From: Jef P. <je...@ma...> - 2016-05-09 07:49:39
Hi. I ran across sshguard today and decided to give it a try.
I'm on FreeBSD 10.1R. I installed it from /usr/ports/security/sshguard
which gave me version 1.5 - no problems on the install. I enabled it
using syslogd and ipfw. I used the suggested syslog.conf line:

    auth.info;authpriv.info |exec /usr/local/sbin/sshguard

And a slightly modified ipfw line:

    ipfw add deny ip from 'table(22)' to me in via ${oif}

After restarting syslogd, I observed new log messages from
sshguard. Yay!
However, there was a minor problem: every hour it would exit and restart:

    May 8 13:00:00 hydra sshguard[86471]: Got exit signal, flushing blocked addresses and exiting...
    May 8 13:00:00 hydra sshguard[14184]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
    May 8 14:00:00 hydra sshguard[14184]: Got exit signal, flushing blocked addresses and exiting...
    May 8 14:00:00 hydra sshguard[85407]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
    May 8 15:00:00 hydra sshguard[85407]: Got exit signal, flushing blocked addresses and exiting...
    May 8 15:00:00 hydra sshguard[67455]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.

I did a not-very-thorough search of the sshguard-users archives and
didn't see discussion of this. The reason for the looping is pretty
obvious: sshguard's exit message goes to auth.notice and therefore
gets sent to sshguard and starts it up again.
My first try at fixing this worked ok - I changed syslog.conf so it
doesn't send sshguard's own messages to itself:

    !-sshguard
    auth.info;authpriv.info |exec /usr/local/sbin/sshguard

However this makes the config file a little ugly since the sshguard
stuff now has to be in a separate paragraph.
Starting sshguard from an rc file instead of from syslog should also
fix the restart looping. I'll try that tomorrow.
A source-code fix would be to not log the exit message, or log it
at debug instead of notice. I haven't checked if something along these
lines has already been done in the development version - if so, hooray!
Anyway, thanks for the nice simple software.
---
Jef
Jef Poskanzer je...@ma... http://acme.com/jef/
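
A log check for the restart pattern quoted in the message above, added here as an example and not part of the original post or of sshguard. It pairs each "Got exit signal" line with the "Started successfully" line that follows it and reports whether the restarts chain into a loop, which matters because each exit flushes the blocked addresses. The function names, the 5-second pairing window and the default year are assumptions, and the sshd line in the sample is constructed.

```python
import re
from datetime import datetime, timedelta

# sshguard lines as quoted in the post, plus one constructed sshd line as noise.
SAMPLE_LOG = """\
May 8 13:00:00 hydra sshguard[86471]: Got exit signal, flushing blocked addresses and exiting...
May 8 13:00:00 hydra sshguard[14184]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 13:12:41 hydra sshd[20311]: Invalid user test from 192.0.2.10
May 8 14:00:00 hydra sshguard[14184]: Got exit signal, flushing blocked addresses and exiting...
May 8 14:00:00 hydra sshguard[85407]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
May 8 15:00:00 hydra sshguard[85407]: Got exit signal, flushing blocked addresses and exiting...
May 8 15:00:00 hydra sshguard[67455]: Started successfully [(a,p,s)=(40, 420, 1200)], now ready to scan.
"""

EVENT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshguard\[(\d+)\]: "
    r"(Got exit signal|Started successfully)")

def find_restarts(log_text, year=2016, window=timedelta(seconds=5)):
    """Return (time, old_pid, new_pid) for each exit followed by a start."""
    restarts, pending_exit = [], None
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not an sshguard lifecycle message
        # syslog timestamps carry no year, so one is supplied for parsing
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        pid = int(m.group(2))
        if m.group(3) == "Got exit signal":
            pending_exit = (when, pid)
        elif pending_exit and pid != pending_exit[1] \
                and when - pending_exit[0] <= window:
            restarts.append((pending_exit[0], pending_exit[1], pid))
            pending_exit = None
    return restarts

def restart_loop(restarts, min_cycles=3):
    """True if each restarted instance is itself the next one to exit."""
    chained = all(a[2] == b[1] for a, b in zip(restarts, restarts[1:]))
    return len(restarts) >= min_cycles and chained

def restart_intervals(restarts):
    """Seconds between consecutive restarts (3600.0 means hourly)."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(restarts, restarts[1:])]

if __name__ == "__main__":
    events = find_restarts(SAMPLE_LOG)
    print(restart_loop(events), restart_intervals(events))
```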