From owner-freebsd-ports@FreeBSD.ORG  Mon Apr 14 09:41:46 2014
Return-Path: <owner-freebsd-ports@FreeBSD.ORG>
Delivered-To: freebsd-ports@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 1D4F870D;
 Mon, 14 Apr 2014 09:41:46 +0000 (UTC)
Received: from mailout05.t-online.de (mailout05.t-online.de [194.25.134.82])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mailout00.t-online.de",
 Issuer "VeriSign Class 3 International Server CA - G3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 798F719C2;
 Mon, 14 Apr 2014 09:41:45 +0000 (UTC)
Received: from fwd02.aul.t-online.de (fwd02.aul.t-online.de [172.20.26.148])
 by mailout05.t-online.de (Postfix) with SMTP id B8BD41FC191;
 Mon, 14 Apr 2014 11:36:11 +0200 (CEST)
Received: from [192.168.119.11]
 (TtescQZS8hnEHfbmW+8wsCjK9woTnXeFRtDUECxOFAIcgjsVeI7AEZd283t1HTlQrr@[84.154.124.31])
 by fwd02.t-online.de
 with esmtp id 1WZdJU-14LBYW0; Mon, 14 Apr 2014 11:36:28 +0200
Message-ID: <534BAC12.9090704@freebsd.org>
Date: Mon, 14 Apr 2014 11:36:18 +0200
From: Stefan Esser <se@freebsd.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Benjamin Podszun <dar@darklajid.de>, freebsd-ports@freebsd.org
Subject: Re: FreeBSD Port: security/sshguard-pf
References: <53453547.2070307@uni-bielefeld.de>
 <fe85c5ec-65aa-425d-9e58-f70f277ad491@darklajid.de>
In-Reply-To: <fe85c5ec-65aa-425d-9e58-f70f277ad491@darklajid.de>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-ID: TtescQZS8hnEHfbmW+8wsCjK9woTnXeFRtDUECxOFAIcgjsVeI7AEZd283t1HTlQrr
X-TOI-MSGID: ae119f6d-0fda-4cf0-a761-6ab3da0c118f
Cc: crees@freebsd.org
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 09:41:46 -0000

On 14.04.2014 10:25, Benjamin Podszun wrote:
> Looking at the rc script and the diff [1] the problem's easy enough:
> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in the
> script/has no default value. Either the related line from the previous
> revision should be revived or the substitution should change to use
> ${pidfile}, which _is_ set.

I just installed sshguard on one of my servers and noticed the same
problem. The program is not started due to several bugs:

1) $sshguard_pidfile vs. $pidfile as noticed by you

2) Passing of log files to watch. They are correctly processed by
   sshguard_prestart(), but the result is not passed into the
   command line. (You can manually add "-l <logfile>" options to
   the command line in the rc script as a work around ...)

There are other deficiencies:

a) The documentation lacks details about the mechanism used to block
   attacks. E.g. in case of IPFW, blocking rules are injected in lines
   55000 to 55050. You have to adapt your ruleset in such a way that
   any to-be-blocked service is only enabled at a later line, or the
   blocking is ineffective. This port range should be mentioned at
   least in the pkg message for ipfw. Better would be a section in
   the man page, which explains the mechanism used by each backend.

b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while
   security/sshguard seems to work just fine with staging enabled.
   This is probably an oversight: when sshguard was fixed/verified
   for staging, the sub-ports were not marked as staging clean.

c) The MAKE_ARGS variable mentions ACLOCAL, AUTOCONF and AUTOMAKE, but
   no dependencies are registered for any of them.

d) The master port's Makefile lists hosts, pf, and ipfw as possible
   backends, selected by SSHGUARDFW, but does not mention ipfilter
   as the fourth supported backend.

I did not have time to check the code quality of the parser. I'm a
bit suspicious that it might be possible to attack sshguard via
parameters passed under control of an attacker.

If you create a PR, you may want to add these points to the PR ...

Regards, Stefan
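Deficiency a) above is the one that silently defeats the tool: if a service is accepted by an ipfw rule numbered below the range sshguard-ipfw injects its deny rules into, the deny rules are never reached. The following is an added audit script, not code from the mail or from the sshguard port, that scans "ipfw list" style output for accept rules that sit before that range. The 55000-55050 range is taken from the mail; the rule text format, the sample ruleset and the function names are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the mail or the sshguard port): find ipfw "allow"
# rules that precede the rule numbers sshguard-ipfw uses for its deny rules.
# Assumptions: block range 55000-55050 as stated in the mail; input is in
# "ipfw list" text format; only explicit destination port lists are
# understood (a range such as 22-23 is not expanded).

SSHGUARD_RULE_LO=55000
SSHGUARD_RULE_HI=55050

# Constructed sample of "ipfw list" output. Rule 100 is the mistake the mail
# warns about: SSH is accepted at a lower number than the deny rules, so a
# host sshguard has blocked still gets through.
SAMPLE_RULES='00100 allow tcp from any to me 22 in
00200 allow tcp from any to me 80,443 in
00300 allow udp from any to me 53 in
55000 deny ip from 203.0.113.7 to any
55010 deny ip from 198.51.100.9 to any
60000 allow tcp from any to me 25 in
65535 deny ip from any to any'

# shadowing_rules LO PROTO PORT   (ruleset on stdin)
# Prints the number of every accept rule below LO that would match PROTO
# traffic to destination PORT. Prints nothing when the ruleset is fine.
shadowing_rules() {
    lo=$1; want_proto=$2; want_port=$3
    while read -r num action proto rest; do
        case "$action" in
            allow|accept|pass|permit) ;;
            *) continue ;;
        esac
        # ipfw zero-pads rule numbers; strip the padding for arithmetic.
        n=$(printf '%s\n' "$num" | sed 's/^0*//'); [ -z "$n" ] && n=0
        [ "$n" -ge "$lo" ] && continue
        # "ip"/"all" rules match every protocol; otherwise require a match.
        case "$proto" in
            ip|all|"$want_proto") ;;
            *) continue ;;
        esac
        # The destination port list follows "to <addr>"; an empty list means
        # the rule accepts every port, which shadows the block as well.
        ports=$(printf '%s\n' "$rest" | sed -n 's/.* to [^ ]* *\([0-9,-]*\).*/\1/p')
        if [ -z "$ports" ]; then
            echo "$n"
        else
            case ",$ports," in
                *",$want_port,"*) echo "$n" ;;
            esac
        fi
    done
}

# audit_ruleset PROTO PORT   (ruleset on stdin)
# Returns 0 when no accept rule precedes the sshguard range, 1 otherwise.
audit_ruleset() {
    found=$(shadowing_rules "$SSHGUARD_RULE_LO" "$1" "$2")
    if [ -n "$found" ]; then
        echo "$1/$2 is accepted before rules $SSHGUARD_RULE_LO-$SSHGUARD_RULE_HI by rule(s): $found"
        return 1
    fi
    echo "$1/$2: ok"
}

# Demonstration on the constructed sample. On a real host the input would
# be:  ipfw list | audit_ruleset tcp 22
for spec in "tcp 22" "tcp 25"; do
    set -- $spec
    printf '%s\n' "$SAMPLE_RULES" | audit_ruleset "$1" "$2" ||
        echo "  fix: renumber that rule past $SSHGUARD_RULE_HI so the deny rules are evaluated first"
done
```

The check only tells you about ordering; it does not confirm that sshguard actually inserted anything. After sshguard has seen a few failed logins, `ipfw list 55000-55050` should show the deny rules it added, and their absence points back at the rc script bugs 1) and 2) above rather than at the ruleset.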