On Sun, Apr 22, 2018 at 04:04:02PM +0200, Andreas Kusalananda Kähäri wrote:
> On Sun, Apr 22, 2018 at 04:03:23PM +0200, Andreas Kusalananda Kähäri wrote:
> >
> > Please find the diffs for an updated port of sshguard attached.
>
> Now actually attached, duh.
>

Updated patch attached with comments from kn@ taken into account, but
with CONFIGURE_STYLE=gnu left in place as suggested by Jeremie and
Stuart.

Regards,

> >
> > This updates sshguard from version 1.5 to 2.1.0. One of the main
> > reasons to update to this version is that sshguard now seems to
> > correctly parse the OpenBSD sshd logs. One can now also block an entire
> > subnet rather than individual IP addresses, if one is so inclined.
> >
> > I have been running this port for a few weeks, and it seems to work as
> > advertised.
> >
> > Note that the /etc/sshguard.conf file now is required (I modified the
> > sample file so that it hopefully fits a vanilla OpenBSD system).
> >
> > I posted about this update in late March when I had issues getting the
> > sshguard service to properly shut down, but that issue has since been
> > resolved (rc_stop() needs to send it the HUP signal).
> >
> > Release announcements for sshguard are available at
> > https://www.sshguard.net/litenewz/feeds/
> >
> > Regards,

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
? sshguard.diff Index: Makefile =================================================================== RCS file: /cvs/ports/security/sshguard/Makefile,v retrieving revision 1.11 diff -u -p -u -r1.11 Makefile --- Makefile 11 Jan 2018 19:27:09 -0000 1.11 +++ Makefile 23 Apr 2018 09:08:33 -0000 @@ -2,8 +2,7 @@ COMMENT= protect against brute force attacks on sshd and others -DISTNAME= sshguard-1.5 -REVISION= 4 +DISTNAME= sshguard-2.1.0 CATEGORIES= security # BSD @@ -11,13 +10,21 @@ PERMIT_PACKAGE_CDROM= Yes WANTLIB+= c pthread -HOMEPAGE= http://www.sshguard.net/ +HOMEPAGE= https://www.sshguard.net/ MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/} -EXTRACT_SUFX= .tar.bz2 CONFIGURE_STYLE=gnu NO_TEST= Yes -CONFIGURE_ARGS = --with-firewall=pf +post-patch: + ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 + ${SUBST_CMD} ${WRKSRC}/examples/sshguard.conf.sample + +post-install: + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard + ${INSTALL_DATA} ${WRKSRC}/examples/sshguard.conf.sample \ + ${PREFIX}/share/examples/sshguard + ${INSTALL_DATA} ${WRKSRC}/examples/whitelistfile.example \ + ${PREFIX}/share/examples/sshguard .include <bsd.port.mk> Index: distinfo =================================================================== RCS file: /cvs/ports/security/sshguard/distinfo,v retrieving revision 1.3 diff -u -p -u -r1.3 distinfo --- distinfo 27 Jan 2014 15:49:15 -0000 1.3 +++ distinfo 23 Apr 2018 09:08:33 -0000 @@ -1,2 +1,2 @@ -SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk= -SIZE (sshguard-1.5.tar.bz2) = 303767 +SHA256 (sshguard-2.1.0.tar.gz) = ISUqSDSthAjfOE7k3fRoYkqp3pzq1a/eHHc4CkjPAoo= +SIZE (sshguard-2.1.0.tar.gz) = 1117466 Index: patches/patch-doc_sshguard_8 =================================================================== RCS file: patches/patch-doc_sshguard_8 diff -N patches/patch-doc_sshguard_8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-doc_sshguard_8 23 Apr 2018 09:08:33 -0000 
@@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: doc/sshguard.8 +--- doc/sshguard.8.orig ++++ doc/sshguard.8 +@@ -119,7 +119,7 @@ Set to enable verbose output from sshg\-blocker. + .SH FILES + .INDENT 0.0 + .TP +-.B %PREFIX%/etc/sshguard.conf ++.B ${SYSCONFDIR}/sshguard.conf + See sample configuration file. + .UNINDENT + .SH WHITELISTING Index: patches/patch-examples_sshguard_conf_sample =================================================================== RCS file: patches/patch-examples_sshguard_conf_sample diff -N patches/patch-examples_sshguard_conf_sample --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-examples_sshguard_conf_sample 23 Apr 2018 09:08:33 -0000 
@@ -0,0 +1,31 @@ +$OpenBSD$ + +Index: examples/sshguard.conf.sample +--- examples/sshguard.conf.sample.orig ++++ examples/sshguard.conf.sample +@@ -7,9 +7,11 @@ + #### REQUIRED CONFIGURATION #### + # Full path to backend executable (required, no default) + #BACKEND="/usr/local/libexec/sshg-fw-iptables" ++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf" + + # Space-separated list of log files to monitor. (optional, no default) + #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog" ++FILES="/var/log/authlog" + + # Shell command that provides logs on standard output. (optional, no default) + # Example 1: ssh and sendmail from systemd journal: +@@ -40,11 +42,11 @@ DETECTION_TIME=1800 + # !! Warning: These features may not work correctly with sandboxing. !! + + # Full path to PID file (optional, no default) +-#PID_FILE=/run/sshguard.pid ++#PID_FILE=/var/run/sshguard.pid + + # Colon-separated blacklist threshold and full path to blacklist file. + # (optional, no default) +-#BLACKLIST_FILE=90:/var/lib/sshguard/enemies ++#BLACKLIST_FILE=90:/var/db/sshguard/enemies + + # IP addresses listed in the WHITELIST_FILE are considered to be + # friendlies and will never be blocked. Index: patches/patch-src_fwalls_command_c =================================================================== RCS file: patches/patch-src_fwalls_command_c diff -N patches/patch-src_fwalls_command_c --- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,15 +0,0 @@ -$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $ - -Allow building with gcc3. - ---- src/fwalls/command.c.orig Fri Sep 9 22:07:56 2011 -+++ src/fwalls/command.c Fri Sep 9 22:08:12 2011 -@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, - return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? FWALL_OK : FWALL_ERR); - } - --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]) { -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) { - /* block each address individually */ - int i; - Index: patches/patch-src_sshguard_fw_h =================================================================== RCS file: patches/patch-src_sshguard_fw_h diff -N patches/patch-src_sshguard_fw_h --- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,15 +0,0 @@ -$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $ - -Allow building with gcc3. - ---- src/sshguard_fw.h.orig Fri Sep 9 22:07:03 2011 -+++ src/sshguard_fw.h Fri Sep 9 22:07:20 2011 -@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, - * - * @return FWALL_OK or FWALL_ERR - */ --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]); -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]); - - - /** Index: patches/patch-src_sshguard_in =================================================================== RCS file: patches/patch-src_sshguard_in diff -N patches/patch-src_sshguard_in --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_sshguard_in 23 Apr 2018 09:08:33 -0000 
@@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: src/sshguard.in +--- src/sshguard.in.orig ++++ src/sshguard.in +@@ -3,7 +3,7 @@ + + # Unregister recursive SIGTERM, and make sure to kill + # entire process group (subshell) on exit/interrupts. +-trap "trap - SIGTERM && kill 0" SIGINT SIGTERM EXIT ++trap "trap - TERM && kill 0" INT TERM EXIT + + libexec="@libexecdir@" + version="@sshguardversion@" Index: patches/patch-src_sshguard_logsuck_c =================================================================== RCS file: patches/patch-src_sshguard_logsuck_c diff -N patches/patch-src_sshguard_logsuck_c --- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,12 +0,0 @@ -$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $ ---- src/sshguard_logsuck.c.orig Wed Feb 9 13:01:47 2011 -+++ src/sshguard_logsuck.c Sat Mar 5 19:27:53 2011 -@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen, - if (ret > 0) { - if (kevs[0].filter == EVFILT_READ) { - /* got data on this one. Read from it */ -- sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", kevs[0].ident); -+ sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", kevs[0].ident); - readentry = list_seek(& sources_list, & kevs[0].ident); - assert(readentry != NULL); - assert(readentry->active); Index: patches/patch-src_sshguard_procauth_c =================================================================== RCS file: patches/patch-src_sshguard_procauth_c diff -N patches/patch-src_sshguard_procauth_c --- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000 1.1.1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,12 +0,0 @@ -$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert Exp $ ---- src/sshguard_procauth.c.orig Mon Aug 9 02:44:15 2010 -+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010 -@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren - dup2(ps2me[1], 1); - - sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'."); -- execlp("ps", "ps", "axo", "pid,ppid", NULL); -+ execlp("ps", "ps", "axo", "pid,ppid", (char *)0); - - sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", strerror(errno)); - exit(-1); Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/sshguard/pkg/PLIST,v retrieving revision 1.4 diff -u -p -u -r1.4 PLIST --- pkg/PLIST 25 Mar 2014 12:33:31 -0000 1.4 +++ pkg/PLIST 23 Apr 2018 09:08:33 -0000 @@ -1,6 +1,21 @@ -@comment $OpenBSD: PLIST,v 1.4 2014/03/25 12:33:31 ajacoutot Exp $ -@pkgpath security/sshguard,tcpd +@comment $OpenBSD$ +@bin libexec/sshg-blocker +libexec/sshg-fw-firewalld +@bin libexec/sshg-fw-hosts +libexec/sshg-fw-ipfilter +libexec/sshg-fw-ipfw +libexec/sshg-fw-ipset +libexec/sshg-fw-iptables +libexec/sshg-fw-nft-sets +libexec/sshg-fw-null +libexec/sshg-fw-pf +libexec/sshg-logtail +@bin libexec/sshg-parser +@man man/man7/sshguard-setup.7 @man man/man8/sshguard.8 -@bin sbin/sshguard +sbin/sshguard share/doc/pkg-readmes/${FULLPKGNAME} +share/examples/sshguard/ +share/examples/sshguard/sshguard.conf.sample +share/examples/sshguard/whitelistfile.example @rcscript ${RCDIR}/sshguard Index: pkg/README =================================================================== RCS file: /cvs/ports/security/sshguard/pkg/README,v retrieving revision 1.2 diff -u -p -u -r1.2 README --- pkg/README 25 Mar 2014 12:31:50 -0000 1.2 +++ pkg/README 23 Apr 2018 09:08:33 -0000 
@@ -10,3 +10,7 @@ table <sshguard> persist block in quick on egress proto tcp from <sshguard> \ to any port ssh label "ssh bruteforce" + +Also copy the example configruation found in +${PREFIX}/share/examples/sshguard to ${SYSCONFDIR} and modify it to fit +your needs. Index: pkg/sshguard.rc =================================================================== RCS file: /cvs/ports/security/sshguard/pkg/sshguard.rc,v retrieving revision 1.4 diff -u -p -u -r1.4 sshguard.rc --- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4 +++ pkg/sshguard.rc 23 Apr 2018 09:08:33 -0000 @@ -3,9 +3,12 @@ # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $ daemon="${TRUEPREFIX}/sbin/sshguard" -daemon_flags="-l /var/log/authlog" . /etc/rc.d/rc.subr + +pexp="/bin/sh $pexp" + +rc_stop () { pkill -HUP -xf "$pexp"; } rc_bg=YES rc_reload=NO
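Review bot: in the second Makefile hunk, pre-configure rather than post-patch is the usual target for ${SUBST_CMD} in OpenBSD ports, and the removal of CONFIGURE_ARGS=--with-firewall=pf deserves a one-line comment, because the pf choice now lives only in the patched sshguard.conf.sample (BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf") and is no longer visible from the build itself.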
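Review bot: the patch-doc_sshguard_8 hunk carries no description line between $OpenBSD$ and Index:, so it does not say why %PREFIX%/etc/sshguard.conf is replaced with ${SYSCONFDIR}/sshguard.conf; a short comment noting that the path is filled in by ${SUBST_CMD} from the Makefile would make the dependency between the two files obvious.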
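Review bot: the commented-out BLACKLIST_FILE=90:/var/db/sshguard/enemies in the sshguard.conf.sample hunk points at a directory that nothing else in this diff creates, so a user who uncomments it also has to create /var/db/sshguard by hand; either add the directory to the PLIST (an `@sample /var/db/sshguard/` entry) or mention the prerequisite in the README next to the pf table instructions.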
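Review bot: the patch-src_sshguard_in hunk lacks a comment explaining the trap change; the point is that POSIX specifies signal names for trap without the SIG prefix (INT, TERM), which is the portable spelling, and since nothing about the fix is OpenBSD-specific it is worth sending upstream and saying so in the patch header.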
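Review bot: in the PLIST hunk, an `@sample ${SYSCONFDIR}/sshguard.conf` line right after `share/examples/sshguard/sshguard.conf.sample` would install the now-required configuration file on pkg_add (and remove it on deinstall when unmodified), which is the usual OpenBSD way to ship a config and would remove the manual copy step the README hunk asks for.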
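Review bot: typo in the README hunk, "configruation" should read "configuration"; since the cover mail says the file is required for sshguard to start, the README should also state that plainly rather than "modify it to fit your needs".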
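Review bot: the sshguard.rc hunk overrides rc_stop to send HUP while the wrapper script (patch-src_sshguard_in hunk) only traps INT, TERM and EXIT, so a reader of the two files cannot tell why rc.subr's default TERM does not stop the service; put the explanation from the cover mail in a comment above rc_stop, and add a one-liner on the `pexp="/bin/sh $pexp"` line saying that sbin/sshguard is now a /bin/sh script (hence no @bin in the PLIST) and the pattern has to match the interpreter's command line.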