sshguard -w command doesn't work

Create issue
Issue #146 open
goran created an issue

FreeBSD 13.0-RELEASE-p4

firewall = ipfw

I tried sshguard -w didn't work, so then I realized it's installed in two places. Below are error messages when I run commands.

Running command doesn’t work

sshguard -w

/usr/local/sbin/sshguard: cannot create : No such file or directory

root@me:/usr/local/sbin # sshguard
/usr/local/sbin/sshguard: cannot create : No such file or directory

From inside /usr/local/etc/rc.d

root@me:/usr/local/etc/rc.d # ./sshguard -w
./sshguard: unknown directive '-w'.
Usage: ./sshguard fast|force|one|quiet](start|stop|restart|rcvar|enable|disable|delete|enabled|describe|extracommands|status|poll)

From inside /usr/local/etc/rc.d directory restart works

root@me:/usr/local/etc/rc.d # ./sshguard restart
Stopping sshguard.
Waiting for PIDS: 845, 845.
Starting sshguard.

Calling the command doesn’t work
root@me:/usr/local/etc/rc.d # sshguard restart
/usr/local/sbin/sshguard: cannot create : No such file or directory

Also from inside /usr/local/sbin it doesn’t work

root@me:/usr/local/sbin # ./sshguard restart
./sshguard: cannot create : No such file or directory

Manpages don’t say where whitelist file is located.

Am able to start via service sshguard start and everything works fine besides trying to invoke commands -w -a etc ….

Edit: Edited the title to not be a lie it was 🙂

Comments (20)

  1. Kevin Zheng
    • changed status to open

    SSHGuard is not installed in two places. One is the rc.d script, and the other is the command-line program itself.

    Could you show your $PATH environment variable when you try to run SSHGuard? If you don't know how to check it:

    $ echo $PATH
  2. goran reporter

    Some commands work like sshguard -v sshguard -h

    I did not create any files for blacklist or whitelist, sshguard created one file for blacklist on it’s own.

    Don’t know if I need to create a whitelist file first.

    Below is just the commands I tried

    root@me:/usr/local/sbin # ./sshguard -w
    No arg for -w option
    Try 'sshguard -h' for help

    root@me:/usr/local/sbin # ./sshguard -w
    ./sshguard: cannot create : No such file or directory

    root@me:/usr/local/sbin # sshguard -w
    /usr/local/sbin/sshguard: cannot create : No such file or directory

    root@me:/usr/local/sbin # sshguard -i
    No arg for -i option
    Try 'sshguard -h' for help

    root@me:/usr/local/sbin # sshguard -h
    Usage: sshguard [-v] [-h]
    [-i PID-FILE] [-p BLOCK_TIME]

    root@me:/usr/local/sbin # sshguard -a 30
    /usr/local/sbin/sshguard: cannot create : No such file or directory

    root@irondesign:/usr/local/sbin # sshguard -v
    SSHGuard 2.4.2

  3. goran reporter

    I did uncomment the whitelist file # and restarted sshguard, it was the same.

    # sshguard.conf -- SSHGuard configuration
    # Options that are uncommented in this example are set to their default
    # values. Options without defaults are commented out.
    # Full path to backend executable (required, no default)
    # Space-separated list of log files to monitor. (optional, no default)
    FILES="/var/log/auth.log /var/log/maillog"
    # Shell command that provides logs on standard output. (optional, no default)
    # Example 1: ssh and sendmail from systemd journal:
    #LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
    # Example 2: ssh from os_log (macOS 10.12+)
    #LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"
    #### OPTIONS ####
    # Block attackers when their cumulative attack score exceeds THRESHOLD.
    # Most attacks have a score of 10. (optional, default 30)
    # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
    # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
    # Remember potential attackers for up to DETECTION_TIME seconds before
    # resetting their score. (optional, default 1800)
    # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
    # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
    #### EXTRAS ####
    # !! Warning: These features may not work correctly with sandboxing. !!
    # Full path to PID file (optional, no default)
    # Colon-separated blacklist threshold and full path to blacklist file.
    # (optional, no default)
    # IP addresses listed in the WHITELIST_FILE are considered to be
    # friendlies and will never be blocked.
    # If PARSER is unset, SSHGuard will use the installed sshg-parser as its
    # parser. Setting PARSER overrides this, so that you can use your own parser.
    # Run POST_PARSER as a filter after the parser. POST_PARSER must read as input
    # and produce as output lines in the format used by sshg-parser. This example
    # implements primitive whitelisting, preventing sshg-blocker from seeing
    # attacks from Unlike whitelisting, attacks filtered by POST_PARSER
    # are not logged by SSHGuard.
    #POST_PARSER="grep -v"

  4. goran reporter

    Slightly off topic.

