SshGuard is just a layer of the onion, not the sole solution. Most methods you can, with certain degrees of effort and stubbornness, circumvent or break.

/hasse

-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of David Diggles
Sent: 26 July 2012 05:57
To: [email protected]
Subject: Re: sshguard

How secure is the principle of log sucking for anything more than stats?
The inherent assumptions are risky, I would think. I mean, if someone could deliberately craft certain strings with spaces or tabs that get passed, then they could subvert the sucking script. There is an absolute reliance on the syslog behaving in a certain way under all conditions!

On Wed, Jul 25, 2012 at 09:50:40AM -0600, Chris Lobkowicz wrote:
> sshguard prefers to use the "log-sucker" way of parsing authlog. I
> don't even have a mention of sshguard in syslog.conf.
>
> The rc script just basically daemonises sshguard and points it at
> /var/log/authlog:
>
> # /etc/rc.d/sshguard
> daemon="/usr/local/sbin/sshguard"
> # REALLY touchy version
> daemon_flags="-a 3 -l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
> # Less touchy version
> #daemon_flags="-l /var/log/authlog -w /var/db/sshguard/friends.db -b 5:/var/db/sshguard/blacklist.db"
>
> . /etc/rc.d/rc.subr
>
> rc_bg=YES
> rc_reload=NO
>
> rc_cmd $1
>
> sshguard documentation on their website is quite thorough on how to
> install/use. The documentation on how to tweak is a little lacking though.
>
> All that is missing from an install of sshguard is the required
> entries into pf.conf, and which log files to monitor in the rc script.
>
> Works very, very well, I might add.
>
> Good luck!
>
> Cheers
> Chris
>
> On 25/07/2012 08:04, Otto Moerbeek wrote:
> > On Wed, Jul 25, 2012 at 02:25:44PM +0200, Hasse Hansson wrote:
> >
> >> Hello all.
> >> # uname -a
> >> OpenBSD odin.thorshammare.org 5.2 GENERIC#13 i386
> >>
> >> sshguard-1.5
> >> Are we not supposed to use the entry in /etc/syslog.conf anymore?
> >> " auth.info;authpriv.info |/usr/local/sbin/sshguard "
> >>
> >> I get a message on my console saying:
> >> syslogd: unknown priority name "info |/usr/local/sbin/sshguard"
> >>
> >> The info about the syslog.conf entry seems to be gone in the
> >> install message too.
> >>
> >> All the best
> >> Hasse
> >
> > syslog is very picky about the difference between spaces and tabs.
> > Always use one or more tabs.
> >
> > -Otto
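Otto's tab rule, worked through as an added example (not code from the thread, from OpenBSD's syslogd or from sshguard): a small Python model of a tab-only syslog.conf parser that reproduces the console message Hasse quoted and suggests the corrected line. It assumes only what the thread states, that the selector field ends at the first tab, and it uses the standard syslog facility and priority names; real syslogd implementations accept more syntax than this model does.

```python
"""Lint syslog.conf selector lines the way a tab-only BSD syslogd reads them.

Added example, not code from the thread, from OpenBSD or from sshguard.  It
assumes only the rule Otto states: the selector field ends at the first TAB,
so a space between selector and action is swallowed into the priority name.
The facility and priority tables are the standard syslog names; real syslogd
implementations accept more syntax (e.g. '=' or '!' prefixes on some systems)
than this model handles.
"""
import re

FACILITIES = {"*", "auth", "authpriv", "cron", "daemon", "ftp", "kern",
              "lpr", "mail", "news", "syslog", "user", "uucp",
              *(f"local{i}" for i in range(8))}
PRIORITIES = {"*", "none", "debug", "info", "notice", "warning",
              "err", "crit", "alert", "emerg"}


def parse_selector_line(line):
    """Return ([(facility, priority), ...], action) or raise ValueError.

    Mirrors the parse order syslogd uses: every selector is checked before
    the action is looked at, which is why a missing tab surfaces as an
    'unknown priority name' error rather than a 'missing action' error.
    """
    selector, tab, action = line.partition("\t")
    pairs = []
    for spec in selector.split(";"):
        facilities, _, priority = spec.partition(".")
        if priority not in PRIORITIES:
            raise ValueError(f'unknown priority name "{priority}"')
        for facility in facilities.split(","):
            if facility not in FACILITIES:
                raise ValueError(f'unknown facility name "{facility}"')
            pairs.append((facility, priority))
    action = action.lstrip("\t")
    if not tab or not action:
        raise ValueError("selector and action must be separated by one or more tabs")
    return pairs, action


def check_line(line):
    """Report one line in the form the console message in the thread takes."""
    try:
        pairs, action = parse_selector_line(line)
    except ValueError as exc:
        return f"syslogd: {exc}"
    return "ok: " + ";".join(f"{f}.{p}" for f, p in pairs) + " -> " + action


def suggest_fix(line):
    """Replace the first run of spaces after the selector with a tab.

    Lines that already contain a tab are returned unchanged.
    """
    if "\t" in line:
        return line
    return re.sub(r"^(\S+) +", r"\1\t", line, count=1)


if __name__ == "__main__":
    # Constructed sample: the line from Hasse's mail, with its space,
    # followed by the tab-separated version the lint proposes.
    bad = "auth.info;authpriv.info |/usr/local/sbin/sshguard"
    print(check_line(bad))
    fixed = suggest_fix(bad)
    print(repr(fixed))
    print(check_line(fixed))
```

Run against the line from Hasse's mail, `check_line` returns exactly the diagnostic he saw, because the parser reads `info |/usr/local/sbin/sshguard` as the priority of the `authpriv` facility; with a tab in place of the space the same line parses into two selectors and the pipe action.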

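David's concern about log sucking, as an added example that is neither sshguard's parser nor code from anyone in the thread: a naive token-based extractor beside an anchored, validating one, both run over constructed authlog lines in the OpenSSH "Failed password for ... from ADDR port N ssh2" format. The hostname odin, the process ids and the addresses are constructed sample data, and the format itself is an assumption about what sshd writes to /var/log/authlog.

```python
"""Naive versus anchored extraction of the source address from sshd authlog lines.

Added example; not sshguard's parser and not code from anyone in the thread.
It assumes the OpenSSH message format
  'sshd[PID]: Failed password for [invalid user] USER from ADDR port N ssh2'
as written to /var/log/authlog, and that USER is supplied by the remote side
while ADDR and the trailing 'port N ssh2' are appended by sshd itself.
All log lines below are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: three failed logins and one accepted key login.
# Line 3 has a user name containing whitespace and the word 'from', the
# kind of input David's message worries about.
LOG_LINES = [
    "Jul 25 14:20:01 odin sshd[1234]: Failed password for root from 198.51.100.7 port 51022 ssh2",
    "Jul 25 14:20:05 odin sshd[1235]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2",
    "Jul 25 14:20:09 odin sshd[1236]: Failed password for invalid user guest from 192.0.2.44 port 22 ssh2 from 198.51.100.7 port 51041 ssh2",
    "Jul 25 14:20:12 odin sshd[1237]: Accepted publickey for hasse from 203.0.113.5 port 40000 ssh2",
]


def naive_source_address(line):
    """Take the token after the first 'from': what a quick awk-style script does.

    It does not check that the line is a failure at all, and it trusts the
    first 'from' it sees, which may sit inside the remotely chosen user name.
    """
    tokens = line.split()
    if "from" in tokens:
        return tokens[tokens.index("from") + 1]
    return None


# Anchored on the end of the line: the address must be followed by
# 'port N ssh2' and nothing else, so text inside USER cannot pose as it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>.+?) from (?P<addr>\S+) port \d+ ssh2$"
)


def strict_source_address(line):
    """Return the source address only for a failed login whose tail matches
    the sshd format exactly and whose address parses as an IP; otherwise None.
    """
    match = FAILED_RE.search(line)
    if match is None:
        return None
    try:
        return str(ipaddress.ip_address(match.group("addr")))
    except ValueError:
        return None  # not an address: refuse to guess rather than act on a name


def source_counts(lines, extractor):
    """Count failures per source address with the given extractor; this is
    the figure a blocker compares against its threshold."""
    return Counter(addr for addr in map(extractor, lines) if addr)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(f"naive={naive_source_address(line)!s:14} strict={strict_source_address(line)}")
    print("naive counts :", dict(source_counts(LOG_LINES, naive_source_address)))
    print("strict counts:", dict(source_counts(LOG_LINES, strict_source_address)))
```

The naive extractor attributes the third line to 192.0.2.44, an address that never connected, and counts the accepted login on the fourth line as if it were a failure; the anchored one attributes all three failures to 198.51.100.7 and ignores the success. Anchoring on the fields sshd itself appends, and validating the address before acting on it, is the check a log-driven blocker needs if it is to do more than statistics.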
