Unfortunately this is all misdirected effort.
The config file /etc/sshguard.conf should have

    BACKEND="/usr/local/libexec/sshg-fw-pf"

automatically added. And,

    FILES=/var/log/authlog

I think you may have to add that one.

    WHITELIST_FILE=/etc/sshguard.trustedips

or whatever you may choose to call it.
You do NOTHING to /etc/syslog.conf because auth.info events are by
default logged to /var/log/authlog. See the config line, above, for the
details of how sshguard gains access to ssh login failures.
Then, the magic:

    # rcctl enable sshguard
The whole issue of sshguard reading files from stdin is incorrectly
stated in the docs; the config file determines where it should be
reading. The OpenBSD port correctly identifies the proper utilities and
files needed. The /usr/local/share/doc/pkg-readmes/sshguard file states
the necessary PF advice but neglects to point out the provided
/etc/rc.d/sshguard needs to be enabled.
I ran into this a few weeks ago. After battling for a while, pkg_info
-L sshguard gave the necessary hints. I didn't post a patch. Oops,
sorry.
John
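
A check for the three settings named in the message above, as an added example that is not part of the original message or of the sshguard port. The function names and the sample file are constructed for illustration; it assumes FILES is a space-separated list of log paths.

```shell
#!/bin/sh
# Added example: reports which of the sshguard.conf keys named in the
# message are unset, and which log files listed in FILES cannot be read.

# conf_value FILE KEY: print the last uncommented KEY=value, quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# missing_keys FILE: print each required key that is unset or empty.
missing_keys() {
    for key in BACKEND FILES WHITELIST_FILE; do
        [ -n "$(conf_value "$1" "$key")" ] || printf '%s\n' "$key"
    done
}

# unreadable_logs FILE: print each path in FILES that cannot be read
# (assumption: FILES is space-separated).
unreadable_logs() {
    for path in $(conf_value "$1" FILES); do
        [ -r "$path" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: BACKEND present, FILES commented out, no whitelist.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system's file
BACKEND="/usr/local/libexec/sshg-fw-pf"
#FILES=/var/log/authlog
EOF

echo "missing keys: $(missing_keys "$sample" | tr '\n' ' ')"
echo "unreadable logs: $(unreadable_logs "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

On a real system, point the functions at /etc/sshguard.conf before running rcctl enable sshguard.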