[Sshguard-users] Small fix when reading from stdin

[Jeremie Le H. <je...@le...>]

Hey guys,

I'm not subscribed so I hope this mail will go through.

When reading from stdin, this is very probably syslogd(8).  But when
logrotate(8) on Linux or newsyslog(8) on *BSD decices to rotate a
logfile, it will send a SIGHUP to syslogd(8) to tell it to close all
its file descriptors and reopen them.  This leads sshguard to get an EOF
and shut down itself, thus flushing the blacklist from the firewall.

The problem is that on busy servers, log rotation may happen every hour.
Consequently the blacklist will be flushed at the same frequency,
defeating the whole point of blacklisting.

Cheers,

Index: sshguard.c
===================================================================
--- sshguard.c  (revision 238)
+++ sshguard.c  (working copy)
@@ -478,9 +478,13 @@
 
 /* finalization routine */
 static void finishup(void) {
-    /* flush blocking rules */
+    /* flush blocking rules except if we are reading from stdin:
+     * if so we're probably reading syslogd(8) and it will close all its fd
+     * each time a logfile is rotated.  On busy servers this may happen hourly,
+     * defeating the whole point of blacklisting. */
     sshguard_log(LOG_NOTICE, "Got exit signal, flushing blocked addresses and exiting...");
-    fw_flush();
+    if (opts.has_polled_files)
+        fw_flush();
     if (fw_fin() != FWALL_OK) sshguard_log(LOG_ERR, "Cound not finalize firewall.");
     if (whitelist_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the whitelisting system.");
     if (procauth_fin() != 0) sshguard_log(LOG_ERR, "Could not finalize the process authorization subsystem.");


-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.