FreeBSD Port: security/sshguard-pf

Chris Rees crees at bayofrum.net
Mon Apr 14 09:47:47 UTC 2014 


On 14 April 2014 10:36:18 BST, Stefan Esser <se at freebsd.org> wrote:
>Am 14.04.2014 10:25, schrieb Benjamin Podszun:
>> Looking at the rc script and the diff [1] the problem's easy enough:
>> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in
>the
>> script/has no default value. Either the related line from the
>previous
>> revision should be revived or the substitution should change to use
>> ${pidfile}, which _is_ set.
>
>I just installed sshguard on one of my servers and noticed the same
>problem. The program is not started due to several bugs:
>
>1) $sshguard_pidfile vs. $pidfile as noticed by you

This one's my fault, sorry.

>2) Pasing of log files to watch. They are correctly processed by
>   sshguard_prestart(), but the result is not pasted into the
>   command line. (You can manually add "-l <logfile>" options to
>   the command line in the rc script as a work around ...)

Don't think this one is, but I'll investigate.

Chris

>There are other deficiencies:
>
>a) The documentation lacks details about the mechanism used to block
>   attacks. E.g. in case of IPFW, blocking rules are injected in lines
>   55000 to 55050. You have to adapt your ruleset in such a way, that
>   any to-be-blocked service is only enabled at a later line, or the
>   blocking is ineffective. This port range should be mentioned at
>   least in the pkg message for ipfw. Better would be a section in
>   the man page, which explains the mechanism used by each backend.
>
>b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while
>   security/sshguard seems to work just fine with staging enabled.
>   This is probably an oversight: when sshguard was fixed/verified
>   for staging, the sub-ports where not marked as staging clean.
>
>c) The MAKE_ARGS variable mention ACLOCAL, AUTOCONF and AUTOMAKE, but
>   no dependencies are registered for any of them.
>
>d) The master port's Makefile lists hosts, pf, and ipfw as possible
>   backends, selected by SSHGUARDFW, but does not mention ipfilter
>   as the fourth supported backend.
>
>I did not have time to check the code quality of the parser. I'm a
>bit suspicious, that it might be possible to attack sshguard via
>parameters passed under control of an attacker.
>
>If you create a PR, you may want to add these points to the PR ...
>
>Regards, STefan

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the freebsd-ports mailing list