    At first I didn’t have this, but it seems to work fine with no difference, but as per documentation for syslog I added; |exec /usr/local/sbin/sshguard but now have removed it as it made the parser run in two instances, removing and rebooting now there is only one process running. Is there a need to add that at syslogd, as in the sshguard.conf only the auth and mail logs are uncommented.

    787 root 20 0 13248 2764 S 0.0 0.1 0:00.00 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 120 -s 1800 -N 128 -n 32

  5. Kevin Zheng

    Where did you find this documentation about adding that line to syslog.conf? This became unsupported several versions ago and was removed from the man page.

  6. Kevin Zheng

    I’m having trouble reproducing.

    Also, you noted in your bug report that you want to use ipfw, yet, why do you have the pf backend enabled?

  7. goran reporter

    Oh I changed the firewall to pf in the meantime, disabled ipfw and changed backend accordingly.

    As for the documentation, at the website, the links on iit redirect to web.archive

    This page is non existent

    I installed it again on my other VPS. Same thing, I might have put the table at the wrong place in pf.conf, idk, maybe if you tell me an outline of how you did it and couldn’t reproduce it 🙂 so I can do the same thing.

    Anyway, what I did, enable pf and enable sshguard, copy quick internet rules for pf which I’ll post, enable backend, put the table in pf.conf at seemingly logical place,

    pfctl -t sshguard -T show shows an ip blocked already

    sshguard -w complained I didn’t set up a table because I forgot, after reboot now there is no error but it just hangs there.

  8. goran reporter

    # Source and tutorial -

    # /usr/local/etc/pf.conf


    ## Set your public interface ##


    ## Set your server public IP address ##


    ## Set and drop these IP ranges on public interface ##

    martians = "{,,, \

    ‌,,, \

    ‌, }"

    ## Set http(80)/https (443) port here ##

    webports = "{http, https}"

    ## enable these services ##

    int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"

    int_udp_services = "{domain, ntp}"

    ## Skip loop back interface - Skip all PF processing on interface ##

    set skip on lo

    ## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##

    set loginterface $ext_if

    ## Set default policy ##

    block return in log all

    block out all

    # Deal with attacks based on incorrect handling of packet fragments

    #scrub in all

    # Drop all Non-Routable Addresses

    block drop in quick on $ext_if from $martians to any

    block drop out quick on $ext_if from any to $martians

    ## Blocking spoofed packets

    antispoof quick for $ext_if

    table <sshguard> persist

    block in proto tcp from <sshguard>

    # Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only

    # I do not allow or accept ssh traffic from ALL for security reasons

    #pass in quick on $ext_if inet proto tcp from to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from"

    ## Use the following rule to enable ssh for ALL users from any IP address #

    pass in inet proto tcp to $ext_if port ssh

    ### [ OR ] ###

    ## pass in inet proto tcp to $ext_if port 22

    # Allow Ping-Pong stuff. Be a good sysadmin

    pass inet proto icmp icmp-type echoreq

    # All access to our Nginx/Apache/Lighttpd Webserver ports

    pass proto tcp from any to $ext_if port $webports

    # Allow essential outgoing traffic

    pass out quick on $ext_if proto tcp to any port $int_tcp_services

    pass out quick on $ext_if proto udp to any port $int_udp_services

    # Add custom rules below

    # vim: set ft=pf

  9. goran reporter

    I think my processes have started like they’re supposed to.

