Add Disjoint IP Addresses To SSHGuard Blacklist

klm's blog


Original post is here: eklausmeier.goip.de

Problem at hand: There are multiple machines running SSHGuard, and each of them accumulates a different blacklist. Task: Add the IP addresses that one machine has blacklisted, but another has not, to that other machine's blacklist.

1. Copy from "master" machine:

scp -p master:/var/db/sshguard/blacklist.db blacklist_master.db

This blacklist looks like this:

1615278352|100|4|59.46.169.194
1615278438|100|4|45.144.67.47
1615279294|100|4|122.155.47.9
1615279795|100|4|106.12.173.237
1615284110|100|4|103.152.79.161
1615284823|100|4|79.255.172.22
1615286299|100|4|106.12.171.76

The first field is the time in time_t format (seconds since the Unix epoch), the second is the service (in our case always 100 = ssh), the third is the address family (4 for IPv4, 6 for IPv6), and the fourth is the IP address itself; see Analysis And Usage of SSHGuard.

2. Create difference set: Run script sshgadd:

sshgadd /var/db/sshguard/blacklist.db blacklist_master.db

Script sshgadd prints the entries of its first argument whose addresses are missing from its second argument, re-stamped with the current time. The first version of this script hardcoded the timestamp 1613412470 and the address family 4, which would mislabel any IPv6 entry; this version keeps the service and address-family fields of each entry:

#!/bin/bash
# sshgadd FILE1 FILE2: print the entries of FILE1 that FILE2 lacks,
# timestamped now, in SSHGuard's time|service|kind|address format.
[ -z "$1" ] && exit 11
[ -z "$2" ] && exit 12
[ -f "$1" ] || exit 13
[ -f "$2" ] || exit 14

now=$(date +%s)
# Compare on service|kind|address so IPv6 entries keep kind 6,
# then prefix the surviving lines with the current time.
comm -23 <(cut -d'|' -f2-4 "$1" | sort) <(cut -d'|' -f2-4 "$2" | sort) \
        | sed "s/^/$now|/"

The comm command can suppress common columns:

       -1     suppress column 1 (lines unique to FILE1)
       -2     suppress column 2 (lines unique to FILE2)
       -3     suppress column 3 (lines that appear in both files)

This "<(list)" construct is called process substitution: bash runs the list and hands comm a file name (a pipe) from which the list's output can be read, which is what comm needs, since it accepts only files, not pipelines. It is a bash feature, so the script does not run under a plain POSIX /bin/sh.

3. Stop SSHGuard on the machine whose blacklist is being extended, append the output of sshgadd to its blacklist with any editor of your choice, or with cat and mv, and start SSHGuard again. Note the direction: the output holds the entries of the first file that the second lacks, so with the argument order above it is the local entries missing from the master's blacklist; swap the two arguments to get the master's entries missing locally. Stopping SSHGuard first avoids racing sshg-blocker, which appends to the same file, and the restart is needed because the blacklist is read only at startup, so appended addresses are not firewalled before then.
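The whole procedure as one script, as an added example that is not code from the original post: the two blacklists are compared on service, address family and address (so IPv6 entries keep kind 6), malformed lines are skipped instead of merged, and the merge writes a complete copy before moving it into place. The function names, the --demo switch and the sample blacklists are constructed for this example; the line format is the one shown above. Like the original sshgadd it needs bash for process substitution. The direction is fixed by the argument order: sshg_missing TARGET SOURCE prints what TARGET lacks from SOURCE, i.e. exactly the lines to append to TARGET.

```bash
#!/bin/bash
# Added example, not the original post's sshgadd: merge into one SSHGuard
# blacklist the entries it lacks from another. Assumed line format, as shown
# in the post: time_t|service|kind|address (kind 4 = IPv4, 6 = IPv6).
# Needs bash: process substitution <( ) is not POSIX sh.
export LC_ALL=C   # byte-wise sort so comm sees both inputs in the same order

# sshg_keys FILE: print "service|kind|address" of every well-formed entry,
# sorted and deduplicated. Lines without 4 fields or with a kind other
# than 4 or 6 are dropped rather than merged.
sshg_keys() {
    awk -F'|' 'NF == 4 && ($3 == 4 || $3 == 6) { print $2 "|" $3 "|" $4 }' "$1" \
        | sort -u
}

# sshg_missing TARGET SOURCE [TIME]: print, as ready-to-append blacklist
# lines, the entries of SOURCE that TARGET lacks. TIME defaults to now;
# passing it explicitly gives reproducible output.
sshg_missing() {
    local target=$1 source=$2 now=${3:-$(date +%s)}
    # comm -13 drops column 1 (keys only in TARGET) and column 3 (keys in
    # both), leaving column 2: keys only in SOURCE.
    comm -13 <(sshg_keys "$target") <(sshg_keys "$source") \
        | sed "s/^/$now|/"
}

# sshg_merge TARGET SOURCE: append the missing entries to TARGET by writing
# a complete copy and moving it over the original, so a reader never sees a
# half-written file. Prints the number of entries added. Stop SSHGuard
# before calling this and start it again afterwards.
sshg_merge() {
    local target=$1 source=$2 tmp added
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    sshg_missing "$target" "$source" > "$tmp"
    added=$(( $(wc -l < "$tmp") ))
    { cat "$target"; cat "$tmp"; } > "$tmp.new" && mv "$tmp.new" "$target"
    rm -f "$tmp"
    echo "$added"
}

# Constructed sample blacklists (not real data) for a stand-alone run:
# the master has one address the local machine already knows, two it lacks
# (one IPv6), and a malformed line that must be ignored.
sshg_demo() {
    local local_db master_db
    local_db=$(mktemp) master_db=$(mktemp)
    cat > "$local_db" <<'EOF'
1615278352|100|4|59.46.169.194
1615278438|100|4|45.144.67.47
EOF
    cat > "$master_db" <<'EOF'
1615278352|100|4|59.46.169.194
1615279294|100|4|122.155.47.9
1615279795|100|6|2001:db8::1
garbage line
EOF
    sshg_missing "$local_db" "$master_db" 1613412470
    rm -f "$local_db" "$master_db"
}

# "bash sshgadd.sh --demo" runs on the sample above;
# "bash sshgadd.sh LOCAL MASTER" prints what LOCAL lacks from MASTER.
if [ "${1:-}" = "--demo" ]; then
    sshg_demo
elif [ -n "${2:-}" ]; then
    sshg_missing "$1" "$2"
fi
```

The keys are compared with LC_ALL=C so that sort and comm agree on the ordering regardless of the locale SSHGuard's host happens to use; without that, comm may report one input as unsorted and silently miss matches. Running sshg_merge a second time adds nothing, which is the easy check that the merge is idempotent before pointing it at /var/db/sshguard/blacklist.db.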