gi1242+debianb...@gmail.com wrote:
> Confirming I have this problem too. My /etc/sshguard/sshguard.conf has
>
> LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat
> SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
>
> The example provided by upstream has
>
> LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
>
> Changing it to this makes the problem go away. (Since I use postfix, I
> used "-t postfix/smtpd" instead of sendmail.)
I just woke up, but
I think the (unstated) underlying issue is that sshguard reads logs from
*ITSELF* and
considers those grounds for blocking?
The suggested fix is now only looking at log events for OpenSSH and
sendmail/postfix.
This will disable sshguard protection for other services (I personally care
about dovecot imapd):
enum service {
SERVICES_ALL = 0, //< anything
SERVICES_SSH = 100, //< ssh
SERVICES_SSHGUARD = 110, //< SSHGuard
SERVICES_UWIMAP = 200, //< UWimap for imap and pop daemon
SERVICES_DOVECOT = 210, //< dovecot
SERVICES_CYRUSIMAP = 220, //< cyrus-imap
SERVICES_CUCIPOP = 230, //< cucipop
SERVICES_EXIM = 240, //< exim
SERVICES_SENDMAIL = 250, //< sendmail
SERVICES_POSTFIX = 260, //< postfix
SERVICES_OPENSMTPD = 270, //< OpenSMTPD
SERVICES_COURIER = 280, //< Courier IMAP/POP
SERVICES_FREEBSDFTPD = 300, //< ftpd shipped with FreeBSD
SERVICES_PROFTPD = 310, //< ProFTPd
SERVICES_PUREFTPD = 320, //< Pure-FTPd
SERVICES_VSFTPD = 330, //< vsftpd
SERVICES_COCKPIT = 340, //< cockpit management dashboard
SERVICES_CLF_UNAUTH = 350, //< HTTP 401 in common log format
SERVICES_CLF_PROBES = 360, //< probes for common web services
SERVICES_CLF_WORDPRESS = 370, //< WordPress logins in common log
format
SERVICES_OPENVPN = 400, //< OpenVPN
};
The "CLF" ones are also ignored by Debian's default config due to lacking
something like
FILES="/var/log/nginx/access.log
/var/log/apache2/over_vhosts_something_something.log"
This is because they match NSCA "common log format" entries which (normally) go
to a dedicated file, not journal/syslog.
Systemd doesn't support something like "journalctl _UNIT!=sshguard.service".
Until it does, I think the suggested -t approach is probably the clearest &
safest, but
needs an exhaustive list, which can be a pain.
If I had a good answer, I'd have already filed a bug about this! :-(
PPS: I also had a go at patching in ".d dropin directory" support, but it
doesn't work quite right:
---
- hosts: all
tasks:
- name: sshguard config
tags: firewall, sshguard
block:
# FIXME: file a bug in Debian asking for native
/etc/sshguard/sshguard.conf.d/foo.conf "dropin" support.
# FIXME: by default sshguard reads from SYSLOG_FACILITY=AUTH|AUTHPRIV,
# i.e. it's reading from the journald equivalent of auth.log.
# HOWEVER, at a minimum, tinysshd logs to
SYSLOG_FACILITY=DAEMON.
# We need to verify that the journalctl policy actually
matches what we expect.
# FIXME: debian sshguard doesn't journalctl --system by default, so
# it will unnecessarily scan logs from per-user journals.
# FIXME: will journalctl show logs from systemd containers?
# i.e. without -M is it -M <host system> or -M <all> ?
# I suspect the answer is "you need --merge", BLERGH.
#
# FIXME: note that scanning nginx is only useful if nginx is actually
doing password auth!
#
# FIXME: if we can sensibly match all relevant services, adding e.g.
# -t ssh -t dovecot -t postfix@-
# to the journalctl command will be clear (*and* slightly
faster?)
- file: dest=/etc/systemd/system/sshguard.service.d state=directory
# sigh, no "make-parent-dirs: true"?
- copy:
dest:
/etc/systemd/system/sshguard.service.d/cyber-sshguard-conf-pseudo-dropin.conf
content: |
# /etc/sshguard.conf is sourced by a sh script.
# It doesn't have dropins built-in, so rather than adding ".
/etc/sshguard.conf",
# we can load the options in here.
# NOTE: due to the load order,
# entries in /etc/sshguard.conf entries will "win" over dropins
:-(
[Service]
EnvironmentFile=-/etc/sshguard/sshguard.conf
EnvironmentFile=-/etc/sshguard/sshguard.conf.d/*.conf
- file: dest=/etc/sshguard/sshguard.conf.d state=directory # sigh,
no "make-parent-dirs: true"?
- name: Ensure sshguard reads sees nginx (not JUST ssh/dovecot)
copy:
dest: /etc/sshguard/sshguard.conf.d/read-nginx.conf
content: |
# NOTE: sshguard will happily read from *BOTH* $LOGREADER
# and $FILES at the same time.
# The $FILES are read via "tail -F", so
# it will DTRT if the file doesn't exist yet, or is rotated.
# FIXME: this didn't work:
# FILES="$FILES /var/log/nginx/access.log"
# the error I saw was:
# tail: cannot open '$FILES' for reading: No such
file or directory
# This implies systemd EnvironmentFile= (above) isn't
doing what I expect!
# Since currently we don't append to FILES= in
sshguard.conf, just omit the broken $FILES.
# i.e. overwrite instead of (failing to) append.
FILES="/var/log/nginx/access.log"