    462 root 20 0 13532 3100 S 0.0 0.2 0:00.00 pflogd: [priv]
    464 _pflogd 20 0 13532 3128 S 0.0 0.2 0:02.75 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog
    670 root 20 0 12920 2808 S 0.0 0.1 0:00.93 /usr/sbin/syslogd -s
    776 root 20 0 20952 8152 S 0.0 0.4 0:00.23 /usr/sbin/sshd
    781 root 52 0 29224 7572 S 0.0 0.4 0:00.00 nginx: master process /usr/local/sbin/nginx
    782 www 20 0 29224 8368 S 0.0 0.4 0:00.06 nginx: worker process
    783 www 20 0 29224 8420 S 0.0 0.4 0:00.10 nginx: worker process
    795 root 52 0 13624 2840 S 0.0 0.1 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 120:/var/db/sshguard/blacklist.db -i /var/run/
    800 root 20 0 12944 2604 S 0.0 0.1 0:02.70 tail -F -n 0 /var/log/auth.log /var/log/maillog
    801 root 20 0 14544 3808 S 0.0 0.2 0:00.07 /usr/local/libexec/sshg-parser
    802 root 20 0 17344 2840 S 0.0 0.1 0:00.08 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 120 -s 1800 -N 128 -n 32
    803 root 20 0 13624 2844 S 0.0 0.1 0:00.01 /bin/sh /usr/local/libexec/sshg-fw-pf

  10. goran reporter

    this is what happens in auth log when I tail it and run sshguard -w ipaddress, it hangs there and I have to Ctrl c

    Nov 29 02:49:19 dva sshguard[1400]: Now monitoring attacks.

    Nov 29 02:49:22 dva sshguard[1400]: Exiting on signal.

  11. goran reporter

    ok so after I run sshguard -w . , or if I just run sshguard, it just starts another instance of sshguard along with all other processes that are needed to run, so pretty much just a copy of those I posted above.

  12. goran reporter

    1307 root 52 0 13624 3124 S 0.0 0.2 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 120:/var/db/ss
    1308 root 20 0 12944 2448 S 0.0 0.1 0:00.18 tail -F -n 0 /var/log/auth.log /var/log/maillog
    1309 root 20 0 14544 3964 S 0.0 0.2 0:00.01 /usr/local/libexec/sshg-parser
    1310 root 20 0 17344 2752 S 0.0 0.1 0:00.01 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/
    1311 root 20 0 13624 3124 S 0.0 0.2 0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
    1316 root 20 0 12944 2348 S 0.0 0.1 0:00.16 tail: system.fileargs
    1435 root 20 0 16508 4476 R 0.0 0.2 0:00.14 htop
    1463 root 23 0 13624 3124 S 0.0 0.2 0:00.01 /bin/sh /usr/local/sbin/sshguard -w
    1464 root 20 0 12944 2440 S 0.0 0.1 0:00.01 tail -F -n 0 /var/log/auth.log /var/log/maillog
    1465 root 22 0 14544 3940 S 0.0 0.2 0:00.00 /usr/local/libexec/sshg-parser
    1466 root 22 0 13248 2668 S 0.0 0.1 0:00.01 /usr/local/libexec/sshg-blocker -a 30 -p 120 -s 18
    1467 root 26 0 13624 3132 S 0.0 0.2 0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
    1472 root 20 0 12944 2348 S 0.0 0.1 0:00.00 tail: system.fileargs

  13. Kevin Zheng

    Hi Janne, thanks for reporting your problem. Could you explain what you know so far about the problem, and why the kludge fixes it? Perhaps then we can figure out how to address the root cause.

  14. Janne Paalijarvi

    Fresh Debian 10.11. Installed sshguard 2.3.1 via apt-get. Trying to add via -w just hangs forever:

  15. yo000

    I could be misleading, so @Kevin Zheng do not hesitate to correct.

    There is two things here :

    1. /usr/local/sbin/sshguard: cannot create : No such file or directory
    2. The “hang forever” part

    The first item occurs because you are executing sshguard as a command line tool, and there is no PID_FILE environment variable. This situation could be introduced by your distribution packaging.

    For example FreeBSD port patch so it removes the check on PID_FILE:

    % cat security/sshguard/files/ 
    --- src/        2021-06-06 14:54:07 UTC
    +++ src/
    @@ -98,14 +98,8 @@ elif [ -z "$tailcmd" ]; then
         exit 1
    -if [ -n "$PID_FILE" ]; then
    -    if [ ! -e "$PID_FILE" ]; then
    -        echo "$$" > $PID_FILE
    -    else
    -        err "$PID_FILE already exists; is SSHGuard already running?"
    -        exit 1
    -    fi
    +# Already checked by rc(8)
    +echo "$$" > $PID_FILE

    The second item is a misunderstanding of sshguard usage : this is not an interactive command line tool. “sshguard” executable is the service itself, so hanging forever is its normal behaviour.

    -w option is not designed to be used like this. For whitelisting addresses, enable WHITELIST_FILE in sshguard.conf and put addresses there.

    Hope that helps.

  16. Log in to comment