From: Andrew E. <and...@gm...> - 2022-07-01 14:11:25
Hi Folks,

Given that our blacklist is now ... large, I'd like to consolidate and expand the blocking to larger ranges than just a single /32 (or whatever we've defined for IPV4_SUBNET=). However, merely altering the blacklist to include this fails rather spectacularly, i.e. a blacklist consisting of

1656637200|100|4|2.184.0.0/19 # AS 58224 - TCI, IR
1656637200|100|4|5.113.160.0/20 # AS 44244 - IRANCELL-AS, IR

throws the following error:

iptables v1.4.21: host/network `2.184.0.0/19' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.21: host/network `5.113.160.0/20' not found
Try `iptables -h' or 'iptables --help' for more information.

which, when using the null firewall, becomes obvious why:

sshguard[17076]: Now monitoring attacks.
===>>> Initializing (null) firewall
===>>> Blocking 2.184.0.0/19/32 (null)
===>>> Blocking 5.113.160.0/20/32 (null)

So - is it possible to alter the blacklist handling to one of:

* handle a second (fixed) blacklist file - one that's probably been hand-curated from existing blocks / threat alerts (and pass these to $BACKEND to block directly)
* be more CIDR aware - by all means save an entry in $BLACKLIST_FILE with the default subnet size, but be prepared to read something else back
* something else?

Because I'm working on blocking entire prefixes, I need something more dynamic than the hard-coded config values for $IPVx_SUBNET.

Many thanks
Andrew
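The failure above comes from sshguard appending its fixed subnet size to whatever it reads back from the blacklist, so an entry that already carries a prefix length ends up as "2.184.0.0/19/32". The following is an added example, not sshguard's code and not the poster's: a small CIDR-aware reader for the blacklist format shown in the message. It applies a default prefix only to bare addresses, keeps an explicit prefix as written, merges entries already covered by a listed prefix (the consolidation the post is after), and returns the iptables/ip6tables invocations as argument lists without running anything. The field layout `timestamp|service|addr_kind|address` is inferred from the two quoted entries, the meaning of addr_kind 4/6 as IPv4/IPv6 is an assumption, the chain name `sshguard` and the default prefix values are assumptions, and the sample blacklist is constructed for the example.

```python
"""CIDR-aware reader for an sshguard-style blacklist (added example, not
sshguard's own code).

Assumptions, not taken from sshguard's source:
  * each entry is ``timestamp|service|addr_kind|address`` (inferred from the
    two lines quoted in the post), with ``#`` starting a comment;
  * addr_kind 4 means IPv4 and 6 means IPv6;
  * DEFAULT_PREFIX stands in for the IPV4_SUBNET / IPV6_SUBNET settings.
"""
import ipaddress

# Stand-ins for sshguard's IPV4_SUBNET / IPV6_SUBNET config values (assumed).
DEFAULT_PREFIX = {4: 32, 6: 128}

# Constructed sample: the two entries from the post, a bare host, a host that
# is already covered by the first prefix, and an IPv6 prefix for contrast.
SAMPLE_BLACKLIST = """\
1656637200|100|4|2.184.0.0/19 # AS 58224 - TCI, IR
1656637200|100|4|5.113.160.0/20 # AS 44244 - IRANCELL-AS, IR
1656637200|100|4|203.0.113.7
1656637200|100|4|2.184.5.9 # already inside 2.184.0.0/19
1656637200|100|6|2001:db8:abcd::/48 # constructed IPv6 prefix
# a full-line comment
"""


def parse_blacklist(text):
    """Return a list of ip_network objects, one per entry.

    An address written with a prefix length is taken as-is; a bare address
    gets the default prefix for its address family (this is the point where
    the behaviour described in the post, always appending the default, goes
    wrong).  Malformed lines raise ValueError instead of being silently
    skipped, so a typo cannot quietly shrink the block list.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        _timestamp, _service, kind, addr = fields
        kind = int(kind)
        if kind not in DEFAULT_PREFIX:
            raise ValueError(f"line {lineno}: unknown addr_kind {kind}")
        if "/" not in addr:
            addr = f"{addr}/{DEFAULT_PREFIX[kind]}"
        # strict=True rejects a prefix with host bits set (e.g. 2.184.1.0/19),
        # which is almost always a hand-editing mistake.
        net = ipaddress.ip_network(addr, strict=True)
        if net.version != kind:
            raise ValueError(f"line {lineno}: addr_kind {kind} does not match {net}")
        nets.append(net)
    return nets


def consolidate(nets):
    """Merge the list: drop entries already covered by a listed prefix and
    join adjacent prefixes.  collapse_addresses() needs a single address
    family, so IPv4 and IPv6 are collapsed separately; the result is sorted
    within each family."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def block_commands(nets, chain="sshguard"):
    """Return the iptables / ip6tables argument lists that would block each
    network in ``chain`` (chain name is an assumption).  Nothing is executed,
    so this is safe to run as a dry run and easy to test."""
    cmds = []
    for net in nets:
        tool = "iptables" if net.version == 4 else "ip6tables"
        cmds.append([tool, "-I", chain, "-s", net.with_prefixlen, "-j", "DROP"])
    return cmds


if __name__ == "__main__":
    merged = consolidate(parse_blacklist(SAMPLE_BLACKLIST))
    for cmd in block_commands(merged):
        print(" ".join(cmd))
```

Run stand-alone it prints the four block commands that survive consolidation (the 2.184.5.9 host is absorbed by the /19). To actually apply them, hand each argument list to subprocess.run as root; keeping the command construction separate from execution is what makes the list reviewable before anything touches the firewall.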