Original post is here: eklausmeier.goip.de
Problem at hand: There are multiple machines running SSHGuard. Each of these machines accumulates different sets of blacklists. Task: Add disjoint IP addresses from one machine to another machine's blacklist.
1. Copy from "master" machine:
1scp -p master:/var/db/sshguard/blacklist.db blacklist_master.db
This blacklist looks like this:
11615278352|100|4|59.46.169.194
21615278438|100|4|45.144.67.47
31615279294|100|4|122.155.47.9
41615279795|100|4|106.12.173.237
51615284110|100|4|103.152.79.161
61615284823|100|4|79.255.172.22
71615286299|100|4|106.12.171.76
The first entry is time in time_t format, second entry is service, in our case always 100=ssh, third entry is either 4 for IPv4, or 6 for IPv6, fourth entry is actual IP address, see Analysis And Usage of SSHGuard.
2. Create difference set: Run script sshgadd:
1sshgadd /var/db/sshguard/blacklist.db blacklist_master.db
Script sshgadd is:
1[ -z "$1" ] && exit 11
2[ -z "$2" ] && exit 12
3[ -f "$1" ] || exit 13
4[ -f "$2" ] || exit 14
5
6comm -23 <(cut -d\| -f4 $1 | sort) <(cut -d\| -f4 $2 | sort) \
7 | perl -ane 'print "1613412470|100|4|$_"'
The comm command can suppress common columns:
1 -1 suppress column 1 (lines unique to FILE1)
2 -2 suppress column 2 (lines unique to FILE2)
3 -3 suppress column 3 (lines that appear in both files)
This "<(list)" construct is called process substitution.
3. Stop SSHGuard on machine and add output of sshgadd to blacklist via any editor of your choice, or use cat and mv.