On 21:30:00 Nov 16, Stuart Henderson wrote:
> I don't see where systrace has anything to do with it ...
> I think this may explain it:
>
> $ ps wwuax|grep ssh[g]
> _syslogd 8901 0.0 0.1 532 1264 ?? S 8:56PM 0:00.00 /usr/local/sbin/sshguard
>
> i.e. syslogd is running it as the _syslogd user.

I should have looked into /etc/passwd. You know what? It occurred to me on the way back home last night that I might be wrong about the systrace thing. I knew I did not have proof. I was so tired at having to debug this port for so long that I ran out of breath. ;) Anyway this puts things in perspective. Thanks.

> However, you could use systrace to elevate privileges,
> see /usr/ports/net/nagios/plugins/files/README.OpenBSD.
> It's a bit messy but better than using a setuid binary
> (don't install it setuid, if people want that, they have
> to deliberately chmod it themselves). Maybe sudo is another
> option..

Of the alternatives you suggest, setuid is a definite no-no. I don't want sudo either. Elevating privileges seems fine. Let me check out nagios and get back to you. I just read the nagios README. systrace's privilege elevation does not look messy at all.

> We should really get some documentation better than the manpage
> installed too, but upstream will need to help, unfortunately
> we can't just make a separate tar.gz of the docs on their web
> pages to add to the package because there is no copyright license
> on those pages.

What do you mean? sshguard has a nice man page. And we really are not looking for advanced usage of this tool. People want to guard against ssh bruteforce attacks. That is the reason I am not even mentioning that this tool can jolly well be used to protect against any other bruteforce attack. Can you be more specific? What do you want added? I could simply patch the man page. Or we could install the online html documentation in a separate location like {PREFIX}/share/doc/sshguard/html. Why do you want to bother upstream for this? ;)

> Users also need to be reminded to use tabs not spaces in
> syslog.conf, I guarantee everybody will copy-and-paste from
> MESSAGE and get it wrong - if you add a reminder, only about
> half the people will do that ;-)

I agree, but anyone with a reasonable degree of UNIX experience should know that tabs are the in thing for crontabs and config files. :) By the way, this is a syslog restriction and has nothing to do with the sshguard port.

> Does anyone who knows yacc/regex well have time to take a
> look over sshguard's pattern matchers?

No, the "problem", if you may call it so, lies elsewhere. From whatever little I know of yacc parsing, I can see that there is no mention of tabs in the attack_parser.y file. My idea is to give people a secure way to protect against the ssh bruteforce attack. And we cannot help dumb users beyond a point anyway...

Sorry for the long post. Have a nice day!

-Girish
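As an added illustration of the tabs-versus-spaces pitfall discussed in the thread (this is not code from the original mail, from sshguard, or from the OpenBSD port): a small checker that parses a syslog.conf excerpt and flags entries whose selector and action are separated by spaces only, which is what a copy-and-paste from a MESSAGE file typically produces. The excerpt, including the `|exec /usr/local/sbin/sshguard` action, is constructed for the demo.

```python
import re

# Constructed /etc/syslog.conf excerpt (not from the original mail).
# Line 2 separates selector and action with a real tab; line 3 is the
# same rule pasted with spaces, the mistake the thread warns about.
SAMPLE_SYSLOG_CONF = (
    "# /etc/syslog.conf excerpt\n"
    "auth.info\t|exec /usr/local/sbin/sshguard\n"
    "auth.info    |exec /usr/local/sbin/sshguard\n"
    "*.notice;auth.debug\t/var/log/messages\n"
)

# selector, whitespace separator, action (action may contain spaces)
ENTRY_RE = re.compile(r'^(?P<selector>\S+)(?P<sep>[ \t]+)(?P<action>\S.*)$')


def check_syslog_conf(text):
    """Parse syslog.conf text and check the selector/action separator.

    Returns (entries, problems): entries is a list of (selector, action)
    for well-formed lines; problems is a list of (line_no, reason, line)
    for lines that are unparseable or that separate selector and action
    with spaces only, i.e. without at least one tab.
    """
    entries, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank line or comment
        m = ENTRY_RE.match(line)
        if not m:
            problems.append((n, 'unparseable entry', line))
            continue
        if '\t' not in m.group('sep'):
            problems.append((n, 'spaces instead of tab between selector and action', line))
            continue
        entries.append((m.group('selector'), m.group('action')))
    return entries, problems


def main():
    entries, problems = check_syslog_conf(SAMPLE_SYSLOG_CONF)
    for sel, act in entries:
        print(f"ok:     {sel!r} -> {act!r}")
    for n, reason, line in problems:
        print(f"line {n}: {reason}: {line!r}")


if __name__ == '__main__':
    main()
```

Run it against a real syslog.conf with `check_syslog_conf(open('/etc/syslog.conf').read())`; any line reported under problems is one syslogd will not treat as a selector/action pair.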