SSHguard & IPFW

Mark Felder feld at
Thu Oct 1 15:43:48 UTC 2015

On Tue, Sep 29, 2015, at 07:59, Michael B. Eichorn wrote:
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kickoff
> sshguard and not use sshguard enable, but this is now depreciated in
> favor of the new 'Log Sucker' introduced in v1.5.

I noted a problem in the PR that was just opened:

"Using sshguard via syslogd is convenient because it will auto-spawn a
new process if sshguard were to die. However, if syslogd receives a HUP
signal it sends a TERM to any piped children (by design). This kills
sshguard, removing the entries from your firewall's sshguard table.
You're now open to attacks by those on your blocklist until a new log
entry makes syslogd spawn a new sshguard process. This is very bad."

And syslogd can get HUPs hourly:

# Rotate log files every hour, if necessary.
0       *       *       *       *       root    newsyslog

  Mark Felder
  ports-secteam member
  feld at

More information about the freebsd-questions mailing list