From: Kevin Z. <kev...@gm...> - 2022-10-14 17:50:22
On 10/13/22 7:17 PM, Kevin Buckley wrote:
> It sounds as though the fact that we haven't restarted SSHGuard
> in some time, but merely removed "erroneous" entries from the
> blacklist DB, and removed the IPTables rule, so as to permit an
> IP address access again, will see SSHGuard storing details about
> the IP address from "way back when".

I believe this is accurate.

SSHGuard normally forgets about attackers when they stop attacking for
some time (-s detection_time). When an attacker is first added to the
blacklist (i.e. not a blacklisted address loaded from a file), SSHGuard
will not forget the attacker.

This means that if you manually remove the blocked address from your
firewall and the address makes another attack, you'll get this message.
While this is slightly surprising, is there any behavior that needs to
be changed?

It also sounds like what some want is a way to remember attacks across
SSHGuard reboots, while not blacklisting attackers permanently? Or, at
least release blacklisted addresses while SSHGuard is running?

An experimental branch ('sqlite') exists that persists SSHGuard's
attackers across reboots.

Regards,
Kevin
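
The retention behaviour described in this message, as a simplified model added here; it is not SSHGuard's code and not part of the original e-mail. The `Tracker` class, the scores, the thresholds and the addresses are constructed assumptions.

```python
# Simplified model of the behaviour described in this message; it is not
# SSHGuard's code. Thresholds, scores and addresses are constructed values.
from dataclasses import dataclass


@dataclass
class Record:
    score: int = 0
    last_seen: float = 0.0
    blacklisted: bool = False


class Tracker:
    def __init__(self, detection_time, blacklist_threshold):
        self.detection_time = detection_time      # stands in for -s
        self.blacklist_threshold = blacklist_threshold
        self.records = {}      # in-memory attacker state
        self.firewall = set()  # stands in for the firewall rules

    def expire(self, now):
        """Forget quiet attackers, except ones blacklisted during this run."""
        for addr, rec in list(self.records.items()):
            if not rec.blacklisted and now - rec.last_seen > self.detection_time:
                del self.records[addr]

    def attack(self, addr, now, score=10):
        """Record one attack; return True if addr was still remembered."""
        self.expire(now)
        remembered = addr in self.records
        rec = self.records.setdefault(addr, Record())
        rec.score += score
        rec.last_seen = now
        if rec.score >= self.blacklist_threshold and not rec.blacklisted:
            rec.blacklisted = True
            self.firewall.add(addr)
        return remembered


def demo():
    t = Tracker(detection_time=1800, blacklist_threshold=30)
    for now in (0, 10, 20):
        t.attack("192.0.2.10", now)       # reaches the threshold, blacklisted
    t.attack("198.51.100.7", 20)          # single attack, never blacklisted
    t.firewall.discard("192.0.2.10")      # admin removes only the firewall rule
    later = 7 * 24 * 3600                 # a week later, same process running
    return t.attack("192.0.2.10", later), t.attack("198.51.100.7", later)
```

In the model, deleting the firewall entry leaves the in-memory record untouched, so the blacklisted address is still remembered a week later while the address that was never blacklisted has been forgotten.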