>
> <<1615817411|100|4|154.209.5.25
> 1615817489|100|4|187.170.234.27 >>>
>
> Gordon

Not sure I hear the "stale" in the "... periodically clean out stale blacklist entries ..." suggestion, on the assumption that once you have been "attacked", then unless there has been a justification for the access, or a process whereby you move the blocking closer to the source of the attack, you would continue to block locally.
As for the melding together of blacklist files, I just cat them and then run the following AWK script over the concatenated list, with the idea that you keep a record of the "first/earliest" time you saw an attack from a given IP.

# munge_blacklists.awk
#
# Takes a list of SSHGuard blacklists
# and keeps the earliest occurrence of duplicated IPs
#
# cat blacklist.*-{1,2} | awk -f munge_blacklists.awk | \
#     sort -n > blacklist.prod_cray

{
    # Fields: a[1] = unixtime, a[2] = threshold, a[3] = failures, a[4] = ip
    split($0, a, "|")
    if( j[a[4]] > 0) {
        #DEBUG print "Dup ", j[a[4]], a[4], a[1]
        # Use the lowest (earliest) timestamp seen for this IP
        if( a[1] > j[a[4]]) {
            a[1] = j[a[4]]
        }
    }
    j[a[4]] = a[1]
}

END{
    # Emit one record per IP in SSHGuard's unixtime|threshold|failures|ip layout
    for( b in j) {
        printf "%s|100|4|%s\n", j[b], b
    }
}

That might be useful for you: though there will be other ways, and other languages, that will achieve the same thing.
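As an added example (not Kevin's script above and not SSHGuard's own code), the following POSIX shell script does the same earliest-sighting merge with awk, but keeps each winning record's own threshold and failures columns rather than hard-coding 100|4, drops lines that are not four fields with a numeric timestamp (a malformed line would otherwise become a junk entry in the file SSHGuard loads at startup), and adds a separate cutoff step for the periodic pruning the man page excerpt recommends. The sample blacklist contents are constructed for the demo: two of the addresses are the ones quoted in the thread, and 198.51.100.7 is from the documentation address range.

```shell
#!/bin/sh
# Merge SSHGuard blacklist files (format: unixtime|threshold|failures|ip),
# keeping the earliest record per IP, with an optional age-based prune.
# Added example; not part of SSHGuard or of the script posted in the thread.

# merge_blacklists FILE... -> merged records on stdout, sorted by timestamp.
merge_blacklists() {
    cat "$@" | awk -F'|' '
        # Reject blank or malformed lines: exactly 4 fields, an all-digit
        # timestamp, and an address made of the characters IPv4/IPv6 literals use.
        NF != 4 || $1 !~ /^[0-9]+$/ || $4 !~ /^[0-9A-Fa-f.:]+$/ { next }
        # First sighting of this IP, or an earlier one than recorded so far:
        # remember the whole record so its threshold/failures travel with it.
        !($4 in first) || $1 + 0 < first[$4] + 0 { first[$4] = $1; rec[$4] = $0 }
        END { for (ip in rec) print rec[ip] }
    ' | sort -t'|' -k1,1n
}

# prune_blacklist CUTOFF_UNIXTIME  (reads merged records on stdin)
# Keeps only records first seen at or after CUTOFF, for periodic clean-out.
prune_blacklist() {
    awk -F'|' -v cutoff="$1" '$1 + 0 >= cutoff + 0'
}

# make_samples -> prints the path of a temp dir holding two constructed
# blacklist files (sample data, not real observations).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '1615817411|100|4|154.209.5.25' \
                  '1615817489|100|4|187.170.234.27' > "$dir/blacklist.host1"
    printf '%s\n' '1615810000|100|4|187.170.234.27' \
                  'garbage line' \
                  '1615900000|120|6|198.51.100.7' > "$dir/blacklist.host2"
    echo "$dir"
}

# Usage: sh merge_blacklists.sh blacklist.host1 blacklist.host2 > blacklist.merged
# With no arguments, runs on the constructed samples so it can be tried stand-alone.
if [ "$#" -eq 0 ]; then
    sample_dir=$(make_samples)
    merge_blacklists "$sample_dir"/blacklist.*
    rm -rf "$sample_dir"
else
    merge_blacklists "$@"
fi
```

Because the whole record is kept rather than just the timestamp, the merged file is a faithful union of what each host actually saw; review the merged output before swapping it in for the blacklist file on a host, since SSHGuard only reads it at startup.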