From: Nino J
Date: Wed, 7 Oct 2015 09:23:36 +0200
Subject: Re: SSHguard & IPFW
To: Alexandre
Cc: "freebsd-questions@freebsd.org"
List-Id:
User questions

On Tue, Oct 6, 2015 at 9:59 AM, Alexandre wrote:
>
> Hi Nino,
>
> I encounter now an issue with IPFW and blacklist functionality: when I
> restart sshguard service (or reboot the machine), I need to delete
> /var/db/sshguard/blacklist.db before launching sshguard service again.
> It is a known issue as described here
> http://sourceforge.net/p/sshguard/mailman/message/34146342/
> Do you know when the next security/sshguard-ipfw version will be in
> FreeBSD ports?
>
> Thank you.
>
> Regards.
> Alexandre
>

Hi Alexandre,

As you noted, there is already a reported issue with this problem. See
https://bitbucket.org/sshguard/sshguard/issues/14/sshguard-crashes-on-blacklist-db .

The ports version is actually the latest released version of sshguard
(1.6.1). As you can see in the issue tracker linked above, the fix will
probably come out in 1.6.2. The last reply in that issue was made on
September 30th and it said that it shouldn't take long before 1.6.2 is
released.

You have a few options:
- wait until 1.6.2 is released
- download the development version and install it manually (I have that
  and it works fine)
- fix the buffer overflow issue in the current version locally (the
  problem is a sprintf() in ipfw.c that goes through the entire address
  list even though the buffer is limited to MAXIPFWCMDLEN=90)

A simple temporary fix would be to
1) increase MAXIPFWCMDLEN to a more reasonable length, e.g. 16384
2) check blacklist length and error out if it exceeds MAXIPFWCMDLEN

Regards,
--
Nino
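
The length check suggested in step 2 above, as an added C example (not sshguard's ipfw.c and not part of the original message): the hypothetical helper `join_addresses` appends each address with `snprintf` and errors out instead of writing past `MAXIPFWCMDLEN`. The function name, the comma-separated layout and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXIPFWCMDLEN 90   /* buffer limit quoted in the message above */

/*
 * Hypothetical helper: join addresses into one comma-separated list.
 * The unsafe pattern described in the message is an unbounded
 *     len += sprintf(buf + len, "%s,", addrs[i]);
 * over the whole list. Here every append is checked against the space
 * that is left. Returns the list length, or -1 if the list does not fit
 * (buf is emptied so a truncated list is never used).
 */
int join_addresses(char *buf, size_t buflen, const char **addrs, size_t n)
{
    size_t len = 0;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int w = snprintf(buf + len, buflen - len, "%s%s",
                         i ? "," : "", addrs[i]);
        if (w < 0 || (size_t)w >= buflen - len) {
            buf[0] = '\0';   /* error out rather than truncate */
            return -1;
        }
        len += (size_t)w;
    }
    return (int)len;
}

int main(void)
{
    /* Constructed sample data: documentation-range addresses (RFC 5737). */
    const char *small[] = { "192.0.2.1", "192.0.2.2", "198.51.100.7" };
    const char *big[] = { "203.0.113.101", "203.0.113.102", "203.0.113.103",
                          "203.0.113.104", "203.0.113.105", "203.0.113.106",
                          "203.0.113.107", "203.0.113.108" };
    char cmd[MAXIPFWCMDLEN];

    printf("small list: %d\n", join_addresses(cmd, sizeof cmd, small, 3));
    printf("big list:   %d\n", join_addresses(cmd, sizeof cmd, big, 8));
    return 0;
}
```

Raising `MAXIPFWCMDLEN` as in step 1 only moves the limit; the return-value check is what keeps a large blacklist from overrunning the buffer.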