Upgrade to the latest sshguard

SerialVelocity · May 8, 2020 · b0872a5 · b0872a5
1 parent 4542c4b
commit b0872a5
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,10 @@
-FROM debian:unstable-slim
+FROM debian:stable-slim
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends iptables sshguard systemd \
+    && apt-get install -y --no-install-recommends ipset iptables nftables sshguard systemd tini \
     && rm -rf /var/lib/apt/lists/*
 
+RUN echo > /etc/sshguard/sshguard.conf
 ADD start-sshguard.sh /
 
-ENTRYPOINT ["/start-sshguard.sh"]
+ENTRYPOINT ["tini", "--", "/start-sshguard.sh"]
diff --git a/README.md b/README.md
@@ -3,13 +3,13 @@ Dockerised sshguard for CoreOS.
 
 Your iptable must already contain an sshguard chain.
 
-This will correctly log using as the sshguard unit.
+This will correctly log as the sshguard unit.
 
 # Installation
 
-Add the ``sshguard-docker.service`` or ``sshguard-rkt.service`` file to your CoreOS installation. You probably want to rename it to ``sshguard.service``.
+Add one of the ``sshguard-*.service`` files to your CoreOS installation as ``sshguard.service``.
 
-For instance:
+CoreOS:
 ```yaml
 coreos:
   units:
@@ -18,3 +18,19 @@ coreos:
       content: |
         <contents of sshguard.service here>
 ```
+
+Fedora CoreOS:
+```yaml
+systemd:
+  units:
+    - name: sshguard.service
+      enabled: true
+      contents: |
+        <contents of sshguard.service here>
+```
+
+# Configuration
+
+All configuration variables are exposed as environment variables. Check out `start-sshguard.sh` for more information and the defaults.
+
+You can also mount /etc/sshguard/sshguard.conf into the container with your overrides.
diff --git a/sshguard-docker.service b/sshguard-docker.service
@@ -5,10 +5,10 @@ Requires=network-online.target docker.service
 
 [Service]
 TimeoutStartSec=0
-ExecStartPre=/bin/sh -c 'docker ps -a -q --filter "name=%n" | xargs -0 --no-run-if-empty docker rm -f'
+ExecStartPre=/usr/bin/docker rm -f %n
 ExecStartPre=/usr/bin/docker run --rm -v /opt/bin:/opt/bin ibuildthecloud/systemd-docker:v0.2.1
 
-ExecStart=/opt/bin/systemd-docker run \
+ExecStart=/opt/bin/systemd-docker run --rm \
             --name=%n \
             --net=host \
             --cap-add=NET_ADMIN \
@@ -17,11 +17,11 @@ ExecStart=/opt/bin/systemd-docker run \
             -v /var/run/systemd/journal/socket:/var/run/systemd/journal/socket \
             -v /var/log/journal:/var/log/journal:ro \
             -v /var/db/sshguard/:/var/db/sshguard/ \
+            -v /run/xtables.lock:/run/xtables.lock \
             chillichef/coreos-sshguard:latest \
             -a 120 -b /var/db/sshguard/blacklist.db
 
 ExecStop=/usr/bin/docker stop %n
-ExecStop=/usr/bin/docker rm %n
 
 [Install]
 WantedBy=multi-user.target
diff --git a/sshguard-podman.service b/sshguard-podman.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=sshguard
+After=network-online.target iptables-restore.service
+Requires=network-online.target
+
+[Service]
+TimeoutStartSec=0
+ExecStartPre=-/usr/bin/podman rm --force %n
+
+ExecStart=/opt/bin/podman run --rm \
+            --name=%n \
+            --net=host \
+            --cap-add=CAP_NET_ADMIN,CAP_NET_RAW \
+            --mount volume=dev-log,target=/dev/log --volume dev-log,kind=host,source=/dev/log,readOnly=true \
+            --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal,readOnly=true \
+            --mount volume=config,target=/var/db/sshguard --volume config,kind=host,source=/var/db/sshguard \
+            --mount volume=run-xtables,target=/run/xtables.lock --volume run-xtables,kind=host,source=/run/xtables.lock \
+            chillichef/coreos-sshguard:latest \
+            -a 120 -b /var/db/sshguard/blacklist.db
+
+ExecStop=/usr/bin/podman stop %n
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sshguard-rkt.service b/sshguard-rkt.service
@@ -8,8 +8,9 @@ ExecStart=/usr/bin/rkt --insecure-options=image run \
             --inherit-env \
             --net=host \
             --mount volume=dev-log,target=/dev/log --volume dev-log,kind=host,source=/dev/log,readOnly=true \
-            --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal \
+            --mount volume=journal,target=/var/log/journal --volume journal,kind=host,source=/var/log/journal,readOnly=true \
             --mount volume=config,target=/var/db/sshguard --volume config,kind=host,source=/var/db/sshguard \
+            --mount volume=run-xtables,target=/run/xtables.lock --volume run-xtables,kind=host,source=/run/xtables.lock \
             docker://chillichef/coreos-sshguard:latest \
             --name=%p-service \
             --caps-retain=CAP_NET_ADMIN,CAP_NET_RAW \

diff --git a/start-sshguard.sh b/start-sshguard.sh
@@ -1,3 +1,14 @@
 #!/bin/sh
 
-journalctl -D /var/log/journal --no-pager -n0 -xfq -t sshd | /usr/sbin/sshguard "$@"
+set -eu
+
+BACKEND=${BACKEND:-/usr/lib/x86_64-linux-gnu/sshg-fw-ipset}
+LOGREADER=${LOGREADER:-LANG=C /bin/journalctl -afb -p info -n1 -D /var/log/journal -o cat SYSLOG_FACILITY=4 SYSLOG_FACILITY=10}
+THRESHOLD=${THRESHOLD:-30}
+BLOCK_TIME=${BLOCK_TIME:-120}
+DETECTION_TIME=${DETECTION_TIME:-1800}
+WHITELIST_FILE=${WHITELIST_FILE:-/etc/sshguard/whitelist}
+
+export BACKEND LOGREADER THRESEHOLD BLOCK_TIME DETECTION_TIME WHITELIST_TIME
+
+exec /usr/sbin/sshguard "$@"