On 14.04.2014 10:25, Benjamin Podszun wrote:
> Looking at the rc script and the diff [1] the problem's easy enough:
> ${sshguard_pidfile} is passed as parameter to -i, but isn't set in the
> script/has no default value. Either the related line from the previous
> revision should be revived or the substitution should change to use
> ${pidfile}, which _is_ set.

I just installed sshguard on one of my servers and noticed the same problem. The program is not started due to several bugs:

1) $sshguard_pidfile vs. $pidfile as noticed by you

2) Passing of log files to watch. They are correctly processed by sshguard_prestart(), but the result is not pasted into the command line. (You can manually add "-l <logfile>" options to the command line in the rc script as a workaround ...)

There are other deficiencies:

a) The documentation lacks details about the mechanism used to block attacks. E.g. in case of IPFW, blocking rules are injected in lines 55000 to 55050. You have to adapt your ruleset in such a way that any to-be-blocked service is only enabled at a later line, or the blocking is ineffective. This port range should be mentioned at least in the pkg message for ipfw. Better would be a section in the man page, which explains the mechanism used by each backend.

b) The security/sshguard-ipfw port is marked as NO_STAGE=no, while security/sshguard seems to work just fine with staging enabled. This is probably an oversight: when sshguard was fixed/verified for staging, the sub-ports were not marked as staging clean.

c) The MAKE_ARGS variable mentions ACLOCAL, AUTOCONF and AUTOMAKE, but no dependencies are registered for any of them.

d) The master port's Makefile lists hosts, pf, and ipfw as possible backends, selected by SSHGUARDFW, but does not mention ipfilter as the fourth supported backend.

I did not have time to check the code quality of the parser. I'm a bit suspicious that it might be possible to attack sshguard via parameters passed under control of an attacker.

If you create a PR, you may want to add these points to the PR ...

Regards, Stefan

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"
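
The rule-ordering point in (a), as an added example that is not part of the original message or of sshguard: a shell function that reads `ipfw list` output and reports allow rules numbered below 55000 that would accept new TCP connections to a port before the block rules are evaluated. The function names are hypothetical, and the `dst-port` listing format and the sample ruleset are constructed assumptions.

```shell
#!/bin/sh
# Added example: find ipfw allow rules that match before the sshguard block rules.
# The first block rule number (55000) is taken from the message above; the
# parsing of `ipfw list` output is a simplified assumption, not sshguard code.
SSHGUARD_FIRST=55000

# early_allows PORT < ruleset
# Prints the number of every allow rule below the sshguard window that
# admits new TCP connections to PORT (ipfw stops at the first matching rule).
early_allows() {
    awk -v port="$1" -v first="$SSHGUARD_FIRST" '
    function port_matches(spec,    n, k, parts, r) {
        n = split(spec, parts, ",")
        for (k = 1; k <= n; k++) {
            if (split(parts[k], r, "-") == 2) {
                if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
            } else if (parts[k] + 0 == port + 0) return 1
        }
        return 0
    }
    $1 + 0 >= first + 0              { next }  # at or after the block rules
    $2 != "allow"                    { next }  # only accepting rules bypass a block
    $3 != "tcp" && $3 != "ip"        { next }  # protocol cannot carry TCP
    / via lo[0-9]/ || / established/ { next }  # loopback or existing flows only
    {
        spec = ""
        for (i = 4; i < NF; i++) if ($i == "dst-port") spec = $(i + 1)
        # No dst-port restriction means the rule admits every port.
        if (spec == "" || port_matches(spec)) print $1
    }'
}

# Constructed sample in `ipfw list` format (address from a documentation range).
sample_ruleset() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow tcp from any to any established
01000 allow tcp from any to me dst-port 22 setup
02000 allow tcp from any to me dst-port 80,443 setup
03000 allow tcp from any to me dst-port 8000-8100 setup
55000 deny ip from 192.0.2.10 to any
56000 allow tcp from any to me dst-port 25 setup
65535 deny ip from any to any
EOF
}

sample_ruleset | early_allows 22
```

On a live host the input would be `ipfw list | early_allows 22`; any rule number it prints has to move past the block rules for blocking to take effect on that port.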