(oops, resending from correct address) Dovecot on OpenBSD uses a "dovecot: " prefix on log lines, which sshguard's parser doesn't handle. I haven't sent it upstream yet but will do so.
Update to the current upstream release and add missing pledge marker while there. OK? Index: Makefile =================================================================== RCS file: /cvs/ports/security/sshguard/Makefile,v retrieving revision 1.19 diff -u -p -r1.19 Makefile --- Makefile 11 Mar 2022 19:54:05 -0000 1.19 +++ Makefile 20 Sep 2023 11:58:19 -0000 @@ -1,17 +1,18 @@ COMMENT= protect against brute force attacks on sshd and others -DISTNAME= sshguard-2.4.2 +DISTNAME= sshguard-2.4.3 CATEGORIES= security HOMEPAGE= https://www.sshguard.net/ -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/} +SITES= ${SITE_SOURCEFORGE:=sshguard/} MAINTAINER= Andreas Kusalananda Kahari <andreas.kah...@abc.se> # BSD PERMIT_PACKAGE= Yes +# uses pledge() WANTLIB+= c pthread CONFIGURE_STYLE=gnu Index: distinfo =================================================================== RCS file: /cvs/ports/security/sshguard/distinfo,v retrieving revision 1.6 diff -u -p -r1.6 distinfo --- distinfo 22 Jul 2021 18:16:32 -0000 1.6 +++ distinfo 20 Sep 2023 11:58:19 -0000 @@ -1,2 +1,2 @@ -SHA256 (sshguard-2.4.2.tar.gz) = J3C3duXqcKm+3+xP2E1XQAr6kn8PdSKHDS3LvhrON+g= -SIZE (sshguard-2.4.2.tar.gz) = 835431 +SHA256 (sshguard-2.4.3.tar.gz) = ZAKd7/bekP3u+x9JfUFPDkBFB2aTqR2hpw63WV6X7+s= +SIZE (sshguard-2.4.3.tar.gz) = 1118756 Index: patches/patch-doc_sshguard_8 =================================================================== RCS file: /cvs/ports/security/sshguard/patches/patch-doc_sshguard_8,v retrieving revision 1.2 diff -u -p -r1.2 patch-doc_sshguard_8 --- patches/patch-doc_sshguard_8 11 Mar 2022 19:54:05 -0000 1.2 +++ patches/patch-doc_sshguard_8 20 Sep 2023 11:58:19 -0000 @@ -1,7 +1,7 @@ Index: doc/sshguard.8 --- doc/sshguard.8.orig +++ doc/sshguard.8 -@@ -119,8 +119,8 @@ Set to enable verbose output from sshg\-blocker. +@@ -124,8 +124,8 @@ Set to enable verbose output from \fBsshg\-blocker\fP\ .SH FILES .INDENT 0.0 .TP Index: patches/patch-src_common_sandbox_c =================================================================== RCS file: patches/patch-src_common_sandbox_c diff -N patches/patch-src_common_sandbox_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_common_sandbox_c 20 Sep 2023 11:58:19 -0000 @@ -0,0 +1,9 @@ +Index: src/common/sandbox.c +--- src/common/sandbox.c.orig ++++ src/common/sandbox.c +@@ -1,3 +1,5 @@ ++#include <stdio.h> ++#include <unistd.h> + #include "config.h" + #include "sandbox.h" + Index: patches/patch-src_parser_attack_scanner_l =================================================================== RCS file: patches/patch-src_parser_attack_scanner_l diff -N patches/patch-src_parser_attack_scanner_l --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_parser_attack_scanner_l 20 Sep 2023 11:58:19 -0000 @@ -0,0 +1,12 @@ +Index: src/parser/attack_scanner.l +--- src/parser/attack_scanner.l.orig ++++ src/parser/attack_scanner.l +@@ -249,7 +249,7 @@ HTTP_LOGIN_200OK_BAD .*({WORDPRESS_LOGIN}|{TYPO3 + <sendmail_authfailure>"]".* { BEGIN(INITIAL); return SENDMAIL_AUTHFAILURE_SUFF; } + + /* dovecot */ +-("(libdovecot."[0-9\.]+".dylib) ")?(imap|pop3|submission)"-login: ""Info: "?("Aborted login"|Disconnected).*" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; } ++("(libdovecot."[0-9\.]+".dylib) "|"dovecot: ")?(imap|pop3|submission)"-login: ""Info: "?("Aborted login"|Disconnected).*" (auth failed, "{NUMBER}" attempts".*"): ".+" rip=" { BEGIN(dovecot_loginerr); return DOVECOT_IMAP_LOGINERR_PREF; } + <dovecot_loginerr>", lip=".+ { BEGIN(INITIAL); return DOVECOT_IMAP_LOGINERR_SUFF; } + + /* UWimap login errors */ Index: patches/patch-src_parser_tests_txt =================================================================== RCS file: patches/patch-src_parser_tests_txt diff -N patches/patch-src_parser_tests_txt --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_parser_tests_txt 20 Sep 2023 11:58:19 -0000 @@ -0,0 +1,13 @@ +Index: src/parser/tests.txt +--- src/parser/tests.txt.orig ++++ src/parser/tests.txt +@@ -231,6 +231,9 @@ M + imap-login: Aborted login (auth failed, 6 attempts): XYZ rip=2001:db8::a11:beef:7ac0, lip=127.0.0.1 + 210 2001:db8::a11:beef:7ac0 6 10 + M ++dovecot: imap-login: Disconnected: Aborted login by logging out (auth failed, 2 attempts in 4 secs): XYZ, method=PLAIN, rip=192.0.2.1, lip=192.168.41.21, TLS, session=<uAr6j8UFtcoC2jhm>, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) ++210 192.0.2.1 4 10 ++M + 2019-10-15 08:08:52 imap-login: Info: Disconnected (auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, rip=172.21.0.1, lip=172.21.0.3, TLS, session=<1MyTfu0USIqsFQAB> + 210 172.21.0.1 4 10 + M