We are attempting to create systemd files for an ssh port monitoring process. When we enable and attempt to start the service we get multiple executions of the daemon and systemctl does not return until we do a control-c. The init script and our attempt at replacement:
#!/bin/bash
#
# chkconfig: - 56 24
#
# sshdfilter      Start up the SSH server daemon filter
#
# description: filter for SSH port connections to give more control
#              over who can log in and if probed add firewall rules
#              to block probing sites.
#
# processname: sshdfilter
# config: /etc/sshdfilterrc
# pidfile: /var/run/sshdfilter.pid
# pipe: /var/run/sshdfilter.fifo

### BEGIN INIT INFO
# Provides: sshdfilter
# Required-Start: $local_fs $network $rsyslog
# Required-Stop: $local_fs $rsyslog
# Should-Start: $rsyslog
# Should-Stop: $network $rsyslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start up the SSH filter server daemon
# Description:       SSH is a protocol for secure remote shell access.
#                    This service starts up the SSH filter server daemon.
### END INIT INFO

# source function library
. /etc/rc.d/init.d/functions

# pull in sysconfig settings
[ -f /etc/sysconfig/sshdfilter ] && . /etc/sysconfig/sshdfilter
# make fifo if it does not exist
[ -p /var/run/sshdfilter.fifo ] || mkfifo /var/run/sshdfilter.fifo

RETVAL=0
prog="sshdfilter"
lockfile=/var/lock/subsys/$prog

# Some functions to make the below more readable
SSHDF=/usr/sbin/sshdfilter
PID_FILE=/var/run/sshdfilter.SSHD.pid

# current runlevel is the last word of `runlevel` output; the backslash keeps
# eval from expanding $$ to the shell's PID
runlevel=$(set -- $(runlevel); eval "echo \$$#" )

start()
{
	[ -x $SSHDF ] || exit 5
	[ -f /etc/sshdfilterrc ] || exit 6

	echo -n $"Starting $prog: "
	$SSHDF $OPTIONS && success || failure
	RETVAL=$?
	[ $RETVAL -eq 0 ] && touch $lockfile
	echo
	return $RETVAL
}

stop()
{
	echo -n $"Stopping $prog: "
	if [ -n "`pidfileofproc $SSHDF`" ] ; then
	    killproc $SSHDF
	else
	    failure $"Stopping $prog"
	fi
	RETVAL=$?
	# if we are in halt or reboot runlevel kill all running sessions
	# so the TCP connections are closed cleanly
	if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then
	    trap '' TERM
	    killall $prog 2>/dev/null
	    trap TERM
	fi
	[ $RETVAL -eq 0 ] && rm -f $lockfile
	echo
}

restart() {
	stop
	start
}

rh_status() {
	status -p $PID_FILE sshdfilter-daemon
}

rh_status_q() {
	rh_status >/dev/null 2>&1
}

case "$1" in
	start)
		rh_status_q && exit 0
		start
		;;
	stop)
		if ! rh_status_q; then
			rm -f $lockfile
			exit 0
		fi
		stop
		;;
	restart)
		restart
		;;
	status)
		rh_status
		RETVAL=$?
		if [ $RETVAL -eq 3 -a -f $lockfile ] ; then
			RETVAL=2
		fi
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|status}"
		RETVAL=2
esac
exit $RETVAL
============ sshdfilter.service ===================
[Unit]
Description=sshdfilter Daemon
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no

[Service]
Type=forking
PIDFile=/var/run/sshdfilter.SSHD.pid
ExecStart=/sbin/sshdfilter
NotifyAccess=all

[Install]
WantedBy=multi-user.target
============ sshdfilter.socket ===================
[Unit]
Description=sshdfilter Named Pipe
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no
After=syslog.target

[Socket]
ListenFIFO=/var/run/sshdfilter.fifo
SocketMode=0644
On 2013-3-6 3:33 PM, "Pierre-Yves Chibon" pingou@pingoured.fr wrote:
On Wed, 2013-03-06 at 11:49 +0800, Christopher Meng wrote:
Wrong list, please.
How so?
Pierre
Weird, I didn't reply to this thread... Sorry...
On Tue, Mar 05, 2013 at 07:48:04PM -0800, David Highley wrote:
We are attempting to create systemd files for an ssh port monitoring process. When we enable and attempt to start the service we get multiple executions of the daemon and systemctl does not return until we do a control-c. The init script and our attempt at replacement:
============ sshdfilter.service ===================
[Unit]
Description=sshdfilter Daemon
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no

[Service]
Type=forking
PIDFile=/var/run/sshdfilter.SSHD.pid
ExecStart=/sbin/sshdfilter
NotifyAccess=all

[Install]
WantedBy=multi-user.target
Couple of comments:
- Why DefaultDependencies=no? It is almost certainly wrong
- NotifyAccess= makes sense only with Type=notify; I doubt sshdfilter has systemd notification bits implemented
(real paths should be /run and /usr/sbin, but it doesn't really matter for your case).
============ sshdfilter.socket ===================
[Unit]
Description=sshdfilter Named Pipe
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no
After=syslog.target

[Socket]
ListenFIFO=/var/run/sshdfilter.fifo
SocketMode=0644
Again, DefDeps are a no-no. syslog is always available.
To debug further, you should provide "systemctl status" outputs for socket and service units.
Oh, and there is always the "tallow" program for blocking brute-force ssh; it reads the journal directly. It is very bare, though; for example, it has no support for IPv6 blocking.
On Tue, 05.03.13 19:48, David Highley (dhighley@highley-recommended.com) wrote:
[Unit]
Description=sshdfilter Daemon
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no
DefaultDependencies=no is unlikely what you want here. That's an option for early-boot stuff, not for normal services.
[Service]
Type=forking
PIDFile=/var/run/sshdfilter.SSHD.pid
ExecStart=/sbin/sshdfilter
NotifyAccess=all
This only makes sense if your daemon uses sd_notify() from its C code. Does it really?
[Install]
WantedBy=multi-user.target
============ sshdfilter.socket ===================
[Unit]
Description=sshdfilter Named Pipe
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
DefaultDependencies=no
Same as above.
After=syslog.target
Redundant, it's implied.
[Socket]
ListenFIFO=/var/run/sshdfilter.fifo
SocketMode=0644
This suggests your service is actually socket-activatable via this FIFO. Is it really?
Lennart
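Pulling the two replies together, here is an example corrected unit pair. It is added here and is not from the thread or the sshdfilter project: DefaultDependencies=no, NotifyAccess=all and After=syslog.target are dropped, the real /run and /usr/sbin paths are used, After=network.target follows the init header's Required-Start: $network, and EnvironmentFile= plus the FIFO ExecStartPre= reproduce what the init script did with /etc/sysconfig/sshdfilter and mkfifo. Whether sshdfilter can really take the FIFO as an inherited descriptor is Lennart's open question, so the socket unit is kept only under that assumption.

```ini
# /etc/systemd/system/sshdfilter.service
[Unit]
Description=sshdfilter Daemon
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora
# DefaultDependencies=no dropped: it is only for early-boot units.
# After=syslog.target dropped: syslog ordering is implied.
# The init header's "Required-Start: $network" maps to network.target.
After=network.target

[Service]
Type=forking
# /run and /usr/sbin are the real paths behind /var/run and /sbin.
PIDFile=/run/sshdfilter.SSHD.pid
# Assumption: OPTIONS comes from the sysconfig file the init script
# sourced; the leading "-" makes a missing file non-fatal.
EnvironmentFile=-/etc/sysconfig/sshdfilter
# Same FIFO creation the init script performed (harmless if the socket
# unit below already created it).
ExecStartPre=/bin/sh -c '[ -p /run/sshdfilter.fifo ] || mkfifo -m 0644 /run/sshdfilter.fifo'
ExecStart=/usr/sbin/sshdfilter $OPTIONS
# NotifyAccess=all dropped: it only applies to Type=notify / sd_notify().

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/sshdfilter.socket
# Assumption: keep this unit only if sshdfilter accepts the FIFO as a
# descriptor passed by systemd; otherwise delete it and rely on the
# ExecStartPre= above.
[Unit]
Description=sshdfilter Named Pipe
Documentation=file:///usr/share/doc/sshdfilter-1.5.7/INSTALL.Fedora

[Socket]
ListenFIFO=/run/sshdfilter.fifo
SocketMode=0644

[Install]
WantedBy=sockets.target
```

After editing, `systemctl daemon-reload` and the `systemctl status sshdfilter.service sshdfilter.socket` output requested above show whether the service is started once and which unit triggered it.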