Date: Wed, 13 Jun 2007 11:06:11 -0700 (PDT)
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/113663: rc.d startup script for sshguard
Message-ID: <20070613180611.9F7611CC044@mx01.sc1.parodius.com>
Resent-Message-ID: <200706131830.l5DIU44w095946@freefall.freebsd.org>
>Number:         113663
>Category:       ports
>Synopsis:       rc.d startup script for sshguard
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 13 18:30:04 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Jeremy Chadwick
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD eos.sc1.parodius.com 6.2-STABLE FreeBSD 6.2-STABLE #0: Thu Mar 8 10:41:09 PST 2007 root@eos.sc1.parodius.com:/usr/obj/usr/src/sys/EOS i386
>Description:
sysutils/sshguard (and sshguard-ipfw/sshguard-pf) when installed
out-of-the-box relies upon the syslog.conf "|" mechanism to run sshguard.

There's one major issue with this method, as I found out this morning:
newsyslog sends a SIGHUP to syslogd at midnight (so it will reopen its
logfiles), thus the pipe to sshguard gets closed and sshguard is respawned.
When sshguard is respawned, it empties the pf <sshguard> table of all
entries. Therefore every night at midnight, you lose all blocked IPs which
sshguard has spent time adding over the past day.

To alleviate this, I decided it would be best to make a startup rc.d script
for sshguard which did tail -n0 -F /var/log/auth.log | sshguard &.

It would be beneficial if someone could review the rc.d script for
mistakes/oversights. It does work (tested on RELENG_6), but I did not try
all of the rc.subr commands (status/poll/etc.). Just stop/start/restart.
I'm particularly concerned over which rcorder(8) strings are needed.

Also: the port installation mechanism would need to be changed to not
modify syslog.conf, because that mechanism won't be needed any longer. :-)
>How-To-Repeat:
n/a
>Fix:
#!/bin/sh
#
# PROVIDE: sshguard
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable sshguard:
# sshguard_enable (bool):   Set it to "YES" to enable sshguard.
#                           Default is "NO".
# sshguard_pidfile (path):  Set full path to sshguard.pid.
#                           Default is "/var/run/sshguard.pid".
# sshguard_logfile (path):  Set full path to syslog logfile which
#                           contains LOG_AUTH syslog facility logs.
#                           Default is "/var/log/auth.log".
# sshguard_flags (str):     Flags passed to sshguard on startup.
#                           Default is "".
#

. /etc/rc.subr

name="sshguard"
rcvar=`set_rcvar`

load_rc_config $name

: ${sshguard_enable="NO"}
: ${sshguard_pidfile="/var/run/sshguard.pid"}
: ${sshguard_logfile="/var/log/auth.log"}
: ${sshguard_flags=""}

# Set $procname to tail, because that's the process we want to kill on
# stop/restart. We do not want to kill sshguard itself. Killing tail
# will take care of that automatically (pipe gets closed).
sshguard_procname="/usr/local/sbin/sshguard"
pidfile=${sshguard_pidfile}
procname="tail"
tailcmd="${procname} -n0 -F ${sshguard_logfile}"

start_cmd=${name}_start

sshguard_checklogfile()
{
	if [ ! -r "${sshguard_logfile}" ]; then
		echo "'sshguard_logfile' is unreadable or missing (file=${sshguard_logfile})."
		exit 1
	fi
}

sshguard_checkpid()
{
	pid=`check_pidfile ${pidfile} ${procname}`
	if [ 0"$pid" -gt 1 ]; then
		echo "${name} already running? (pid of tail=$pid)."
		exit 1
	fi
}

sshguard_start()
{
	sshguard_checklogfile
	sshguard_checkpid
	sh -c "echo \$\$ > ${pidfile} && exec ${tailcmd}" | ${sshguard_procname} ${sshguard_flags} 2>/dev/null &
	echo "Starting ${name}."
}

run_rc_command "$1"
>Release-Note:
>Audit-Trail:
>Unformatted:
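The two things the rc.d script above depends on are the pidfile trick in sshguard_start (the inner sh writes its own pid and then exec's tail, so the pidfile holds tail's pid) and the claim that killing tail is enough to stop the consumer, because the consumer sees EOF on its pipe. The following is an added example, not part of the PR or of the sshguard port, that exercises exactly that pattern with a throwaway log file, a constructed auth.log line and a small read loop standing in for sshguard; every path is a temporary file created by the function.

```shell
#!/bin/sh
# Added example: reproduce the tail | consumer pipeline from sshguard_start
# with a stand-in consumer, then verify that (a) the pidfile holds tail's
# pid, (b) lines appended to the log reach the consumer, and (c) killing
# tail alone (what rc.d 'stop' does with procname="tail") makes the
# consumer exit on its own. Returns 0 when all three hold.
demo_tail_pipeline() {
    dir=$(mktemp -d) || return 1
    log="$dir/auth.log"          # constructed stand-in for /var/log/auth.log
    pidfile="$dir/tail.pid"      # constructed stand-in for sshguard_pidfile
    out="$dir/consumer.out"
    : > "$log"

    # Producer: same construct as the PR's script. \$\$ is expanded by the
    # inner sh, which then exec's tail, so the recorded pid is tail's.
    # Consumer: records every line it receives and notes when stdin closes.
    sh -c "echo \$\$ > '$pidfile' && exec tail -n0 -F '$log'" | \
        sh -c "while read -r line; do echo \"got: \$line\" >> '$out'; done; echo closed >> '$out'" &
    sleep 2

    # Constructed sample line, appended the way syslogd would append it.
    echo "sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2" >> "$log"
    sleep 2

    tailpid=$(cat "$pidfile")
    kill "$tailpid"    # stop: terminate tail only, never the consumer
    wait               # consumer gets EOF on the pipe and exits by itself

    ok=0
    if grep -q '^got: sshd' "$out" && grep -q '^closed$' "$out" \
       && ! kill -0 "$tailpid" 2>/dev/null; then
        ok=1
    fi
    rm -rf "$dir"
    [ "$ok" -eq 1 ]
}
```

The two sleeps give tail time to start following the file and to deliver the appended line; on a loaded machine they may need to be longer. Note that the consumer is stopped only indirectly, through the closed pipe, which is why the script's procname points at tail rather than at sshguard.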