Re: [SSHGuard-users] Blacklist behaviour with hell list

[kaycee gb <kis...@ho...>]

Sorry I try again for the list.

Hi,

Le Wed, 5 May 2021 14:08:20 -0700,
Kevin Zheng <kev...@gm...> a écrit :

> Hi there,
> 
> On 5/5/21 12:44 PM, kaycee gb wrote:    
> > The point is that after I remove the attacker's address from firewall rules,
> > new "attacks" are not detected and can go smoothly.
> > 
> > I think it has something to do with the code here:      
>  [...]      
> > 
> > sshguard thinks that address is already blocked but shouldn't that address
> > be released and remove from hell list when blacklisting ?      
> 
> SSHGuard assumes that nobody else is changing the firewall rules under 
> its control while it is running. Under this assumption, it should not be 
> possible for an attacker who is blacklisted to show up again.     

I agree. When an attacker is blacklisted, he can't reach the host and/or any
service, so attacker is not logged and SSHGuard will not do anything. That's
seems correct.

>If this 
> does happen, SSHGuard's current behavior is to warn about it without 
> re-blocking the attacker.    

>From what I see, when an attacker is blacklisted at runtime, and you remove the
rule from firewall after blacklist time, there is no warning at all. 

However, when you restart SSHGuard, blacklist list is populated, firewall rules
are loaded. Then if you remove attacker from firewall rules, SSHGuard does it
jobs in a normal way. I mean, track attacker's cumulative score and warn
about it and blacklist at threshold exceed. 
Then again, after this runtime blacklist, if you remove attacker from firewall,
we have the situation that SSHguard do not warn again. 

> 
> Perhaps this behavior should change.    

The behaviour you describe is correct. I just point out that there is a
difference when blacklisting at runtime compared to when blacklisting at
restart. 

At runtime that does not match, in my opinion, with what you can read in
blocker.c's explanation. 

>     
> > From this, I understand that information about attacker blacklisted is
> > cleared from memory/lists/running process.       
> 
> It looks like an attacker that is blacklisted is not correctly removed 
> from the block list. As you point out, all of this can only happen when 
> SSHGuard blacklists an attacker while it's running (not loaded from the 
> blacklist) and the administrator changes the firewall rules under 
> SSHGuard's control while it is running.    

Blacklisting in sshguard is "forever". It happens often attacker's have dynamic
ips. You may want to put an attacker in blacklist for 2 or 3 days if there are
too many abuses from it. But you may want to allow this ip to access your
services again after that time if there is no more "attacks" during that time
and that without restarting SSHGuard. 

So you considere this IP "safe" again, you remove the ip from firewall, but no
tracking is done anymore for new attacks. 
> 
> What should the correct behavior be?    

Like you said above, the blacklisted IP is not removed from hell list at runtime
blacklist and should be to reflect what you can find in explanation text I
mention above. Except that, about this issue, everything else seems correct at
this time. 

I have some lines of code to "fix" this. I put fix between double quotes
because in my opinion there is something to fix but don't know yet your
position about that. 
> 
> Regards,
> Kevin    

Regards,
K.