From: Jim S. <jse...@Li...> - 2022-03-15 18:00:26
Hi All,

I've been doing a bit of work with sshguard, lately, which has caused me to observe attack patterns more closely. The result of doing so had me increasing the "stale" parameter (-s) from the default of twenty minutes (set in /etc/default/sshguard) to 35 minutes. (See below for why.)

Then it occurred to me the initial "pardon" value was 840 seconds (14 minutes), which meant the first two blockings of an offending IP address would have no effect if their retry rate was out at the edge of the stale value I set.

That led to me looking at this, in sshguard_options.c:

Perhaps there should be a subsequent test, after the options are all processed, to make sure pardon > stale and issue a warning if not? Perhaps also automatically bump pardon by, say, 120 seconds over stale if that happens?

I increased sshguard's stale argument because the attack pattern was multiple IPs, with repeated IPs retrying every 32-33 minutes. The attackers are becoming more devious. (I have an idea for countering that, but I need to give it further thought.)

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam filtering. If you reply to this email and your email is rejected, please accept my apologies and let me know via my web form at <http://jimsun.LinxNet.com/contact/scform.php>.
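The check proposed in the message above, sketched as an added example; it is not part of the original message and not sshguard's own code. The function names, the 16-block cap and the doubling of block time on each repeat offence are assumptions for illustration; the 840 s pardon, 35-minute stale, 33-minute retry and 120 s bump come from the message.

```c
#include <limits.h>
#include <stdio.h>

#define PARDON_MARGIN 120L /* seconds to bump pardon over stale, as suggested above */

/* Hypothetical post-option-parsing check: returns the pardon value to use.
 * Warns and raises pardon to stale + margin when pardon is not greater than stale. */
long check_pardon_vs_stale(long pardon, long stale)
{
    if (pardon > stale)
        return pardon;
    fprintf(stderr,
            "warning: pardon (%lds) is not greater than stale (%lds); using %lds\n",
            pardon, stale, stale + PARDON_MARGIN);
    return stale + PARDON_MARGIN;
}

/* Count how many initial blocks expire before a source retrying every
 * retry_interval seconds comes back, i.e. blocks it never runs into.
 * growth is the assumed per-offence multiplier of the block time.
 * Returns -1 on invalid input. */
int blocks_without_effect(long pardon, long retry_interval, int growth, int max_blocks)
{
    if (pardon <= 0 || growth < 1)
        return -1;
    int n = 0;
    long block = pardon;
    while (n < max_blocks && block < retry_interval) {
        n++;
        if (block > LONG_MAX / growth) /* avoid overflow on long runs */
            break;
        block *= growth;
    }
    return n;
}

int main(void)
{
    long stale = 35 * 60; /* 2100 s, the raised stale value */
    long retry = 33 * 60; /* 1980 s, the observed retry interval */
    long pardon = 840;    /* initial pardon value from the message */

    printf("pardon=%ld: %d block(s) expire before the next retry\n",
           pardon, blocks_without_effect(pardon, retry, 2, 16));
    pardon = check_pardon_vs_stale(pardon, stale);
    printf("pardon=%ld: %d block(s) expire before the next retry\n",
           pardon, blocks_without_effect(pardon, retry, 2, 16));
    return 0;
}
```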