sshguard - rc and blacklisting

Per olof Ljungmark peo at nethead.se
Tue Oct 16 08:43:55 UTC 2018


On 2018-10-16 07:52, Dimitry Andric wrote:
> On 15 Oct 2018, at 17:16, Per olof Ljungmark <peo at nethead.se> wrote:
>>
>> Either I am doing it wrong or sshguard is not properly implemented.
>>
>> 1. In the config file /usr/local/etc/sshguard.conf there is a parameter
>>
>> # Colon-separated blacklist threshold and full path to blacklist file.
>> # (optional, no default)
>> #BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
>>
>> however, the threshold setting does not seem to have any effect. If I
>> change the setting in rc.d/sshguard, it does take effect.
> 
> Yes, this is a problem in /usr/local/etc/rc.d/sshguard.  It sets the
> default sshguard_blacklist setting to 120:/var/db/sshguard/blacklist.
> To work around it, I have put:
> 
> sshguard_blacklist=""
> 
> in my rc.conf.  Then only the settings in sshguard.conf are used.

Ok, thanks, did not think of that.

>> 2. Looking at /var/db/sshguard/blacklist.db, each row looks like
>> 1539615075|220|4|143.0.65.92
>>
>> There is another setting in the config,
>> # Size of IPv4 subnet to block. Defaults to a single address, CIDR
>> # notation. (optional, default to 32)
>> IPV4_SUBNET=32
>>
>> I have tried to alter this setting to /24 and /29, auth.log says
>> Blocking "143.0.65.92/29" forever
>> but blacklist.db does not indicate any different CIDR than /32.
> 
> I have no experience with this setting, and it seems to be pretty new.
> It was not in my sample config file until quite recently, maybe it is
> an upstream problem?  Have you looked at their bug tracker?

It seems that this setting is used to control the firewall.

pfctl -t sshguard -T show will return the correct CIDR value, so my 
assumption that it would show in the blacklist file was wrong. The IP 
registered in the blacklist db will always be a /32.

Thank you for your input.

//per
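The relationship described in the message above, as an added example that is not part of the original post or of sshguard's own code: it parses blacklist.db rows and computes the network a given IPV4_SUBNET prefix would cover for each stored address. The field meanings (epoch timestamp, service code, address family, address) are assumptions inferred from the row shown, and the second sample row is constructed.

```python
import ipaddress
from datetime import datetime, timezone
from typing import NamedTuple, Union

# Constructed sample: the row quoted in the message, one made-up row using a
# documentation address, and one malformed line that must be skipped.
SAMPLE_DB = """\
1539615075|220|4|143.0.65.92
1539615999|100|4|192.0.2.200
garbage line
"""

class Entry(NamedTuple):
    when: datetime          # assumed: time the address was blacklisted (UTC)
    service: int            # assumed: numeric service code, left undecoded
    addr: Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

def parse_blacklist(text):
    """Parse 'timestamp|service|family|address' rows, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        try:
            ts, service, family = (int(p) for p in parts[:3])
            addr = ipaddress.ip_address(parts[3])
        except ValueError:
            continue
        if addr.version != family:   # family field must match the address
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        entries.append(Entry(when, service, addr))
    return entries

def blocked_network(addr, prefix):
    """Network covering addr at the given prefix length (host bits cleared)."""
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

if __name__ == "__main__":
    for e in parse_blacklist(SAMPLE_DB):
        # The file stores a single address; the prefix only widens the block.
        print(e.when.isoformat(), e.addr, "->", blocked_network(e.addr, 29))
```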

