FS#31733 - [sshguard] sshguard-journalctl script does not work with systemd 192-1

Attached to Project: Community Packages
Opened by Radu Potop (wooptoo) - Saturday, 29 September 2012, 16:22 GMT
Last edited by Massimiliano Torromeo (mtorromeo) - Thursday, 15 November 2012, 09:00 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Massimiliano Torromeo (mtorromeo)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Script /usr/lib/systemd/scripts/sshguard-journalctl does not work with systemd 192-1. Sshguard does not read the log at all.
Currently it's something like:

/usr/bin/journalctl -flbp info -n0 SYSLOG_FACILITY=10 | /usr/sbin/sshguard -l- "$@"

I found that this works:

/usr/bin/journalctl -fb _SYSTEMD_UNIT=sshd.service | /usr/sbin/sshguard -l- "$@"

Closed by Massimiliano Torromeo (mtorromeo)
Thursday, 15 November 2012, 09:00 GMT
Reason for closing: Fixed
Additional comments about closing: sshguard-1.5-8
Comment by Abdó Roig-Maranges (abdo) - Saturday, 29 September 2012, 16:35 GMT
The problems are:

1) the -l flag no longer exists
2) SYSLOG_FACILITY=10 does not catch the messages that report the attacking IP (at least with sshd). Need to add SYSLOG_FACILITY=4 too.
3) Moreover, piping journalctl output truncates lines to a certain length, which may result in trouble. Need to add -a flag.

So, I'd suggest using something like this:

/usr/bin/journalctl -afb -p info -n0 SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | /usr/sbin/sshguard -l- "$@"
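To make point 2 concrete, here is an added Python example (not part of this bug report or of the sshguard package) that applies the same SYSLOG_FACILITY and priority filters to constructed journalctl -o json entries and renders the survivors as the syslog-style lines sshguard reads from stdin. The journal field names are the real ones; the entries themselves are constructed sample data.

```python
import json
from datetime import datetime, timezone

# Constructed journal entries in the shape `journalctl -o json` emits (not captured
# from a real host). SYSLOG_FACILITY 4 = auth, 10 = authpriv; PRIORITY 6 = info, 7 = debug.
SAMPLE_JOURNAL = "\n".join(json.dumps(e) for e in [
    {"__REALTIME_TIMESTAMP": "1348948474000000", "_HOSTNAME": "blue",
     "SYSLOG_IDENTIFIER": "sshd", "_PID": "1234", "SYSLOG_FACILITY": "4",
     "PRIORITY": "6", "MESSAGE": "Failed password for root from 192.0.2.10 port 4242 ssh2"},
    {"__REALTIME_TIMESTAMP": "1348948475000000", "_HOSTNAME": "blue",
     "SYSLOG_IDENTIFIER": "sshd", "_PID": "1234", "SYSLOG_FACILITY": "4",
     "PRIORITY": "7", "MESSAGE": "debug1: Connection closed by 192.0.2.10"},
    {"__REALTIME_TIMESTAMP": "1348948476000000", "_HOSTNAME": "blue",
     "SYSLOG_IDENTIFIER": "sudo", "_PID": "1300", "SYSLOG_FACILITY": "10",
     "PRIORITY": "5", "MESSAGE": "pam_unix(sudo:auth): authentication failure"},
    {"__REALTIME_TIMESTAMP": "1348948477000000", "_HOSTNAME": "blue",
     "SYSLOG_IDENTIFIER": "kernel", "_PID": "0", "SYSLOG_FACILITY": "0",
     "PRIORITY": "6", "MESSAGE": "eth0: link up"},
])


def select_lines(journal_json, facilities, max_priority=6):
    """Keep entries whose SYSLOG_FACILITY is in `facilities` (set of ints) and whose
    PRIORITY is at most `max_priority` (6 == info, like `-p info`), rendered as
    classic syslog lines: 'Mon DD HH:MM:SS host ident[pid]: message'."""
    out = []
    for raw in journal_json.splitlines():
        if not raw.strip():
            continue
        e = json.loads(raw)
        if int(e.get("SYSLOG_FACILITY", -1)) not in facilities:
            continue
        if int(e.get("PRIORITY", 7)) > max_priority:
            continue
        # __REALTIME_TIMESTAMP is microseconds since the epoch; rendered in UTC here.
        ts = datetime.fromtimestamp(int(e["__REALTIME_TIMESTAMP"]) / 1e6, tz=timezone.utc)
        out.append("%s %s %s[%s]: %s" % (ts.strftime("%b %d %H:%M:%S"), e["_HOSTNAME"],
                                         e["SYSLOG_IDENTIFIER"], e["_PID"], e["MESSAGE"]))
    return out
```

With only facility 10 the sshd "Failed password" entry never reaches sshguard; adding facility 4 is what makes it visible, while the debug-level sshd entry is still dropped by the info cutoff.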
Comment by Radu Potop (wooptoo) - Saturday, 29 September 2012, 17:05 GMT
Also, sshguard service should depend on iptables. It gives this error if started before iptables:

Sep 29 19:54:34 blue sshguard-journalctl[351]: iptables: No chain/target/match by that name.
Comment by Massimiliano Torromeo (mtorromeo) - Sunday, 30 September 2012, 11:20 GMT
@wooptoo: sshguard does not work only with sshd; it also checks other types of attacks in different services, so your proposed solution is suboptimal.
I'm planning to fix it with Abdo's suggestion. Can you check if it works fine for you too?
Comment by Radu Potop (wooptoo) - Sunday, 30 September 2012, 18:24 GMT
You're right, abdo's script works better.
Comment by Radu Potop (wooptoo) - Wednesday, 14 November 2012, 23:54 GMT
Can anyone confirm that sshguard works with the latest packages?
Now it reads the logs but it won't block anything with iptables.
Comment by Massimiliano Torromeo (mtorromeo) - Thursday, 15 November 2012, 08:55 GMT
The reason it stopped working is that journalctl now fails to parse "-n0". I'm updating sshguard-journalctl to use "-n1" and I verified that it works correctly this way.

Thanks for reporting.