From: Kevin Z. <kev...@gm...> - 2022-03-23 17:19:06

On 3/15/22 10:41 AM, Jim Seymour wrote:
> Perhaps there should be a subsequent test, after the options are all
> processed, to make sure pardon > stale and issue a warning if not?
> Perhaps also automatically bump pardon by, say, 120 seconds over
> stale if that happens?

Do you mean that the stale time should be longer than the pardon time, not the other way around?

For context, "pardon time" in the code refers to what is called "blocktime" in the man page, which is:

> Block first-time attackers for blocktime seconds. Subsequent
> blocks increase in duration by a factor of 1.5. Since sshguard
> unblocks attackers at random intervals, actual block times may
> be somewhat longer.

And "stale time" in the code is the "detection_time":

> Reset an attacker's attack score after detection_time seconds
> since the last attack. This means that attackers who attack
> every detection_time seconds are never blocked by sshguard.
> However, an increased detection_time may have an impact on
> legitimate users.

So if stale < pardon, each time an attacker gets blocked, it would be considered its first time (because the attacker would have been forgotten by the stale threshold).

Regards,
Kevin
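The interaction Kevin describes between the two timers can be checked with a small simulation. The following is an added example written for this thread, not sshguard's own code: it models an attacker record with a score, a stale (detection_time) reset that forgets the whole record, and a block duration that escalates by 1.5x per block (pardon = blocktime). The struct names, the score threshold of 30, the danger value of 10 per hit, and the `second_block_duration` scenario helper are all assumptions made for the illustration.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model of sshguard's scoring (not sshguard's code).
 * All times are in seconds. */
typedef struct {
    int seen;           /* 1 once the attacker has been recorded */
    int score;          /* accumulated attack score inside the stale window */
    long last_attack;   /* time of the most recent attack */
    long blocked_until; /* 0 when not blocked */
    int nblocks;        /* number of blocks so far; drives the 1.5x escalation */
} attacker_t;

typedef struct {
    long stale;    /* detection_time: forget an attacker idle longer than this */
    long pardon;   /* blocktime: duration of the first block */
    int threshold; /* score at which the attacker is blocked (assumed 30) */
} config_t;

void attacker_init(attacker_t *a) { memset(a, 0, sizeof *a); }

/* Record one attack of weight `danger` at time `now`.
 * Returns the block duration if this attack triggered a block, else 0. */
long attacker_hit(attacker_t *a, const config_t *cfg, long now, int danger) {
    if (a->blocked_until && now < a->blocked_until)
        return 0; /* still blocked; nothing new reaches the scorer */

    /* Stale reset: an attacker idle longer than detection_time is forgotten
     * entirely, including its block history. This is the crux of the reply:
     * if stale < pardon, the attacker is always forgotten while blocked. */
    if (a->seen && now - a->last_attack > cfg->stale)
        attacker_init(a);

    a->seen = 1;
    a->last_attack = now;
    a->score += danger;
    if (a->score < cfg->threshold)
        return 0;

    /* Block: pardon * 1.5^nblocks (integer arithmetic, rounded down) */
    long dur = cfg->pardon;
    for (int i = 0; i < a->nblocks; i++)
        dur = dur * 3 / 2;
    a->nblocks++;
    a->blocked_until = now + dur;
    a->score = 0;
    return dur;
}

/* Repeat-offender scenario: three hits trigger a block, the attacker waits
 * out the block, then sends three more hits. Returns the second block's
 * duration; 1.5 * pardon means the history survived, pardon means it was
 * forgotten and the attacker was treated as first-time again. */
long second_block_duration(long stale, long pardon) {
    config_t cfg = { stale, pardon, 30 };
    attacker_t a;
    attacker_init(&a);

    long t = 0, first = 0, second = 0;
    for (int i = 0; i < 3; i++)
        first = attacker_hit(&a, &cfg, t++, 10); /* hits at t = 0, 1, 2 */
    assert(first == pardon);                     /* first block = blocktime */

    t = a.blocked_until + 1;                     /* one second after unblock */
    for (int i = 0; i < 3; i++)
        second = attacker_hit(&a, &cfg, t++, 10);
    return second;
}

int main(void) {
    /* stale < pardon: the attacker is forgotten while blocked */
    printf("stale=120 pardon=300: second block lasts %lds\n",
           second_block_duration(120, 300));
    /* stale > pardon: the block history survives and escalates */
    printf("stale=600 pardon=300: second block lasts %lds\n",
           second_block_duration(600, 300));
    return 0;
}
```

With stale=120 and pardon=300 the second block is again 300 seconds, because the 301-second gap exceeds detection_time and the record is reset; with stale=600 the gap fits inside the window and the second block escalates to 450 seconds. A configuration check that warns when detection_time is not larger than blocktime would catch the first case.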