
#1 2016-01-05 10:16:34

emkay1
Member
Registered: 2016-01-05
Posts: 13

[SOLVED] sshguard 1.6.3 not working

With the latest update from 1.6.1 to 1.6.3 the sshguard service is not working anymore.

● sshguard.service - Block hacking attempts
   Loaded: loaded (/usr/lib/systemd/system/sshguard.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Di 2016-01-05 11:11:41 CET; 5s ago
  Process: 22977 ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl -b /var/db/sshguard/blacklist.db SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 (code=exited, status=64)
Main PID: 22977 (code=exited, status=64)

Jan 05 11:11:41 alarm systemd[1]: Started Block hacking attempts.
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: usage: sshguard [-v] [-a thresh] [-b thresh:file] [-e script]
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: [-f service:pid-file] [-l source] [-p interval]
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: [-s interval] [-w address | file]
Jan 05 11:11:41 alarm systemd[1]: sshguard.service: Main process exited, code=exited, status=64/n/a
Jan 05 11:11:41 alarm systemd[1]: sshguard.service: Unit entered failed state.
Jan 05 11:11:41 alarm systemd[1]: sshguard.service: Failed with result 'exit-code'.


Starting it manually with the following command "/usr/sbin/sshguard -l- -b 60:/var/db/sshguard/blacklist.db" it seems that sshguard runs, but it permanently outputs "Refreshing sources showed 0 changes." every second and it does not block incoming intrusion attempts.

Does anybody have an idea what went wrong here? Help is appreciated.

Last edited by emkay1 (2016-01-07 11:04:54)


#2 2016-01-05 10:22:56

tequa
Member
Registered: 2012-06-22
Posts: 8

Re: [SOLVED] sshguard 1.6.3 not working

I can confirm the exact same two problems (change in the "-b" option and the infinite "Refreshing sources" logging) but have no solution either, unfortunately (besides downgrading to 1.6.1 temporarily).


#3 2016-01-05 20:22:11

nfm
Member
Registered: 2008-06-13
Posts: 66

Re: [SOLVED] sshguard 1.6.3 not working

I can also confirm. I additionally nuked my /var/db/sshguard/blacklist.db hoping that was the problem, but it had no effect.


#4 2016-01-06 03:47:25

wba072
Member
Registered: 2010-11-11
Posts: 33

Re: [SOLVED] sshguard 1.6.3 not working

The issue is that the threshold value for the "-b" option is required but not provided in sshguard.service. Locate and edit sshguard.service to include this value. For example, to make the threshold 40:

Change the following line from:

ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b /var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

To:

ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b 40:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10

Then restart the service.

Edit: This doesn't seem to solve the ultimate issue of the infinite logs.

Last edited by wba072 (2016-01-06 03:56:35)


#5 2016-01-06 04:21:28

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,231

Re: [SOLVED] sshguard 1.6.3 not working

emkay1 wrote:

  Process: 22977 ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl -b /var/db/sshguard/blacklist.db SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 (code=exited, status=64)
..........
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: usage: sshguard [-v] [-a thresh] [-b thresh:file] [-e script]
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: [-f service:pid-file] [-l source] [-p interval]
Jan 05 11:11:41 alarm sshguard-journalctl[22977]: [-s interval] [-w address | file]

As wba072 has said, look at the command being run by ExecStart, and compare it to the error (usage) message. The -b option is missing the "thresh:" part of its required option.

This is how the service unit is currently packaged, so file a bug on the bug tracker for it.

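The comparison described in post #5 (the ExecStart line against the "-b thresh:file" usage text), written as a check that can be run before restarting the service. This is an added example, not part of the original thread or of the sshguard package; the function names are hypothetical, and the two sample lines are the before/after ExecStart lines from post #4.

```shell
#!/bin/sh
# Added example (not from the thread or the sshguard package).
# Lints a unit's ExecStart for the "-b thresh:file" form shown in the usage message.

# Print the word following -b on the last non-empty ExecStart= line of stdin.
# Quotes are dropped so `-b X` and `"-b X"` (as in the packaged unit) both parse.
# An empty "ExecStart=" (the reset line of a drop-in) is skipped.
blacklist_arg() {
    awk '/^ExecStart=./ { line = substr($0, 11) }
         END {
             gsub(/"/, "", line)
             n = split(line, w, " ")
             for (i = 1; i < n; i++)
                 if (w[i] == "-b") { print w[i + 1]; exit }
         }'
}

# Exit status: 0 = thresh:file, 1 = threshold or file part missing, 2 = no -b found.
check_blacklist_arg() {
    cba_arg=$(blacklist_arg)
    [ -n "$cba_arg" ] || return 2
    case "$cba_arg" in
        *:*) ;;
        *) return 1 ;;
    esac
    cba_thresh=${cba_arg%%:*}
    cba_file=${cba_arg#*:}
    case "$cba_thresh" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ -n "$cba_file" ] || return 1
    return 0
}

# The before/after ExecStart lines quoted in post #4.
before='ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b /var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10'
after='ExecStart=/usr/lib/systemd/scripts/sshguard-journalctl "-b 40:/var/db/sshguard/blacklist.db" SYSLOG_FACILITY=4 SYSLOG_FACILITY=10'
for unit_line in "$before" "$after"; do
    if printf '%s\n' "$unit_line" | check_blacklist_arg; then
        echo "ok:  -b $(printf '%s\n' "$unit_line" | blacklist_arg)"
    else
        echo "bad: -b $(printf '%s\n' "$unit_line" | blacklist_arg) (need thresh:file)"
    fi
done
# On a live system: systemctl cat sshguard.service | check_blacklist_arg
```

A failed check here means the service exits at start, as in the status output of post #1, and no blocking is in place until the unit is corrected.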

#6 2016-01-06 04:26:25

wba072
Member
Registered: 2010-11-11
Posts: 33

Re: [SOLVED] sshguard 1.6.3 not working

Okay, so I think the above solves the entire bug. The reason in your test that you were not blocking intrusion attempts is that sshguard wasn't looking at journalctl. To do that you have to do:

/usr/bin/journalctl -afb -p info -n1 -o cat "$@" | /usr/bin/sshguard -l- -b 40:/var/db/sshguard/blacklist.db

This is what /usr/lib/systemd/scripts/sshguard-journalctl does, which is called by sshguard.service. I think the continual sshguard output in journalctl must be something else entirely.

Also bug filed: https://bugs.archlinux.org/task/47639 (now resolved)

Last edited by wba072 (2016-01-07 01:36:10)


#7 2016-01-07 11:04:28

emkay1
Member
Registered: 2016-01-05
Posts: 13

Re: [SOLVED] sshguard 1.6.3 not working

solved with 1.6.3-2
