From: Kevin B. <kev...@gm...> - 2020-05-15 01:35:25
On 2020/05/15 02:36, Kevin Zheng wrote:
>
> Do you mean to say that you're running in an environment where setting
> environment variables is not possible?

No.

> Currently, LOG_DEBUG lines are only displayed when SSHGUARD_DEBUG is set
> in the environment, see sshguard(8).

So that's the missing piece for that then.

>> * What we originally found, after adding EOL comments to a whitelist file
>> was that SSHGuard "appeared" to work OK, except that it wasn't, and it was
>> only when we added a comment along the lines of:
>>
>>
>> nnn.nnn.nnn.nnn # Host at some org but covered by range
>> nnn.nnn.nnn.0/30 above
>>
>> that we realised that the whitelist parser (whitelist_add() function)
>> was seeing the "/" in the comment as indication of a range and then
>> "not quite getting there" when parsing the full line.
>
> Sounds like what we should really have is a better-written parser.
> Perhaps we should write a better IP list parser ...

In all fairness, if one is happy to ONLY have comments on lines of
their own, so above or below individual entries, then the existing
parser is fine. Furthermore, none of the example files show
end-of-line comments.

However, if you do not wish to have your IP addresses and ranges
surrounded by comments, and it could make the file a bit unwieldy,
and/or the IP addresses and ranges a little harder to discern, then
the existing parser doesn't always do the right thing.

Making the latter work is what the addition of the strsep() proposal
addresses, not any perceived issue with the existing parser when used
against whitelists that don't have EOL comments.

> ... and combine the
> whitelist and blacklist parsers to support comments?

The ability to annotate a blacklist with EOL comments might add some
operational benefit, as well as providing consistency in the way the
black and white lists are handled, which then reduces any potential
for confusion and errors in the input files.

Kevin