From: Kevin Z. <kev...@gm...> - 2016-09-29 08:12:12
On 09/28/2016 21:25, Jonathan Woithe wrote:
> I personally have found the "hosts" backend to be extremely useful. It
> allows sshguard's actions to be firmly isolated from the rest of the
> firewall, which is important if a complex firewall is already in place.
> It's also much easier to isolate sshguard from the firewall using the
> "hosts" backend as it only needs permission to alter a single file.
> Collectively these details mean that it has been trivial for me to deploy
> sshguard on a number of machines without having to take special precautions
> to ensure it doesn't inadvertently interfere with other things on the
> system.

Thanks for the comments. I'll re-implement support for the hosts backend in the next release.

Support was dropped due to changes in the firewall backend. These changes separate the backend program from SSHGuard, a stepping stone to sandboxing SSHGuard with Capsicum or pledge(2). From several posts to the list it seemed like nobody was using it.

> It is unlikely that the majority of people using sshguard even heard about
> this survey. I didn't: I am only now aware of it because I went searching
> to find out the reason for the "hosts" backend being deprecated as noted in
> the 1.7.0 release notes which I've just read.

The user survey was announced (twice) on the user mailing list.

> As an aside, I note that rather than being deprecated in sshguard 1.7.0, the
> "hosts" backend doesn't actually compile anymore. So technically it was
> effectively deprecated in 1.6.4 and removed in 1.7.0.

My fault for insufficient testing before release. In slight defense, I sent a call-for-testing after the commit that probably broke it, as well as one or two weeks before the release. Issues that came up were fixed; the hosts backend issue never came up.

> I'm certainly not the only one in this situation. The author of the article
> at
>
> https://forums.freebsd.org/threads/57509/
>
> is in a similar situation to me, although they have obviously taken the
> deprecation notice a little harder than I.

It's true: software maintainers aren't telepathic. Most users deal with package maintainers and not upstream, too.

I admit: I know how I use SSHGuard; I know how the users on the mailing list use SSHGuard; and I can guess how the survey respondents use SSHGuard. Beyond that, no clue.

Most users interact with package maintainers. The only package maintainer that I've interacted with is Mark (from FreeBSD), who's done a great job of updating and pointing out bugs. I need more support from package maintainers.

Users who aren't on the mailing list aren't heard from. I realize it's not possible to participate in every project you use. Unfortunately I don't have a good solution to this problem; if you don't participate you aren't heard.

> There may be subtle issues in play that I'm not currently aware of, but the
> patch included at the end of this message against sshguard 1.7.0 compiles
> and might be all that's needed to get the "hosts" backend working again.

I'll take a look and get back to you.

> I don't mind when features are deprecated in cases where there's a clear way
> to achieve similar behaviours with alternative configurations. Sometimes
> this is needed to make progress. However, in this case there isn't: none of
> the remaining backends offer the kind of functionality previously provided
> by "hosts". Unless there's a significant future maintenance burden
> associated with the "hosts" backend I don't agree with its deprecation.

After it's rewritten, it shouldn't need to be touched for a long time.

> Pretty much as it was documented. I personally chose this backend because
> there was no way it could interfere with the existing firewall functionality
> on the system (and conversely, the firewall management couldn't interfere
> with sshguard). In addition I liked the simplicity of the hosts.allow
> approach.

Consider trying different backends. The PF and IPFW backends do not add rules; you add the rules yourself to the firewall, and add a directive that creates a table. SSHGuard populates and depopulates the table.

Best,
Kevin

--
Kevin Zheng
kev...@gm... | ke...@be... | PGP: 0xC22E1090