Re: [SSHGuard-users] sshguard restart loop when using syslogd

[Peter B. <be...@an...>]

Why not add your IP(s) to the whitelist? Did you fail to login successfully
many times in the past few years?

Why not rotate your auth.log?

Why not run newsyslog manually once to rotate initially?

To me this isn't a bug, more of a "it doesn't work the way I want" for some
reasons that seem to be fairly easy to rememdy.

Beckman

On Mon, 9 May 2016, Jef Poskanzer wrote:

> Kevin Zheng:
>> Thanks for updating to 1.6.4. Could you try starting SSHGuard as a
>> daemon using the rc.d script and see if the problem persists?
>
> I'm sure that would fix the restart looping, as I suggested in my
> initial message. At the moment I can't start using the rc.d script
> for other reasons, which actually could be considered a bug in
> sshguard. Ok, since you asked so nicely I'll explain. My auth.log
> doesn't get much traffic and hasn't been rotated in years. When
> sshguard starts up it reads the whole file, sees all of my own
> logins happening at the current instant, and marks me as an
> attacker. It may have something to do with syslog lines not
> including the year - maybe sshguard parses the yearless timestamps
> past today's date as being in the future?
>
> It just occured to me this this is *exactly* the plot line of
> tonight's Person of Interest episode!
>
> Anyway I have fixed my newsyslog.conf to rotate more often, but I
> don't want to manually rotate the files so I'm not going to start
> sshguard from rc.d until they rotate on their own.
>
> There's already a note in http://www.sshguard.net/docs/setup/ about
> syslogd terminating and restarting sshguard, although it's not
> completely accurate. If the devs don't want to lower the log level
> of the exiting messages to LOG_DEBUG to prevent the restarting,
> then perhaps just correct this note and add the "!-sshguard"
> tweak I worked out. A doc change is always easier than a code
> change right?

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
be...@an...                                 http://www.angryox.com/
---------------------------------------------------------------------------