From: Stefan Esser
To: Benjamin Podszun, freebsd-ports@freebsd.org
Cc: crees@freebsd.org
Date: Mon, 14 Apr 2014 11:36:18 +0200
Subject: Re: FreeBSD Port: security/sshguard-pf
Message-ID: <534BAC12.9090704@freebsd.org>
References: <53453547.2070307@uni-bielefeld.de>
List-Id: Porting software to FreeBSD (freebsd-ports@freebsd.org)

On 14.04.2014 10:25, Benjamin Podszun wrote:
> Looking at the rc script and the diff [1] the problem's easy enough:
> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in the
> script/has no default value. Either the related line from the previous
> revision should be revived or the substitution should change to use
> ${pidfile}, which _is_ set.

I just installed sshguard on one of my servers and noticed the same
problem. The program is not started due to several bugs:

1) $sshguard_pidfile vs. $pidfile as noticed by you

2) Passing of log files to watch. They are correctly processed by
   sshguard_prestart(), but the result is not pasted into the command
   line. (You can manually add "-l " options to the command line in the
   rc script as a work-around ...)

There are other deficiencies:

a) The documentation lacks details about the mechanism used to block
   attacks. E.g. in case of IPFW, blocking rules are injected in lines
   55000 to 55050. You have to adapt your ruleset in such a way that any
   to-be-blocked service is only enabled at a later line, or the blocking
   is ineffective. This port range should be mentioned at least in the
   pkg message for ipfw. Better would be a section in the man page which
   explains the mechanism used by each backend.

b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while
   security/sshguard seems to work just fine with staging enabled. This
   is probably an oversight: when sshguard was fixed/verified for
   staging, the sub-ports were not marked as staging clean.

c) The MAKE_ARGS variable mentions ACLOCAL, AUTOCONF and AUTOMAKE, but no
   dependencies are registered for any of them.

d) The master port's Makefile lists hosts, pf, and ipfw as possible
   backends, selected by SSHGUARDFW, but does not mention ipfilter as the
   fourth supported backend.

I did not have time to check the code quality of the parser. I'm a bit
suspicious that it might be possible to attack sshguard via parameters
passed under control of an attacker.

If you create a PR, you may want to add these points to the PR ...

Regards, Stefan
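The two startup bugs (the unset ${sshguard_pidfile} and the log-file list that never reaches the command line) and the ipfw rule-ordering caveat from item a) can both be checked mechanically. The following is an added example, not the sshguard port's rc script, ruleset or any code from the thread: a POSIX sh fragment with a hypothetical prestart-style helper that builds "-l" options from a whitespace-separated list and passes the ${pidfile} that rc.subr does set, plus a check over an ipfw ruleset (constructed sample text in the shape "ipfw list" prints) that reports any "allow" rule for a guarded port numbered below the block range the mail names (55000-55050). The variable names sshguard_watch_logs and the 55000 default are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the sshguard port's own rc script or ruleset.

# Assumed rc.conf-style variables (hypothetical names for illustration).
sshguard_watch_logs="/var/log/auth.log /var/log/maillog"
pidfile="/var/run/sshguard.pid"

# Build the daemon's arguments: one "-l <file>" per watched log, then
# "-i ${pidfile}". Uses ${pidfile}, which is set, rather than the unset
# ${sshguard_pidfile} the mail reports.
#   $1 = whitespace-separated log files, $2 = pid file
sshguard_build_args() {
    _logs="$1"; _pid="$2"; _args=""
    for _f in $_logs; do
        _args="${_args}-l ${_f} "
    done
    printf '%s-i %s' "$_args" "$_pid"
}

# Constructed sample ruleset (not from any real host). Rule 100 opens
# port 22 before the 55000-55050 range, so a deny rule injected there
# would never be reached for ssh: exactly the misconfiguration item a)
# warns about. Port 25 is only opened at 60000, which is fine.
SAMPLE_RULESET='00100 allow tcp from any to me dst-port 22 in
00200 allow ip from any to any via lo0
55000 deny ip from 203.0.113.7 to any
60000 allow tcp from any to me dst-port 25 in
65535 deny ip from any to any'

# Print the numbers of "allow" rules that open the given dst-port and
# are numbered below the start of the block range; no output means the
# ruleset orders the service after the blocking rules.
#   $1 = ruleset text, $2 = port, $3 = block range start (default 55000)
ipfw_allows_before_block() {
    printf '%s\n' "$1" | awk -v port="$2" -v start="${3:-55000}" '
        $2 == "allow" && int($1) < start {
            for (i = 3; i <= NF; i++)
                if ($i == "dst-port" && $(i+1) == port) { print int($1); break }
        }'
}

# Usage when run directly: show the built argument string and any
# offending rule numbers for port 22 (here: 100).
sshguard_build_args "$sshguard_watch_logs" "$pidfile"; echo
ipfw_allows_before_block "$SAMPLE_RULESET" 22
```

The ordering check is deliberately conservative: it only looks at "allow" rules with an explicit dst-port match, so a broad "allow ip from any to any" early in the ruleset still has to be spotted by eye.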