From owner-svn-ports-all@FreeBSD.ORG Tue Apr 8 19:03:03 2014 Return-Path: Delivered-To: svn-ports-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8D7C0E6F; Tue, 8 Apr 2014 19:03:03 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 795DB16DA; Tue, 8 Apr 2014 19:03:03 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s38J33gB065576; Tue, 8 Apr 2014 19:03:03 GMT (envelope-from crees@svn.freebsd.org) Received: (from crees@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s38J32hS065572; Tue, 8 Apr 2014 19:03:02 GMT (envelope-from crees@svn.freebsd.org) Message-Id: <201404081903.s38J32hS065572@svn.freebsd.org> 
From: Chris Rees Date: Tue, 8 Apr 2014 19:03:02 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r350643 - in head/security/sshguard: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2014 19:03:03 -0000 Author: crees Date: Tue Apr 8 19:03:02 2014 New Revision: 350643 URL: http://svnweb.freebsd.org/changeset/ports/350643 QAT: https://qat.redports.org/buildarchive/r350643/ Log: Fix old sshguard bug; does not detect ssh invalid users logins PR: ports/174571 Submitted by: Francois Charlier Reset maintainer after 16 month timeout While here, stage, remove some insanity and fixup rc script Added: head/security/sshguard/files/patch-src-parser-attack_scanner.l (contents, props changed) Modified: head/security/sshguard/Makefile head/security/sshguard/files/sshguard.in head/security/sshguard/pkg-install Modified: head/security/sshguard/Makefile ============================================================================== --- head/security/sshguard/Makefile Tue Apr 8 18:54:10 2014 (r350642) +++ head/security/sshguard/Makefile Tue Apr 8 19:03:02 2014 (r350643) 
@@ -3,40 +3,30 @@ PORTNAME= sshguard PORTVERSION= 1.5 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/sshguard-${PORTVERSION} -MAINTAINER= mij@bitchx.it +MAINTAINER= ports@FreeBSD.org COMMENT?= Protect hosts from brute force attacks against ssh and other services CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* -PLIST_FILES= sbin/sshguard +USES= tar:bzip2 + +PLIST_FILES= sbin/sshguard man/man8/sshguard.8.gz -MAN8= sshguard.8 -MANCOMPRESSED= no -USE_BZIP2= yes USE_RC_SUBR= sshguard MAKE_ARGS+= ACLOCAL="${TRUE}" AUTOCONF="${TRUE}" AUTOMAKE="${TRUE}" -HAS_CONFIGURE= yes +GNU_CONFIGURE= yes +CONFIGURE_ARGS+=--with-firewall=${SSHGUARDFW} -# sublist will be set afterward +SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK} SUB_FILES= pkg-message # backend type in { hosts, ipfw, pf } SSHGUARDFW?= hosts -NO_STAGE= yes -.include - -.if defined(PREFIX) -CONFIGURE_ARGS+= --prefix=${PREFIX} -.endif - -# set path for manpages -CONFIGURE_ARGS+= --mandir=${MANPREFIX}/man - .if ${SSHGUARDFW} == pf PKGMSG_FWBLOCK=" To activate or configure PF see http://sshguard.sf.net/doc/setup/blockingpf.html" .elif ${SSHGUARDFW} == ipfw @@ -47,16 +37,4 @@ PKGMSG_FWBLOCK=" Sshguard is going to u PKGMSG_FWBLOCK=" Sshguard will use /etc/ipf.rules as ruleset." .endif -# for substitution in subfiles -SUB_LIST+= PKGMSG_FWBLOCK=${PKGMSG_FWBLOCK} - -CONFIGURE_ARGS+= --with-firewall=${SSHGUARDFW} - -post-install: - @PKG_PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL - @${CAT} ${PKGMESSAGE} - -pre-deinstall: - @PKG_PREFIX=${PREFIX} ${SH} ${PKGDEINSTALL} ${PKGNAME} DEINSTALL - -.include +.include Added: head/security/sshguard/files/patch-src-parser-attack_scanner.l ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sshguard/files/patch-src-parser-attack_scanner.l Tue Apr 8 19:03:02 2014 (r350643) 
@@ -0,0 +1,11 @@ +--- src/parser/attack_scanner.l.orig 2012-12-19 10:58:02.992356246 +0000 ++++ src/parser/attack_scanner.l 2012-12-19 10:58:22.407356894 +0000 +@@ -127,7 +127,7 @@ + + + /* SSH: invalid or rejected user (cross platform [generated by openssh]) */ +-"Invalid user ".+" from " { return SSH_INVALUSERPREF; } ++[Ii]"nvalid user ".+" from " { return SSH_INVALUSERPREF; } + /* match disallowed user (not in AllowUsers/AllowGroups or in DenyUsers/DenyGroups) on Linux Ubuntu/FreeBSD */ + /* "User tinydns from 1.2.3.4 not allowed because not listed in AllowUsers" */ + "User ".+" from " { BEGIN(ssh_notallowed); return SSH_NOTALLOWEDPREF; } Modified: head/security/sshguard/files/sshguard.in ============================================================================== --- head/security/sshguard/files/sshguard.in Tue Apr 8 18:54:10 2014 (r350642) +++ head/security/sshguard/files/sshguard.in Tue Apr 8 19:03:02 2014 (r350643) @@ -31,6 +31,7 @@ # PROVIDE: sshguard # REQUIRE: LOGIN cleanvar +# KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable sshguard: @@ -62,14 +63,10 @@ name="sshguard" rcvar="sshguard_enable" -command="/usr/sbin/daemon" -actual_command="%%PREFIX%%/sbin/${name}" -procname="${actual_command}" load_rc_config $name -: ${sshguard_enable="NO"} -: ${sshguard_pidfile="/var/run/${name}.pid"} +: ${sshguard_enable:="NO"} : ${sshguard_blacklist="40:/var/db/sshguard/blacklist.db"} : ${sshguard_safety_thresh="40"} : ${sshguard_pardon_min_interval="1200"} 
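Review bot: In patch-src-parser-attack_scanner.l the comment above the changed rule gives no sample of the log line the new `[Ii]` alternative is meant to catch, unlike the `User ... from` rule just below it, which quotes one. I would add the real auth.log line with the lowercase `invalid user` text that motivated PR ports/174571, so the pattern can be checked against actual sshd output. A one-line why-comment would also help: the user name matched by `.+` is chosen by the remote client, and the rule relies on flex taking the longest match to end the prefix at the last ` from ` on the line. Whether the address token that follows is validated is outside this hunk.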
@@ -77,8 +74,11 @@ load_rc_config $name : ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"} : ${sshguard_watch_logs="/var/log/auth.log:/var/log/maillog"} -pidfile="${sshguard_pidfile}" -sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ ` +pidfile=${sshguard_pidfile:-"/var/run/${name}.pid"} + +command="/usr/sbin/daemon" +actual_command="%%PREFIX%%/sbin/${name}" +procname="${actual_command}" start_precmd="${name}_prestart" command_args="-cf ${actual_command} -b ${sshguard_blacklist} ${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile} -i ${sshguard_pidfile}" @@ -87,6 +87,7 @@ sshguard_prestart() { mkdir -p `dirname ${sshguard_blacklist##*:}` [ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile} + sshguard_watch_params=`echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ ` } run_rc_command "$1" Modified: head/security/sshguard/pkg-install ============================================================================== --- head/security/sshguard/pkg-install Tue Apr 8 18:54:10 2014 (r350642) +++ head/security/sshguard/pkg-install Tue Apr 8 19:03:02 2014 (r350643) @@ -13,7 +13,7 @@ SSHGUARDCONFLINE="auth.info;authpriv.inf case "$2" in "POST-INSTALL") - if test "x$SSHGUARDFW" = xhosts + if test "$SSHGUARDFW" = hosts then touch /etc/hosts.allow fi @@ -23,7 +23,7 @@ case "$2" in TMPFILE=`mktemp -q /tmp/syslogcXX` # make sure our file has the same permissions as the original, since we mv it back cp -p $SYSLOGCONF ${TMPFILE} - echo > ${TMPFILE} + : > ${TMPFILE} inheader=1 cat "$SYSLOGCONF" | while read cline ; do
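Review bot: In files/sshguard.in (hunk -77,8) the unchanged `command_args` line still ends with `-i ${sshguard_pidfile}`, but this commit removes the `: ${sshguard_pidfile=...}` default in hunk -62,14 and gives only `pidfile` a fallback. When sshguard_pidfile is not set in rc.conf, the daemon is started with a bare `-i` while rc.subr expects /var/run/sshguard.pid. The pid file is then probably never written where the script looks for it, so status, stop and restart can lose track of the process. Pass the resolved value instead: `-w ${sshguard_whitelistfile} -i ${pidfile}"`.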
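Review bot: Moving the `sshguard_watch_params=` assignment into `sshguard_prestart()` (hunk -87,6) leaves `${sshguard_watch_params}` empty when `command_args` is built. That double-quoted string is expanded at assignment time, before the precmd runs. The `-l` options derived from sshguard_watch_logs would then never reach sshguard, so it would not be watching auth.log or maillog: a silent loss of protection rather than a start failure. Keep the assignment above the `command_args=` line, or append to `command_args` inside the precmd after computing it. How rc.subr assembles the final command is outside this diff, so confirm with `service sshguard start` and `ps` that the `-l` flags appear.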