svn commit: r350643 - in head/security/sshguard: . files
Chris Rees
crees at FreeBSD.org
Tue Apr 8 19:03:03 UTC 2014
Author: crees
Date: Tue Apr 8 19:03:02 2014
New Revision: 350643
URL: http://svnweb.freebsd.org/changeset/ports/350643
QAT: https://qat.redports.org/buildarchive/r350643/
Log:
Fix old sshguard bug; does not detect ssh invalid users logins
PR: ports/174571
Submitted by: Francois Charlier <fcharlier at ploup.net>
Reset maintainer after 16 month timeout
While here, stage, remove some insanity and fixup rc script
Added:
head/security/sshguard/files/patch-src-parser-attack_scanner.l (contents, props changed)
Modified:
head/security/sshguard/Makefile
head/security/sshguard/files/sshguard.in
head/security/sshguard/pkg-install
Modified: head/security/sshguard/Makefile
==============================================================================
--- head/security/sshguard/Makefile Tue Apr 8 18:54:10 2014 (r350642)
+++ head/security/sshguard/Makefile Tue Apr 8 19:03:02 2014 (r350643)
@@ -3,40 +3,30 @@
PORTNAME= sshguard
PORTVERSION= 1.5
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= security
MASTER_SITES= SF/sshguard/sshguard/sshguard-${PORTVERSION}
-MAINTAINER= mij at bitchx.it
+MAINTAINER= ports at FreeBSD.org
COMMENT?= Protect hosts from brute force attacks against ssh and other services
CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.*
-PLIST_FILES= sbin/sshguard
+USES= tar:bzip2
+
+PLIST_FILES= sbin/sshguard man/man8/sshguard.8.gz
-MAN8= sshguard.8
-MANCOMPRESSED= no
-USE_BZIP2= yes
USE_RC_SUBR= sshguard
MAKE_ARGS+= ACLOCAL="${TRUE}" AUTOCONF="${TRUE}" AUTOMAKE="${TRUE}"
-HAS_CONFIGURE= yes
+GNU_CONFIGURE= yes
+CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW}
-# sublist will be set afterward
+SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}
SUB_FILES= pkg-message
# backend type in { hosts, ipfw, pf }
SSHGUARDFW?= hosts
-NO_STAGE= yes
-.include <bsd.port.pre.mk>
-
-.if defined(PREFIX)
-CONFIGURE_ARGS+= --prefix=${PREFIX}
-.endif
-
-# set path for manpages
-CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man
-
.if ${SSHGUARDFW} == pf
PKGMSG_FWBLOCK=" To activate or configure PF see http://sshguard.sf.net/doc/setup/blockingpf.html"
.elif ${SSHGUARDFW} == ipfw
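Review bot: The `SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}` and `CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW}` lines now sit above the assignments they reference, and the comment that hinted at this ordering was dropped. This works because make defers expansion of `+=` values until they are used, but that is not obvious to the next editor. I would add `# SSHGUARDFW and PKGMSG_FWBLOCK are assigned below; expansion is deferred until use` above the two lines. The `.if` chain that sets PKGMSG_FWBLOCK continues outside this hunk.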
@@ -47,16 +37,4 @@ PKGMSG_FWBLOCK=" Sshguard is going to u
PKGMSG_FWBLOCK=" Sshguard will use /etc/ipf.rules as ruleset."
.endif
-# for substitution in subfiles
-SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK}
-
-CONFIGURE_ARGS+= --with-firewall=${SSHGUARDFW}
-
-post-install:
- @PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
- @${CAT} ${PKGMESSAGE}
-
-pre-deinstall:
- @PKG_PREFIX=${PREFIX} ${SH} ${PKGDEINSTALL} ${PKGNAME} DEINSTALL
-
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
Added: head/security/sshguard/files/patch-src-parser-attack_scanner.l
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/sshguard/files/patch-src-parser-attack_scanner.l Tue Apr 8 19:03:02 2014 (r350643)
@@ -0,0 +1,11 @@
+--- src/parser/attack_scanner.l.orig 2012-12-19 10:58:02.992356246 +0000
++++ src/parser/attack_scanner.l 2012-12-19 10:58:22.407356894 +0000
+@@ -127,7 +127,7 @@
+
+
+ /* SSH: invalid or rejected user (cross platform [generated by openssh]) */
+-"Invalid user ".+" from " { return SSH_INVALUSERPREF; }
++[Ii]"nvalid user ".+" from " { return SSH_INVALUSERPREF; }
+ /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */
+ /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */
+ "User ".+" from " { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; }
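Review bot: The `.+` in `[Ii]"nvalid user ".+" from "` covers the user name, which is text chosen by the remote client, so where this rule stops depends on attacker-supplied content. The patch widens only the first letter, so it would help to say in the comment which message forms are meant to match, e.g. `/* also matches lower-case "invalid user" as logged by some sshd versions */`. It is also worth confirming that the blocked address is taken from the last ` from ` on the line rather than from one embedded in the user name. How the address token is scanned is outside this hunk, so that is a question for the surrounding rules. The unchanged `"User ".+" from "` rule below uses the same form.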
Modified: head/security/sshguard/files/sshguard.in
==============================================================================
--- head/security/sshguard/files/sshguard.in Tue Apr 8 18:54:10 2014 (r350642)
+++ head/security/sshguard/files/sshguard.in Tue Apr 8 19:03:02 2014 (r350643)
@@ -31,6 +31,7 @@
# PROVIDE: sshguard
# REQUIRE: LOGIN cleanvar
+# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable sshguard:
@@ -62,14 +63,10 @@
name="sshguard"
rcvar="sshguard_enable"
-command="/usr/sbin/daemon"
-actual_command="%%PREFIX%%/sbin/${name}"
-procname="${actual_command}"
load_rc_config $name
-: ${sshguard_enable="NO"}
-: ${sshguard_pidfile="/var/run/${name}.pid"}
+: ${sshguard_enable:="NO"}
: ${sshguard_blacklist="40:/var/db/sshguard/blacklist.db"}
: ${sshguard_safety_thresh="40"}
: ${sshguard_pardon_min_interval="1200"}
@@ -77,8 +74,11 @@ load_rc_config $name
: ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
: ${sshguard_watch_logs="/var/log/auth.log:/var/log/maillog"}
-pidfile="${sshguard_pidfile}"
-sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ `
+pidfile=${sshguard_pidfile:-"/var/run/${name}.pid"}
+
+command="/usr/sbin/daemon"
+actual_command="%%PREFIX%%/sbin/${name}"
+procname="${actual_command}"
start_precmd="${name}_prestart"
command_args="-cf ${actual_command} -b ${sshguard_blacklist} ${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile} -i ${sshguard_pidfile}"
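Review bot: `command_args` on the last line of this hunk is expanded when the script is read, and after this change two of the variables it interpolates are empty at that point. `sshguard_pidfile` no longer receives a default (the `: ${sshguard_pidfile=...}` line is removed in the previous hunk), so `-i ${sshguard_pidfile}` passes `-i` without a value unless rc.conf sets it; use `-i ${pidfile}` instead. `sshguard_watch_params` is now assigned inside `sshguard_prestart` (next hunk), which runs after `command_args` has been built. As far as these hunks show, no `-l` options reach the daemon, so it would start with no log file to watch. Keeping the `sshguard_watch_params=` assignment above `command_args=` avoids that.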
@@ -87,6 +87,7 @@ sshguard_prestart()
{
mkdir -p `dirname ${sshguard_blacklist##*:}`
[ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
+ sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ `
}
run_rc_command "$1"
Modified: head/security/sshguard/pkg-install
==============================================================================
--- head/security/sshguard/pkg-install Tue Apr 8 18:54:10 2014 (r350642)
+++ head/security/sshguard/pkg-install Tue Apr 8 19:03:02 2014 (r350643)
@@ -13,7 +13,7 @@ SSHGUARDCONFLINE="auth.info;authpriv.inf
case "$2" in
"POST-INSTALL")
- if test "x$SSHGUARDFW" = xhosts
+ if test "$SSHGUARDFW" = hosts
then
touch /etc/hosts.allow
fi
@@ -23,7 +23,7 @@ case "$2" in
TMPFILE=`mktemp -q /tmp/syslogcXX`
# make sure our file has the same permissions as the original, since we mv it back
cp -p $SYSLOGCONF ${TMPFILE}
- echo > ${TMPFILE}
+ : > ${TMPFILE}
inheader=1
cat "$SYSLOGCONF" | while read cline ;
do
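Review bot: The truncation `: > ${TMPFILE}` runs on whatever `mktemp -q /tmp/syslogcXX` returned, and that result is never checked; with `-q` a failure is silent and TMPFILE is empty. The template has only two X characters, so the set of candidate names in /tmp is small and another local user can occupy them in advance, which makes that failure reachable. I would use a longer template and stop on failure, `TMPFILE=$(mktemp -q /tmp/syslogc.XXXXXX) || exit 1`, and quote the expansion, `: > "${TMPFILE}"`. The loop that rewrites syslog.conf continues outside this hunk.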