Bug 203452

Summary: security/sshguard update pkg-message to remove syslogd references
Product: Ports & Packages Reporter: Ike Eichorn <ike>
Component: Individual Port(s)Assignee: Mark Felder <feld>
Status: Closed FIXED    
Severity: Affects Some People CC: woodsb02
Priority: --- Flags: bugzilla: maintainer-feedback? (feld)
Version: Latest   
Hardware: Any   
OS: Any   

Description Ike Eichorn 2015-09-30 12:49:01 UTC
Prior to sshguard 1.5 the method described in pkg-message was appropriate. V1.5 had a major logging system rewrite and this is no longer the preferred method. [1]

The current design of sshguard requires no configuration, as such adding sshguard_enable="YES" in rc.conf is all that is needed.

[1] http://www.sshguard.net/docs/setup/
Comment 1 Ben Woods freebsd_committer freebsd_triage 2015-09-30 13:07:02 UTC
Refer to the following link for background discussion on the freebsd-questions@ mailing list that led to this PR:
https://lists.freebsd.org/pipermail/freebsd-questions/2015-September/268434.html
Comment 2 Mark Felder freebsd_committer freebsd_triage 2015-10-01 15:35:37 UTC
(In reply to Ben Woods from comment #1)

Syslogd is still a valid use case for sshguard, but there's a potentially unresolvable bug that I've been talking to Kevin about. 

Using sshguard via syslogd is convenient because it will auto-spawn a new process if sshguard were to die. However, if syslogd receives a HUP signal it sends a TERM to any piped children (by design). This kills sshguard, removing the entries from your firewall's sshguard table. You're now open to attacks by those on your blocklist until a new log entry makes syslogd spawn a new sshguard process. This is very bad.

I've been considering adding a warning telling users to *not* use sshguard via syslogd.
Comment 3 Ike Eichorn 2015-10-03 02:33:35 UTC
(In reply to Mark Felder from comment #2)

After looking deeper into this I concede that using syslogd (aside from that rather tough bug) as well as other methods of feeding logs into sshguard are perfectly valid and indeed falls within the stated purpose of sshguard.

I suppose my concern is that for a significant number of users pkg-message is become a primary source for configuration information. Since it appears that upstream has attempted to remove any requirement (though not possibility) to do setup using logging systems, it seems prudent to at least (bug aside) change the order of configuration recommendations to prefer the rc.d daemon.

My thought is that for the vast number of users the best course would to tell them the rc.d daemon can be enabled with sshguard_enable="YES" and that additional configuration information is at sshguard.net/docs/setup (e.g pf rules). Since the syslogd configuration is documented there, the information is not lost, but it is not promoted as the first option.
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-10-13 01:14:58 UTC
A commit references this bug:

Author: feld
Date: Tue Oct 13 01:14:27 UTC 2015
New revision: 399172
URL: https://svnweb.freebsd.org/changeset/ports/399172

Log:
  security/sshgaurd: Update to 1.6.2

  * Remove recommendation of using syslog pipes
  * IPFW support has been rewritten and entries now are added to table 22

  PR:		203452

Changes:
  head/security/sshguard/Makefile
  head/security/sshguard/distinfo
  head/security/sshguard/files/pkg-message.in