FS#53228 - [sshguard] Requires a configuration file

Attached to Project: Community Packages
Opened by Ludovic Fauvet (etix) - Thursday, 09 March 2017, 15:20 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 11 March 2017, 14:20 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 6
Private No

Details

Description: sshguard 2.0.0 now requires a configuration file, this file must be located in %PREFIX%/etc/sshguard.conf but since the package is compiled with PREFIX=/usr the package is looking for the configuration in /usr/etc/sshguard.conf. Furthermore, the example file is not provided by the package.

Steps to reproduce:

1. Install sshguard
2. Run sshguard

Result:

sshguard
sshguard: Could not read '/usr/etc/sshguard.conf'
sshguard: Please configure SSHGuard.
This task depends upon

Closed by  Doug Newgard (Scimmia)
Saturday, 11 March 2017, 14:20 GMT
Reason for closing:  Fixed
Additional comments about closing:  sshguard 2.0.0-3
Comment by Radu Potop (wooptoo) - Thursday, 09 March 2017, 16:38 GMT
Running into the same issue.

Some sample config files can be found if you download the package source and look into the `examples` folder.

   sshguard.conf.sample (1.7 KiB)
Comment by Radu Potop (wooptoo) - Thursday, 09 March 2017, 20:18 GMT
So I managed to get a working configuration that's equivalent to the old one of Sshguard 1.7

Sshguard 2.0 can now read journalctl on its own using the LOGREADER directive from the config.
The wrapper script found at `/usr/lib/systemd/scripts/sshguard-journalctl` is no longer needed since LOGREADER now does exactly that.

The BACKEND directive is also a must: BACKEND="/usr/libexec/sshg-fw-iptables"

And a new .service file is needed which will start sshguard without any other parameters.
The old blacklist.db is fine and is provided via: BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db

   sshguard.conf (1.5 KiB)
   sshguard.service (0.4 KiB)
Comment by Tim (sirarch) - Thursday, 09 March 2017, 20:33 GMT
Is it the case that sshguard now requires a config file? Didn't need one in the past.
Comment by Radu Potop (wooptoo) - Thursday, 09 March 2017, 23:23 GMT
The config file is mandatory from version 2.0.
Comment by Tim (sirarch) - Friday, 10 March 2017, 01:15 GMT
Thanks. The config file clearly doesn't belong in /usr/etc, maybe /etc/sshguard/sshguard.conf or just /etc/sshguard.conf
Hopefully this will be fixed soon and we will have a working package as I rely on it for an added layer of protection.
Comment by Sergej Pupykin (sergej) - Friday, 10 March 2017, 09:22 GMT
please try sshguard-2.0.0-2
Comment by Radu Potop (wooptoo) - Friday, 10 March 2017, 10:14 GMT
> please try sshguard-2.0.0-2

The `/usr/lib/systemd/scripts/sshguard-journalctl` script should be removed since it't not part of the original distribution anyway, and replaced with the LOGREADER directive in the config file:

BACKEND="/usr/libexec/sshg-fw-iptables"
LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"
BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db
Comment by Sergej Pupykin (sergej) - Friday, 10 March 2017, 10:33 GMT
uploaded sshguard-2.0.0-3
Comment by Radu Potop (wooptoo) - Friday, 10 March 2017, 11:45 GMT
That works well, though it would be preferable to have the comments as well https://gist.github.com/wooptoo/bdd5840ad7adfa0996a847ff14eeef31
Comment by Witit Sujjapong (bsujja) - Friday, 10 March 2017, 13:07 GMT
I have this error after installing 20.0.3 with modified sshguard.service as suggested above:
Process: 653 ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=1/FAILURE)
Comment by Sergej Pupykin (sergej) - Friday, 10 March 2017, 14:41 GMT
> ExecStartPre=/usr/sbin/iptables -N sshguard (code=exited, status=1/FAILURE)

it is ok, it means chain already exists and should be ignored.
Comment by Alex (troy) - Friday, 10 March 2017, 16:27 GMT
After start sshguard.service: Failed at step EXEC spawning /usr/lib/systemd/scripts/sshguard-journalctl: No such file or directory

in /etc/sshguard.conf LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat"

Does sshguard read this config?
Comment by Ludovic Fauvet (etix) - Friday, 10 March 2017, 16:30 GMT
Maybe you still have an old sshguard.service around?
Comment by Alex (troy) - Friday, 10 March 2017, 16:36 GMT
Ludovic, you're right. systemctl revert helped, thanks!
Comment by Ludovic Fauvet (etix) - Friday, 10 March 2017, 16:37 GMT
I think this issue can now be closed.
Thank you all.

Loading...