From: Steve W. <st...@sw...> - 2017-01-02 11:43:00
> On 2 Jan 2017, at 10:04, Daniel Aleksandersen <co...@da...> wrote:
>
> > On Mon, Jan 2, 2017, at 06:20, Kevin Zheng wrote:
> >> On 01/01/2017 21:44, Doug Niven wrote:
> >>> I'm pretty sure SSHGuard is unable to work in MacOS 10.12 (Sierra)
> >>> because of how Apple recently changed logging in this new OS upgrade.
> >>> No longer are failed SSH logins recorded in /var/log/system.log or
> >>> any other system log file, because Apple has moved to "unified
> >>> logging".
> >>
> >> Thanks for the report.
> >>
> >>> A Terminal command like the following will show some of the
> >>> information we're after, but I'm not sure how this would need to be
> >>> incorporated into SSHGuard to allow it to work as before:
> >>>
> >>> % log show --predicate '(eventMessage CONTAINS "maximum
> >>> authentication attempts exceeded")' --style syslog --info
> >>
> >> Now, will this command be like `tail` and give us a pipe with new
> >> messages like they come in, or like dmesg and just give us a view of the
> >> buffer?
> >>
> >>> If anyone has any suggestions or ideas please let me know, since I'm
> >>> a big fan of SSHGuard and would to have it work in Sierra.
>
> Doug, see this example for how to stream macOS' sshd log to SSHGuard:
> https://bitbucket.org/sshguard/sshguard/src/e96d19f2e98c/examples/net.sshguard.plist
>
> I tested it with the git master version just now, and it worked fine.
> Not sure if it will work with the current stable release, but you can
> let us know if it doesn't!
>
> Though it should be configured in the config file rather than the
> launchd service file starting with SSHGuard 2.0. I've opened a pull
> request for updating the documentation to match:
> https://bitbucket.org/sshguard/sshguard/pull-requests/18/
>
> >> This sounds a bit like the situation with journalctl on Linux. This is
> >> being solved by piping journalctl output to SSHGuard (see commit edd8414
> >> in what will become 2.0).

I tried moving the log command from the launch plist to sshguard.conf but had to escape the double quotes in the predicate list to get it to parse correctly. In my case I'm monitoring sshd, dovecot and postfix.

LOGREADER="/usr/bin/log stream --style syslog --info --predicate 'processImagePath == \"/usr/sbin/sshd\" or processImagePath contains \"dovecot\" or processImagePath contains \"postfix/smtpd\"'"

This is working with the latest commit (e96d19f) on MacOS 10.12.2.

Cheers,
Steve
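As an added illustration (not part of the thread), the following sh script shows why the escaped double quotes in Steve's LOGREADER line matter: it assumes sshguard's wrapper sources sshguard.conf and runs the reader via `eval $LOGREADER`, and it splits the value into arguments the same way, so it runs on any POSIX shell without `/usr/bin/log`.

```shell
#!/bin/sh
# Added example: shows how a LOGREADER value from sshguard.conf is split
# into arguments when the wrapper script expands it with `eval` (assumed
# mechanism). No `log` binary is executed; only the word splitting is shown.

# The setting exactly as written in the message above. Inside the
# double-quoted assignment, \" becomes a literal " inside the predicate.
LOGREADER="/usr/bin/log stream --style syslog --info --predicate 'processImagePath == \"/usr/sbin/sshd\" or processImagePath contains \"dovecot\" or processImagePath contains \"postfix/smtpd\"'"

# A constructed, deliberately wrong variant: the inner " are not escaped,
# so they terminate the outer string and vanish from the stored value.
BROKEN_LOGREADER="/usr/bin/log stream --style syslog --info --predicate 'processImagePath == "/usr/sbin/sshd"'"

# Expand a LOGREADER value the way `eval $LOGREADER` would and print the
# number of resulting arguments (command name included).
argc_of() {
    eval "set -- $1"
    echo $#
}

# Expand a LOGREADER value the same way and print the single argument that
# follows --predicate, i.e. exactly what `log` would receive as its predicate.
predicate_of() {
    eval "set -- $1"
    while [ $# -gt 0 ]; do
        if [ "$1" = "--predicate" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Escaped version: 7 arguments, predicate keeps its quoted string literals.
echo "argc: $(argc_of "$LOGREADER")"
echo "predicate: $(predicate_of "$LOGREADER")"
# Unescaped version: the path reaches `log` without its quotes, which is
# not the predicate that was intended.
echo "broken predicate: $(predicate_of "$BROKEN_LOGREADER")"
```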