Subnet matching and blocking
SSHGuard needs to be able to recognize an attack originating from a given subnet.
The current recommendation of delegating a /64 to a residential network means that one source IP can switch to another address and never be recognized by SSHGuard. A simpler attack could keep an IP address up until it is blocked, then switch to another address and continue the attack at no cost. All the lightbulbs and bathroom scales in my home theoretically have access to 18 446 744 073 709 551 616 IPv6 addresses, and they can change address as fast as their sockets can handle it. That's a lot of potential attackers.
The firewall integration should be fairly simple for at least some firewalls, like pf, ipset, ipfilter, and firewalld. Just slap a CIDR suffix on the end of the address to block and you're done (172.27.5.10/24).
Matching a subnet requires some reworking of the lexer. Frankly, I'm not entirely sure what the best approach here would be. I'd suggest adjusting the IPv4 and IPv6 lexer rules based on an INET6_SUBNET="64" option, so that the matched result would be transformed into an implicit subnet (10.10.10.0). I'm not entirely sure how to achieve this, as the lexer is a bit of a mystery to me.
I'm setting the priority on this to critical, as I'm seeing several attacks from /24 and especially /64 ranges on my own public-facing server every week. SSHGuard either fails to detect these entirely, or, when it does see them, blocking becomes ineffectual.
Ideas? Comments? Implementors?
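As an added example (not SSHGuard's own code, and not a change to its flex lexer), here is the reduction step the post asks for, written in C: an attacker address is collapsed to the network address of its enclosing prefix and rendered as "net/len", so that hits from 2001:db8:1:2::1 and 2001:db8:1:2:abcd::7 land on the same /64 counter, and the same string can be handed to a backend that accepts CIDR (the post's pf/ipset/ipfilter/firewalld case). It goes slightly beyond the post by handling prefix lengths that are not byte-aligned (/20, /60) and by checking whether a fresh address already sits inside a blocked subnet, which is the "switch address and continue at no cost" case. The prefix defaults `V4_PREFIX`/`V6_PREFIX`, `BLOCK_THRESHOLD`, the function names and the sample addresses in `main` are all assumptions made for this illustration.

```c
/* Added example, not SSHGuard code: collapse attacker addresses to their
 * enclosing /24 or /64 so that every address in that range shares one counter. */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define V4_PREFIX 24        /* assumed default for IPv4 */
#define V6_PREFIX 64        /* the INET6_SUBNET="64" the post proposes */
#define BLOCK_THRESHOLD 3   /* assumed: hits per subnet before blocking */

/* Which address family does the text parse as? AF_INET, AF_INET6, or -1. */
static int family(const char *s)
{
    unsigned char raw[16];
    if (inet_pton(AF_INET6, s, raw) == 1) return AF_INET6;
    if (inet_pton(AF_INET, s, raw) == 1) return AF_INET;
    return -1;
}

/* Write the network address of addr under prefix as "net/prefix" into out.
 * Returns 0 on success, -1 if the address or prefix length is invalid. */
int addr_to_subnet(const char *addr, unsigned prefix, char *out, size_t outlen)
{
    unsigned char raw[16];
    int af = family(addr);
    int nbytes = af == AF_INET6 ? 16 : 4;
    if (af < 0 || inet_pton(af, addr, raw) != 1) return -1;
    if (prefix > (unsigned)nbytes * 8) return -1;

    /* Zero every bit past the prefix; the boundary byte gets a partial mask. */
    for (int i = 0; i < nbytes; i++) {
        unsigned bit = (unsigned)i * 8;
        if (bit + 8 <= prefix) continue;               /* byte fully inside prefix */
        if (bit >= prefix) { raw[i] = 0; continue; }   /* byte fully outside */
        raw[i] &= (unsigned char)(0xFF << (8 - (prefix - bit)));
    }

    char net[INET6_ADDRSTRLEN];
    if (!inet_ntop(af, raw, net, sizeof net)) return -1;
    if (snprintf(out, outlen, "%s/%u", net, prefix) >= (int)outlen) return -1;
    return 0;
}

/* Convenience wrapper returning a static buffer, or NULL on error. */
const char *subnet_str(const char *addr, unsigned prefix)
{
    static char buf[INET6_ADDRSTRLEN + 8];
    return addr_to_subnet(addr, prefix, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Does addr fall inside the block "net/len"? 1 yes, 0 no, -1 on bad input.
 * Both sides are reduced with the same prefix, so a non-canonical cidr
 * such as "172.27.5.10/24" still compares equal to "172.27.5.0/24". */
int addr_in_subnet(const char *addr, const char *cidr)
{
    char net[INET6_ADDRSTRLEN], a[INET6_ADDRSTRLEN + 8], b[INET6_ADDRSTRLEN + 8];
    const char *slash = strchr(cidr, '/');
    if (!slash || (size_t)(slash - cidr) >= sizeof net) return -1;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';
    int fa = family(addr), fb = family(net);
    if (fa < 0 || fb < 0) return -1;
    if (fa != fb) return 0;                            /* different family: never inside */
    unsigned len = (unsigned)strtoul(slash + 1, NULL, 10);
    if (addr_to_subnet(addr, len, a, sizeof a) || addr_to_subnet(net, len, b, sizeof b))
        return -1;
    return strcmp(a, b) == 0;
}

/* Per-subnet hit counter: a tiny stand-in for a per-attacker table. */
#define MAX_SUBNETS 64
static struct { char subnet[INET6_ADDRSTRLEN + 8]; int hits; } table[MAX_SUBNETS];
static int table_len;

/* Record one attack from addr; returns total hits for its /24 or /64, -1 on error. */
int record_attack(const char *addr)
{
    char key[INET6_ADDRSTRLEN + 8];
    unsigned prefix = strchr(addr, ':') ? V6_PREFIX : V4_PREFIX;
    if (addr_to_subnet(addr, prefix, key, sizeof key) != 0) return -1;
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].subnet, key) == 0) return ++table[i].hits;
    if (table_len == MAX_SUBNETS) return -1;
    strcpy(table[table_len].subnet, key);
    return table[table_len++].hits = 1;
}

int main(void)
{
    /* Constructed sample: one attacker hopping through its /64, another through a /24,
     * and one unrelated address; the third /64 sibling crosses BLOCK_THRESHOLD. */
    const char *seen[] = { "2001:db8:1:2::1", "172.27.5.10", "2001:db8:1:2:abcd::7",
                           "172.27.5.200", "2001:db8:9::1", "2001:db8:1:2::ffff" };
    for (size_t i = 0; i < sizeof seen / sizeof *seen; i++) {
        unsigned prefix = strchr(seen[i], ':') ? V6_PREFIX : V4_PREFIX;
        int hits = record_attack(seen[i]);
        printf("%-22s -> %-20s hits=%d%s\n", seen[i], subnet_str(seen[i], prefix),
               hits, hits >= BLOCK_THRESHOLD ? "  BLOCK subnet" : "");
    }
    return 0;
}
```

The masking loop is the part a lexer rule cannot do on its own: flex can recognise the address text, but turning 2001:db8:1:2:abcd::7 into 2001:db8:1:2::/64 needs the parsed bytes, so in practice the reduction belongs just after the match, before the address is looked up or sent to a backend.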