Hi,

I updated the security/sshguard port from 1.5 to 2.1.0 as that version
now understands the logs that our newer version of OpenSSH outputs.

The port works as it should, but I have an issue with shutting the
daemon down: "rcctl stop sshguard" simply does nothing.  The "sshguard"
executable is now a shell script, and it does not respond to the TERM
signal properly and does not seem to propagate the signal to the helper
programs that it starts.

I have included the diff in an attachment.

Note that the /etc/sshguard.conf file now is required (I modified the
sample file so that it fits a vanilla OpenBSD system).

If anyone knows how to fix this, then please let me know. Also, I know
the ports tree is locked, but it would be nice to get some kind of
update of sshguard into the tree when it unlocks again, possibly based
on this patch.

Regards,

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.11
diff -u -p -r1.11 Makefile
--- Makefile    11 Jan 2018 19:27:09 -0000      1.11
+++ Makefile    25 Mar 2018 11:12:30 -0000
@@ -2,8 +2,7 @@
 
 COMMENT=       protect against brute force attacks on sshd and others
 
-DISTNAME=      sshguard-1.5
-REVISION=      4
+DISTNAME=      sshguard-2.1.0
 CATEGORIES=    security
 
 # BSD
@@ -13,11 +12,20 @@ WANTLIB+=   c pthread
 
 HOMEPAGE=      http://www.sshguard.net/
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX=  .tar.bz2
+EXTRACT_SUFX=  .tar.gz
 
 CONFIGURE_STYLE=gnu
 NO_TEST=       Yes
 
-CONFIGURE_ARGS = --with-firewall=pf 
+pre-install:
+       ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8
+       ${SUBST_CMD} ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/sshguard.conf.sample \
+           ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/whitelistfile.example \
+           ${PREFIX}/share/examples/sshguard
 
 .include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo    27 Jan 2014 15:49:15 -0000      1.3
+++ distinfo    25 Mar 2018 11:12:30 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.1.0.tar.gz) = ISUqSDSthAjfOE7k3fRoYkqp3pzq1a/eHHc4CkjPAoo=
+SIZE (sshguard-2.1.0.tar.gz) = 1117466
Index: patches/patch-doc_sshguard_8
===================================================================
RCS file: patches/patch-doc_sshguard_8
diff -N patches/patch-doc_sshguard_8
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-doc_sshguard_8        25 Mar 2018 11:12:30 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: doc/sshguard.8
+--- doc/sshguard.8.orig
++++ doc/sshguard.8
+@@ -119,7 +119,7 @@ Set to enable verbose output from sshg\-blocker.
+ .SH FILES
+ .INDENT 0.0
+ .TP
+-.B %PREFIX%/etc/sshguard.conf
++.B ${SYSCONFDIR}/sshguard.conf
+ See sample configuration file.
+ .UNINDENT
+ .SH WHITELISTING
Index: patches/patch-examples_sshguard_conf_sample
===================================================================
RCS file: patches/patch-examples_sshguard_conf_sample
diff -N patches/patch-examples_sshguard_conf_sample
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-examples_sshguard_conf_sample 25 Mar 2018 11:12:30 -0000
@@ -0,0 +1,31 @@
+$OpenBSD$
+
+Index: examples/sshguard.conf.sample
+--- examples/sshguard.conf.sample.orig
++++ examples/sshguard.conf.sample
+@@ -7,9 +7,11 @@
+ #### REQUIRED CONFIGURATION ####
+ # Full path to backend executable (required, no default)
+ #BACKEND="/usr/local/libexec/sshg-fw-iptables"
++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"
+ 
+ # Space-separated list of log files to monitor. (optional, no default)
+ #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
++FILES="/var/log/authlog"
+ 
+ # Shell command that provides logs on standard output. (optional, no default)
+ # Example 1: ssh and sendmail from systemd journal:
+@@ -40,11 +42,11 @@ DETECTION_TIME=1800
+ # !! Warning: These features may not work correctly with sandboxing. !!
+ 
+ # Full path to PID file (optional, no default)
+-#PID_FILE=/run/sshguard.pid
++#PID_FILE=/var/run/sshguard.pid
+ 
+ # Colon-separated blacklist threshold and full path to blacklist file.
+ # (optional, no default)
+-#BLACKLIST_FILE=90:/var/lib/sshguard/enemies
++#BLACKLIST_FILE=90:/var/db/sshguard/enemies
+ 
+ # IP addresses listed in the WHITELIST_FILE are considered to be
+ # friendlies and will never be blocked.
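Review bot: The uncommented `BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"` line turns on the pf backend, but nothing in the sample tells the admin that pf itself must be configured. As far as I know that backend only adds offending addresses to a pf table named `sshguard`, so without a matching table and block rule in pf.conf the attackers are recorded but never blocked. A comment beside the line, e.g. `# needs a <sshguard> table and a block rule in /etc/pf.conf, see sshguard-setup(7)`, would make the dependency visible; that man page is in the new packing list. The suggested `BLACKLIST_FILE=90:/var/db/sshguard/enemies` also points at a directory the packing list does not create, which deserves a line in the same comment or in the pkg-readme.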
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c  9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig  Fri Sep  9 22:07:56 2011
-+++ src/fwalls/command.c       Fri Sep  9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? 
FWALL_OK : FWALL_ERR);
- }
- 
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]) {
-     /* block each address individually */
-     int i;
- 
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h     9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig     Fri Sep  9 22:07:03 2011
-+++ src/sshguard_fw.h  Fri Sep  9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-  *
-  * @return FWALL_OK or FWALL_ERR
-  */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]);
- 
- 
- /**
Index: patches/patch-src_sshguard_in
===================================================================
RCS file: patches/patch-src_sshguard_in
diff -N patches/patch-src_sshguard_in
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sshguard_in       25 Mar 2018 11:12:30 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/sshguard.in
+--- src/sshguard.in.orig
++++ src/sshguard.in
+@@ -3,7 +3,7 @@
+ 
+ # Unregister recursive SIGTERM, and make sure to kill
+ # entire process group (subshell) on exit/interrupts.
+-trap "trap - SIGTERM && kill 0" SIGINT SIGTERM EXIT
++trap "trap - TERM && kill 0" INT TERM EXIT
+ 
+ libexec="@libexecdir@"
+ version="@sshguardversion@"
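Review bot: Spelling the signals `INT TERM EXIT` gives the trap portable names, but it probably does not make `rcctl stop` work on its own, because a shell runs a trap handler only after the foreground command it is waiting on has returned. The rest of src/sshguard.in is outside this hunk; if it runs the log-reader/parser/blocker/backend pipeline in the foreground, a TERM sent to the script stays pending for as long as the pipeline lives, which matches the hang described in the mail. The usual remedy is to start the pipeline with `&` and follow it with `wait`, since `wait` is interrupted by a trapped signal and the handler's `kill 0` then reaches the helpers. Because `kill 0` signals every process in the caller's process group, it is also worth confirming which group the script lands in when rc.subr backgrounds it (`rc_bg=YES`), and saying so in the comment above the trap.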
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c        7 Mar 2011 17:44:16 -0000       
1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig        Wed Feb  9 13:01:47 2011
-+++ src/sshguard_logsuck.c     Sat Mar  5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
-         if (ret > 0) {
-             if (kevs[0].filter == EVFILT_READ) {
-                 /* got data on this one. Read from it */
--                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", 
kevs[0].ident);
-+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", 
kevs[0].ident);
-                 readentry = list_seek(& sources_list, & kevs[0].ident);
-                 assert(readentry != NULL);
-                 assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c       7 Sep 2010 12:23:43 -0000       
1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert 
Exp $
---- src/sshguard_procauth.c.orig       Mon Aug  9 02:44:15 2010
-+++ src/sshguard_procauth.c    Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
-         dup2(ps2me[1], 1);
- 
-         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
--        execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
- 
-         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", 
strerror(errno));
-         exit(-1);
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST   25 Mar 2014 12:33:31 -0000      1.4
+++ pkg/PLIST   25 Mar 2018 11:12:30 -0000
@@ -1,6 +1,21 @@
-@comment $OpenBSD: PLIST,v 1.4 2014/03/25 12:33:31 ajacoutot Exp $
-@pkgpath security/sshguard,tcpd
+@comment $OpenBSD$
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
 @man man/man8/sshguard.8
-@bin sbin/sshguard
+sbin/sshguard
 share/doc/pkg-readmes/${FULLPKGNAME}
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+share/examples/sshguard/whitelistfile.example
 @rcscript ${RCDIR}/sshguard
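Review bot: The packing list installs share/examples/sshguard/sshguard.conf.sample but has no `@sample` entry, although the mail says /etc/sshguard.conf is now required. A fresh install therefore has no configuration, and the daemon will presumably refuse to start, leaving sshd without the brute-force blocking the admin expects. Adding `@sample ${SYSCONFDIR}/sshguard.conf` directly after the sshguard.conf.sample line would copy the OpenBSD-adjusted sample into place at install time. Separately, the hunk drops `@pkgpath security/sshguard,tcpd`; unless that is intentional, keeping it preserves the update path for machines that still have the old tcpd flavor installed.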
Index: pkg/sshguard.rc
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -r1.4 sshguard.rc
--- pkg/sshguard.rc     11 Jan 2018 19:27:09 -0000      1.4
+++ pkg/sshguard.rc     25 Mar 2018 11:12:30 -0000
@@ -3,10 +3,12 @@
 # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"
 
 . /etc/rc.d/rc.subr
 
+pexp="/bin/sh $pexp"
+
+rc_timeout=2
 rc_bg=YES
 rc_reload=NO
 
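Review bot: `rc_timeout=2` is, as far as I know, not a variable that rc.subr reads; the wait applied on stop is governed by `daemon_timeout`. The line therefore likely has no effect, and if a short wait is intended `daemon_timeout=2` is the spelling to check. The new `pexp="/bin/sh $pexp"` makes stop and check match only the wrapper shell, not the sshg-* helpers it spawns, so `rcctl check` can report a state that differs from what the blocker and firewall backend are actually doing. With `daemon_flags` removed, a comment stating that all settings now come from `${SYSCONFDIR}/sshguard.conf` would help the next maintainer.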
