Date: Wed, 7 Oct 2015 09:23:36 +0200
From: Nino J <nino80@gmail.com>
To: Alexandre <axelbsd@ymail.com>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: SSHguard & IPFW
Message-ID: <CALf6cgaHKZ6zVLw=sJPiBUYM=8O44_%2BGS0gzYDxSq=ghvwx5Og@mail.gmail.com>
In-Reply-To: <DUB118-W49D62C6948C2D61F7E55CBB4370@phx.gbl>
References: <DUB118-W2564316B09E855F03F7D11B44E0@phx.gbl> <1443531575.1236.13.camel@michaeleichorn.com> <DUB118-W32603EFCC32F67913C02BEB44E0@phx.gbl> <CALf6cgZYJxQQA5Dxtu2QKzRC7FebeXte7NNRmGwOa5ma7We=tQ@mail.gmail.com> <DUB118-W49D62C6948C2D61F7E55CBB4370@phx.gbl>

On Tue, Oct 6, 2015 at 9:59 AM, Alexandre <axelbsd@ymail.com> wrote:
>
> Hi Nino,
>
> I now encounter an issue with IPFW and the blacklist functionality: when I
> restart the sshguard service (or reboot the machine), I need to delete
> /var/db/sshguard/blacklist.db before launching the sshguard service again.
> It is a known issue, as described here:
> http://sourceforge.net/p/sshguard/mailman/message/34146342/
> Do you know when the next security/sshguard-ipfw version will be in
> FreeBSD ports?
>
> Thank you.
>
> Regards.
> Alexandre
>

Hi Alexandre,

As you noted, there is already a reported issue with this problem. See
https://bitbucket.org/sshguard/sshguard/issues/14/sshguard-crashes-on-blacklist-db .

The ports version is actually the latest released version of sshguard
(1.6.1). As you can see in the issue tracker linked above, the fix will
probably come out in 1.6.2. The last reply in that issue was made on
September 30th and it said that it shouldn't take long before 1.6.2 is
released.

You have a few options:
- wait until 1.6.2 is released
- download the development version and install it manually (I have that
  and it works fine)
- fix the buffer overflow issue in the current version locally (the problem
  is a sprintf() in ipfw.c that goes through the entire address list even
  though the buffer is limited to MAXIPFWCMDLEN=90)

A simple temporary fix would be to
1) increase MAXIPFWCMDLEN to a more reasonable length, e.g. 16384
2) check the blacklist length and error out if it exceeds MAXIPFWCMDLEN

Regards,
--
Nino
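
The two suggested fixes (a larger limit, and a length check that errors out) shown as a bounded-append pattern. This is an added example, not sshguard's ipfw.c and not part of the original message: `join_addresses` and `demo_blacklist` are hypothetical names, the addresses are constructed, and only MAXIPFWCMDLEN=90 and 16384 come from the message.

```c
#include <stdio.h>
#include <string.h>

#define MAXIPFWCMDLEN 90   /* limit quoted in the message */
#define DEMO_MAX_ADDRS 64  /* size of the constructed sample list */

/* Hypothetical helper: comma-join n addresses into buf (buflen bytes).
 * Returns the string length, or -1 if the list does not fit. Unlike an
 * unchecked sprintf() loop, it never writes past buf + buflen. */
static int join_addresses(char *buf, size_t buflen,
                          const char *const addrs[], size_t n)
{
    size_t used = 0;
    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t left = buflen - used;
        int w = snprintf(buf + used, left, "%s%s", i ? "," : "", addrs[i]);
        if (w < 0 || (size_t)w >= left) {  /* would truncate: error out */
            buf[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

/* Builds a constructed blacklist 192.0.2.1 .. 192.0.2.<count> and joins
 * it into a buffer treated as buflen bytes long. Returns -2 on bad args. */
static int demo_blacklist(size_t count, size_t buflen)
{
    static char storage[DEMO_MAX_ADDRS][16];
    static char cmd[16384];
    const char *addrs[DEMO_MAX_ADDRS];
    if (count > DEMO_MAX_ADDRS || buflen > sizeof cmd)
        return -2;
    for (size_t i = 0; i < count; i++) {
        snprintf(storage[i], sizeof storage[i], "192.0.2.%zu", i + 1);
        addrs[i] = storage[i];
    }
    return join_addresses(cmd, buflen, addrs, count);
}

int main(void)
{
    printf("9 addrs, 90 bytes:     %d\n", demo_blacklist(9, MAXIPFWCMDLEN));
    printf("10 addrs, 90 bytes:    %d\n", demo_blacklist(10, MAXIPFWCMDLEN));
    printf("64 addrs, 16384 bytes: %d\n", demo_blacklist(64, 16384));
    return 0;
}
```

A larger buffer only moves the point at which the list stops fitting, so the length check is what keeps a long blacklist.db from corrupting memory.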