sshguard-users

[SSHGuard-users] "Stale" and "Pardon" Times

[Jim S. <jse...@Li...>]

Hi All,

I've been doing a bit of work with sshguard, lately, which has caused
me to observe attack patterns more closely.

The result of doing so had me increasing the "stale" parameter (-s)
from the default of twenty minutes (set in /etc/default/sshguard) to
35 minutes.  (See below for why.)

Then it occurred to me the initial "pardon" value was 840 seconds (14
minutes), which meant the first two blockings of an offending IP
address would have no effect if their retry rate was out at the edge
of the stale value I set.

That led to me looking at this, in sshguard_options.c:

Perhaps there should be a subsequent test, after the options are all
processed, to make sure pardon > stale and issue a warning if not?
Perhaps also automatically bump pardon by, say, 120 seconds over
stale if that happens?

I increased sshguard's stale argument because the attack pattern was
multiple IPs, with repeated IPs retrying every 32-33 minutes.  The
attackers are becoming more devious.  (I have an idea for countering
that, but I need to give it further thought.)

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.

Re: [SSHGuard-users] "Stale" and "Pardon" Times

[Kevin Z. <kev...@gm...>]

On 3/15/22 10:41 AM, Jim Seymour wrote:
> Perhaps there should be a subsequent test, after the options are all
> processed, to make sure pardon > stale and issue a warning if not?
> Perhaps also automatically bump pardon by, say, 120 seconds over
> stale if that happens?

Do you mean that the stale time should be longer than the pardon time, 
not the other way around?

For context, "pardon time" in the code refers to what is called 
"blocktime" in the man page, which is:

>               Block first-time attackers for blocktime seconds. Subsequent
>               blocks increase in duration by a factor of 1.5. Since sshguard
>               unblocks attackers at random intervals, actual block times may
>               be somewhat longer.

And "stale time" in the code is the "detection_time":

>               Reset an attacker's attack score after detection_time seconds
>               since the last attack. This means that attackers who attack
>               every detection_time seconds are never blocked by sshguard.
>               However, an increased detection_time may have an impact on
>               legitimate users.

So if stale < pardon, each time an attacker gets blocked, it would be 
considered it's first time (because the attacker would have been 
forgotten by the stale threshold).

Regards,
Kevin

Re: [SSHGuard-users] "Stale" and "Pardon" Times

[Jim S. <jse...@Li...>]

On Wed, 23 Mar 2022 10:18:54 -0700
Kevin Zheng <kev...@gm...> wrote:

> On 3/15/22 10:41 AM, Jim Seymour wrote:
> > Perhaps there should be a subsequent test, after the options are
> > all processed, to make sure pardon > stale and issue a warning if
> > not? Perhaps also automatically bump pardon by, say, 120 seconds
> > over stale if that happens?  
> 
> Do you mean that the stale time should be longer than the pardon
> time, not the other way around?

Nope :)

Because, as I noted: If stale time > pardon time and their attack
rate interval is longer than pardon time, then they'll get however
many bites of the apple they get until pardon time eventually
increases far enough.

E.g.:

    Initial pardon time: 840 sec.
    Stale time: 1200 sec.
    Attack interval: 1000 sec.

They trigger a block.  It's put in place for ~840 sec., then released.
±160 sec. later they strike again.  Then, after three more hits
(assuming default dangerousness: 10, and accumulated dangerousness
is reset when the block is released [another assumption on my part]),
they get blocked for 1680 sec.  *Then*, only after another four shots
at the target, are they actually blocked.

> 
> For context, "pardon time" in the code refers to what is called 
> "blocktime" in the man page, which is:
> 
[snip]
> 
> And "stale time" in the code is the "detection_time":
> 
[snip]
> 
> So if stale < pardon, each time an attacker gets blocked, it would
> be considered it's first time (because the attacker would have been 
> forgotten by the stale threshold).

Ah.  My bad.  I'd *assumed* "stale" wouldn't get reset until "stale
time" after a block was removed.

Doing so would solve both problems, no?

Unless I'm misunderstanding how these times are used and I'm
completely off in the weeds  :)

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.