On 2008-11-16, Girish Venkatachalam <[EMAIL PROTECTED]> wrote:
> $ cat pkg/DESCR
>
> uses logfile monitoring and protects networked hosts from ssh brute
> force attacks. It detects such attacks and blocks the author's address
> with a firewall rule.
>
> ------------------
>
> Port here.
>
> http://gayatri-hitech.com/Misc/sshguard.tgz
>
> I have a problem here. It works only when you give group RW permission
> to /dev/pf.
>
> I instrumented sshguard to use pf(4) ioctl but I think the systrace
> policy is not allowing it to open /dev/pf.
>
> That needs to be fixed. Otherwise it works very well.
>
> -Girish
I don't see where systrace has anything to do with it ... I think this
may explain it:

$ ps wwuax|grep ssh[g]
_syslogd  8901  0.0  0.1   532  1264 ??  S   8:56PM  0:00.00 /usr/local/sbin/sshguard

i.e. syslogd is running it as the _syslogd user.

However, you could use systrace to elevate privileges, see
/usr/ports/net/nagios/plugins/files/README.OpenBSD. It's a bit messy
but better than using a setuid binary (don't install it setuid; if
people want that, they have to deliberately chmod it themselves).
Maybe sudo is another option.

We should really get some documentation better than the manpage
installed too, but upstream will need to help; unfortunately we can't
just make a separate tar.gz of the docs on their web pages to add to
the package because there is no copyright license on those pages.

Users also need to be reminded to use tabs, not spaces, in syslog.conf.
I guarantee everybody will copy-and-paste from MESSAGE and get it wrong
- if you add a reminder, only about half the people will do that ;-)

Does anyone who knows yacc/regex well have time to take a look over
sshguard's pattern matchers?
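The tabs-versus-spaces pitfall in syslog.conf mentioned in the reply above can be caught mechanically. The following lint is an added example, not code from the thread or from the sshguard port; the sample syslog.conf lines are constructed, and the sshguard path in them is illustrative.

```shell
# Added example (not part of the thread): lint a syslog.conf for the
# copy-and-paste mistake where the selector and the action are separated
# by spaces rather than the tab syslogd expects.
# Usage: check_syslog_conf FILE
# Prints each offending line and returns 1 if any were found, 0 otherwise.
check_syslog_conf() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        # a selector (no whitespace) followed by one or more spaces and then
        # an action is the bug; a tab after the selector does not match here
        /^[^[:space:]]+ +[^[:space:]]/ {
            printf "%s:%d: spaces between selector and action, use a tab: %s\n",
                   FILENAME, NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample lines, modelled on the kind of entry a package MESSAGE
# would show for piping auth logs into sshguard (the path is illustrative).
SAMPLE_GOOD=$(printf 'auth.info;authpriv.info\t|exec /usr/local/sbin/sshguard')
SAMPLE_BAD='auth.info;authpriv.info |exec /usr/local/sbin/sshguard'

# demo: write each sample to a temp file and run the check on it.
demo() {
    t=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_GOOD" > "$t"
    check_syslog_conf "$t" && echo "tab-separated line: OK"
    printf '%s\n' "$SAMPLE_BAD" > "$t"
    check_syslog_conf "$t" || echo "space-separated line: rejected"
    rm -f "$t"
}

demo
```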