sshguard -w command doesn't work

Issue #146 open

Goran Muminovic created an issue 2021-11-26

FreeBSD 13.0-RELEASE-p4

https://www.freshports.org/security/sshguard/

firewall = ipfw

I tried sshguard -w 12.1.1.1 didn't work, so then I realized it's installed in two places. Below are error messages when I run commands.

Running command doesn’t work

sshguard -w 162.222.4.25

/usr/local/sbin/sshguard: cannot create : No such file or directory
^CTerminated

root@me:/usr/local/sbin # sshguard
/usr/local/sbin/sshguard: cannot create : No such file or directory
^CTerminated

From inside /usr/local/etc/rc.d

From inside /usr/local/etc/rc.d directory restart works

root@me:/usr/local/etc/rc.d # ./sshguard restart
Stopping sshguard.
Waiting for PIDS: 845, 845.
Starting sshguard.

Calling the command doesn’t work
root@me:/usr/local/etc/rc.d # sshguard restart
/usr/local/sbin/sshguard: cannot create : No such file or directory
^CTerminated

Also from inside /usr/local/sbin it doesn’t work

root@me:/usr/local/sbin # ./sshguard restart
./sshguard: cannot create : No such file or directory
^CTerminated

Manpages don’t say where whitelist file is located.

Am able to start via service sshguard start and everything works fine besides trying to invoke commands -w -a etc ….

‌

Edit: Edited the title to not be a lie it was

Comments (20)

Goran Muminovic reporter
- edited description
- 2021-11-26T13:37:20+00:00
Kevin Zheng
- changed status to open
SSHGuard is not installed in two places. One is the rc.d script, and the other is the command-line program itself.

Could you show your $PATH environment variable when you try to run SSHGuard? If you don't know how to check it:
```
$ echo $PATH
```
- 2021-11-26T18:15:22+00:00
Goran Muminovic reporter
echo $PATH

/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- 2021-11-26T20:25:37+00:00
Goran Muminovic reporter
- changed title to sshguard -w command doesn't work
- edited description
- 2021-11-26T20:27:03+00:00
Goran Muminovic reporter
Some commands work like sshguard -v sshguard -h

I did not create any files for blacklist or whitelist, sshguard created one file for blacklist on it’s own.

Don’t know if I need to create a whitelist file first.

Below is just the commands I tried

root@me:/usr/local/sbin # ./sshguard -w
No arg for -w option
Try 'sshguard -h' for help

root@me:/usr/local/sbin # ./sshguard -w 162.0.0.5
./sshguard: cannot create : No such file or directory
^CTerminated

root@me:/usr/local/sbin # sshguard -w 162.0.0.2
/usr/local/sbin/sshguard: cannot create : No such file or directory
^CTerminated

root@me:/usr/local/sbin # sshguard -i
No arg for -i option
Try 'sshguard -h' for help

root@me:/usr/local/sbin # sshguard -h
Usage: sshguard [-v] [-h]
[-a BLACKLIST-THRESHOLD] [-b BLACKLIST-FILE]
[-i PID-FILE] [-p BLOCK_TIME]
[-s DETECTION_TIME] [-w IP-ADDRESS | WHITELIST-FILE]

root@me:/usr/local/sbin # sshguard -a 30
/usr/local/sbin/sshguard: cannot create : No such file or directory
^CTerminated

root@irondesign:/usr/local/sbin # sshguard -v
SSHGuard 2.4.2

‌
- 2021-11-26T20:34:29+00:00
Kevin Zheng
Could you please also attach your sshguard.conf?
- 2021-11-28T18:28:57+00:00

Goran Muminovic reporter

I did uncomment the whitelist file # and restarted sshguard, it was the same.

#!/bin/sh
# sshguard.conf -- SSHGuard configuration

# Options that are uncommented in this example are set to their default
# values. Options without defaults are commented out.

