From: Jonathan W. <jw...@at...> - 2016-09-29 04:40:50
Hi all

On 2016-08-29 18:03:05, Kevin Zheng wrote:
> If that's something people are interested in it would just involve
> translating the original hosts.c into a new sshg-fw backend.

I personally have found the "hosts" backend to be extremely useful. It allows sshguard's actions to be firmly isolated from the rest of the firewall, which is important if a complex firewall is already in place. It's also much easier to isolate sshguard from the firewall using the "hosts" backend as it only needs permission to alter a single file. Collectively these details mean that it has been trivial for me to deploy sshguard on a number of machines without having to take special precautions to ensure it doesn't inadvertently interfere with other things on the system. If the "hosts" backend is deprecated then I would probably have to either look for an alternative piece of software or stick with the last sshguard version to offer the feature (1.6.4).

> It's only deprecated because not many people said they were using it on
> the survey, and I wasn't going to rewrite if not many were using it.

It is unlikely that the majority of people using sshguard even heard about this survey. I didn't: I am only now aware of it because I went searching to find out the reason for the "hosts" backend being deprecated, as noted in the 1.7.0 release notes which I've just read. As an aside, I note that rather than being deprecated in sshguard 1.7.0, the "hosts" backend doesn't actually compile anymore. So technically it was effectively deprecated in 1.6.4 and removed in 1.7.0.

I'm certainly not the only one in this situation. The author of the article at https://forums.freebsd.org/threads/57509/ is in a similar situation to me, although they have obviously taken the deprecation notice a little harder than I.

There may be subtle issues in play that I'm not currently aware of, but the patch included at the end of this message against sshguard 1.7.0 compiles and might be all that's needed to get the "hosts" backend working again.

> It would be trivial to implement if we assume the whole hosts.deny is
> controlled by SSHGuard. The original implementation used comment blocks
> to separate the SSHGuard-controlled parts from the rest.

For my purposes the "hosts" backend has always worked just fine (the comment block approach seemed perfectly reasonable to me). I acknowledge that it's not as flexible as other approaches and other rules in hosts.allow could obviously interfere, but I think that's a user issue. For many people the "hosts" backend was simple, worked fine and did not interfere with other things on the system. For those who needed additional flexibility there were always the other backends.

I would certainly urge you to reconsider the deprecation of the "hosts" backend. I suspect there are far more people using it in the wider world than was indicated by the survey of which you speak. I don't mind when features are deprecated in cases where there's a clear way to achieve similar behaviours with alternative configurations. Sometimes this is needed to make progress. However, in this case there isn't: none of the remaining backends offer the kind of functionality previously provided by "hosts". Unless there's a significant future maintenance burden associated with the "hosts" backend I don't agree with its deprecation.

> Do you know how people are usually using the hosts backend?

Pretty much as it was documented. I personally chose this backend because there was no way it could interfere with the existing firewall functionality on the system (and conversely, the firewall management couldn't interfere with sshguard). In addition I liked the simplicity of the hosts.allow approach.

Regards
jonathan

--- a/src/fwalls/hosts.c 2016-08-07 01:51:51.000000000 +0930
+++ b/src/fwalls/hosts.c 2016-09-29 13:48:25.401626462 +0930 @@ -146,12 +146,12 @@ return FWALL_OK; } -int fw_block(const char *restrict addr, int addrkind, int service) { +int fw_block(const attack_t *attack) { addr_service_t ads; - strcpy(ads.addr, addr); - ads.service = service; - ads.addrkind = addrkind; + strcpy(ads.addr, attack->address.value); + ads.addrkind = attack->address.kind; + ads.service = attack->service; list_append(&hosts_blockedaddrs, &ads); return hosts_updatelist(); @@ -172,10 +172,10 @@ return hosts_updatelist(); } -int fw_release(const char *restrict addr, int addrkind, int services) { +int fw_release(const attack_t *attack) { int pos; - if ((pos = list_locate(&hosts_blockedaddrs, addr)) < 0) { + if ((pos = list_locate(&hosts_blockedaddrs, attack->address.value)) < - 0) { return FWALL_ERR; } |
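Review bot: in the `fw_block` hunk, `strcpy(ads.addr, attack->address.value)` still copies the address into `ads.addr` with no length bound, exactly as the old `strcpy(ads.addr, addr)` did; since the address now arrives in the `attack_t` structure's own buffer, a bounded copy (`strncpy(ads.addr, attack->address.value, sizeof(ads.addr) - 1)` with explicit NUL termination, or `strlcpy` where available) would make the behaviour on an over-long value explicit instead of relying on the two buffer sizes matching. The hunk also changes the signature to `int fw_block(const attack_t *attack)` without adding an include, so please confirm that hosts.c already sees the header that declares `attack_t`, or add that include to the patch.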
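Review bot: the `fw_release` hunk is damaged as posted: the new condition reads `... attack->address.value)) < - 0) {`, which looks like a mail-client line wrap rather than valid C, and the hunk stops at `return FWALL_ERR; }` although its header announces 10 lines, so this patch will not apply as pasted. Please resend it as an attachment (or as `git format-patch` output) so the wrapped `+` line and the missing tail of the hunk survive intact. It would also help to state in the description that the old `services` argument is dropped: `fw_release(const attack_t *attack)` only uses `attack->address.value` in the lines shown, so a release continues to be keyed on the address alone, as the old `list_locate(&hosts_blockedaddrs, addr)` call already was.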