Menu
▾
▴
Re: [SSHGuard-users] [Proposal] Handle End-of-line comments in Whitelists
|
From: Kevin Z. <kev...@gm...> - 2020-05-14 18:37:03
|
On 5/13/20 6:45 PM, Kevin Buckley wrote: > Other than neededing to bump up the log level to LOG_ERR to see this > working on my test system, that would clearly be a useful addition, > however, our testing would suggest that, when the whitelist parser > "gets it wrong", then it really gets it wrong, and just segfaults*. > > My "extra flag for debuging" idea would have just seen everything > dumped into the log stream by adding in some > > if( debug_flag_used) then > sshguard_log(LOG_ERR, "stuff") > fi > > guards, on the understanding that, if you invoked SSHGuard with the > debug flag, you would want to see some output without needing to alter > anything else on the system outside of SSHGuard. Do you mean to say that you're running in an environment where setting environment variables is not possible? Currently, LOG_DEBUG lines are only displayed when SSHGUARD_DEBUG is set in the environment, see sshguard(8). > * What we originally found, after adding EOL comments to a whitelist file > was that SSHGuard "appeared" to work OK, except that it wasnt, and it was > only when we added a comment along the lines of: > > > nnn.nnn.nnn.nnn # Host at some org but covered by range > nnn.nnn.nnn.0/30 above > > that we realised that the whitelist parser (whitelist_add() function) > was seeing the "/" in the comment as indication of a range and then > "not quite getting there" when parsing the full line. Sounds like what we should really have is a better-written parser. Perhaps we should write a better IP list parser and combine the whitelist and blacklist parsers to support comments? Regards, Kevin -- Kevin Zheng kev...@gm... | ke...@be... XMPP: ke...@ee... |