#### REQUIRED CONFIGURATION ####
# Full path to backend executable (required, no default)
#BACKEND="/usr/local/libexec/sshg-fw-hosts"
#BACKEND="/usr/local/libexec/sshg-fw-ipfw"
BACKEND="/usr/local/libexec/sshg-fw-pf"

# Space-separated list of log files to monitor. (optional, no default)
FILES="/var/log/auth.log /var/log/maillog"

# Shell command that provides logs on standard output. (optional, no default)
# Example 1: ssh and sendmail from systemd journal:
#LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat"
# Example 2: ssh from os_log (macOS 10.12+)
#LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'"

#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# Remember potential attackers for up to DETECTION_TIME seconds before
# resetting their score. (optional, default 1800)
DETECTION_TIME=1800

# Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128)
IPV6_SUBNET=128

# Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32)
IPV4_SUBNET=32

#### EXTRAS ####
# !! Warning: These features may not work correctly with sandboxing. !!

# Full path to PID file (optional, no default)
#PID_FILE=/var/run/sshguard.pid

# Colon-separated blacklist threshold and full path to blacklist file.
# (optional, no default)
#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist

# If PARSER is unset, SSHGuard will use the installed sshg-parser as its
# parser. Setting PARSER overrides this, so that you can use your own parser.
#PARSER=

# Run POST_PARSER as a filter after the parser. POST_PARSER must read as input
# and produce as output lines in the format used by sshg-parser. This example
# implements primitive whitelisting, preventing sshg-blocker from seeing
# attacks from 1.2.3.4. Unlike whitelisting, attacks filtered by POST_PARSER
# are not logged by SSHGuard.
#POST_PARSER="grep -v 1.2.3.4"

‌

2021-11-28T19:20:50+00:00

Goran Muminovic reporter
Slightly off topic.

At first I didn’t have this, but it seems to work fine with no difference, but as per documentation for syslog I added #auth.info;authpriv.info |exec /usr/local/sbin/sshguard but now have removed it as it made the parser run in two instances, removing and rebooting now there is only one process running. Is there a need to add that at syslogd, as in the sshguard.conf only the auth and mail logs are uncommented.

787 root 20 0 13248 2764 S 0.0 0.1 0:00.00 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 120 -s 1800 -N 128 -n 32

‌
- 2021-11-28T22:04:53+00:00
Kevin Zheng
Where did you find this documentation about adding that line to syslog.conf? This became unsupported several versions ago and was removed from the man page.
- 2021-11-29T01:44:20+00:00
Kevin Zheng
I’m having trouble reproducing.

Also, you noted in your bug report that you want to use ipfw, yet, why do you have the pf backend enabled?
- 2021-11-29T01:46:44+00:00
Goran Muminovic reporter
Oh I changed the firewall to pf in the meantime, disabled ipfw and changed backend accordingly.

As for the documentation, at the https://www.sshguard.net/docs.html website, the links on iit redirect to web.archive

https://web.archive.org/web/20180901061425/https://www.sshguard.net/docs/setup/

This page is non existent https://www.sshguard.net/docs/

I installed it again on my other VPS. Same thing, I might have put the table at the wrong place in pf.conf, idk, maybe if you tell me an outline of how you did it and couldn’t reproduce it so I can do the same thing.

Anyway, what I did, enable pf and enable sshguard, copy quick internet rules for pf which I’ll post, enable backend, put the table in pf.conf at seemingly logical place,

pfctl -t sshguard -T show shows an ip blocked already

sshguard -w 8.8.8.8 complained I didn’t set up a table because I forgot, after reboot now there is no error but it just hangs there.
- 2021-11-29T07:55:23+00:00
Goran Muminovic reporter
# Source and tutorial - https://www.cyberciti.biz/faq/how-to-set-up-a-firewall-with-pf-on-freebsd-to-protect-a-web-server/

# /usr/local/etc/pf.conf

#

## Set your public interface ##

ext_if="vtnet0"

## Set your server public IP address ##

ext_if_ip="162.212.158.250"

