SSHguard & IPFW
Mark Felder
feld at FreeBSD.org
Thu Oct 1 15:43:48 UTC 2015
On Tue, Sep 29, 2015, at 07:59, Michael B. Eichorn wrote:
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kick off
> sshguard and not use sshguard enable, but this is now deprecated in
> favor of the new 'Log Sucker' introduced in v1.5.
>
I noted a problem in the PR that was just opened:
"Using sshguard via syslogd is convenient because it will auto-spawn a
new process if sshguard were to die. However, if syslogd receives a HUP
signal it sends a TERM to any piped children (by design). This kills
sshguard, removing the entries from your firewall's sshguard table.
You're now open to attacks by those on your blocklist until a new log
entry makes syslogd spawn a new sshguard process. This is very bad."
And syslogd can get HUPs hourly:
# Rotate log files every hour, if necessary.
0 * * * * root newsyslog
--
Mark Felder
ports-secteam member
feld at FreeBSD.org
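
Added example, not part of the original message or of sshguard itself: a small sh audit for the setup described above, which flags a syslog.conf action that pipes to sshguard and reports when cron runs newsyslog. The default paths, the `|command` pipe-action syntax and the sample sshguard path are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: flag a syslogd-spawned sshguard and show how often newsyslog runs.

# Print active syslog.conf lines whose action field is a pipe to sshguard.
piped_sshguard_lines() {
    awk '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            action = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", action)  # drop the selector field
            if (substr(action, 1, 1) == "|" && index(action, "sshguard"))
                print FNR ": " $0
        }' "$1"
}

# Print the time fields of system-crontab entries that run newsyslog.
newsyslog_schedules() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF >= 7 && $7 ~ "(^|/)newsyslog$" { print $1, $2, $3, $4, $5 }' "$1"
}

# Return 1 if sshguard is a piped child of syslogd, 0 otherwise.
audit_sshguard_pipe() {
    conf=${1:-/etc/syslog.conf}; cron=${2:-/etc/crontab}   # assumed default paths
    hits=$(piped_sshguard_lines "$conf")
    if [ -z "$hits" ]; then
        echo "OK: $conf does not pipe to sshguard"
        return 0
    fi
    echo "WARN: syslogd spawns sshguard; a HUP to syslogd will TERM it:"
    echo "$hits"
    sched=$(newsyslog_schedules "$cron")
    [ -n "$sched" ] && echo "newsyslog schedule(s) in $cron: $sched"
    return 1
}

# Constructed sample input (not from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#auth.info  |exec /old/sshguard' \
    'auth.info;authpriv.info    |exec /usr/local/sbin/sshguard' \
    '*.err    /var/log/messages' > "$tmp/syslog.conf"
printf '%s\n' '# Rotate log files every hour, if necessary.' \
    '0 * * * * root newsyslog' > "$tmp/crontab"
audit_sshguard_pipe "$tmp/syslog.conf" "$tmp/crontab" || echo "audit status: $?"
```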