Add Disjoint IP Addresses To SSHGuard Blacklist
Original post is here eklausmeier.goip.de/blog/2021/03-15-add-disjoint-ip-addresses-to-sshguard-blacklist.
Problem at hand: There are multiple machines running SSHGuard. Each of these machines accumulates different sets of blacklists. Task: Add disjoint IP addresses from one machine to another machine's blacklist.
1. Copy from "master" machine:
scp -p master:/var/db/sshguard/blacklist.db blacklist_master.db
This blacklist looks like this:
1615278352|100|4|59.46.169.194
1615278438|100|4|45.144.67.47
1615279294|100|4|122.155.47.9
1615279795|100|4|106.12.173.237
1615284110|100|4|103.152.79.161
1615284823|100|4|79.255.172.22
1615286299|100|4|106.12.171.76
The first field is the time as a time_t value (seconds since the epoch), the second is the service (in our case always 100 = ssh), the third is 4 for IPv4 or 6 for IPv6, and the fourth is the IP address itself; see Analysis And Usage of SSHGuard.
2. Create the difference set: run the script sshgadd:
sshgadd /var/db/sshguard/blacklist.db blacklist_master.db
Script sshgadd is:
#!/bin/bash
# Exit with a distinct code if an argument is missing or is not a regular file.
[ -z "$1" ] && exit 11
[ -z "$2" ] && exit 12
[ -f "$1" ] || exit 13
[ -f "$2" ] || exit 14
# Field 4 of each file is the IP address. comm -23 keeps only the addresses
# present in "$1" but absent from "$2"; both inputs must be sorted for comm.
# The addresses are then turned back into blacklist lines with a fixed
# timestamp; the address family is hard-coded to 4, so this assumes IPv4.
comm -23 <(cut -d'|' -f4 "$1" | sort) <(cut -d'|' -f4 "$2" | sort) \
| perl -ane 'print "1613412470|100|4|$_"'
The comm command prints three columns (lines unique to FILE1, lines unique to FILE2, lines common to both) and can suppress any of them:
-1 suppress column 1 (lines unique to FILE1)
-2 suppress column 2 (lines unique to FILE2)
-3 suppress column 3 (lines that appear in both files)
This "<(list)" construct is called process substitution: the shell runs list and passes its output to comm as a file name. It is a bash feature, not POSIX sh, so the script must run under bash.
3. Stop SSHGuard on the machine and add the output of sshgadd to the blacklist with any editor of your choice, or use cat and mv.
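Steps 2 and 3 combined, as an added example that is not the post's own sshgadd: it appends the master entries whose address the local blacklist lacks, keeping each entry's own timestamp and address family (4 or 6) instead of the hard-coded "1613412470|100|4|" prefix. The function names, the constructed sample files and the IPv6 address in the documentation range are assumptions of this example; as in step 3, SSHGuard must be stopped before the live file is touched.

```shell
#!/bin/bash
# Added example, not the original post's sshgadd. Merge the entries of a
# "master" SSHGuard blacklist into a local one, adding only addresses the
# local file does not have yet. Sample data below is constructed.

# Print the lines of MASTER whose address (field 4) is absent from LOCAL.
sshg_missing() {
    local local_db="$1" master_db="$2"
    [ -f "$local_db" ] && [ -f "$master_db" ] || return 1
    # First file: remember its addresses. Second file: print each line whose
    # address is new, once per address. FILENAME == ARGV[1] (rather than the
    # usual NR == FNR) stays correct when the local blacklist is empty.
    awk -F'|' 'FILENAME == ARGV[1] { seen[$4] = 1; next }
               !($4 in seen) && !dup[$4]++' "$local_db" "$master_db"
}

# Append the missing entries to LOCAL in place; print how many were added.
sshg_merge() {
    local local_db="$1" master_db="$2" tmp
    tmp=$(mktemp) || return 1
    sshg_missing "$local_db" "$master_db" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" >> "$local_db"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Demo on constructed files: addresses taken from the post's sample, plus
# one IPv6 entry in the 2001:db8::/32 documentation range (an assumption).
sshg_demo() {
    local dir; dir=$(mktemp -d) || return 1
    printf '%s\n' '1615278352|100|4|59.46.169.194' \
                  '1615278438|100|4|45.144.67.47' > "$dir/local.db"
    printf '%s\n' '1615278438|100|4|45.144.67.47' \
                  '1615279294|100|4|122.155.47.9' \
                  '1615290000|100|6|2001:db8::1' > "$dir/master.db"
    echo "added: $(sshg_merge "$dir/local.db" "$dir/master.db")"
    cat "$dir/local.db"
    rm -rf "$dir"
}
sshg_demo
```

Running the demo appends the two master-only entries to local.db and reports "added: 2"; a second run of sshg_merge on the same files adds nothing.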