From: kaycee gb <kis...@ho...> - 2022-10-13 19:43:12
On Thu, 13 Oct 2022 15:41:12 +0800, Kevin Buckley <kev...@gm...> wrote:
> If what our logs are telling us is correct, we have recently seen
> an IP address blacklisted as follows
>
> Blocking "IP.AD.RE.SS/32" forever \
> (4 attacks in 6 secs, after 3 abuses over 9652777 secs.)
>
> I was slightly surprised to see that 3 abuses timespan of
> 111-or-so DAYS, given we are invoking SSHGuard with
>
> -a 40
> -p 420
> -s 1200
> -b 100:/path/to/blacklist
>
> Given that invocation, what's likely to be remembering an
> IP address for 9652777 seconds ?

Hi,

It may be related to an "issue" I had with blacklisted addresses.

In my workflow, I unblacklist/free addresses from the firewall after some time. Initially I had problems making it work correctly because SSHGuard does not release the IP counters for blocked IPs (temporarily or forever). I think I talked about that here some time ago.

IIRC there are 2 tables in SSHGuard. One for attacks count and one for blocking. I do not have the exact names now. Attacks count is reset, not the other, so blocking count is held and increasing forever and it may result in what you see I think.

K.
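
An added example, not part of the message above and not SSHGuard code: a small Python log audit that finds "Blocking" lines of the form quoted in the thread and reports those whose abuse history spans longer than a threshold you pass in (1200 here, the `-s` value from the quoted invocation). The function name, the sample log lines and the one-event-per-line layout are assumptions made for this sketch.

```python
import re

# Format of the block message quoted in the thread; temporary blocks are
# assumed to say "for N secs" where permanent ones say "forever".
BLOCK_RE = re.compile(
    r'Blocking "(?P<addr>[^"]+)" (?:forever|for (?P<block_secs>\d+) secs) '
    r'\((?P<attacks>\d+) attacks in (?P<attack_secs>\d+) secs, '
    r'after (?P<abuses>\d+) abuses over (?P<abuse_secs>\d+) secs\.\)'
)

def long_memory_blocks(lines, stale_secs):
    """Return block events whose abuse history spans more than stale_secs."""
    hits = []
    for line in lines:
        m = BLOCK_RE.search(line)
        if not m:
            continue  # not a block event
        span = int(m["abuse_secs"])
        if span > stale_secs:
            hits.append({
                "addr": m["addr"],
                "permanent": m["block_secs"] is None,
                "abuses": int(m["abuses"]),
                "abuse_secs": span,
                "abuse_days": round(span / 86400, 1),
            })
    return hits

# Constructed sample lines; addresses come from the documentation ranges.
SAMPLE_LOG = [
    'Oct 13 07:12:01 host sshguard[812]: Blocking "192.0.2.10/32" forever '
    '(4 attacks in 6 secs, after 3 abuses over 9652777 secs.)',
    'Oct 13 07:15:44 host sshguard[812]: Blocking "198.51.100.7/32" for 420 secs '
    '(4 attacks in 2 secs, after 1 abuses over 2 secs.)',
    'Oct 13 07:16:02 host sshd[900]: Connection closed by 203.0.113.5 port 51234',
]

if __name__ == "__main__":
    for hit in long_memory_blocks(SAMPLE_LOG, stale_secs=1200):
        print(hit)
```

Run over a real log, the reported addresses are the ones whose abuse history outlived the threshold, which is the set to compare against whatever the firewall-side cleanup has already released.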