From: Kevin Z. <kev...@gm...> - 2022-10-14 17:50:22
On 10/13/22 7:17 PM, Kevin Buckley wrote:
> It sounds as though the fact that we haven't restarted SSHGuard
> in some time, but merely removed "erroneous" entries from the
> blacklist DB, and removed the IPTables rule, so as to permit an
> IP address access again, will see SSHGuard storing details about
> the IP address from "way back when".

I believe this is accurate. SSHGuard normally forgets about attackers when they stop attacking for some time (-s detection_time). When an attacker is first added to the blacklist (i.e. not a blacklisted address loaded from a file), SSHGuard will not forget the attacker. This means that if you manually remove the blocked address from your firewall and the address makes another attack, you'll get this message.

While this is slightly surprising, is there any behavior that needs to be changed? It also sounds like what some want is a way to remember attacks across SSHGuard reboots, while not blacklisting attackers permanently? Or, at least release blacklisted addresses while SSHGuard is running?

An experimental branch ('sqlite') exists that persists SSHGuard's attackers across reboots.

Regards,
Kevin
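The following is an added illustration of the behaviour described in the message above; it is not SSHGuard's own code. It is a deliberately simplified model in which the class and parameter names (AttackerTable, detection_time, block_threshold, blacklist_threshold), the result strings, and the two TEST-NET sample addresses are assumptions chosen for the example. The model does not distinguish blacklist entries loaded from a file from those created at run time; it only shows why an address that was blacklisted while the daemon was running is remembered after its firewall rule is removed by hand, while an ordinary attacker is forgotten once it has been idle for longer than the detection time.

```python
"""Simplified model of SSHGuard-style attacker memory (illustration only)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Attacker:
    first_seen: int
    last_seen: int
    attacks: int = 0


@dataclass
class AttackerTable:
    detection_time: int       # assumed to mirror -s: idle seconds before an attacker is forgotten
    block_threshold: int      # attacks before the address is blocked in the firewall
    blacklist_threshold: int  # attacks before the address is blacklisted
    attackers: Dict[str, Attacker] = field(default_factory=dict)
    blacklist: Set[str] = field(default_factory=set)
    firewall: Set[str] = field(default_factory=set)  # addresses currently blocked

    def purge_stale(self, now: int) -> None:
        # Ordinary attackers are forgotten once idle for detection_time.
        # Blacklisted attackers are deliberately kept, as the thread describes.
        for addr in list(self.attackers):
            rec = self.attackers[addr]
            if addr not in self.blacklist and now - rec.last_seen > self.detection_time:
                del self.attackers[addr]

    def attack(self, addr: str, now: int) -> str:
        self.purge_stale(now)
        rec = self.attackers.setdefault(addr, Attacker(now, now))
        rec.last_seen = now
        rec.attacks += 1
        if addr in self.blacklist:
            # Still remembered: the firewall rule is reinstated and the
            # daemon reports that the address was already blacklisted.
            self.firewall.add(addr)
            return "already-blacklisted"
        if rec.attacks >= self.blacklist_threshold:
            self.blacklist.add(addr)
            self.firewall.add(addr)
            return "blacklisted"
        if rec.attacks >= self.block_threshold:
            self.firewall.add(addr)
            return "blocked"
        return "counted"

    def manual_unblock(self, addr: str) -> None:
        # What the operator in the thread did: the firewall rule is removed,
        # but the daemon's in-memory attacker state is untouched.
        self.firewall.discard(addr)


def demo() -> Tuple[List[str], AttackerTable]:
    """Constructed scenario: one persistent attacker, one casual attacker."""
    table = AttackerTable(detection_time=600, block_threshold=3, blacklist_threshold=4)
    persistent = "192.0.2.10"    # constructed sample address (TEST-NET-1)
    casual = "198.51.100.7"      # constructed sample address (TEST-NET-2)
    results = []
    for t in (0, 10, 20, 30):    # four attacks within the detection window
        results.append(table.attack(persistent, t))
    table.attack(casual, 40)     # two attacks, below the block threshold
    table.attack(casual, 50)
    table.manual_unblock(persistent)        # operator removes the firewall rule by hand
    results.append(table.attack(persistent, 30 + 86400))  # a day later: still remembered
    results.append(table.attack(casual, 50 + 86400))      # a day later: forgotten, counted afresh
    return results, table


if __name__ == "__main__":
    outcome, _ = demo()
    print(outcome)
```

In the scenario, the persistent address reaches the blacklist threshold, is unblocked manually, and is immediately reported as already blacklisted when it reappears a day later, while the casual address, which was never blacklisted, is purged after the detection time and starts again from a single counted attack.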