On Sun, Apr 22, 2018 at 04:03:23PM +0200, Andreas Kusalananda Kähäri wrote:
> 
> Please find the diffs for an updated port of sshguard attached.

Now actually attached, duh.


> 
> This updates sshguard from version 1.5 to 2.1.0.  One of the main
> reasons to update to this version is that sshguard now seems to
> correctly parse the OpenBSD sshd logs.  One can now also block an entire
> subnet rather than individual IP addresses, if one is so inclined.
> 
> I have been running this port for a few weeks, and it seems to work as
> advertised.
> 
> Note that the /etc/sshguard.conf file now is required (I modified the
> sample file so that it hopefully fits a vanilla OpenBSD system).
> 
> I posted about this update in late March when I had issues getting the
> sshguard service to properly shut down, but that issue has since been
> resolved (rc_stop() needs to send it the HUP signal).
> 
> Release announcements for sshguard are available at
> https://www.sshguard.net/litenewz/feeds/
> 
> Regards,
> 
> -- 
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
? sshguard.diff
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.11
diff -u -p -u -r1.11 Makefile
--- Makefile    11 Jan 2018 19:27:09 -0000      1.11
+++ Makefile    22 Apr 2018 13:47:55 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       protect against brute force attacks on sshd and others
 
-DISTNAME=      sshguard-1.5
-REVISION=      4
+DISTNAME=      sshguard-2.1.0
 CATEGORIES=    security
 
 # BSD
@@ -13,11 +12,20 @@ WANTLIB+=   c pthread
 
 HOMEPAGE=      http://www.sshguard.net/
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX=  .tar.bz2
+EXTRACT_SUFX=  .tar.gz
 
 CONFIGURE_STYLE=gnu
 NO_TEST=       Yes
 
-CONFIGURE_ARGS = --with-firewall=pf 
+pre-install:
+       ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8
+       ${SUBST_CMD} ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/sshguard.conf.sample \
+           ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/whitelistfile.example \
+           ${PREFIX}/share/examples/sshguard
 
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -u -r1.3 distinfo
--- distinfo    27 Jan 2014 15:49:15 -0000      1.3
+++ distinfo    22 Apr 2018 13:47:55 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.1.0.tar.gz) = ISUqSDSthAjfOE7k3fRoYkqp3pzq1a/eHHc4CkjPAoo=
+SIZE (sshguard-2.1.0.tar.gz) = 1117466
Index: patches/patch-doc_sshguard_8
===================================================================
RCS file: patches/patch-doc_sshguard_8
diff -N patches/patch-doc_sshguard_8
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-doc_sshguard_8        22 Apr 2018 13:47:55 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: doc/sshguard.8
+--- doc/sshguard.8.orig
++++ doc/sshguard.8
+@@ -119,7 +119,7 @@ Set to enable verbose output from sshg\-blocker.
+ .SH FILES
+ .INDENT 0.0
+ .TP
+-.B %PREFIX%/etc/sshguard.conf
++.B ${SYSCONFDIR}/sshguard.conf
+ See sample configuration file.
+ .UNINDENT
+ .SH WHITELISTING
Index: patches/patch-examples_sshguard_conf_sample
===================================================================
RCS file: patches/patch-examples_sshguard_conf_sample
diff -N patches/patch-examples_sshguard_conf_sample
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-examples_sshguard_conf_sample 22 Apr 2018 13:47:55 -0000
@@ -0,0 +1,31 @@
+$OpenBSD$
+
+Index: examples/sshguard.conf.sample
+--- examples/sshguard.conf.sample.orig
++++ examples/sshguard.conf.sample
+@@ -7,9 +7,11 @@
+ #### REQUIRED CONFIGURATION ####
+ # Full path to backend executable (required, no default)
+ #BACKEND="/usr/local/libexec/sshg-fw-iptables"
++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"
+ 
+ # Space-separated list of log files to monitor. (optional, no default)
+ #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
++FILES="/var/log/authlog"
+ 
+ # Shell command that provides logs on standard output. (optional, no default)
+ # Example 1: ssh and sendmail from systemd journal:
+@@ -40,11 +42,11 @@ DETECTION_TIME=1800
+ # !! Warning: These features may not work correctly with sandboxing. !!
+ 
+ # Full path to PID file (optional, no default)
+-#PID_FILE=/run/sshguard.pid
++#PID_FILE=/var/run/sshguard.pid
+ 
+ # Colon-separated blacklist threshold and full path to blacklist file.
+ # (optional, no default)
+-#BLACKLIST_FILE=90:/var/lib/sshguard/enemies
++#BLACKLIST_FILE=90:/var/db/sshguard/enemies
+ 
+ # IP addresses listed in the WHITELIST_FILE are considered to be
+ # friendlies and will never be blocked.
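Review bot: The commented default `#BLACKLIST_FILE=90:/var/db/sshguard/enemies` points at a directory that nothing visible in this update creates; the pkg/PLIST hunk has no entry for `/var/db/sshguard`. An administrator who uncomments the line would presumably get no persistent blacklist until the directory is made by hand, so repeat offenders would be forgotten on every restart. Either add `@sample /var/db/sshguard/` to pkg/PLIST or name the directory in the pkg-readme. The sample file continues outside the two inner hunks shown here.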
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c  9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig  Fri Sep  9 22:07:56 2011
-+++ src/fwalls/command.c       Fri Sep  9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? 
FWALL_OK : FWALL_ERR);
- }
- 
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]) {
-     /* block each address individually */
-     int i;
- 
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h     9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig     Fri Sep  9 22:07:03 2011
-+++ src/sshguard_fw.h  Fri Sep  9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-  *
-  * @return FWALL_OK or FWALL_ERR
-  */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]);
- 
- 
- /**
Index: patches/patch-src_sshguard_in
===================================================================
RCS file: patches/patch-src_sshguard_in
diff -N patches/patch-src_sshguard_in
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sshguard_in       22 Apr 2018 13:47:55 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/sshguard.in
+--- src/sshguard.in.orig
++++ src/sshguard.in
+@@ -3,7 +3,7 @@
+ 
+ # Unregister recursive SIGTERM, and make sure to kill
+ # entire process group (subshell) on exit/interrupts.
+-trap "trap - SIGTERM && kill 0" SIGINT SIGTERM EXIT
++trap "trap - TERM && kill 0" INT TERM EXIT
+ 
+ libexec="@libexecdir@"
+ version="@sshguardversion@"
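Review bot: The new patch file has no explanatory line between `$OpenBSD$` and `Index:`, although two of the patches this update removes stated their purpose ("Allow building with gcc3."). This trap is what takes down the whole process group when the wrapper exits, so the reason for touching it is worth recording. Something like `Use POSIX signal names (no SIG prefix) in trap.` would do, assuming portability to the base sh is the motive. If the change is suitable for upstream, saying so in the same comment would help whoever does the next update.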
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c        7 Mar 2011 17:44:16 -0000       
1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig        Wed Feb  9 13:01:47 2011
-+++ src/sshguard_logsuck.c     Sat Mar  5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
-         if (ret > 0) {
-             if (kevs[0].filter == EVFILT_READ) {
-                 /* got data on this one. Read from it */
--                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", 
kevs[0].ident);
-+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", 
kevs[0].ident);
-                 readentry = list_seek(& sources_list, & kevs[0].ident);
-                 assert(readentry != NULL);
-                 assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c       7 Sep 2010 12:23:43 -0000       
1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert 
Exp $
---- src/sshguard_procauth.c.orig       Mon Aug  9 02:44:15 2010
-+++ src/sshguard_procauth.c    Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
-         dup2(ps2me[1], 1);
- 
-         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
--        execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
- 
-         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", 
strerror(errno));
-         exit(-1);
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -u -r1.4 PLIST
--- pkg/PLIST   25 Mar 2014 12:33:31 -0000      1.4
+++ pkg/PLIST   22 Apr 2018 13:47:55 -0000
@@ -1,6 +1,21 @@
-@comment $OpenBSD: PLIST,v 1.4 2014/03/25 12:33:31 ajacoutot Exp $
-@pkgpath security/sshguard,tcpd
+@comment $OpenBSD$
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
 @man man/man8/sshguard.8
-@bin sbin/sshguard
+sbin/sshguard
 share/doc/pkg-readmes/${FULLPKGNAME}
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+share/examples/sshguard/whitelistfile.example
 @rcscript ${RCDIR}/sshguard
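Review bot: The packing list installs `share/examples/sshguard/sshguard.conf.sample` but has no `@sample ${SYSCONFDIR}/sshguard.conf` line after it, so a fresh install ends up without the configuration file that the description says is now required. Without it the service presumably fails to start until someone copies the sample by hand, which leaves sshd unguarded in the meantime with little to signal it. The hunk also drops `@pkgpath security/sshguard,tcpd`. If packages built from that flavor may still be installed, keeping the line would let pkg_add update them to this version.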
Index: pkg/sshguard.rc
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -u -r1.4 sshguard.rc
--- pkg/sshguard.rc     11 Jan 2018 19:27:09 -0000      1.4
+++ pkg/sshguard.rc     22 Apr 2018 13:47:55 -0000
@@ -3,9 +3,12 @@
 # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"
 
 . /etc/rc.d/rc.subr
+
+pexp="/bin/sh $pexp"
+
+rc_stop () { pkill -HUP -xf "$pexp"; }
 
 rc_bg=YES
 rc_reload=NO
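Review bot: The added `pexp=` and `rc_stop` lines carry no comment explaining why they deviate from the rc.subr defaults. The override `pexp="/bin/sh $pexp"` hard-codes the wrapper script's interpreter, so if that interpreter line ever changes, `rc_check` and `rc_stop` would stop matching and the service would be reported as stopped while it keeps running. Going by the description, the HUP in `rc_stop` is there because the default stop signal did not shut the service down cleanly. I would record both facts above `pexp=`, for example `# sshguard is a sh wrapper: match its interpreter, and stop it with HUP so the whole process group exits`.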
