FreeBSD Port: security/sshguard-pf
Stefan Esser
se at freebsd.org
Mon Apr 14 09:41:46 UTC 2014
On 14.04.2014 10:25, Benjamin Podszun wrote:
> Looking at the rc script and the diff [1] the problem's easy enough:
> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in the
> script/has no default value. Either the related line from the previous
> revision should be revived or the substitution should change to use
> ${pidfile}, which _is_ set.
I just installed sshguard on one of my servers and noticed the same
problem. The program is not started due to several bugs:
1) $sshguard_pidfile vs. $pidfile as noticed by you
2) Passing of log files to watch. They are correctly processed by
sshguard_prestart(), but the result is not pasted into the
command line. (You can manually add "-l <logfile>" options to
the command line in the rc script as a workaround ...)
There are other deficiencies:
a) The documentation lacks details about the mechanism used to block
attacks. E.g. in case of IPFW, blocking rules are injected in lines
55000 to 55050. You have to adapt your ruleset in such a way that
any to-be-blocked service is only enabled at a later line, or the
blocking is ineffective. This port range should be mentioned at
least in the pkg message for ipfw. Better would be a section in
the man page, which explains the mechanism used by each backend.
b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while
security/sshguard seems to work just fine with staging enabled.
This is probably an oversight: when sshguard was fixed/verified
for staging, the sub-ports were not marked as staging clean.
c) The MAKE_ARGS variable mentions ACLOCAL, AUTOCONF and AUTOMAKE, but
no dependencies are registered for any of them.
d) The master port's Makefile lists hosts, pf, and ipfw as possible
backends, selected by SSHGUARDFW, but does not mention ipfilter
as the fourth supported backend.
I did not have time to check the code quality of the parser. I'm a
bit suspicious that it might be possible to attack sshguard via
parameters passed under control of an attacker.
If you create a PR, you may want to add these points to the PR ...
Regards, Stefan
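As an added example (not code from this thread or from the sshguard port), a POSIX sh check for the ruleset-ordering requirement raised in point (a): it lists "allow tcp" rules for a protected service whose rule number lies below the range where sshguard-ipfw injects its deny rules. The `ipfw list` sample is constructed; the starting rule number 55000 is taken from the message.

```shell
#!/bin/sh
# Added example, not code from the thread or the sshguard port. ipfw
# evaluates rules in ascending order, so an "allow" for a protected
# service numbered below sshguard's block range (55000-55050 per the
# message) matches first and the injected deny rules never take effect.

SSHGUARD_FIRST_RULE=55000   # start of the injected block range (from the message)

# Constructed sample of `ipfw list` output (documentation address ranges);
# on a real host use: misordered_allows "$(ipfw list)" "22 25"
SAMPLE_RULES='00100 allow ip from any to any via lo0
00200 allow tcp from any to me 22 in setup
00300 allow tcp from any to me 25 in setup
55000 deny ip from 192.0.2.10 to any
55001 deny ip from 198.51.100.7 to any
60000 allow tcp from any to me 80 in setup
65535 deny ip from any to any'

# misordered_allows RULES PORTS: print every "allow tcp" rule whose destination
# port is in PORTS and whose number is below SSHGUARD_FIRST_RULE; return 1 if
# any were found, 0 otherwise. Plain variables (no "local") keep it POSIX sh.
misordered_allows() {
    rules=$1; ports=$2
    found=0
    while IFS= read -r line; do
        case $line in
            *" allow tcp "*) ;;          # only TCP allow rules are of interest
            *) continue ;;
        esac
        num=${line%% *}                  # leading rule number, e.g. 00200
        num=${num#"${num%%[!0]*}"}       # strip leading zeros (avoids octal)
        num=${num:-0}
        dst=${line##* to }               # "me 22 in setup": destination, then port
        set -- $dst; dport=${2:-}
        for p in $ports; do
            if [ "$dport" = "$p" ] && [ "$num" -lt "$SSHGUARD_FIRST_RULE" ]; then
                printf '%s\n' "$line"
                found=1
            fi
        done
    done <<EOF
$rules
EOF
    if [ "$found" -ne 0 ]; then return 1; fi
    return 0
}

if ! misordered_allows "$SAMPLE_RULES" "22 25"; then
    echo "allow rules above precede sshguard's block range; blocking is ineffective" >&2
fi
```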