Use this quick workaround:
sudo sed -i "s/SYSLOG_FACILITY=4 SYSLOG_FACILITY=10/-t sshd/" /etc/sshguard/sshguard.conf
sudo systemctl restart sshguard
Can add more services (-t <service>) as needed.
Note: SSHGuard can parse the following services (see
src/common/attack.h):
enum service {
    SERVICES_ALL = 0,             //< anything
    SERVICES_SSH = 100,           //< ssh
    SERVICES_SSHGUARD = 110,      //< SSHGuard
    SERVICES_UWIMAP = 200,        //< UWimap for imap and pop daemon
    SERVICES_DOVECOT = 210,       //< dovecot
    SERVICES_CYRUSIMAP = 220,     //< cyrus-imap
    SERVICES_CUCIPOP = 230,       //< cucipop
    SERVICES_EXIM = 240,          //< exim
    SERVICES_SENDMAIL = 250,      //< sendmail
    SERVICES_POSTFIX = 260,       //< postfix
    SERVICES_OPENSMTPD = 270,     //< OpenSMTPD
    SERVICES_COURIER = 280,       //< Courier IMAP/POP
    SERVICES_FREEBSDFTPD = 300,   //< ftpd shipped with FreeBSD
    SERVICES_PROFTPD = 310,       //< ProFTPd
    SERVICES_PUREFTPD = 320,      //< Pure-FTPd
    SERVICES_VSFTPD = 330,        //< vsftpd
    SERVICES_COCKPIT = 340,       //< cockpit management dashboard
    SERVICES_CLF_UNAUTH = 350,    //< HTTP 401 in common log format
    SERVICES_CLF_PROBES = 360,    //< probes for common web services
    SERVICES_CLF_LOGIN_URL = 370, //< CMS framework logins in common log format
    SERVICES_OPENVPN = 400,       //< OpenVPN
    SERVICES_OPENVPN_PS = 410,    //< OpenVPN Portshare
    SERVICES_GITEA = 500,         //< Gitea
};
A quick look at the source reveals that SSHGuard has a parser for its
own logs, which seems to be to support a remote sshguard logging scenario.
There does not seem to be a way to configure SSHGuard actions
per-service, and it always logs using the LOG_AUTH facility (4), which
means SYSLOG_FACILITY=4 can never be used as a filter currently; the
only solution is to filter the logs *before* they reach SSHGuard.
--
https://bugs.launchpad.net/bugs/1881459
Title:
sshguard triggers on its own log messages
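Added example (not part of the original bug comment and not SSHGuard's own code): a shell check that reports whether an sshguard.conf still reads the journal by SYSLOG_FACILITY=4, the filter that also selects SSHGuard's own LOG_AUTH messages, and that applies the comment's sed substitution to a given file. The function names are hypothetical, and the sample config is constructed to contain the string the sed expression targets.

```shell
#!/bin/sh
# Audit an sshguard.conf for the facility-based journal filter described above.

# Print the value of the last uncommented LOGREADER= assignment in file $1.
logreader_of() {
    sed -n 's/^[[:space:]]*LOGREADER=//p' "$1" | tail -n 1
}

# Exit status:
#   0  LOGREADER matches on SYSLOG_FACILITY=4 (LOG_AUTH), so SSHGuard's own
#      log lines are fed back into it
#   1  LOGREADER is set and does not match on SYSLOG_FACILITY=4
#   2  no LOGREADER setting found
logreader_self_feeds() {
    reader=$(logreader_of "$1")
    [ -n "$reader" ] || return 2
    # Strip the surrounding quotes so the first and last words compare cleanly.
    words=$(printf '%s' "$reader" | tr -d "\"'")
    case " $words " in
        *" SYSLOG_FACILITY=4 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed sample config to file $1 (test data, not a shipped file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for this example
#LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat -t sshd"
LOGREADER="LANG=C /bin/journalctl -afb -p info -n1 -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10"
EOF
}

# Apply the same substitution as the workaround to file $1.
# No sudo and no service restart here, so it is safe to run on a copy.
apply_workaround() {
    sed -i "s/SYSLOG_FACILITY=4 SYSLOG_FACILITY=10/-t sshd/" "$1"
}
```

After sourcing the file, `logreader_self_feeds /etc/sshguard/sshguard.conf; echo $?` gives the status for the live config.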