On 2008/11/17 08:42, Girish Venkatachalam wrote:
> I just read the nagios README. systrace's privilege elevation does not
> look messy at all.

Maybe messy enough that people will think "oh I can't be bothered with
that I will just make it setuid root"...and that doesn't avoid sudo either.

> Can you be more specific? What do you want added? I could simply patch
> the man page. Or we could install the online html documentation in a
> separate location like {PREFIX}/share/doc/sshguard/html.
> Why do you want to bother upstream for this? ;)

If we were to install the online html documentation, we would need
permission to redistribute it, because they don't grant it. But, I
sort-of assumed (from the frequent references to the website) that there
was some more documentation there, and hoped it would say a bit more
about the other log formats it can parse, but now I've looked over it I
can't find any more useful information, so I'm happy to leave those out.
We do need to mention the other parsers in the manual though, or people
may be surprised if they mistype a POP3 password and get locked out of SSH.

But actually we need to bother them anyway: there's no copyright license
in the .tar.bz2 file either, as things stand now you must set
PERMIT_*=No. The only mention is at the top of the website, "sshguard is
BSD-licensed", but that is not enough. They need to include the actual
license text (since there is no single "BSD license") and it needs to be
with the source code. They might be interested in looking at the usual
OpenBSD license,
http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/src/share/misc/license.template
- it has helpful comments about formatting of dates etc.

> > Users also need to be reminded to use tabs not spaces in
> > syslog.conf, I guarantee everybody will copy-and-paste from
> > MESSAGE and get it wrong - if you add a reminder, only about
> > half the people will do that ;-)
>
> I agree but anyone with a reasonable degree of UNIX experience should
> know that tabs are the in thing for crontabs and config files.

:)

> By the way this is a syslog restriction and has nothing to do with the
> sshguard port.

The only files I can think of where this applies are syslog.conf and
sendmail.cf, and most users who look for this software won't have edited
syslog.conf before (and wouldn't dream of touching sendmail.cf!)
Pointing it out will avoid stupid "it doesn't work" emails to the
maintainer :-)

> > Does anyone who knows yacc/regex well have time to take a
> > look over sshguard's pattern matchers?
>
> No the "problem" if you may call it so lies elsewhere.
>
> From whatever little I know of yacc parsing I can see that there is no
> mention of tabs in attack_parser.y file.

Tabs aren't the problem there, now I have found the reference I was
looking for: http://www.ossec.net/en/attacking-loganalysis.html
see why I keep mentioning it? :-)

Maybe their parsers are ok, but I think they need checking.

> My idea is to give people a secure way to protect against the ssh
> bruteforce attack.

Yes, and since many (often novice) users are looking for this and seem
to be looking for log parsers in particular (rather than PF
connection-rate checks), we need to take quite a lot of care over it.
People should not take the existence of something in ports as a
recommendation, but they will...

> And we cannot help dumb users beyond a point anyway...
>
> Sorry for the long post.
>
> Have a nice day!
>
> -Girish

And you :-)
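The tabs-vs-spaces point raised above (users pasting the syslog.conf line from MESSAGE and ending up with spaces) can be checked mechanically before syslogd is restarted. The script below is an added example, not part of this thread or of the sshguard port; the sample syslog.conf content is constructed here, and the checker's only rule is the one stated in the thread: a selector and its action must be separated by at least one tab.

```shell
#!/bin/sh
# Constructed sample syslog.conf: lines 1 and 4 use a tab between selector
# and action, line 2 was "pasted" with spaces, line 3 is a comment.
# printf expands \t so the tabs survive copy-and-paste of this example.
SAMPLE_CONF=$(printf '%s\n' \
    "$(printf '*.notice;auth.info\t/var/log/messages')" \
    'auth.info        /var/log/authlog' \
    '# comment lines are ignored, even with spaces' \
    "$(printf 'auth.info\t|/usr/local/sbin/sshguard')")

# Read a syslog.conf on stdin and print the line number of every
# non-comment, non-blank line whose selector is not followed by a tab
# (spaces only, or no action at all).
find_space_separated() {
    awk '
        /^[[:space:]]*(#|$)/          { next }      # comment or blank line
        $0 !~ /^[^ \t]+[ \t]*\t/      { print NR }  # no tab after selector
    '
}

# Wrapper for a file: exit status 0 if clean, 1 if any line is flagged.
check_syslog_conf() {
    bad=$(find_space_separated < "$1")
    if [ -n "$bad" ]; then
        echo "$1: selector/action separated by spaces on line(s): $bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: report on the constructed sample (expected: line 2).
printf '%s\n' "$SAMPLE_CONF" | find_space_separated
```

Run it against the real file with `check_syslog_conf /etc/syslog.conf` after editing and before restarting syslogd.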