From: <81...@2r...> - 2021-03-15 04:25:47
Hello, sshguard list,

Thank you to the developers and maintainers for the excellent work on sshguard. Very, very useful.

We're moving a number of Debian machines from iptables to nftables (nft), and it looks as if the sooner we purge iptables and ufw and use only nftables the better. While this occurs, we would like to try to run sshguard with the "tcpwrapper" hosts backend, and write the blocked hosts to /etc/hosts.deny.

We could install from source and manually set the backend in sshguard.conf, but that would also require changes to the systemd sshguard.services file.

Unfortunately, Debian 9, after building the dependencies (autoconf automake byacc flex gcc python-docutils), fails ./configure:

<<
config.status:1194: error: Something went wrong bootstrapping makefile fragments
    for automatic dependency tracking. If GNU make was not used, consider
    re-running the configure script with MAKE="gmake" (or whatever is
    necessary). You can also try re-running configure with the
    '--disable-dependency-tracking' option to at least be able to build
    the package (albeit without support for automatic dependency tracking).
>>

I plan to figure this out (maybe a missing build library?), but there are too many machines running Debian 9 to do this quickly.

On Ubuntu 20.04 the dependencies install, compile and make without a problem, and we can set the hosts backend with no problem (BACKEND="/usr/local/libexec/sshg-fw-hosts" in /usr/local/etc/sshguard.conf).

Has anyone been able to change the backend from the stock Debian 9 installed iptables backend to hosts? If so, how, and how did you modify the sshguard.services file?

I will try to install next from git and see if that is successful.

Any help would be appreciated. My skills are limited, but I can spin up a few "sacrificial" Debian 10 VMs if you need someone to test a config with sshguard and nft.

In the past the hosts.deny backend seemed less memory intensive than the firewall backends (pf at the time), but nftables looks impressive.

Thank You,
Gordon