Blacklisting is on by default and cannot be disabled

Create issue
Issue #19 resolved
Unknown Name created an issue

Running sshguard 1.5 on Ubuntu 12.04.5 with iptables with the following parameters:

/usr/sbin/sshguard -i /var/run/sshguard.pid -l /var/log/auth.log -w /etc/sshguard/whitelist -a 40 -p 420 -s 1200

There is a IP address block. Here the log entries:

auth.log.4.gz:Nov 27 19:42:21 sshguard[26508]: Blocking 222.186.x.x:4 for >630secs: 40 danger in 4 attacks over 8 seconds (all: 40d in 1 abuses over 8s).
auth.log.4.gz:Nov 27 19:53:49 sshguard[26508]: Blocking 222.186.x.x:4 for >945secs: 40 danger in 4 attacks over 8 seconds (all: 80d in 2 abuses over 696s).
auth.log.4.gz:Nov 27 20:10:29 sshguard[26508]: Blocking 222.186.x.x:4 for >0secs:   40 danger in 4 attacks over 7 seconds (all: 120d in 3 abuses over 1696s).

Since, then, that IP address keeps beeing blocked, it is not released, no new messages regarding that IP address in the log, and still blocked in iptables:

iptables-save

-A sshguard -s 222.186.x.x/32 -j DROP

Does "Blocking for >0secs" mean blocking forever?

Why it is blocked for more than three days now? Reading the documentation the blocking time should double every time, and then the IP should be released.

The only thing in the documentation for permanent blocking I found is with the black list option "-b" but I do not have that activated.

How can I disable the permanent blocking?

I have the same behaviour also with another IP- it seems to be blocked forever on the third blocking event.

I could reproduce this also with current Gentoo Linux and sshguard 1.5.

This makes sshguard unusable for me.

Comments (3)

  1. Log in to comment