Possible bug for block time (-p flag)

Issue #62 resolved
Stefano Balzan created an issue

I've recently set up an sshguard instance on a small server. Sshguard version: 1.7.1, arch: aarch64, Odroid C2 running Arch Linux ARM.

I've found out what may be a strange behaviour or perhaps a bug.

When I set an initial block time of 600 seconds (10 minutes) with the "-p 600" flag in the systemd unit file, the block time is actually doubled: 1200 seconds.

I could read in the journal:

"Blocking 192.84.139.215 for 1200 secs (2 attacks in 2 secs, after 1 abuses over 2 secs)"

Comments (12)

  1. Kevin Zheng

    There are at least two different things going on here:

    • The initial block time is controlled by the -p flag. -b is for blacklisting.
    • The block time increases by a factor of 1.5x every time an attacker is blocked.

    It looks like this is the second time your attacker was blocked ("after 1 abuses over 2 secs"). I wonder what's setting your initial block time?

  2. Stefano Balzan reporter

    Sorry, I mixed up the two flags. You are right, the flag controlling block time is "-p" and that's the one apparently causing issues. I've edited the initial post accordingly.

    Here is the entire systemd unit:

    [Unit]
    Description=Block hacking attempts
    After=iptables.service ip6tables.service ufw.service shorewall.service shorewall6.service network.target
    
    [Service]
    ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-a 20 -p 600 -s 10800 -b 40:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10
    
    [Install]
    WantedBy=multi-user.target
    
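Added example, not part of the original thread and not sshguard's own code: a small Python check that reads the `-p` value from the option string in the unit above and compares it with the duration in each `Blocking ...` journal line, so the ratio between configured and applied block time is visible per attacker. The function names and the second journal line are constructed for illustration; the first line and the option string are the ones quoted in the thread.

```python
import re
import shlex

# Format of the block message quoted in the report.
BLOCK_RE = re.compile(
    r"Blocking (?P<addr>\S+) for (?P<secs>\d+) secs "
    r"\((?P<attacks>\d+) attacks in (?P<window>\d+) secs, "
    r"after (?P<abuses>\d+) abuses over (?P<span>\d+) secs\)"
)

def configured_block_time(options):
    """Return the integer passed to -p in an sshguard option string, or None."""
    args = shlex.split(options)
    for i, arg in enumerate(args[:-1]):
        if arg == "-p":
            return int(args[i + 1])
    return None

def parse_block(line):
    """Extract the fields of one 'Blocking ...' line, or None if it is not one."""
    m = BLOCK_RE.search(line)
    if m is None:
        return None
    rec = {k: int(v) for k, v in m.groupdict().items() if k != "addr"}
    rec["addr"] = m.group("addr")
    return rec

def audit(lines, options):
    """Return (addr, abuses, secs, secs / configured -p) for every block line."""
    base = configured_block_time(options)
    if not base:
        raise ValueError("no usable -p value in the option string")
    rows = []
    for line in lines:
        rec = parse_block(line)
        if rec is not None:
            rows.append((rec["addr"], rec["abuses"], rec["secs"], rec["secs"] / base))
    return rows

# Option string from the ExecStart line of the unit file in the thread.
OPTIONS = "-a 20 -p 600 -s 10800 -b 40:/var/db/sshguard/blacklist.db"
JOURNAL = [
    # Line quoted in the report.
    "Blocking 192.84.139.215 for 1200 secs (2 attacks in 2 secs, after 1 abuses over 2 secs)",
    # Constructed non-block line; the audit skips it.
    "Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
]

if __name__ == "__main__":
    for addr, abuses, secs, ratio in audit(JOURNAL, OPTIONS):
        print(f"{addr}: {secs}s after {abuses} abuse(s), {ratio:.2f}x the -p value")
```
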