Date: Thu, 01 Oct 2015 10:43:41 -0500
From: Mark Felder <feld@FreeBSD.org>
To: "Michael B. Eichorn" <ike@michaeleichorn.com>, Alexandre <axelbsd@ymail.com>, FreeBSD Questions Mailing List <freebsd-questions@freebsd.org>
Subject: Re: SSHguard & IPFW
Message-ID: <1443714221.3983239.398738409.5D3608D5@webmail.messagingengine.com>
In-Reply-To: <1443531575.1236.13.camel@michaeleichorn.com>
References: <DUB118-W2564316B09E855F03F7D11B44E0@phx.gbl> <1443531575.1236.13.camel@michaeleichorn.com>
On Tue, Sep 29, 2015, at 07:59, Michael B. Eichorn wrote:
>
> Is there any chance that you might have followed an old guide? In
> sshguard < 1.5 a valid configuration option was to use syslog to kickoff
> sshguard and not use sshguard enable, but this is now depreciated in
> favor of the new 'Log Sucker' introduced in v1.5.
>

I noted a problem in the PR that was just opened:

"Using sshguard via syslogd is convenient because it will auto-spawn a
new process if sshguard were to die. However, if syslogd receives a HUP
signal it sends a TERM to any piped children (by design). This kills
sshguard, removing the entries from your firewall's sshguard table.
You're now open to attacks by those on your blocklist until a new log
entry makes syslogd spawn a new sshguard process. This is very bad."

And syslogd can get HUPs hourly:

# Rotate log files every hour, if necessary.
0 * * * * root newsyslog

--
  Mark Felder
  ports-secteam member
  feld@FreeBSD.org
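
The failure mode described in this message only applies when sshguard is started as a piped child from syslog.conf. The following is an added example, not part of the original message or of sshguard, that audits a syslog.conf and a crontab for that setup; the function names, the sample file contents and the /usr/local/sbin/sshguard path are constructed for illustration.

```shell
# Print "LINE:TEXT" for each active syslog.conf entry whose action is a
# pipe ("|command") that runs sshguard. Comments and blank lines are skipped.
piped_sshguard_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            # Drop the selector field; what remains is the action.
            action = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", action)
            if (substr(action, 1, 1) == "|" && index(action, "sshguard"))
                print NR ":" $0
        }' "$1"
}

# Print active crontab lines that run newsyslog. Each rotation can send
# syslogd a HUP, which makes syslogd TERM its piped children.
newsyslog_cron_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -w 'newsyslog' || true
}

# Return 1 (finding) if sshguard is a syslogd pipe child, 0 otherwise.
# The newsyslog schedule is reported to show how often the gap can open.
audit_sshguard_pipe() {
    entries=$(piped_sshguard_entries "$1")
    if [ -z "$entries" ]; then
        echo "OK: sshguard is not started from a syslogd pipe"
        return 0
    fi
    printf 'FINDING: sshguard runs as a syslogd pipe child:\n%s\n' "$entries"
    cron=$(newsyslog_cron_entries "$2")
    [ -z "$cron" ] || printf 'newsyslog schedule (can HUP syslogd):\n%s\n' "$cron"
    return 1
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/syslog.conf" <<'EOF'
auth.info;authpriv.info     /var/log/auth.log
#auth.info;authpriv.info    |exec /usr/local/sbin/sshguard
auth.info;authpriv.info     |exec /usr/local/sbin/sshguard
EOF
cat > "$SAMPLE_DIR/crontab" <<'EOF'
# Rotate log files every hour, if necessary.
0 * * * * root newsyslog
EOF
audit_sshguard_pipe "$SAMPLE_DIR/syslog.conf" "$SAMPLE_DIR/crontab" || true
```

On a real host the two arguments would be the system's own syslog.conf and crontab; a finding means the block table can be emptied whenever syslogd is HUPed.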