ports/113663: rc.d startup script for sshguard

Jeremy Chadwick koitsu at FreeBSD.org
Wed Jun 13 18:30:05 UTC 2007


>Number:         113663
>Category:       ports
>Synopsis:       rc.d startup script for sshguard
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 13 18:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD eos.sc1.parodius.com 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Mar 8 10:41:09 PST 2007 root at eos.sc1.parodius.com:/usr/obj/usr/src/sys/EOS i386
>Description:
	sysutils/sshguard (and sshguard-ipfw/sshguard-pf) when installed
	out-of-the-box relies upon the syslog.conf "|" mechanism to run
	sshguard.  There's one major issue with this method, as I found
	out this morning: newsyslog sends a SIGHUP to syslogd at midnight
	(so it will reopen its logfiles), thus the pipe to sshguard gets
	closed and sshguard is respawned.

	When sshguard is respawned, it empties the pf <sshguard> table
	of all entries.  Therefore every night at midnight, you lose all
	blocked IPs which sshguard has spent time adding over the past day.

	To alleviate this, I decided it would be best to make a startup
	rc.d script for sshguard which did tail -n0 -F /var/log/auth.log | sshguard &.

	It would be beneficial if someone could review the rc.d script
	for mistakes/oversights.  It does work (tested on RELENG_6), but
	I did not try all of the rc.subr commands (status/poll/etc.).
	Just stop/start/restart.  I'm particularly concerned over
	which rcorder(8) strings are needed.

	Also: the port installation mechanism would need to be changed
	to not modify syslog.conf, because that mechanism won't be
	needed any longer.  :-)
>How-To-Repeat:
	n/a
>Fix:
#!/bin/sh
#
# PROVIDE: sshguard
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable sshguard:
# sshguard_enable (bool):	Set it to "YES" to enable sshguard.
#				Default is "NO".
# sshguard_pidfile (path):	Set full path to sshguard.pid.
#				Default is "/var/run/sshguard.pid".
# sshguard_logfile (path):	Set full path to syslog logfile which
#				contains LOG_AUTH syslog facility logs.
#				Default is "/var/log/auth.log".
# sshguard_flags (str):		Flags passed to sshguard on startup.
#				Default is "".
#

. /etc/rc.subr

name="sshguard"
rcvar=`set_rcvar`

load_rc_config $name

: ${sshguard_enable="NO"}
: ${sshguard_pidfile="/var/run/sshguard.pid"}
: ${sshguard_logfile="/var/log/auth.log"}
: ${sshguard_flags=""}

# Set $procname to tail, because that's the process we want to kill on
# stop/restart.  We do not want to kill sshguard itself.   Killing tail
# will take care of that automatically (pipe gets closed).

sshguard_procname="/usr/local/sbin/sshguard"
pidfile=${sshguard_pidfile}
procname="tail"
tailcmd="${procname} -n0 -F ${sshguard_logfile}"

start_cmd=${name}_start

sshguard_checklogfile() {
	if [ ! -r "${sshguard_logfile}" ]; then
		echo "'sshguard_logfile' is unreadable or missing (file=${sshguard_logfile})."
		exit 1
	fi
}

sshguard_checkpid() {
	pid=`check_pidfile ${pidfile} ${procname}`

	if [ 0"$pid" -gt 1 ]; then
		echo "${name} already running? (pid of tail=$pid)."
		exit 1
	fi
}

sshguard_start() {
	sshguard_checklogfile
	sshguard_checkpid

	sh -c "echo \$\$ > ${pidfile} && exec ${tailcmd}" | ${sshguard_procname} ${sshguard_flags} 2>/dev/null &
	echo "Starting ${name}."
}

run_rc_command "$1"

>Release-Note:
>Audit-Trail:
>Unformatted:
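As an added illustration (not part of the PR and not the sshguard port's own code), the following POSIX sh harness exercises the same `sh -c "echo \$\$ > pidfile && exec tail -n0 -F log" | consumer` pattern that sshguard_start uses, with `cat` standing in for sshguard: it verifies that the recorded PID really belongs to tail (the check_pidfile procname test), that appended log lines reach the consumer, and that killing only tail closes the pipe so the consumer exits on its own. All demo_* names and the temporary paths are assumptions made for this example.

```shell
# Added demo (not from the PR): exercises the pidfile-in-subshell pipeline used by
# sshguard_start; `cat` stands in for sshguard, demo_* names/paths are assumptions.

demo_dir="${TMPDIR:-/tmp}/sshguard-demo.$$"
demo_logfile="$demo_dir/auth.log"     # stand-in for /var/log/auth.log
demo_pidfile="$demo_dir/tail.pid"     # what sshguard_pidfile would hold
demo_seenfile="$demo_dir/seen.log"    # every line the consumer received
demo_donefile="$demo_dir/done"        # created when the consumer exits

demo_start() {
    mkdir -p "$demo_dir" && : > "$demo_logfile" && : > "$demo_seenfile" || return 1
    # Same shape as the PR: the subshell records its own PID, then exec
    # replaces it with tail, so the PID file names the tail process.
    # The consumer copies stdin until EOF, then marks that it has exited.
    sh -c "echo \$\$ > $demo_pidfile && exec tail -n0 -F $demo_logfile" \
        | sh -c "cat >> $demo_seenfile; : > $demo_donefile" &
    sleep 1
    demo_status
}

# Mirrors check_pidfile(): the PID must exist and belong to a tail process.
demo_status() {
    pid=$(cat "$demo_pidfile" 2>/dev/null) || return 1
    kill -0 "$pid" 2>/dev/null || return 1
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || ps -o comm= -p "$pid")
    [ "$comm" = tail ]
}

# Append a line to the demo "auth.log" and wait until it reaches the consumer.
demo_feed() {
    echo "$1" >> "$demo_logfile"
    i=0
    while ! grep -qF -- "$1" "$demo_seenfile" && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    grep -qF -- "$1" "$demo_seenfile"
}

# Kill only tail (procname in the PR); the closed pipe makes the consumer exit.
demo_stop() {
    pid=$(cat "$demo_pidfile" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null || return 1
    i=0
    while [ ! -e "$demo_donefile" ] && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    [ -e "$demo_donefile" ] || return 1
    rm -rf "$demo_dir"
}
```

Run demo_start, demo_feed with a constructed auth.log line, then demo_stop; demo_status reports a running tail only between start and stop.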