## Set and drop these IP ranges on public interface ##

martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \

‌ 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \

‌ 0.0.0.0/8, 240.0.0.0/4 }"

## Set http(80)/https (443) port here ##

webports = "{http, https}"

## enable these services ##

int_tcp_services = "{domain, ntp, smtp, www, https, ftp, ssh}"

int_udp_services = "{domain, ntp}"

## Skip loop back interface - Skip all PF processing on interface ##

set skip on lo

## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##

set loginterface $ext_if

## Set default policy ##

block return in log all

block out all

# Deal with attacks based on incorrect handling of packet fragments

#scrub in all

# Drop all Non-Routable Addresses

block drop in quick on $ext_if from $martians to any

block drop out quick on $ext_if from any to $martians

## Blocking spoofed packets

antispoof quick for $ext_if

table <sshguard> persist

block in proto tcp from <sshguard>

# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only

# I do not allow or accept ssh traffic from ALL for security reasons

#pass in quick on $ext_if inet proto tcp from 139.xxx.yyy.zzz to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"

## Use the following rule to enable ssh for ALL users from any IP address #

pass in inet proto tcp to $ext_if port ssh

### [ OR ] ###

## pass in inet proto tcp to $ext_if port 22

# Allow Ping-Pong stuff. Be a good sysadmin

pass inet proto icmp icmp-type echoreq

# All access to our Nginx/Apache/Lighttpd Webserver ports

pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic

pass out quick on $ext_if proto tcp to any port $int_tcp_services

pass out quick on $ext_if proto udp to any port $int_udp_services

# Add custom rules below

# vim: set ft=pf

‌

‌
- 2021-11-29T07:59:45+00:00
Goran Muminovic reporter
I think my processes have started like they’re supposed to.

462 root 20 0 13532 3100 S 0.0 0.2 0:00.00 pflogd: [priv]
464 _pflogd 20 0 13532 3128 S 0.0 0.2 0:02.75 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog
670 root 20 0 12920 2808 S 0.0 0.1 0:00.93 /usr/sbin/syslogd -s
776 root 20 0 20952 8152 S 0.0 0.4 0:00.23 /usr/sbin/sshd
781 root 52 0 29224 7572 S 0.0 0.4 0:00.00 nginx: master process /usr/local/sbin/nginx
782 www 20 0 29224 8368 S 0.0 0.4 0:00.06 nginx: worker process
783 www 20 0 29224 8420 S 0.0 0.4 0:00.10 nginx: worker process
795 root 52 0 13624 2840 S 0.0 0.1 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 120:/var/db/sshguard/blacklist.db -i /var/run/sshguard.pid
800 root 20 0 12944 2604 S 0.0 0.1 0:02.70 tail -F -n 0 /var/log/auth.log /var/log/maillog
801 root 20 0 14544 3808 S 0.0 0.2 0:00.07 /usr/local/libexec/sshg-parser
802 root 20 0 17344 2840 S 0.0 0.1 0:00.08 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/db/sshguard/blacklist.db -p 120 -s 1800 -N 128 -n 32
803 root 20 0 13624 2844 S 0.0 0.1 0:00.01 /bin/sh /usr/local/libexec/sshg-fw-pf
- 2021-11-29T08:31:01+00:00
Goran Muminovic reporter
this is what happens in auth log when I tail it and run sshguard -w ipaddress, it hangs there and I have to Ctrl c

Nov 29 02:49:19 dva sshguard[1400]: Now monitoring attacks.

Nov 29 02:49:22 dva sshguard[1400]: Exiting on signal.

