FreeBSD Port: security/sshguard-pf

Stefan Esser se at freebsd.org
Mon Apr 14 09:41:46 UTC 2014


Am 14.04.2014 10:25, schrieb Benjamin Podszun:
> Looking at the rc script and the diff [1] the problem's easy enough:
> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in the
> script/has no default value. Either the related line from the previous
> revision should be revived or the substitution should change to use
> ${pidfile}, which _is_ set.

I just installed sshguard on one of my servers and noticed the same
problem. The program is not started due to several bugs:

1) $sshguard_pidfile vs. $pidfile as noticed by you

2) Passing of log files to watch. They are correctly processed by
   sshguard_prestart(), but the result is not pasted into the
   command line. (You can manually add "-l <logfile>" options to
   the command line in the rc script as a workaround ...)

There are other deficiencies:

a) The documentation lacks details about the mechanism used to block
   attacks. E.g. in case of IPFW, blocking rules are injected in lines
   55000 to 55050. You have to adapt your ruleset in such a way that
   any to-be-blocked service is only enabled at a later line, or the
   blocking is ineffective. This port range should be mentioned at
   least in the pkg message for ipfw. Better would be a section in
   the man page, which explains the mechanism used by each backend.

b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while
   security/sshguard seems to work just fine with staging enabled.
   This is probably an oversight: when sshguard was fixed/verified
   for staging, the sub-ports were not marked as staging clean.

c) The MAKE_ARGS variable mentions ACLOCAL, AUTOCONF and AUTOMAKE, but
   no dependencies are registered for any of them.

d) The master port's Makefile lists hosts, pf, and ipfw as possible
   backends, selected by SSHGUARDFW, but does not mention ipfilter
   as the fourth supported backend.

I did not have time to check the code quality of the parser. I'm a
bit suspicious that it might be possible to attack sshguard via
parameters passed under control of an attacker.

If you create a PR, you may want to add these points to the PR ...

Regards, Stefan
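The ruleset-ordering pitfall in point a) above is easy to check mechanically. The script below is an added example, not code from the thread or from the sshguard port: it scans a saved `ipfw list` ruleset for allow rules that open a given service at a rule number lower than sshguard's block range, which would make the injected block rules ineffective. The range 55000-55050 is taken from the message above; the sample ruleset is constructed, and the `ipfw list` output format (rule number, action, body, no counters) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the sshguard-ipfw port): find
# ipfw "allow" rules for a service that are evaluated before the rule
# numbers sshguard-ipfw uses for its blocks (55000-55050 according to
# the message above). Input is plain `ipfw list` output (no -a counters).

SSHGUARD_FIRST_RULE=55000   # assumption: lower bound quoted from the message

# Constructed sample ruleset in `ipfw list` format. Rule 300 opens sshd
# before sshguard's range, so the blocks at 55000/55010 never match it;
# rule 56000 (http) is placed after the range and is fine.
SAMPLE_RULESET='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 allow tcp from any to me dst-port 22 in
55000 deny ip from 203.0.113.7 to me
55010 deny ip from 198.51.100.9 to me
56000 allow tcp from any to me dst-port 80 in
65535 deny ip from any to any'

# rules_shadowing_sshguard PORT
# Reads a ruleset on stdin and prints the numbers of allow rules
# (allow/accept/pass/permit are synonyms in ipfw(8)) that match
# "dst-port PORT" and sit below SSHGUARD_FIRST_RULE. Only the explicit
# "dst-port N" form is recognised; the "to me N" shorthand and dynamic
# (check-state/keep-state) rules are not covered by this check.
rules_shadowing_sshguard() {
    awk -v first="$SSHGUARD_FIRST_RULE" -v port="$1" '
        $2 ~ /^(allow|accept|pass|permit)$/ &&
        $0 ~ ("dst-port " port "( |$)") &&
        ($1 + 0) < first { print $1 + 0 }
    '
}

# check_port PORT
# Returns 0 if the sample ruleset lets sshguard protect PORT, 1 if some
# earlier allow rule shadows the block range (offending rules on stderr).
check_port() {
    hits=$(printf '%s\n' "$SAMPLE_RULESET" | rules_shadowing_sshguard "$1")
    if [ -n "$hits" ]; then
        echo "port $1: allowed before rule $SSHGUARD_FIRST_RULE by rule(s):" $hits >&2
        return 1
    fi
    return 0
}

# Stand-alone run: report on sshd and http.
for p in 22 80; do
    if check_port "$p"; then
        echo "port $p: ok, sshguard blocks are evaluated first"
    fi
done
```

To check a live system, replace the embedded sample with `ipfw list | rules_shadowing_sshguard 22`; a non-empty result means the service rule has to be moved to a number above 55050 (or the sshguard block range lowered) before the blocks have any effect.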

