On Fri, Nov 23, 2018 at 03:36:09PM +0000, Stuart Henderson wrote:
> On 2018/11/22 21:05, Andreas Kusalananda Kähäri wrote:
> > On Thu, Nov 22, 2018 at 02:39:54PM +0000, Stuart Henderson wrote:
> > > > On Sun, 22 Apr 2018 at 16:03:23 +0200, Andreas Kusalananda Kähäri wrote:
> > > > > I posted about this update in late March when I had issues getting the
> > > > > sshguard service to properly shut down, but that issue has since been
> > > > > resolved (rc_stop() needs to send it the HUP signal).
> > > 
> > > HUP to shutdown?! is there some analysis on this, that's really weird.

This has now been resolved.
(but startup remains an issue, see end)

> > 
> > Looking at
> > 
> > https://bitbucket.org/sshguard/sshguard/src/ff8b525254a6c6e01e0f484cc3feba93e28a326e/src/sshguard.in?at=master&fileviewer=file-view-default
> > 
> > 
> > The main sshguard utility is a shell script that starts a log "tail"
> > reader, a log parser, a "blocker" (which I presume decides whether a
> > behaviour warrants blocking or not) and a firewall-specific backend that
> > actually does the blocking.  These are started in a shell pipeline:
> > 
> > eval $tailcmd | $libexec/sshg-parser | \
> >     $libexec/sshg-blocker $flags | ($BACKEND; kill -PIPE $$)
> > 
> > (the unquoted variable expansions..., I won't comment more on them)
> > 
> > The bulk of the main shell script is just setting up the values of the
> > variables used in this pipeline.
> > 
> > At the start of the script, there's
> > 
> > trap "trap - TERM && kill 0" INT TERM EXIT
> > 
> > ... which does my head in a bit.  It's *really* easy to start sshguard
> > and have one of the components of this pipeline not work correctly (it's
> > usually one and the same, but I forget which one now).  This usually
> > happens when it's started from pkg_scripts at boot (but not when started
> > manually later for some reason).  Sending the main script a HUP was
> > about the *only* way I could reliably get all components of the pipeline
> > to exit cleanly.
> > 
> > I'm assuming that it expects /bin/sh to be bash, and this could be one
> > of the reasons why it misbehaves under our /bin/sh (I haven't tested
> > with bash).
> > 
> > I have only ever looked at the shell script portion of sshguard 2.1.0
> > and the BitBucket Git thing I linked to and quoted above may well be
> > newer than that.  I gave up when I couldn't get it to start/shut down
> > reliably.
> > 
> > When it *ran*, it worked flawlessly.
> > 
> > I've been meaning to get back to this to sort it out for OpenBSD, but
> > have forgotten and have had other things getting in the way.
> 
> Thanks - no objection to the update then, but would appreciate a link to
> the list archive for this 
> (https://marc.info/?l=openbsd-ports&m=154291717732337&w=2)
> in commit log for the benefit of people looking later :)

Attached is a port of sshguard-2.2.0 which appears to work, sort of.  It
does not start at boot when started from pkg_scripts.  It *does* start
reliably when started manually with "rcctl start sshguard" and it shuts
down reliably both at system shutdown and manually (and in-between, it
runs well).

Any help with possible diagnoses of the startup problem would be
helpful.  I haven't found any other port that starts a shell script as a
daemon, but I have only looked for "/bin/sh" in the rc scripts for that.

The "stop" action in the rc script is a bit unorthodox:

kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"

... and that's to send a TERM signal to all the processes in the
relevant process group (sshguard consists of a total of seven separate
processes).  The main script does do something similar to this ("kill 0"
in a trap), but this may require bash to work (and even then it doesn't
seem to work reliably).

I have attached a diff for the port as well as a tar archive of it.


Regards,

-- 
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.
Index: Makefile
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile    4 Sep 2018 12:46:21 -0000       1.13
+++ Makefile    4 Dec 2018 23:12:47 -0000
@@ -2,22 +2,31 @@
 
 COMMENT=       protect against brute force attacks on sshd and others
 
-DISTNAME=      sshguard-1.5
-REVISION=      6
+DISTNAME=      sshguard-2.2.0
 CATEGORIES=    security
 
+HOMEPAGE=      https://www.sshguard.net/
+
+MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+
 # BSD
 PERMIT_PACKAGE_CDROM=  Yes
 
 WANTLIB+=      c pthread
 
-HOMEPAGE=      https://www.sshguard.net/
-MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX=  .tar.bz2
-
-CONFIGURE_STYLE=gnu
-CONFIGURE_ARGS=        --with-firewall=pf
+CONFIGURE_STYLE=simple
+CONFIGURE_ARGS=        --sysconfdir="${SYSCONFDIR}" \
+                               --mandir="${TRUEPREFIX}/man"
 
 NO_TEST=       Yes
+
+post-patch:
+       ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
+               ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+       ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
+       ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
+               ${PREFIX}/share/examples/sshguard
 
 .include <bsd.port.mk>
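Review bot: the `post-install` glob `${WRKSRC}/examples/*.{example,sample}` relies on brace expansion, which is not POSIX sh and only works here because OpenBSD's /bin/sh is ksh; since the PLIST names exactly two files, listing `${WRKSRC}/examples/sshguard.conf.sample` and `${WRKSRC}/examples/whitelistfile.example` explicitly is clearer and fails loudly if upstream renames or adds a file, instead of quietly drifting out of sync with the PLIST.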
Index: distinfo
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo    27 Jan 2014 15:49:15 -0000      1.3
+++ distinfo    4 Dec 2018 10:29:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.2.0.tar.gz) = Kv8H/ubsM+T/1UEZFrdRiZd68dd7htrF84NN06o2VsI=
+SIZE (sshguard-2.2.0.tar.gz) = 737612
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure     24 Jun 2018 10:54:19 -0000      1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
-
-Index: configure
---- configure.orig
-+++ configure
-@@ -5949,7 +5949,6 @@ then
-     STD99_CFLAGS="-xc99"
- else
-     # other compiler (assume gcc-compatibile :( )
--    OPTIMIZER_CFLAGS="-O2"
-     WARNING_CFLAGS="-Wall"
-     STD99_CFLAGS="-std=c99"
- fi
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c  9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig  Fri Sep  9 22:07:56 2011
-+++ src/fwalls/command.c       Fri Sep  9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? 
FWALL_OK : FWALL_ERR);
- }
- 
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]) {
-     /* block each address individually */
-     int i;
- 
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h     9 Sep 2011 20:13:28 -0000       1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig     Fri Sep  9 22:07:03 2011
-+++ src/sshguard_fw.h  Fri Sep  9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind, 
-  *
-  * @return FWALL_OK or FWALL_ERR
-  */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int 
service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int 
service_codes[]);
- 
- 
- /**
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c        7 Mar 2011 17:44:16 -0000       
1.2
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig        Wed Feb  9 13:01:47 2011
-+++ src/sshguard_logsuck.c     Sat Mar  5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
-         if (ret > 0) {
-             if (kevs[0].filter == EVFILT_READ) {
-                 /* got data on this one. Read from it */
--                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", 
kevs[0].ident);
-+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", 
kevs[0].ident);
-                 readentry = list_seek(& sources_list, & kevs[0].ident);
-                 assert(readentry != NULL);
-                 assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c       7 Sep 2010 12:23:43 -0000       
1.1.1.1
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert 
Exp $
---- src/sshguard_procauth.c.orig       Mon Aug  9 02:44:15 2010
-+++ src/sshguard_procauth.c    Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
-         dup2(ps2me[1], 1);
- 
-         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
--        execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
- 
-         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", 
strerror(errno));
-         exit(-1);
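Review bot: dropping this patch also drops the `(char *)0` sentinel for `execlp`, which matters on targets where NULL expands to a plain `0` of int width; worth confirming that the 2.2.0 sources no longer call `execlp("ps", ...)` with a bare NULL (the procauth code may simply be gone in the new layout) and saying in the commit log that all five 1.5-era patches were removed rather than updated, so the next updater knows nothing was carried forward by mistake.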
Index: pkg/PLIST
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.5
diff -u -p -r1.5 PLIST
--- pkg/PLIST   4 Sep 2018 12:46:21 -0000       1.5
+++ pkg/PLIST   4 Dec 2018 16:05:24 -0000
@@ -1,6 +1,22 @@
 @comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $
 @pkgpath security/sshguard,tcpd
+@rcscript ${RCDIR}/sshguard
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
 @man man/man8/sshguard.8
-@bin sbin/sshguard
+sbin/sshguard
 share/doc/pkg-readmes/${PKGSTEM}
-@rcscript ${RCDIR}/sshguard
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+share/examples/sshguard/whitelistfile.example
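Review bot: the backends for other systems (`libexec/sshg-fw-firewalld`, `sshg-fw-ipfilter`, `sshg-fw-ipfw`, `sshg-fw-ipset`, `sshg-fw-iptables`, `sshg-fw-nft-sets`) are packaged although none of those firewalls exist on OpenBSD; pruning them in `post-install` keeps the package to the backends that can actually block here (`sshg-fw-pf`, `sshg-fw-null`, `sshg-fw-hosts`) and makes a mistaken BACKEND setting fail at startup rather than look like a working install. Dropping `@bin` from `sbin/sshguard` is correct only because it is now a shell script; a one-line Makefile comment recording that the unmarked libexec entries are scripts too would save re-checking on the next update.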
Index: pkg/README
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
retrieving revision 1.3
diff -u -p -r1.3 README
--- pkg/README  4 Sep 2018 12:46:21 -0000       1.3
+++ pkg/README  4 Dec 2018 21:10:55 -0000
@@ -4,7 +4,13 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
 | Running ${PKGSTEM} on OpenBSD
 +-----------------------------------------------------------------------
 
-To use sshguard with pf(4), add the following to /etc/pf.conf:
+Copy the example configuration file:
+
+    cp ${PREFIX}/share/examples/sshguard/sshguard.conf.sample \
+       ${SYSCONFDIR}/sshguard.conf
+
+To use ${PKGSTEM} with pf(4), add something similar to the following to
+${SYSCONFDIR}/pf.conf:
 
 table <sshguard> persist
 
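Review bot: the new copy step tells the user to install sshguard.conf.sample but not which settings must be edited before starting; since the rc script hunk drops `daemon_flags="-l /var/log/authlog"`, the files to watch and the pf backend now come entirely from sshguard.conf, so a sentence naming those two settings (log files and backend) before `rcctl start sshguard` would prevent a daemon that runs but watches nothing.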
Index: pkg/sshguard.rc
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -r1.4 sshguard.rc
--- pkg/sshguard.rc     11 Jan 2018 19:27:09 -0000      1.4
+++ pkg/sshguard.rc     4 Dec 2018 21:09:13 -0000
@@ -3,9 +3,17 @@
 # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
 
 daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"
 
 . /etc/rc.d/rc.subr
+
+pexp="/bin/sh $pexp"
+
+rc_stop () {
+    # Need to send TERM to all processes in the process group not just
+    # to the ones matching "$pexp".  The main sshguard shell script does
+    # set up a trap for doing this, but it relies on running under bash.
+    kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx 
"${pexp}" )" )"
+}
 
 rc_bg=YES
 rc_reload=NO
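Review bot: `kill -- "-$( ps -o pgid= -p "$( pgrep ... )" )"` has no guard for an empty result: if pgrep matches nothing (daemon already gone), ps gets an empty `-p` and the command degrades to `kill -- -`, which only errors, but a `pgid=$(...)` step followed by `[ -n "$pgid" ] || return 0` reads better and keeps `rcctl stop` quiet. The larger question is whether sshguard owns the process group at all: with `rc_bg=YES` the script is backgrounded from a non-interactive shell, where background jobs normally stay in the parent's process group, so at boot the pgid found here may be shared with the rc framework that started it, and signalling it would take that down too. The same sharing would explain why the main script's own `kill 0` trap (quoted earlier in the thread) misbehaves only when started from pkg_scripts; comparing `ps -o pid,pgid,command` for the sshguard processes after a boot start and after a manual `rcctl start` is the quick way to confirm.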

Attachment: sshguard.tar.gz
Description: application/tar-gz
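As an added example, not code from this thread or from sshguard: the process-group problem discussed above (the script's `kill 0` trap and an rc_stop that signals the whole pgid) can be sidestepped by starting each pipeline stage separately and signalling the PIDs the supervisor actually recorded. The stage commands, the 192.0.2.1 address and the `PIPE_DIR` layout are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed example, not sshguard's code: supervise a three-stage
# pipeline by recording each stage's PID and signalling those PIDs
# instead of `kill 0`, so shutdown needs neither bash nor a private
# process group. Stages are started one by one through named pipes
# because "$!" after "a | b | c &" names only the last stage.
# They stand in for sshguard's logtail | parser | blocker.
start_pipeline() {
    PIPE_DIR=$(mktemp -d) || return 1
    mkfifo "$PIPE_DIR/tail" "$PIPE_DIR/parsed" || return 1
    # stage 1: fake log tailer, emits one constructed auth line per second
    ( while :; do echo "sshd: Failed password from 192.0.2.1"; sleep 1; done ) \
        >"$PIPE_DIR/tail" &
    TAIL_PID=$!
    # stage 2: fake parser, extracts the offending address
    ( while read -r line; do echo "attack:${line#* from }"; done ) \
        <"$PIPE_DIR/tail" >"$PIPE_DIR/parsed" &
    PARSER_PID=$!
    # stage 3: fake blocker, records what a real backend would block
    ( while read -r line; do echo "$line" >>"$PIPE_DIR/blocked"; done ) \
        <"$PIPE_DIR/parsed" &
    BLOCKER_PID=$!
    # Forward TERM/INT to the stages we know, never to the whole group.
    trap 'stop_pipeline; exit 0' INT TERM
}
stop_pipeline() {
    for pid in $TAIL_PID $PARSER_PID $BLOCKER_PID; do
        kill -TERM "$pid" 2>/dev/null || :   # stage may already have hit EOF
        wait "$pid" 2>/dev/null || :         # reap it; exit status is irrelevant
    done
}

# Returns 0 once none of the stage PIDs is alive.
all_stopped() {
    for pid in $TAIL_PID $PARSER_PID $BLOCKER_PID; do
        kill -0 "$pid" 2>/dev/null && return 1
    done
    return 0
}

# Number of entries the blocker stage has recorded so far.
blocked_count() {
    wc -l <"$PIPE_DIR/blocked" 2>/dev/null || echo 0
}

# Demo: run for two seconds, report, shut down, clean up.
start_pipeline && sleep 2
echo "blocker recorded $(blocked_count) entries"
stop_pipeline && all_stopped && echo "all stages stopped"
rm -rf "$PIPE_DIR"
```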
