From: Kevin B. <kev...@gm...> - 2022-07-05 02:25:51
On 2022/07/02 01:15, Kevin Zheng wrote:
> Hi Andrew,
>
> Thanks for reporting the issue. After taking a look, it seems that the
> whitelist parser needs to be taught about parsing CIDR.

You mean the blacklist parser?

> The relevant functions are whitelist_add(), whitelist_add_ipv4() and
> whitelist_add_ipv6() in src/blocker/sshguard_whitelist.c, if you want to
> try to take a look before I (hopefully eventually) get around to it.
>
> Regards,
> Kevin

Wanted to ask a question about the blocking logic here, as I think it adds to the discussion of the question Andrew (my colleague) raises, as regards "ranges" in the blacklist file not being handled in the same way (indeed, make that: not being handled at all!) as ranges in the whitelist file.

So, when SSHGuard sees a range specified in the whitelist, does it keep the range within its memory, so that it does checking against the ranges, or does it populate its memory with every individual IP address within a range?

In the case of the blacklist though, where it adds new permanently blocked entries, both into the backend firewall and onto its blacklist files, it will clearly only ever operate on a single IP address at a time, because it's only ever interactively blocking one address (or, if you like, a /32) at a time.

As was seen with issues in loading blacklist entries into a FirewallD backend, where it appears to take a long time, compared to say IPTables, to add a large number of individual entries from the SSHGuard blacklist, SSHGuard will still treat "threat activity", from any blacklisted addresses that it hasn't seen yet, as normal, so if they are "unsophisticated" attacks, they'll still get blocked.

Furthermore, if one was to whitelist an individual IP address from a blacklisted range, what DROPs would end up being placed into the backend firewall, ahead of the "ALLOW sshd port traffic rule" entry?

In the way I think of it, SSHGuard doesn't add "jump past the blacklisted DROPs to the 'ALLOW sshd port traffic rule'" entries, but in order to not have to split the blacklist ranges to handle a whitelisted IP address, it might have to do something like that? Similarly, if it "sees" a whitelist file entry that is from within a blacklist file range, should it not then rewrite the blacklist file, so that it matches the DROP rules within the backend firewall?

Another Kevin
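The post above asks whether a CIDR range in the whitelist is kept as a range in memory and checked by prefix, or expanded into every host address, and how a whitelisted host inside a blacklisted range should be decided. The block below is an added illustration of the prefix-based approach written for this thread; it is not SSHGuard's own code and makes no claim about what whitelist_add() or the blacklist loader actually do. The names prefix_parse(), prefix_contains(), list_matches() and decide(), and the sample whitelist and blacklist entries, are all hypothetical and constructed for the example. A range is stored as address bytes plus a prefix length, so a /16 costs the same memory as a /32, and a lookup compares only the prefix bits. decide() resolves the overlap question in the simplest way: an explicit whitelist match wins over a blacklisted range, which is the ordering a firewall would need its ACCEPT rule to sit in front of the range DROP to reproduce.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example, not sshguard's code: one entry holds an address
 * and a prefix length, whether it came from a bare host or a CIDR range. */
struct prefix {
    int family;             /* AF_INET or AF_INET6 */
    unsigned char addr[16]; /* 4 bytes used for IPv4, 16 for IPv6 */
    int bits;               /* prefix length; 32 or 128 for a bare host */
};

/* Parse "a.b.c.d", "a.b.c.d/nn", "x::y" or "x::y/nn". Returns 0 on success,
 * -1 if the address or the prefix length is malformed or out of range. */
int prefix_parse(const char *text, struct prefix *out) {
    char buf[64];
    char *slash;
    int maxbits;
    if (strlen(text) >= sizeof buf) return -1;
    strcpy(buf, text);
    memset(out, 0, sizeof *out);
    slash = strchr(buf, '/');
    if (slash) *slash++ = '\0';
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;  maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6; maxbits = 128;
    } else {
        return -1;
    }
    if (slash) {
        char *end;
        long n = strtol(slash, &end, 10);
        if (*slash == '\0' || *end != '\0' || n < 0 || n > maxbits) return -1;
        out->bits = (int)n;
    } else {
        out->bits = maxbits; /* bare address behaves as a single-host range */
    }
    return 0;
}

/* 1 if host lies inside range p, else 0. Only the first p->bits bits are
 * compared, so the range is never expanded into individual addresses. */
int prefix_contains(const struct prefix *p, const struct prefix *host) {
    int full = p->bits / 8, rem = p->bits % 8;
    if (p->family != host->family) return 0;
    if (memcmp(p->addr, host->addr, (size_t)full) != 0) return 0;
    if (rem) {
        unsigned char mask = (unsigned char)(0xFF << (8 - rem));
        if ((p->addr[full] & mask) != (host->addr[full] & mask)) return 0;
    }
    return 1;
}

/* Does any entry of list[] (hosts or CIDR ranges) contain the host text? */
int list_matches(const char *const *list, size_t n, const char *host) {
    struct prefix h, p;
    size_t i;
    if (prefix_parse(host, &h) != 0) return 0;
    for (i = 0; i < n; i++)
        if (prefix_parse(list[i], &p) == 0 && prefix_contains(&p, &h)) return 1;
    return 0;
}

/* Constructed sample lists (documentation ranges only). */
static const char *const sample_blacklist[] = { "203.0.113.0/24", "2001:db8::/32" };
static const char *const sample_whitelist[] = { "203.0.113.7", "198.51.100.0/25" };

/* 1 = allow (whitelisted, even inside a blacklisted range),
 * -1 = block (blacklisted), 0 = neither list applies. */
int decide(const char *host) {
    if (list_matches(sample_whitelist, 2, host)) return 1;
    if (list_matches(sample_blacklist, 2, host)) return -1;
    return 0;
}

int main(void) {
    const char *hosts[] = { "203.0.113.7", "203.0.113.8", "2001:db8:1::1", "198.51.100.200" };
    size_t i;
    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s -> %d\n", hosts[i], decide(hosts[i]));
    return 0;
}
```

Running it prints 1 for 203.0.113.7 (a whitelisted host inside the blacklisted /24), -1 for 203.0.113.8 and 2001:db8:1::1, and 0 for 198.51.100.200, which falls outside the whitelisted /25.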