I'm trying out sshguard to ban some IPs that fail to log in after a couple of attempts.
On the wiki page it suggests adding -a 1 -b 10:(...) to make it aggressive, which means banning IPs after a single attempt:
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 1 -b 10:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
However, sshguard won't start using this, as it says the minimal abuse threshold (-a) should be at least 10. The problem is that I don't want it to first block someone; I want it to ban without first blocking an IP.
Does anyone know a way to ban an IP after, say, three consecutive failed SSH login attempts?
Thanks,
TheSailor
I've asked the question at the sshguard mailing list.
I'll post any updates here.
Last edited by WalrusTheSailor (2016-04-12 13:28:47)
It's solved!
The solution is setting the abuse threshold (-a) to the same value as the ban threshold (-b):
ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 30 -b 30:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
Thanks for posting your solution. Could you be so kind as to add "[SOLVED]" to the title of your first post so that others know that they won't need to drop in to help? Thank you!
Last edited by OlafLostViking (2016-04-18 19:05:12)