On Mon, Apr 23, 2018 at 11:12:55AM +0200, Andreas Kusalananda Kähäri wrote:
> On Sun, Apr 22, 2018 at 04:04:02PM +0200, Andreas Kusalananda Kähäri wrote:
> > On Sun, Apr 22, 2018 at 04:03:23PM +0200, Andreas Kusalananda Kähäri wrote:
> > >
> > > Please find the diffs for an updated port of sshguard attached.
> >
> > Now actually attached, duh.
> >
>
> Updated patch attached with comments from kn@ taken into account, but
> with CONFIGURE_STYLE=gnu left in place as suggested by Jeremie and
> Stuart.

I forgot about this diff when removing -O2 earlier (portroach also
wouldn't detect an update due to EXTRACT_SUFX change), thanks Andreas
for reminding me.

The diff looks good, I made a few additional changes:

- Drop README: sshguard-intro(7) contains all relevant information
- sshguard.rc: $pexp -> ${pexp}, unfold rc_stop()
- Makefile: Use SUBST_CMD and INSTALL_DATA just once

On amd64 sshguard continues to work.

1.5.0 is broken on sparc64 due to an assertion failure when parsing log
lines, 2.1.0 fixed this.

OK?

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.12
diff -u -p -r1.12 Makefile
--- Makefile 24 Jun 2018 10:54:19 -0000 1.12
+++ Makefile 24 Jun 2018 14:45:49 -0000
@@ -2,8 +2,7 @@
COMMENT= protect against brute force attacks on sshd and others
-DISTNAME= sshguard-1.5
-REVISION= 5
+DISTNAME= sshguard-2.1.0
CATEGORIES= security
# BSD
@@ -13,11 +12,18 @@ WANTLIB+= c pthread
HOMEPAGE= https://www.sshguard.net/
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX= .tar.bz2
CONFIGURE_STYLE=gnu
-CONFIGURE_ARGS= --with-firewall=pf
NO_TEST= Yes
+
+post-patch:
+ ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
+ ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard/
+ ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
+ ${PREFIX}/share/examples/sshguard/
.include <bsd.port.mk>
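Review bot: the post-install glob `${WRKSRC}/examples/*.{example,sample}` relies on brace expansion, which is not POSIX sh and so depends on which shell make runs. The PLIST in this diff lists exactly two example files, so naming `sshguard.conf.sample` and `whitelistfile.example` explicitly would be more robust and would make any new upstream example file show up as a deliberate change. It is also worth recording in the commit message that, with `CONFIGURE_ARGS= --with-firewall=pf` gone, the pf backend is now selected only by the `BACKEND=` line patched into the sample config.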
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 27 Jan 2014 15:49:15 -0000 1.3
+++ distinfo 24 Jun 2018 14:45:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.1.0.tar.gz) = ISUqSDSthAjfOE7k3fRoYkqp3pzq1a/eHHc4CkjPAoo=
+SIZE (sshguard-2.1.0.tar.gz) = 1117466
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure 24 Jun 2018 10:54:19 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
-
-Index: configure
---- configure.orig
-+++ configure
-@@ -5949,7 +5949,6 @@ then
- STD99_CFLAGS="-xc99"
- else
- # other compiler (assume gcc-compatibile :( )
-- OPTIMIZER_CFLAGS="-O2"
- WARNING_CFLAGS="-Wall"
- STD99_CFLAGS="-std=c99"
- fi
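Review bot: deleting this patch removes the local change that dropped `OPTIMIZER_CFLAGS="-O2"` from configure, and nothing else in the diff replaces it. Please confirm that the 2.1.0 configure no longer forces -O2 over the ports CFLAGS, or carry an equivalent patch forward.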
Index: patches/patch-doc_sshguard_8
===================================================================
RCS file: patches/patch-doc_sshguard_8
diff -N patches/patch-doc_sshguard_8
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-doc_sshguard_8 24 Jun 2018 14:45:49 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: doc/sshguard.8
+--- doc/sshguard.8.orig
++++ doc/sshguard.8
+@@ -119,7 +119,7 @@ Set to enable verbose output from sshg\-blocker.
+ .SH FILES
+ .INDENT 0.0
+ .TP
+-.B %PREFIX%/etc/sshguard.conf
++.B ${SYSCONFDIR}/sshguard.conf
+ See sample configuration file.
+ .UNINDENT
+ .SH WHITELISTING
Index: patches/patch-examples_sshguard_conf_sample
===================================================================
RCS file: patches/patch-examples_sshguard_conf_sample
diff -N patches/patch-examples_sshguard_conf_sample
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-examples_sshguard_conf_sample 24 Jun 2018 14:45:49 -0000
@@ -0,0 +1,31 @@
+$OpenBSD$
+
+Index: examples/sshguard.conf.sample
+--- examples/sshguard.conf.sample.orig
++++ examples/sshguard.conf.sample
+@@ -7,9 +7,11 @@
+ #### REQUIRED CONFIGURATION ####
+ # Full path to backend executable (required, no default)
+ #BACKEND="/usr/local/libexec/sshg-fw-iptables"
++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"
+
+ # Space-separated list of log files to monitor. (optional, no default)
+ #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
++FILES="/var/log/authlog"
+
+ # Shell command that provides logs on standard output. (optional, no default)
+ # Example 1: ssh and sendmail from systemd journal:
+@@ -40,11 +42,11 @@ DETECTION_TIME=1800
+ # !! Warning: These features may not work correctly with sandboxing. !!
+
+ # Full path to PID file (optional, no default)
+-#PID_FILE=/run/sshguard.pid
++#PID_FILE=/var/run/sshguard.pid
+
+ # Colon-separated blacklist threshold and full path to blacklist file.
+ # (optional, no default)
+-#BLACKLIST_FILE=90:/var/lib/sshguard/enemies
++#BLACKLIST_FILE=90:/var/db/sshguard/enemies
+
+ # IP addresses listed in the WHITELIST_FILE are considered to be
+ # friendlies and will never be blocked.
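Review bot: the second inner hunk points the commented `BLACKLIST_FILE` at `/var/db/sshguard/enemies`, but nothing in this diff creates `/var/db/sshguard` (pkg/PLIST has no directory entry for it). Unless sshguard creates the directory itself, a user who uncomments the line gets a path whose parent does not exist and the blacklist is never persisted. Either add the directory to the PLIST or say in the sample comment that it has to be created first.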
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig Fri Sep 9 22:07:56 2011
-+++ src/fwalls/command.c Fri Sep 9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind,
- return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ?
FWALL_OK : FWALL_ERR);
- }
-
--int fw_block_list(const char *restrict addresses[], int addrkind, const int
service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int
service_codes[]) {
- /* block each address individually */
- int i;
-
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig Fri Sep 9 22:07:03 2011
-+++ src/sshguard_fw.h Fri Sep 9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind,
- *
- * @return FWALL_OK or FWALL_ERR
- */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int
service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int
service_codes[]);
-
-
- /**
Index: patches/patch-src_sshguard_in
===================================================================
RCS file: patches/patch-src_sshguard_in
diff -N patches/patch-src_sshguard_in
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_sshguard_in 24 Jun 2018 14:45:49 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+
+Index: src/sshguard.in
+--- src/sshguard.in.orig
++++ src/sshguard.in
+@@ -3,7 +3,7 @@
+
+ # Unregister recursive SIGTERM, and make sure to kill
+ # entire process group (subshell) on exit/interrupts.
+-trap "trap - SIGTERM && kill 0" SIGINT SIGTERM EXIT
++trap "trap - TERM && kill 0" INT TERM EXIT
+
+ libexec="@libexecdir@"
+ version="@sshguardversion@"
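Review bot: the new patch file has no explanation above its `Index:` line, unlike the removed patches that carried "Allow building with gcc3.". A one-line comment that POSIX `trap` takes signal names without the `SIG` prefix would tell the next updater why the patch exists, and the change looks suitable for sending upstream so it can be dropped later.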
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000
1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig Wed Feb 9 13:01:47 2011
-+++ src/sshguard_logsuck.c Sat Mar 5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
- if (ret > 0) {
- if (kevs[0].filter == EVFILT_READ) {
- /* got data on this one. Read from it */
-- sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.",
kevs[0].ident);
-+ sshguard_log(LOG_DEBUG, "Searching for fd %u in list.",
kevs[0].ident);
- readentry = list_seek(& sources_list, & kevs[0].ident);
- assert(readentry != NULL);
- assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000
1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert
Exp $
---- src/sshguard_procauth.c.orig Mon Aug 9 02:44:15 2010
-+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
- dup2(ps2me[1], 1);
-
- sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
-- execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+ execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
-
- sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.",
strerror(errno));
- exit(-1);
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.4
diff -u -p -r1.4 PLIST
--- pkg/PLIST 25 Mar 2014 12:33:31 -0000 1.4
+++ pkg/PLIST 24 Jun 2018 14:45:49 -0000
@@ -1,6 +1,20 @@
-@comment $OpenBSD: PLIST,v 1.4 2014/03/25 12:33:31 ajacoutot Exp $
-@pkgpath security/sshguard,tcpd
-@man man/man8/sshguard.8
-@bin sbin/sshguard
-share/doc/pkg-readmes/${FULLPKGNAME}
+@comment $OpenBSD: PLIST,v$
@rcscript ${RCDIR}/sshguard
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
+@man man/man8/sshguard.8
+sbin/sshguard
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+share/examples/sshguard/whitelistfile.example
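Review bot: the sample config is installed only under `share/examples/sshguard/`; there is no `@sample ${SYSCONFDIR}/sshguard.conf` line after `share/examples/sshguard/sshguard.conf.sample`, although the patched man page names `${SYSCONFDIR}/sshguard.conf` and the sample describes `BACKEND` as "required, no default". Without it a fresh install has no config file, and the rc script in this diff no longer passes `-l /var/log/authlog`, so nothing tells sshguard which backend to use or what to watch. The removal of `@pkgpath security/sshguard,tcpd` also deserves a second look, since that line is what lets packages built from the old flavor find this update.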
Index: pkg/README
===================================================================
RCS file: pkg/README
diff -N pkg/README
--- pkg/README 25 Mar 2014 12:31:50 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: README,v 1.2 2014/03/25 12:31:50 ajacoutot Exp $
-
-+-----------------------------------------------------------------------
-| Running ${FULLPKGNAME} on OpenBSD
-+-----------------------------------------------------------------------
-
-To use sshguard with pf(4), add the following to /etc/pf.conf:
-
-table <sshguard> persist
-
-block in quick on egress proto tcp from <sshguard> \
- to any port ssh label "ssh bruteforce"
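Review bot: this removes the only place in the port that gives the pf.conf lines (`table <sshguard> persist` and the `block in quick` rule) needed to use sshguard with pf(4), which is the backend the sample config now enables. The PLIST in this diff installs `man/man7/sshguard-setup.7`; please check that this page carries equivalent pf instructions before dropping the README, otherwise addresses are added to a table that no rule consults.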
Index: pkg/sshguard.rc
===================================================================
RCS file: /cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -r1.4 sshguard.rc
--- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4
+++ pkg/sshguard.rc 24 Jun 2018 14:45:49 -0000
@@ -3,11 +3,15 @@
# $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"
. /etc/rc.d/rc.subr
rc_bg=YES
rc_reload=NO
+pexp="/bin/sh ${pexp}"
+
+rc_stop() {
+ pkill -HUP -xf "${pexp}"
+}
rc_cmd $1
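Review bot: `rc_stop()` sends `HUP`, but the trap in src/sshguard.in as patched above lists only `INT TERM EXIT`, so the wrapper's cleanup (`kill 0` for the whole process group) is not explicitly tied to the signal the rc script uses. Please verify that `rcctl stop sshguard` leaves no `sshg-blocker`, `sshg-parser` or backend process behind, or send `TERM` instead. A short comment explaining why `pexp` is prefixed with `/bin/sh` (the daemon is now a shell wrapper, which matches `sbin/sshguard` losing its `@bin` marker in the PLIST) would also help.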