‌
- 2021-11-29T08:51:16+00:00
Goran Muminovic reporter
ok so after I run sshguard -w .8.8.8.8 , or if I just run sshguard, it just starts another instance of sshguard along with all other processes that are needed to run, so pretty much just a copy of those I posted above.
- 2021-11-29T08:54:28+00:00
Goran Muminovic reporter
1307 root 52 0 13624 3124 S 0.0 0.2 0:00.00 /bin/sh /usr/local/sbin/sshguard -b 120:/var/db/ss
1308 root 20 0 12944 2448 S 0.0 0.1 0:00.18 tail -F -n 0 /var/log/auth.log /var/log/maillog
1309 root 20 0 14544 3964 S 0.0 0.2 0:00.01 /usr/local/libexec/sshg-parser
1310 root 20 0 17344 2752 S 0.0 0.1 0:00.01 /usr/local/libexec/sshg-blocker -a 30 -b 120:/var/
1311 root 20 0 13624 3124 S 0.0 0.2 0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
1316 root 20 0 12944 2348 S 0.0 0.1 0:00.16 tail: system.fileargs
1435 root 20 0 16508 4476 R 0.0 0.2 0:00.14 htop
1463 root 23 0 13624 3124 S 0.0 0.2 0:00.01 /bin/sh /usr/local/sbin/sshguard -w 8.8.8.8
1464 root 20 0 12944 2440 S 0.0 0.1 0:00.01 tail -F -n 0 /var/log/auth.log /var/log/maillog
1465 root 22 0 14544 3940 S 0.0 0.2 0:00.00 /usr/local/libexec/sshg-parser
1466 root 22 0 13248 2668 S 0.0 0.1 0:00.01 /usr/local/libexec/sshg-blocker -a 30 -p 120 -s 18
1467 root 26 0 13624 3132 S 0.0 0.2 0:00.00 /bin/sh /usr/local/libexec/sshg-fw-pf
1472 root 20 0 12944 2348 S 0.0 0.1 0:00.00 tail: system.fileargs

‌
- 2021-11-29T08:57:56+00:00
Janne Paalijarvi
Hello. I think I have similar issues than goran . But I have Debian:

root@shell:~# cat /etc/debian_version
10.11

I went as far as to create a manual kludge to get the whitelist to work:

https://github.com/usvi/random/blob/master/c/whitelist_ip_sshguard/whitelist_ip_sshguard.c

I think the issue is real.
- 2021-12-10T16:53:22+00:00
Kevin Zheng
Hi Janne, thanks for reporting your problem. Could you explain what you know so far about the problem, and why the kludge fixes it? Perhaps then we can figure out how to address the root cause.

‌
- 2021-12-10T17:28:14+00:00
Janne Paalijarvi
Fresh Debian 10.11. Installed sshguard 2.3.1 via apt-get. Trying to add via -w just hangs forever:

‌
- 2021-12-11T13:40:35+00:00
yo000
I could be misleading, so @Kevin Zheng do not hesitate to correct.

There is two things here :
1. /usr/local/sbin/sshguard: cannot create : No such file or directory
2. The “hang forever” part
The first item occurs because you are executing sshguard as a command line tool, and there is no PID_FILE environment variable. This situation could be introduced by your distribution packaging.

For example FreeBSD port patch sshguard.in so it removes the check on PID_FILE:
```
% cat security/sshguard/files/patch-src_sshguard.in 
--- src/sshguard.in.orig        2021-06-06 14:54:07 UTC
+++ src/sshguard.in
@@ -98,14 +98,8 @@ elif [ -z "$tailcmd" ]; then
     exit 1
 fi

-if [ -n "$PID_FILE" ]; then
-    if [ ! -e "$PID_FILE" ]; then
-        echo "$$" > $PID_FILE
-    else
-        err "$PID_FILE already exists; is SSHGuard already running?"
-        exit 1
-    fi
-fi
+# Already checked by rc(8)
+echo "$$" > $PID_FILE
```
‌

The second item is a misunderstanding of sshguard usage : this is not an interactive command line tool. “sshguard” executable is the service itself, so hanging forever is its normal behaviour.

-w option is not designed to be used like this. For whitelisting addresses, enable WHITELIST_FILE in sshguard.conf and put addresses there.

Hope that helps.
- 2022-12-31T22:44:55+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: open

Component: –

Votes: 0

Watchers: 1