svn commit: r446263 - in head: . security security/sshguard security/sshguard/files
McGregor, Dan
dkm560 at mail.usask.ca
Fri Jul 21 17:59:54 UTC 2017
________________________________________
From: Adam Weinberger <adamw at adamw.org>
Sent: July 20, 2017 10:10 PM
To: Mark Felder; McGregor, Dan
Cc: ports-committers at freebsd.org; svn-ports-all at freebsd.org; svn-ports-head at freebsd.org
Subject: Re: svn commit: r446263 - in head: . security security/sshguard security/sshguard/files
> On 20 Jul, 2017, at 9:34, Mark Felder <feld at FreeBSD.org> wrote:
>
> Author: feld
> Date: Thu Jul 20 15:34:08 2017
> New Revision: 446263
> URL: https://svnweb.freebsd.org/changeset/ports/446263
>
> Log:
> security/sshguard: Update to 2.0.0
>
> PR: 219409
Dan,
Something for UPDATING would be pretty reasonable here, given that (a) people will have to manually uninstall sshguard-* and install sshguard, (b) user intervention is required to reconfigure sshguard in a new sshguard.conf file, and (c) "service sshguard ..." is broken unless PID_FILE is uncommented in that sshguard.conf.
Can you write up some UPDATING text, and take a look at the PID_FILE issue?
# Adam
Yes, I'm writing something now. There's been some discussion on the sshguard mailing list too.
--
Adam Weinberger
adamw at adamw.org
https://www.adamw.org
>
> Added:
> head/security/sshguard/files/patch-examples-sshguard.conf.sample (contents, props changed)
> head/security/sshguard/files/patch-src-sshguard.in (contents, props changed)
> head/security/sshguard/pkg-plist (contents, props changed)
> Modified:
> head/MOVED
> head/security/Makefile
> head/security/sshguard/Makefile
> head/security/sshguard/distinfo
> head/security/sshguard/files/pkg-message.in
> head/security/sshguard/files/sshguard.in
>
> Modified: head/MOVED
> ==============================================================================
> --- head/MOVED Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/MOVED Thu Jul 20 15:34:08 2017 (r446263)
> @@ -9466,3 +9466,6 @@ dns/opendnssec13|dns/opendnssec14|2017-07-13|Has expir
> multimedia/banshee||2017-07-13|Has expired: Project is not being actively maintained upstream anymore
> www/libhtp-suricata||2017-07-16|No longer required. security/suricata now uses official (not forked) libhtp
> databases/py-odbc|databases/py-pyodbc|2017-07-18|Rename to comply with PyPI scheme
> +security/sshguard-ipfw|security/sshguard|2017-07-20|Merged with security/sshguard
> +security/sshguard-pf|security/sshguard|2017-07-20|Merged with security/sshguard
> +security/sshguard-null|security/sshguard|2017-07-20|Merged with security/sshguard
>
> Modified: head/security/Makefile
> ==============================================================================
> --- head/security/Makefile Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/security/Makefile Thu Jul 20 15:34:08 2017 (r446263)
> @@ -1153,9 +1153,6 @@
> SUBDIR += ssh_askpass_gtk2
> SUBDIR += sshblock
> SUBDIR += sshguard
> - SUBDIR += sshguard-ipfw
> - SUBDIR += sshguard-null
> - SUBDIR += sshguard-pf
> SUBDIR += sshpass
> SUBDIR += ssl-admin
> SUBDIR += sslscan
>
> Modified: head/security/sshguard/Makefile
> ==============================================================================
> --- head/security/sshguard/Makefile Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/security/sshguard/Makefile Thu Jul 20 15:34:08 2017 (r446263)
> @@ -2,62 +2,28 @@
> # $FreeBSD$
>
> PORTNAME= sshguard
> -PORTVERSION= 1.7.1
> -PORTREVISION= 0
> +PORTVERSION= 2.0.0
> CATEGORIES= security
> MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION}
>
> -MAINTAINER= ports at FreeBSD.org
> -COMMENT?= Protect hosts from brute force attacks against ssh and other services
> +MAINTAINER= dan.mcgregor at usask.ca
> +COMMENT= Protect hosts from brute force attacks against ssh and other services
>
> -SSHGUARDFW?= none
> -
> -# If SSHGUARDFW is not set by a slave port, then we only use the
> -# following which makes this a metaport to choose a backend
> -.if ${SSHGUARDFW} == none
> -NO_BUILD=YES
> -NO_INSTALL=YES
> -NO_ARCH=YES
> -
> -OPTIONS_SINGLE= BACKEND
> -OPTIONS_SINGLE_BACKEND= IPFW NULL PF
> -OPTIONS_DEFAULT= IPFW
> -
> -IPFW_DESC= IPFW firewall backend
> -NULL_DESC= null firewall backend (detection only)
> -PF_DESC= pf firewall backend
> -
> -IPFW_RUN_DEPENDS= sshguard-ipfw>0:security/sshguard-ipfw
> -NULL_RUN_DEPENDS= sshguard-null>0:security/sshguard-null
> -PF_RUN_DEPENDS= sshguard-pf>0:security/sshguard-pf
> -
> -.include <bsd.port.options.mk>
> -
> -# The remaining settings are used by the slave ports
> -.else
> -
> LICENSE= BSD2CLAUSE
>
> USES= autoreconf
>
> -PLIST_FILES= libexec/sshg-fw libexec/sshg-logtail libexec/sshg-parser \
> - sbin/sshguard man/man8/sshguard.8.gz
> -
> USE_RC_SUBR= sshguard
> MAKE_ARGS+= ACLOCAL="${TRUE}" AUTOCONF="${TRUE}" AUTOMAKE="${TRUE}"
> GNU_CONFIGURE= yes
> -CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW}
>
> -SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}
> SUB_FILES= pkg-message
> -.endif
>
> -.if ${SSHGUARDFW} == pf
> -PKGMSG_FWBLOCK=" To activate or configure PF see http://www.sshguard.net/docs/setup/firewall/pf/"
> -.elif ${SSHGUARDFW} == ipfw
> -PKGMSG_FWBLOCK=" IPFW support has been rewritten. Sshguard will now add entries to table 22."
> -.elif ${SSHGUARDFW} == null
> -PKGMSG_FWBLOCK=" Sshguard null backend does detection only. It does not take action."
> -.endif
> +post-patch:
> + @${REINPLACE_CMD} -e 's|%PREFIX%|${PREFIX}|' ${WRKSRC}/doc/sshguard.8.rst
> +
> +post-install:
> + ${INSTALL} -d ${STAGEDIR}${PREFIX}/etc
> + ${INSTALL} -m 644 ${WRKSRC}/examples/sshguard.conf.sample ${STAGEDIR}${PREFIX}/etc
>
> .include <bsd.port.mk>
>
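Review bot: In the new post-install target, `${INSTALL} -d` and `${INSTALL} -m 644` bypass the ports framework macros; `${MKDIR} ${STAGEDIR}${PREFIX}/etc` and `${INSTALL_DATA}` are the usual form and keep mode handling consistent with the rest of the tree. In post-patch, the expression `s|%PREFIX%|${PREFIX}|` has no `g` flag, so only the first `%PREFIX%` on each line of doc/sshguard.8.rst is rewritten; add `g` unless a single substitution per line is intended.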
> Modified: head/security/sshguard/distinfo
> ==============================================================================
> --- head/security/sshguard/distinfo Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/security/sshguard/distinfo Thu Jul 20 15:34:08 2017 (r446263)
> @@ -1,3 +1,3 @@
> -TIMESTAMP = 1483998292
> -SHA256 (sshguard-1.7.1.tar.gz) = 2e527589c9b33219222d827dff63974229d044de945729aa47271c4a29aaa195
> -SIZE (sshguard-1.7.1.tar.gz) = 832220
> +TIMESTAMP = 1500391750
> +SHA256 (sshguard-2.0.0.tar.gz) = e87c6c4a6dddf06f440ea76464eb6197869c0293f0a60ffa51f8a6a0d7b0cb06
> +SIZE (sshguard-2.0.0.tar.gz) = 886995
>
> Added: head/security/sshguard/files/patch-examples-sshguard.conf.sample
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/security/sshguard/files/patch-examples-sshguard.conf.sample Thu Jul 20 15:34:08 2017 (r446263)
> @@ -0,0 +1,36 @@
> +diff --git examples/sshguard.conf.sample examples/sshguard.conf.sample
> +index d881e51..87b7acc 100644
> +--- examples/sshguard.conf.sample
> ++++ examples/sshguard.conf.sample
> +@@ -6,11 +6,13 @@
> +
> + #### REQUIRED CONFIGURATION ####
> + # Full path to backend executable (required, no default)
> +-#BACKEND="/usr/local/libexec/sshg-fw-hosts"
> ++BACKEND="/usr/local/libexec/sshg-fw-null"
> ++#BACKEND="/usr/local/libexec/sshg-fw-ipfw"
> ++#BACKEND="/usr/local/libexec/sshg-fw-pf"
> +
> + # Space-separated list of log files to monitor. Ignored if LOGREADER is set.
> + # (optional, no default)
> +-#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
> ++#FILES="/var/log/auth.log /var/log/maillog"
> +
> + # Shell command that provides logs on standard output. Takes precedence over
> + # FILES. (optional, no default)
> +@@ -36,12 +38,12 @@ DETECTION_TIME=1800
> + # !! Warning: These features may not work correctly with sandboxing. !!
> +
> + # Full path to PID file (optional, no default)
> +-#PID_FILE=/run/sshguard.pid
> ++#PID_FILE=/var/run/sshguard.pid
> +
> + # Colon-separated blacklist threshold and full path to blacklist file.
> + # (optional, no default)
> +-#BLACKLIST_FILE=90:/var/lib/sshguard/enemies
> ++#BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db
> +
> + # IP addresses listed in the WHITELIST_FILE are considered to be
> + # friendlies and will never be blocked.
> +-#WHITELIST_FILE=/etc/friends
> ++#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist
>
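Review bot: The uncommented `BACKEND="/usr/local/libexec/sshg-fw-null"` in the first inner hunk makes detection-only the shipped default, whereas the removed port options defaulted to IPFW (`OPTIONS_DEFAULT= IPFW`), so a host that upgrades and keeps the sample as installed will detect attacks but block nothing. Consider leaving all three BACKEND lines commented so the choice has to be made explicitly (the sample itself labels the setting "required, no default"), or state the null default prominently in pkg-message and UPDATING. Two smaller points in the second inner hunk: `PID_FILE` stays commented although the rc script defaults its pidfile to /var/run/sshguard.pid, and the blacklist threshold drops from 90 to 30 without a mention in the commit log.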
> Added: head/security/sshguard/files/patch-src-sshguard.in
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/security/sshguard/files/patch-src-sshguard.in Thu Jul 20 15:34:08 2017 (r446263)
> @@ -0,0 +1,10 @@
> +diff --git src/sshguard.in src/sshguard.in
> +index 40c864b..249ddb5 100644
> +--- src/sshguard.in
> ++++ src/sshguard.in
> +@@ -85,4 +85,4 @@ elif [ -z "$tailcmd" ]; then
> + fi
> +
> + eval $tailcmd | $libexec/sshg-parser | \
> +- $libexec/sshg-blocker $flags | ($BACKEND; kill -PIPE $$)
> ++ $libexec/sshg-blocker $flags | ($BACKEND ; pkill -PIPE -P $$)
>
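Review bot: The switch from `kill -PIPE $$` to `pkill -PIPE -P $$` on the last pipeline line changes who receives the signal (the children of the script rather than the script itself), and neither the patch file nor the commit log says why. Add a short comment to the patch describing the problem it solves and whether it has been sent upstream, so the local patch can be re-evaluated at the next update.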
> Modified: head/security/sshguard/files/pkg-message.in
> ==============================================================================
> --- head/security/sshguard/files/pkg-message.in Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/security/sshguard/files/pkg-message.in Thu Jul 20 15:34:08 2017 (r446263)
> @@ -1,12 +1,10 @@
> ##########################################################################
> Sshguard installed successfully.
>
> -%%PKGMSG_FWBLOCK%%
> -
> You can start sshguard as a daemon by using the
> rc.d script installed at %%PREFIX%%/etc/rc.d/sshguard .
>
> - See sshguard(8) and http://www.sshguard.net/docs/setup for additional info.
> + See sshguard-setup(7) and http://www.sshguard.net/docs/setup for additional info.
>
> Please note that a few rc script parameters have been renamed to
> better reflect the documentation:
>
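Review bot: With `%%PKGMSG_FWBLOCK%%` removed, the message no longer says anything about firewall backends and still sends the user straight to the rc.d script. Since the backend is now selected in the installed configuration file, add a line telling the user to review %%PREFIX%%/etc/sshguard.conf (BACKEND, and PID_FILE when the rc script is used) before starting the service.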
> Modified: head/security/sshguard/files/sshguard.in
> ==============================================================================
> --- head/security/sshguard/files/sshguard.in Thu Jul 20 15:30:52 2017 (r446262)
> +++ head/security/sshguard/files/sshguard.in Thu Jul 20 15:34:08 2017 (r446263)
> @@ -81,7 +81,7 @@ pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
>
> command=/usr/sbin/daemon
> actual_command="%%PREFIX%%/sbin/sshguard"
> -procname="${actual_command}"
> +procname="%%PREFIX%%/libexec/sshg-blocker"
> start_precmd=sshguard_prestart
> command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
>
>
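Review bot: `procname` now points at %%PREFIX%%/libexec/sshg-blocker while `pidfile` and the `-i ${pidfile}` argument in `command_args` are unchanged, so rc.subr will only recognise the daemon if the PID recorded in /var/run/sshguard.pid belongs to sshg-blocker. Please confirm which process writes that file in 2.0.0 and that `service sshguard status` and `stop` work with the shipped sample configuration, where PID_FILE is commented out.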
> Added: head/security/sshguard/pkg-plist
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ head/security/sshguard/pkg-plist Thu Jul 20 15:34:08 2017 (r446263)
> @@ -0,0 +1,15 @@
> + at sample etc/sshguard.conf.sample
> +sbin/sshguard
> +libexec/sshg-blocker
> +libexec/sshg-fw-firewalld
> +libexec/sshg-fw-hosts
> +libexec/sshg-fw-ipfilter
> +libexec/sshg-fw-ipfw
> +libexec/sshg-fw-ipset
> +libexec/sshg-fw-iptables
> +libexec/sshg-fw-null
> +libexec/sshg-fw-pf
> +libexec/sshg-logtail
> +libexec/sshg-parser
> +man/man7/sshguard-setup.7.gz
> +man/man8/sshguard.8.gz
>
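Review bot: The plist installs libexec/sshg-fw-firewalld, libexec/sshg-fw-ipset and libexec/sshg-fw-iptables, which drive Linux firewalls and have nothing to talk to on FreeBSD. Consider removing them in post-install and dropping them from the plist, so the packaged backends match what the sample configuration offers and a mistyped BACKEND cannot select one that silently does nothing.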