gi1242+debianb...@gmail.com wrote:
> Confirming I have this problem too. My /etc/sshguard/sshguard.conf has
> 
     LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
> 
> The example provided by upstream has
> 
>     LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
> 
> Changing it to this makes the problem go away. (Since I use postfix, I
> used "-t postfix/smtpd" instead of sendmail.)

I just woke up, but
I think the (unstated) underlying issue is that sshguard reads logs from *ITSELF* and
considers those grounds for blocking?

The suggested fix is now only looking at log events for OpenSSH and sendmail/postfix.
This will disable sshguard protection for other services (I personally care about dovecot imapd):

    enum service {
        SERVICES_ALL            = 0,    //< anything
        SERVICES_SSH            = 100,  //< ssh
        SERVICES_SSHGUARD       = 110,  //< SSHGuard
        SERVICES_UWIMAP         = 200,  //< UWimap for imap and pop daemon
        SERVICES_DOVECOT        = 210,  //< dovecot
        SERVICES_CYRUSIMAP      = 220,  //< cyrus-imap
        SERVICES_CUCIPOP        = 230,  //< cucipop
        SERVICES_EXIM           = 240,  //< exim
        SERVICES_SENDMAIL       = 250,  //< sendmail
        SERVICES_POSTFIX        = 260,  //< postfix
        SERVICES_OPENSMTPD      = 270,  //< OpenSMTPD
        SERVICES_COURIER        = 280,  //< Courier IMAP/POP
        SERVICES_FREEBSDFTPD    = 300,  //< ftpd shipped with FreeBSD
        SERVICES_PROFTPD        = 310,  //< ProFTPd
        SERVICES_PUREFTPD       = 320,  //< Pure-FTPd
        SERVICES_VSFTPD         = 330,  //< vsftpd
        SERVICES_COCKPIT        = 340,  //< cockpit management dashboard
        SERVICES_CLF_UNAUTH     = 350,  //< HTTP 401 in common log format
        SERVICES_CLF_PROBES     = 360,  //< probes for common web services
        SERVICES_CLF_WORDPRESS  = 370,  //< WordPress logins in common log format
        SERVICES_OPENVPN        = 400,  //< OpenVPN
    };

The "CLF" ones are also ignored by Debian's default config due to lacking something like

    FILES="/var/log/nginx/access.log /var/log/apache2/over_vhosts_something_something.log"

This is because they match NCSA "common log format" entries which (normally) go to a dedicated file, not journal/syslog.

Systemd doesn't support something like "journalctl _UNIT!=sshguard.service".
Until it does, I think the suggested -t approach is probably the clearest & safest, but
needs an exhaustive list, which can be a pain.
If I had a good answer, I'd have already filed a bug about this! :-(


PPS: I also had a go at patching in ".d dropin directory" support, but it doesn't work quite right:

    ---
    - hosts: all
      tasks:
        - name: sshguard config
          tags: firewall, sshguard
          block:
          # FIXME: file a bug in Debian asking for native /etc/sshguard/sshguard.conf.d/foo.conf "dropin" support.
          # FIXME: by default sshguard reads from SYSLOG_FACILITY=AUTH|AUTHPRIV,
          #        i.e. it's reading from the journald equivalent of auth.log.
          #        HOWEVER, at a minimum, tinysshd logs to SYSLOG_FACILITY=DAEMON.
          #        We need to verify that the journalctl policy actually matches what we expect.
          # FIXME: debian sshguard doesn't journalctl --system by default, so
          #        it will unnecessarily scan logs from per-user journals.
          # FIXME: will journalctl show logs from systemd containers?
          #        i.e. without -M is it -M <host system> or -M <all> ?
          #        I suspect the answer is "you need --merge", BLERGH.
          #
          # FIXME: note that scanning nginx is only useful if nginx is actually doing password auth!
          #
          # FIXME: if we can sensibly match all relevant services, adding e.g.
          #          -t ssh -t dovecot -t postfix@-
          #        to the journalctl command will be clear (*and* slightly faster?)
          - file: dest=/etc/systemd/system/sshguard.service.d state=directory  # sigh, no "make-parent-dirs: true"?
          - copy:
              dest: /etc/systemd/system/sshguard.service.d/cyber-sshguard-conf-pseudo-dropin.conf
              content: |
                # /etc/sshguard.conf is sourced by a sh script.
                # It doesn't have dropins built-in, so rather than adding ". /etc/sshguard.conf",
                # we can load the options in here.
                # NOTE: due to the load order,
                # entries in /etc/sshguard.conf will "win" over dropins :-(
                [Service]
                EnvironmentFile=-/etc/sshguard/sshguard.conf
                EnvironmentFile=-/etc/sshguard/sshguard.conf.d/*.conf
          - file: dest=/etc/sshguard/sshguard.conf.d state=directory  # sigh, no "make-parent-dirs: true"?
          - name: Ensure sshguard sees nginx (not JUST ssh/dovecot)
            copy:
              dest: /etc/sshguard/sshguard.conf.d/read-nginx.conf
              content: |
                # NOTE: sshguard will happily read from *BOTH* $LOGREADER
                # and $FILES at the same time.
                # The $FILES are read via "tail -F", so
                # it will DTRT if the file doesn't exist yet, or is rotated.
                # FIXME: this didn't work:
                #            FILES="$FILES /var/log/nginx/access.log"
                #        the error I saw was:
                #            tail: cannot open '$FILES' for reading: No such file or directory
                #        This implies systemd EnvironmentFile= (above) isn't doing what I expect!
                #        Since currently we don't append to FILES= in sshguard.conf, just omit the broken $FILES.
                #        i.e. overwrite instead of (failing to) append.
                FILES="/var/log/nginx/access.log"
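One way around the missing "_UNIT!=" match, as an added example that is not from this thread or from sshguard itself: a small filter placed between "journalctl -o json" and sshguard that drops sshguard's own journal entries while still passing every other service's (so dovecot, exim etc. stay protected, unlike the -t allow-list). Running LOGREADER as a shell pipeline, the unit name sshguard.service and the identifiers sshguard/sshg-blocker are assumptions; the journal entries in SAMPLE_LINES are constructed.

```python
"""Drop sshguard's own journal entries before they reach the sshguard parser.
journalctl has no "_SYSTEMD_UNIT != x" match, so the exclusion happens here.
Assumed use (LOGREADER as a shell pipeline; not from the thread):
  LOGREADER="LANG=C journalctl -afb -p info -n1 -o json SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | python3 drop_self.py"
Reads 'journalctl -o json' lines, prints the bare MESSAGE like '-o cat' would."""
import json
import sys

# Assumed names under which sshguard's own output appears in the journal.
SELF_UNITS = {"sshguard.service"}
SELF_IDENTIFIERS = {"sshguard", "sshg-blocker"}

# Constructed entries (not real logs); the third uses journalctl's byte-array MESSAGE form.
SAMPLE_LINES = [
    '{"_SYSTEMD_UNIT":"ssh.service","SYSLOG_IDENTIFIER":"sshd",'
    '"MESSAGE":"Failed password for invalid user admin from 192.0.2.10 port 4242 ssh2"}',
    '{"_SYSTEMD_UNIT":"sshguard.service","SYSLOG_IDENTIFIER":"sshguard",'
    '"MESSAGE":"Blocking 192.0.2.10 for 120 secs"}',
    '{"_SYSTEMD_UNIT":"dovecot.service","SYSLOG_IDENTIFIER":"dovecot",'
    '"MESSAGE":[105,109,97,112,45,108,111,103,105,110]}',
    "not json at all",
]

def message_text(entry):
    """Return MESSAGE as text, decoding journalctl's byte-array form for non-UTF-8 data."""
    msg = entry.get("MESSAGE", "")
    if isinstance(msg, list):
        return bytes(msg).decode("utf-8", "replace")
    return str(msg)

def is_self(entry):
    """True when sshguard itself wrote the entry."""
    return (entry.get("_SYSTEMD_UNIT") in SELF_UNITS
            or entry.get("SYSLOG_IDENTIFIER") in SELF_IDENTIFIERS)

def filter_entries(lines):
    """Yield MESSAGE text of every entry not written by sshguard. Non-JSON
    lines are dropped, not forwarded: they would only confuse the parser."""
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        if isinstance(entry, dict) and not is_self(entry):
            yield message_text(entry)

if __name__ == "__main__":
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for msg in filter_entries(source):
        print(msg, flush=True)  # flush: 'journalctl -f' delivers events live
```

Run without stdin attached it filters the constructed sample; in a real pipeline it consumes journalctl's live JSON stream.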
