ports/126867: security/sshguard-pf 1.1 fails to detect attempted logins
Mij
mij at bitchx.it
Wed Sep 10 09:40:03 UTC 2008
The following reply was made to PR ports/126867; it has been noted by GNATS.
From: Mij <mij at bitchx.it>
To: Michael <freebsdports at bindone.de>
Cc: bug-followup at FreeBSD.org
Subject: Re: ports/126867: security/sshguard-pf 1.1 fails to detect attempted logins
Date: Wed, 10 Sep 2008 11:24:14 +0200
The way syslog is configured in a default system wrt what finishes into "auth.log" should impact sshguard only if you poll its content with the so-called "tail+sshguard combo"
http://sshguard.sourceforge.net/doc/setup/loggingrawfile.html
Under FreeBSD this is not the recommended way (this is the way the port prepares the system), as the system implementation of syslog supports pipes to external tools:
http://sshguard.sourceforge.net/doc/setup/loggingsyslog.html
In this latter approach, no matter what the original configuration of the system is, syslog is set up to feed sshguard with both messages. Please check that as follows:
1) enable this line:
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
high in the /etc/syslog.conf file.
2) run /etc/rc.d/syslogd reload
If sshguard is still not blocking, you can investigate it further piping from syslog to an instance of tee that logs and passes through to sshguard.
On Sep 6, 2008, at 12:04 , Michael wrote:
> No, I'm talking about auth.log. Seriously.
> What about trying it on your own on a fresh install?
>
> Mij wrote:
>> The fact you say there is only a single line and "the system logs" makes me think you're considering /var/log/messages,
>> there authentication messages do not appear. What about /var/log/auth.log (or any other destination you set for auth.info)?
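A check for step 1 of the reply above, as an added example that is not part of the original message or of sshguard: it reports whether the pipe entry in a syslog.conf is active, covers both selectors, and is not trapped under a program or host block. It assumes FreeBSD syslog.conf(5) block semantics (a `!program` or `+host` line scopes later entries until `!*` or `+*`); the function name and the sample file are constructed.

```shell
#!/bin/sh
# Added example: verify that the sshguard pipe entry in a syslog.conf is live.
# check_sshguard_feed is a hypothetical helper name, not part of sshguard.
# Prints one of ok:N, commented:N, scoped:N, selector-incomplete:N, missing
# (N = line number) and returns 0 only for "ok".
check_sshguard_feed() {
    awk '
        # "!prog" / "+host" lines scope all later entries until "!*" / "+*".
        /^[!+]/ {
            tag = substr($1, 1, 1)
            scoped[tag] = ($1 != (tag "*"))
            next
        }
        # Remember a commented-out sshguard entry (how the line looks before
        # step 1 is done), then skip every comment line.
        /^[ \t]*#/ {
            if ($0 ~ /\|exec[ \t].*sshguard/) commented = NR
            next
        }
        /\|exec[ \t].*sshguard/ {
            if ($1 !~ /auth\.info/ || $1 !~ /authpriv\.info/)
                result = "selector-incomplete:" NR
            else if (scoped["!"] || scoped["+"])
                result = "scoped:" NR
            else
                result = "ok:" NR
            exit
        }
        END {
            if (result == "")
                result = (commented ? "commented:" commented : "missing")
            print result
            exit (result ~ /^ok:/ ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the entry sits below a "!ppp" block with no "!*" reset.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*.notice;authpriv.none /var/log/messages
!ppp
*.* /var/log/ppp.log
auth.info;authpriv.info |exec /usr/local/sbin/sshguard
EOF
check_sshguard_feed "$sample" || echo "entry is not live yet"
rm -f "$sample"
```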