From: Kevin Z. <kev...@gm...> - 2021-05-05 21:08:34

Hi there,

On 5/5/21 12:44 PM, kaycee gb wrote:
> The point is that after I remove the attacker's address from firewall rules,
> new "attacks" are not detected and can go smoothly.
>
> I think it has something to do with the code here:
>> /* address already blocked? (can happen for 100 reasons) */
>> if (blocklist_contains(attack)) {
>>     sshguard_log(LOG_INFO, "%s has already been blocked.",
>>                  attack.address.value);
>>     return;
>> }
>
> sshguard thinks that address is already blocked, but shouldn't that address be
> released and removed from the hell list when blacklisting?

SSHGuard assumes that nobody else is changing the firewall rules under its control while it is running. Under this assumption, it should not be possible for an attacker who is blacklisted to show up again. If this does happen, SSHGuard's current behavior is to warn about it without re-blocking the attacker. Perhaps this behavior should change.

> From this, I understand that information about the blacklisted attacker is cleared
> from memory/lists/running process.

It looks like an attacker that is blacklisted is not correctly removed from the block list. As you point out, all of this can only happen when SSHGuard blacklists an attacker while it's running (not loaded from the blacklist) and the administrator changes the firewall rules under SSHGuard's control while it is running.

What should the correct behavior be?

Regards,
Kevin
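The state desynchronization discussed in this thread, as an added illustrative model that is not SSHGuard's own code: an in-memory block list and a simulated firewall backend (both constructed here), showing the current "log and ignore" behavior when an administrator removes a rule by hand, beside a reconciling variant that re-applies the missing rule. The `Firewall`, `Guard` and `scenario` names and the TEST-NET address are assumptions of this example.

```python
# Illustrative model (not SSHGuard code) of the bug in the thread: the daemon's
# in-memory block list and the real firewall rules can drift apart when someone
# edits the firewall behind the daemon's back.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    """Stand-in for the real firewall backend (constructed for this example)."""
    rules: set = field(default_factory=set)
    def block(self, addr): self.rules.add(addr)
    def unblock(self, addr): self.rules.discard(addr)
    def is_blocked(self, addr): return addr in self.rules

@dataclass
class Guard:
    """Minimal model of the attack handler; 'reconcile=False' mirrors the quoted snippet."""
    fw: Firewall
    blocklist: set = field(default_factory=set)
    log: list = field(default_factory=list)
    reconcile: bool = False

    def attack(self, addr):
        if addr in self.blocklist:
            if self.reconcile and not self.fw.is_blocked(addr):
                # Alternative behavior: the rule vanished externally, so re-apply it
                # instead of only logging that the address is "already blocked".
                self.fw.block(addr)
                self.log.append(f"{addr} was released externally; re-blocked")
                return "reblocked"
            self.log.append(f"{addr} has already been blocked.")
            return "ignored"
        self.blocklist.add(addr)
        self.fw.block(addr)
        self.log.append(f"blocking {addr}")
        return "blocked"

def scenario(reconcile):
    """Block an address, remove its rule by hand, then see a repeat attack."""
    fw = Firewall()
    g = Guard(fw, reconcile=reconcile)
    addr = "203.0.113.7"                 # constructed TEST-NET address
    first = g.attack(addr)
    fw.unblock(addr)                     # administrator removes the rule manually
    second = g.attack(addr)
    return first, second, fw.is_blocked(addr)
```

With `reconcile=False` the second attack is only logged and the address stays unblocked; with `reconcile=True` the rule is restored.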