gi1242+debianb...@gmail.com wrote:
> Confirming I have this problem too. My /etc/sshguard/sshguard.conf has
>
>     LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
>
> The example provided by upstream has
>
>     LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
>
> Changing it to this makes the problem go away. (Since I use postfix, I
> used "-t postfix/smtpd" instead of sendmail.)
I just woke up, but I think the (unstated) underlying issue is that sshguard reads logs from *ITSELF* and considers those grounds for blocking?

The suggested fix is now only looking at log events for OpenSSH and sendmail/postfix. This will disable sshguard protection for other services (I personally care about dovecot imapd):

    enum service {
        SERVICES_ALL = 0,              //< anything
        SERVICES_SSH = 100,            //< ssh
        SERVICES_SSHGUARD = 110,       //< SSHGuard
        SERVICES_UWIMAP = 200,         //< UWimap for imap and pop daemon
        SERVICES_DOVECOT = 210,        //< dovecot
        SERVICES_CYRUSIMAP = 220,      //< cyrus-imap
        SERVICES_CUCIPOP = 230,        //< cucipop
        SERVICES_EXIM = 240,           //< exim
        SERVICES_SENDMAIL = 250,       //< sendmail
        SERVICES_POSTFIX = 260,        //< postfix
        SERVICES_OPENSMTPD = 270,      //< OpenSMTPD
        SERVICES_COURIER = 280,        //< Courier IMAP/POP
        SERVICES_FREEBSDFTPD = 300,    //< ftpd shipped with FreeBSD
        SERVICES_PROFTPD = 310,        //< ProFTPd
        SERVICES_PUREFTPD = 320,       //< Pure-FTPd
        SERVICES_VSFTPD = 330,         //< vsftpd
        SERVICES_COCKPIT = 340,        //< cockpit management dashboard
        SERVICES_CLF_UNAUTH = 350,     //< HTTP 401 in common log format
        SERVICES_CLF_PROBES = 360,     //< probes for common web services
        SERVICES_CLF_WORDPRESS = 370,  //< WordPress logins in common log format
        SERVICES_OPENVPN = 400,        //< OpenVPN
    };

The "CLF" ones are also ignored by Debian's default config due to lacking something like

    FILES="/var/log/nginx/access.log /var/log/apache2/over_vhosts_something_something.log"

This is because they match NCSA "common log format" entries which (normally) go to a dedicated file, not journal/syslog.

Systemd doesn't support something like "journalctl _UNIT!=sshguard.service". Until it does, I think the suggested -t approach is probably the clearest & safest, but needs an exhaustive list, which can be a pain.

If I had a good answer, I'd have already filed a bug about this!
:-(

PPS: I also had a go at patching in ".d dropin directory" support, but it doesn't work quite right:

    ---
    - hosts: all
      tasks:
        - name: sshguard config
          tags: firewall, sshguard
          block:
            # FIXME: file a bug in Debian asking for native /etc/sshguard/sshguard.conf.d/foo.conf "dropin" support.
            # FIXME: by default sshguard reads from SYSLOG_FACILITY=AUTH|AUTHPRIV,
            #        i.e. it's reading from the journald equivalent of auth.log.
            #        HOWEVER, at a minimum, tinysshd logs to SYSLOG_FACILITY=DAEMON.
            #        We need to verify that the journalctl policy actually matches what we expect.
            # FIXME: debian sshguard doesn't journalctl --system by default, so
            #        it will unnecessarily scan logs from per-user journals.
            # FIXME: will journalctl show logs from systemd containers?
            #        i.e. without -M is it -M <host system> or -M <all> ?
            #        I suspect the answer is "you need --merge", BLERGH.
            #
            # FIXME: note that scanning nginx is only useful if nginx is actually doing password auth!
            #
            # FIXME: if we can sensibly match all relevant services, adding e.g.
            #            -t ssh -t dovecot -t postfix@-
            #        to the journalctl command will be clear (*and* slightly faster?)
            - file: dest=/etc/systemd/system/sshguard.service.d state=directory   # sigh, no "make-parent-dirs: true"?
            - copy:
                dest: /etc/systemd/system/sshguard.service.d/cyber-sshguard-conf-pseudo-dropin.conf
                content: |
                  # /etc/sshguard.conf is sourced by a sh script.
                  # It doesn't have dropins built-in, so rather than adding ". /etc/sshguard.conf",
                  # we can load the options in here.
                  # NOTE: due to the load order,
                  #       entries in /etc/sshguard.conf will "win" over dropins :-(
                  [Service]
                  EnvironmentFile=-/etc/sshguard/sshguard.conf
                  EnvironmentFile=-/etc/sshguard/sshguard.conf.d/*.conf
            - file: dest=/etc/sshguard/sshguard.conf.d state=directory   # sigh, no "make-parent-dirs: true"?

            - name: Ensure sshguard sees nginx (not JUST ssh/dovecot)
              copy:
                dest: /etc/sshguard/sshguard.conf.d/read-nginx.conf
                content: |
                  # NOTE: sshguard will happily read from *BOTH* $LOGREADER
                  #       and $FILES at the same time.
                  #       The $FILES are read via "tail -F", so
                  #       it will DTRT if the file doesn't exist yet, or is rotated.
                  # FIXME: this didn't work:
                  #            FILES="$FILES /var/log/nginx/access.log"
                  #        the error I saw was:
                  #            tail: cannot open '$FILES' for reading: No such file or directory
                  #        This implies systemd EnvironmentFile= (above) isn't doing what I expect!
                  #        Since currently we don't append to FILES= in sshguard.conf, just omit the broken $FILES.
                  #        i.e. overwrite instead of (failing to) append.
                  FILES="/var/log/nginx/access.log"
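Since journalctl has no negative match (nothing like `_UNIT!=sshguard.service`), the other way round the "sshguard reads its own log lines" problem is to keep journalctl unfiltered and drop sshguard's own entries in a small filter that sits between `journalctl -o json` and sshguard in LOGREADER. The script below is an added example written for this thread; it is not sshguard's, Debian's, or the poster's code. It keys the exclusion on `_SYSTEMD_UNIT` (an underscore-prefixed "trusted" field that journald fills in from the sender's credentials, so a process cannot spoof it) and falls back to `SYSLOG_IDENTIFIER` (which the logging process chooses itself), then re-emits every surviving entry as a classic `Mon DD HH:MM:SS host ident[pid]: message` line. The journal field names used (`MESSAGE`, `SYSLOG_IDENTIFIER`, `_SYSTEMD_UNIT`, `_HOSTNAME`, `_PID`, `_COMM`, `__REALTIME_TIMESTAMP`) are the ones `journalctl -o json` emits; the four sample entries are constructed, the LOGREADER invocation in the docstring is an assumption, and it is likewise an assumption that sshguard will parse syslog-prefixed lines arriving via LOGREADER (it parses that format from FILES). Two edge cases are handled: `journalctl -o json` encodes non-UTF-8 `MESSAGE` values as an array of byte values, and a malformed line must not kill the whole stream.

```python
#!/usr/bin/env python3
"""Drop sshguard's own journal entries before they reach sshguard.

Added example, not part of sshguard or Debian.  Intended wiring (assumption):
    LOGREADER="LANG=C journalctl -afb --system -o json | /usr/local/bin/journal-filter.py"
(-a is needed so long fields are not replaced by null in the JSON output.)
"""
import json
import sys
from datetime import datetime, timezone

# Entries from these units / identifiers must never be fed back into sshguard.
# _SYSTEMD_UNIT is set by journald from the sender's credentials; SYSLOG_IDENTIFIER
# is chosen by the sender, so it is only a fallback for non-unit processes.
EXCLUDED_UNITS = {"sshguard.service"}
EXCLUDED_IDENTIFIERS = {"sshguard"}


def _as_text(value):
    """journalctl -o json emits non-UTF-8 fields as a list of byte values;
    normalise everything to str so the filter never crashes on odd input."""
    if isinstance(value, list):
        return bytes(value).decode("utf-8", "replace")
    if value is None:
        return ""
    return str(value)


def is_self_log(entry):
    """True if this journal entry was written by sshguard itself."""
    return (_as_text(entry.get("_SYSTEMD_UNIT")) in EXCLUDED_UNITS
            or _as_text(entry.get("SYSLOG_IDENTIFIER")) in EXCLUDED_IDENTIFIERS)


def to_syslog_line(entry):
    """Render an entry as 'Mon DD HH:MM:SS host ident[pid]: msg' (UTC timestamp)."""
    usec = int(_as_text(entry.get("__REALTIME_TIMESTAMP")) or 0)
    stamp = datetime.fromtimestamp(usec / 1e6, tz=timezone.utc).strftime("%b %d %H:%M:%S")
    host = _as_text(entry.get("_HOSTNAME")) or "localhost"
    ident = _as_text(entry.get("SYSLOG_IDENTIFIER")) or _as_text(entry.get("_COMM")) or "unknown"
    pid = _as_text(entry.get("_PID"))
    proc = f"{ident}[{pid}]" if pid else ident
    msg = _as_text(entry.get("MESSAGE")).replace("\n", " ")  # one entry -> exactly one line
    return f"{stamp} {host} {proc}: {msg}"


def filter_lines(lines):
    """Yield syslog-style lines for every entry that is not sshguard's own output.
    Blank or malformed JSON lines are skipped instead of aborting the stream."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if is_self_log(entry):
            continue
        yield to_syslog_line(entry)


# Constructed sample input: an sshd failure (keep), an sshguard "Attack from" line (drop),
# a dovecot failure (keep) and an sshd entry whose MESSAGE is a non-UTF-8 byte array (keep).
SAMPLE = [
    '{"__REALTIME_TIMESTAMP":"1700000000000000","_HOSTNAME":"mx","SYSLOG_IDENTIFIER":"sshd","_PID":"4242","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2"}',
    '{"__REALTIME_TIMESTAMP":"1700000001000000","_HOSTNAME":"mx","SYSLOG_IDENTIFIER":"sshguard","_PID":"1","_SYSTEMD_UNIT":"sshguard.service","MESSAGE":"Attack from \\"203.0.113.7\\" on service 100 with danger 10."}',
    '{"__REALTIME_TIMESTAMP":"1700000002000000","_HOSTNAME":"mx","SYSLOG_IDENTIFIER":"dovecot","_PID":"777","_SYSTEMD_UNIT":"dovecot.service","MESSAGE":"imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=198.51.100.9"}',
    '{"__REALTIME_TIMESTAMP":"1700000003000000","_HOSTNAME":"mx","SYSLOG_IDENTIFIER":"sshd","_PID":"4243","_SYSTEMD_UNIT":"ssh.service","MESSAGE":[73,110,118,97,108,105,100,32,117,115,101,114,32,255]}',
]

if __name__ == "__main__":
    # Read the journal from stdin when piped; fall back to the sample for a dry run.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for line in filter_lines(source):
        print(line, flush=True)  # flush per line so sshguard sees events immediately
```

Two caveats. Filtering on a journald-supplied field rather than on the message text matters because the text of an auth failure contains attacker-chosen strings (the username, for one), so a `grep -v sshguard` on `-o cat` output would be trivially bypassed or abused. And since sshguard's parser has a service entry for its own "Attack from" lines (SERVICES_SSHGUARD = 110 in the enum above), dropping every entry from sshguard.service also disables that matching; that is the intended effect here, but it is worth knowing if you relied on it.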