UPDATE: security/sshguard 1.5 --> 2.3.0

UPDATE: security/sshguard 1.5 --> 2.3.0

Andreas Kusalananda Kähäri-4

sshguard 1.5 in the ports tree is very old (2011), and release 2.3.0 is
from 2018-12-16.

The attached diff brings sshguard up to version 2.3.0.  I've also added
myself as maintainer.

The changes are too numerous to list (see [1]), but one highlight includes

* OpenSMTPD monitoring support (in 2.2.0)

The previous issues with starting/stopping the sshguard service have been
resolved (see [2]) and it seems to run just fine on my system (only
using it for SSH blocking).

[1]
https://bitbucket.org/sshguard/sshguard/src/c4a90842e7d3c2c25d5417f96d49acc50f740f9c/CHANGELOG.rst?at=v2.3.0&fileviewer=file-view-default

[2] https://marc.info/?l=openbsd-ports&m=154410607613935&w=2

Regards,

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

sshguard.diff (11K) Download Attachment

Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Andreas Kusalananda Kähäri-4
Just resending this.

I got some comments from Stuart Henderson on a previous iteration of
this, and the issues that he mentioned (unorthodox HUP for terminating
the service, and various other fixes to the Makefile) have all been
resolved.  The weird does-not-start-on-boot issue that the 1.5 release
apparently also has (according to some that followed up earlier, and
that I spent some time debugging when I packaged 2.2.0) has been
resolved by ignoring HUP in a couple of places.

Regards,
Andreas

On Wed, Dec 19, 2018 at 06:34:25PM +0100, Andreas Kusalananda Kähäri wrote:

>
> sshguard 1.5 in the ports tree is very old (2011), and release 2.3.0 is
> from 2018-12-16.
>
> The attached diff brings sshguard up to version 2.3.0.  I've also added
> myself as maintainer.
>
> The changes are too numerous to list (see [1]), but one highlight includes
>
> * OpenSMTPD monitoring support (in 2.2.0)
>
> The previous issues with starting/stopping the sshguard service have been
> resolved (see [2]) and it seems to run just fine on my system (only
> using it for SSH blocking).
>
> [1]
> https://bitbucket.org/sshguard/sshguard/src/c4a90842e7d3c2c25d5417f96d49acc50f740f9c/CHANGELOG.rst?at=v2.3.0&fileviewer=file-view-default
>
> [2] https://marc.info/?l=openbsd-ports&m=154410607613935&w=2
>
> Regards,
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.

> Index: Makefile
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/Makefile,v
> retrieving revision 1.13
> diff -u -p -r1.13 Makefile
> --- Makefile 4 Sep 2018 12:46:21 -0000 1.13
> +++ Makefile 18 Dec 2018 16:30:17 -0000
> @@ -2,22 +2,31 @@
>  
>  COMMENT= protect against brute force attacks on sshd and others
>  
> -DISTNAME= sshguard-1.5
> -REVISION= 6
> +DISTNAME= sshguard-2.3.0
>  CATEGORIES= security
>  
> +HOMEPAGE= https://www.sshguard.net/
> +
> +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
> +
> +MAINTAINER= Andreas Kusalananda Kahari <[hidden email]>
> +
>  # BSD
>  PERMIT_PACKAGE_CDROM= Yes
>  
>  WANTLIB+= c pthread
>  
> -HOMEPAGE= https://www.sshguard.net/
> -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
> -EXTRACT_SUFX= .tar.bz2
> -
>  CONFIGURE_STYLE=gnu
> -CONFIGURE_ARGS= --with-firewall=pf
>  
>  NO_TEST= Yes
> +
> +post-patch:
> + ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
> + ${WRKSRC}/examples/sshguard.conf.sample
> +
> +post-install:
> + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
> + ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
> + ${PREFIX}/share/examples/sshguard
>  
>  .include <bsd.port.mk>
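
Review bot: in post-install, the source argument ${WRKSRC}/examples/*.{example,sample} relies on brace expansion, which is a ksh/bash extension rather than POSIX sh, and the glob hides which files end up in the package. Naming the two files that pkg/PLIST lists (sshguard.conf.sample and whitelistfile.example) would make the install step explicit and independent of the shell that make runs.
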
> Index: distinfo
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/distinfo,v
> retrieving revision 1.3
> diff -u -p -r1.3 distinfo
> --- distinfo 27 Jan 2014 15:49:15 -0000 1.3
> +++ distinfo 18 Dec 2018 16:31:02 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
> -SIZE (sshguard-1.5.tar.bz2) = 303767
> +SHA256 (sshguard-2.3.0.tar.gz) = 1LU/h6PCZlLloombFlBrgV+lajaq9b3pwnBL+xoMoGg=
> +SIZE (sshguard-2.3.0.tar.gz) = 755702
> Index: patches/patch-configure
> ===================================================================
> RCS file: patches/patch-configure
> diff -N patches/patch-configure
> --- patches/patch-configure 24 Jun 2018 10:54:19 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,13 +0,0 @@
> -$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
> -
> -Index: configure
> ---- configure.orig
> -+++ configure
> -@@ -5949,7 +5949,6 @@ then
> -     STD99_CFLAGS="-xc99"
> - else
> -     # other compiler (assume gcc-compatibile :( )
> --    OPTIMIZER_CFLAGS="-O2"
> -     WARNING_CFLAGS="-Wall"
> -     STD99_CFLAGS="-std=c99"
> - fi
> Index: patches/patch-doc_sshguard_8
> ===================================================================
> RCS file: patches/patch-doc_sshguard_8
> diff -N patches/patch-doc_sshguard_8
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-doc_sshguard_8 4 Dec 2018 21:52:04 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +
> +Index: doc/sshguard.8
> +--- doc/sshguard.8.orig
> ++++ doc/sshguard.8
> +@@ -119,8 +119,8 @@ Set to enable verbose output from sshg\-blocker.
> + .SH FILES
> + .INDENT 0.0
> + .TP
> +-.B %PREFIX%/etc/sshguard.conf
> +-See sample configuration file.
> ++.B ${SYSCONFDIR}/sshguard.conf
> ++See sample configuration file in ${PREFIX}/share/examples/sshguard/sshguard.conf.sample
> + .UNINDENT
> + .SH WHITELISTING
> + .sp
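
Review bot: the added man page line uses ${PREFIX}, while the sample configuration and the rc script in this same diff use ${TRUEPREFIX} for installed paths; use one of them consistently so the substituted documentation cannot drift from the real location. The new patch file also has no description under $OpenBSD$, unlike the "Allow building with gcc3." patches being removed; one line saying these are placeholders for SUBST_CMD in post-patch would help the next maintainer.
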
> Index: patches/patch-examples_sshguard_conf_sample
> ===================================================================
> RCS file: patches/patch-examples_sshguard_conf_sample
> diff -N patches/patch-examples_sshguard_conf_sample
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-examples_sshguard_conf_sample 4 Dec 2018 16:14:34 -0000
> @@ -0,0 +1,17 @@
> +$OpenBSD$
> +
> +Index: examples/sshguard.conf.sample
> +--- examples/sshguard.conf.sample.orig
> ++++ examples/sshguard.conf.sample
> +@@ -7,9 +7,11 @@
> + #### REQUIRED CONFIGURATION ####
> + # Full path to backend executable (required, no default)
> + #BACKEND="/usr/local/libexec/sshg-fw-iptables"
> ++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"
> +
> + # Space-separated list of log files to monitor. (optional, no default)
> + #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
> ++FILES=/var/log/authlog
> +
> + # Shell command that provides logs on standard output. (optional, no default)
> + # Example 1: ssh and sendmail from systemd journal:
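
Review bot: FILES=/var/log/authlog is left unquoted while BACKEND just above it is quoted, and the upstream comment describes FILES as a space-separated list. Writing FILES="/var/log/authlog" keeps the sample valid when an administrator appends a second log such as the /var/log/maillog shown in the commented line; if the wrapper reads this file as shell, an unquoted value containing a space would be parsed as an assignment followed by a command.
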
> Index: patches/patch-src_blocker_blocker_c
> ===================================================================
> RCS file: patches/patch-src_blocker_blocker_c
> diff -N patches/patch-src_blocker_blocker_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_blocker_blocker_c 6 Dec 2018 10:37:47 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: src/blocker/blocker.c
> +--- src/blocker/blocker.c.orig
> ++++ src/blocker/blocker.c
> +@@ -139,7 +139,8 @@ int main(int argc, char *argv[]) {
> +
> +     /* termination signals */
> +     signal(SIGTERM, sigfin_handler);
> +-    signal(SIGHUP, sigfin_handler);
> ++    /* Don't install handler for HUP */
> ++    /* signal(SIGHUP, sigfin_handler); */
> +     signal(SIGINT, sigfin_handler);
> +     atexit(finishup);
> +
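
Review bot: commenting out signal(SIGHUP, sigfin_handler) does not make sshg-blocker ignore HUP; it leaves the disposition at whatever the process inherits. Under the patched wrapper (trap "" HUP in src/sshguard.in) that is "ignored", but a blocker started any other way gets the default action and is killed by HUP without sigfin_handler or the atexit(finishup) cleanup running. If ignoring is the intent, state it with signal(SIGHUP, SIG_IGN) and delete the old call instead of leaving it commented out.
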
> Index: patches/patch-src_fwalls_command_c
> ===================================================================
> RCS file: patches/patch-src_fwalls_command_c
> diff -N patches/patch-src_fwalls_command_c
> --- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
> -
> -Allow building with gcc3.
> -
> ---- src/fwalls/command.c.orig Fri Sep  9 22:07:56 2011
> -+++ src/fwalls/command.c Fri Sep  9 22:08:12 2011
> -@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind,
> -     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? FWALL_OK : FWALL_ERR);
> - }
> -
> --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]) {
> -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
> -     /* block each address individually */
> -     int i;
> -
> Index: patches/patch-src_sshguard_fw_h
> ===================================================================
> RCS file: patches/patch-src_sshguard_fw_h
> diff -N patches/patch-src_sshguard_fw_h
> --- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
> -
> -Allow building with gcc3.
> -
> ---- src/sshguard_fw.h.orig Fri Sep  9 22:07:03 2011
> -+++ src/sshguard_fw.h Fri Sep  9 22:07:20 2011
> -@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind,
> -  *
> -  * @return FWALL_OK or FWALL_ERR
> -  */
> --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]);
> -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]);
> -
> -
> - /**
> Index: patches/patch-src_sshguard_in
> ===================================================================
> RCS file: patches/patch-src_sshguard_in
> diff -N patches/patch-src_sshguard_in
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_sshguard_in 6 Dec 2018 10:35:54 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: src/sshguard.in
> +--- src/sshguard.in.orig
> ++++ src/sshguard.in
> +@@ -5,6 +5,9 @@
> + # entire process group (subshell) on exit/interrupts.
> + trap "trap - TERM && kill 0" INT TERM EXIT
> +
> ++# Ignore HUP
> ++trap "" HUP
> ++
> + libexec="@libexecdir@"
> + version="@sshguardversion@"
> +
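
Review bot: the comment "# Ignore HUP" restates the trap line without giving the reason. An ignored signal is inherited by every process the wrapper starts, so this one line also changes HUP handling for the log reader, the parser and the firewall backend. Record why it is needed (the does-not-start-on-boot problem) in the comment or in a description under $OpenBSD$, so the trap is not dropped at the next update.
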
> Index: patches/patch-src_sshguard_logsuck_c
> ===================================================================
> RCS file: patches/patch-src_sshguard_logsuck_c
> diff -N patches/patch-src_sshguard_logsuck_c
> --- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> -$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
> ---- src/sshguard_logsuck.c.orig Wed Feb  9 13:01:47 2011
> -+++ src/sshguard_logsuck.c Sat Mar  5 19:27:53 2011
> -@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
> -         if (ret > 0) {
> -             if (kevs[0].filter == EVFILT_READ) {
> -                 /* got data on this one. Read from it */
> --                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", kevs[0].ident);
> -+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", kevs[0].ident);
> -                 readentry = list_seek(& sources_list, & kevs[0].ident);
> -                 assert(readentry != NULL);
> -                 assert(readentry->active);
> Index: patches/patch-src_sshguard_procauth_c
> ===================================================================
> RCS file: patches/patch-src_sshguard_procauth_c
> diff -N patches/patch-src_sshguard_procauth_c
> --- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000 1.1.1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> -$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert Exp $
> ---- src/sshguard_procauth.c.orig Mon Aug  9 02:44:15 2010
> -+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010
> -@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
> -         dup2(ps2me[1], 1);
> -
> -         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
> --        execlp("ps", "ps", "axo", "pid,ppid", NULL);
> -+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
> -
> -         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", strerror(errno));
> -         exit(-1);
> Index: pkg/PLIST
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v
> retrieving revision 1.5
> diff -u -p -r1.5 PLIST
> --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.5
> +++ pkg/PLIST 5 Dec 2018 08:15:56 -0000
> @@ -1,6 +1,23 @@
>  @comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $
>  @pkgpath security/sshguard,tcpd
> +@rcscript ${RCDIR}/sshguard
> +@bin libexec/sshg-blocker
> +libexec/sshg-fw-firewalld
> +@bin libexec/sshg-fw-hosts
> +libexec/sshg-fw-ipfilter
> +libexec/sshg-fw-ipfw
> +libexec/sshg-fw-ipset
> +libexec/sshg-fw-iptables
> +libexec/sshg-fw-nft-sets
> +libexec/sshg-fw-null
> +libexec/sshg-fw-pf
> +libexec/sshg-logtail
> +@bin libexec/sshg-parser
> +@man man/man7/sshguard-setup.7
>  @man man/man8/sshguard.8
> -@bin sbin/sshguard
> +sbin/sshguard
>  share/doc/pkg-readmes/${PKGSTEM}
> -@rcscript ${RCDIR}/sshguard
> +share/examples/sshguard/
> +share/examples/sshguard/sshguard.conf.sample
> +@sample ${SYSCONFDIR}/sshguard.conf
> +share/examples/sshguard/whitelistfile.example
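
Review bot: the packing list now ships sshg-fw-firewalld, sshg-fw-ipfilter, sshg-fw-ipfw, sshg-fw-ipset, sshg-fw-iptables and sshg-fw-nft-sets, while the sample configuration in this diff selects sshg-fw-pf. If those backends cannot work on OpenBSD, consider not installing them, or state in pkg/README that pf is the supported backend, so that a mis-set BACKEND fails at start instead of silently running a script for a firewall that is not there.
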
> Index: pkg/README
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
> retrieving revision 1.3
> diff -u -p -r1.3 README
> --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3
> +++ pkg/README 5 Dec 2018 08:16:29 -0000
> @@ -4,7 +4,8 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
>  | Running ${PKGSTEM} on OpenBSD
>  +-----------------------------------------------------------------------
>  
> -To use sshguard with pf(4), add the following to /etc/pf.conf:
> +To use ${PKGSTEM} with pf(4), add something similar to the following to
> +${SYSCONFDIR}/pf.conf:
>  
>  table <sshguard> persist
>  
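
Review bot: pf.conf belongs to the base system and lives in /etc regardless of how the ports tree sets SYSCONFDIR, so ${SYSCONFDIR}/pf.conf can point readers at the wrong file on a non-default setup. Keep the literal /etc/pf.conf from the removed line; the ${PKGSTEM} substitution is fine.
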
> Index: pkg/sshguard.rc
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v
> retrieving revision 1.4
> diff -u -p -r1.4 sshguard.rc
> --- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4
> +++ pkg/sshguard.rc 6 Dec 2018 11:44:46 -0000
> @@ -3,9 +3,10 @@
>  # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
>  
>  daemon="${TRUEPREFIX}/sbin/sshguard"
> -daemon_flags="-l /var/log/authlog"
>  
>  . /etc/rc.d/rc.subr
> +
> +pexp="${TRUEPREFIX}/libexec/sshg-blocker .*"
>  
>  rc_bg=YES
>  rc_reload=NO
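
Review bot: pexp now matches only "${TRUEPREFIX}/libexec/sshg-blocker .*", so the rc.d stop and check actions operate on the blocker alone and the /bin/sh wrapper named in daemon is left to exit by itself. Add a comment above pexp saying this is deliberate. Since daemon_flags="-l /var/log/authlog" is dropped, it is also worth stating in pkg/README that the log source now comes from FILES in sshguard.conf, so that locally set flags get reviewed on upgrade.
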


--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Remi Pointel
On 12/24/18 8:24 PM, Andreas Kusalananda Kähäri wrote:

> Just resending this.
>
> I got some comments from Stuart Henderson on a previous iteration of
> this, and the issues that he mentioned (unorthodox HUP for terminating
> the service, and various other fixes to the Makefile) have all been
> resolved.  The weird does-not-start-on-boot issue that the 1.5 release
> apparently also has (according to some that followed up earlier, and
> that I spent some time debugging when I packaged 2.2.0) has been
> resolved by ignoring HUP in a couple of places.
>
> Regards

Hi,

sounds good to me, just remove the "NO_TEST = Yes" because there are
regression tests.

Cheers,

Remi.

Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Andreas Kusalananda Kähäri-4
On Tue, Jan 01, 2019 at 07:03:36PM +0100, Remi Pointel wrote:

> On 12/24/18 8:24 PM, Andreas Kusalananda Kähäri wrote:
> > Just resending this.
> >
> > I got some comments from Stuart Henderson on a previous iteration of
> > this, and the issues that he mentioned (unorthodox HUP for terminating
> > the service, and various other fixes to the Makefile) have all been
> > resolved.  The weird does-not-start-on-boot issue that the 1.5 release
> > apparently also has (according to some that followed up earlier, and
> > that I spent some time debugging when I packaged 2.2.0) has been
> > resolved by ignoring HUP in a couple of places.
> >
> > Regards
>
> Hi,
>
> sounds good to me, just remove the "NO_TEST = Yes" because there are
> regression tests.
>
> Cheers,
>
> Remi.
I enabled the tests.  The 147 supplied tests run and pass (no fails).
The tests do not require any additional dependencies.

New diff attached.  Thanks!


--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

sshguard.diff (11K) Download Attachment

Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Gonzalo L. Rodriguez-2
On Wed, 02 Jan 2019 at 10:56:39 +0100, Andreas Kusalananda Kähäri wrote:

> On Tue, Jan 01, 2019 at 07:03:36PM +0100, Remi Pointel wrote:
> > On 12/24/18 8:24 PM, Andreas Kusalananda Kähäri wrote:
> > > Just resending this.
> > >
> > > I got some comments from Stuart Henderson on a previous iteration of
> > > this, and the issues that he mentioned (unorthodox HUP for terminating
> > > the service, and various other fixes to the Makefile) have all been
> > > resolved.  The weird does-not-start-on-boot issue that the 1.5 release
> > > apparently also has (according to some that followed up earlier, and
> > > that I spent some time debugging when I packaged 2.2.0) has been
> > > resolved by ignoring HUP in a couple of places.
> > >
> > > Regards
> >
> > Hi,
> >
> > sounds good to me, just remove the "NO_TEST = Yes" because there are
> > regression tests.
> >
> > Cheers,
> >
> > Remi.
>
> I enabled the tests.  The 147 supplied tests run and pass (no fails).
> The tests do not require any additional dependencies.
>
> New diff attached.  Thanks!
>
>
> --
> Andreas Kusalananda Kähäri,
> National Bioinformatics Infrastructure Sweden (NBIS),
> Uppsala University, Sweden.

> Index: Makefile
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/Makefile,v
> retrieving revision 1.13
> diff -u -p -r1.13 Makefile
> --- Makefile 4 Sep 2018 12:46:21 -0000 1.13
> +++ Makefile 2 Jan 2019 09:37:46 -0000
> @@ -2,22 +2,29 @@
>  
>  COMMENT= protect against brute force attacks on sshd and others
>  
> -DISTNAME= sshguard-1.5
> -REVISION= 6
> +DISTNAME= sshguard-2.3.0
>  CATEGORIES= security
>  
> +HOMEPAGE= https://www.sshguard.net/
> +
> +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
> +
> +MAINTAINER= Andreas Kusalananda Kahari <[hidden email]>
> +
>  # BSD
>  PERMIT_PACKAGE_CDROM= Yes
>  
>  WANTLIB+= c pthread
>  
> -HOMEPAGE= https://www.sshguard.net/
> -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
> -EXTRACT_SUFX= .tar.bz2
> -
>  CONFIGURE_STYLE=gnu
> -CONFIGURE_ARGS= --with-firewall=pf
>  
> -NO_TEST= Yes
> +post-patch:
> + ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
> + ${WRKSRC}/examples/sshguard.conf.sample
> +
> +post-install:
> + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
> + ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
> + ${PREFIX}/share/examples/sshguard
>  
>  .include <bsd.port.mk>
> Index: distinfo
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/distinfo,v
> retrieving revision 1.3
> diff -u -p -r1.3 distinfo
> --- distinfo 27 Jan 2014 15:49:15 -0000 1.3
> +++ distinfo 18 Dec 2018 16:31:02 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
> -SIZE (sshguard-1.5.tar.bz2) = 303767
> +SHA256 (sshguard-2.3.0.tar.gz) = 1LU/h6PCZlLloombFlBrgV+lajaq9b3pwnBL+xoMoGg=
> +SIZE (sshguard-2.3.0.tar.gz) = 755702
> Index: patches/patch-configure
> ===================================================================
> RCS file: patches/patch-configure
> diff -N patches/patch-configure
> --- patches/patch-configure 24 Jun 2018 10:54:19 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,13 +0,0 @@
> -$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
> -
> -Index: configure
> ---- configure.orig
> -+++ configure
> -@@ -5949,7 +5949,6 @@ then
> -     STD99_CFLAGS="-xc99"
> - else
> -     # other compiler (assume gcc-compatibile :( )
> --    OPTIMIZER_CFLAGS="-O2"
> -     WARNING_CFLAGS="-Wall"
> -     STD99_CFLAGS="-std=c99"
> - fi
> Index: patches/patch-doc_sshguard_8
> ===================================================================
> RCS file: patches/patch-doc_sshguard_8
> diff -N patches/patch-doc_sshguard_8
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-doc_sshguard_8 4 Dec 2018 21:52:04 -0000
> @@ -0,0 +1,16 @@
> +$OpenBSD$
> +
> +Index: doc/sshguard.8
> +--- doc/sshguard.8.orig
> ++++ doc/sshguard.8
> +@@ -119,8 +119,8 @@ Set to enable verbose output from sshg\-blocker.
> + .SH FILES
> + .INDENT 0.0
> + .TP
> +-.B %PREFIX%/etc/sshguard.conf
> +-See sample configuration file.
> ++.B ${SYSCONFDIR}/sshguard.conf
> ++See sample configuration file in ${PREFIX}/share/examples/sshguard/sshguard.conf.sample
> + .UNINDENT
> + .SH WHITELISTING
> + .sp
> Index: patches/patch-examples_sshguard_conf_sample
> ===================================================================
> RCS file: patches/patch-examples_sshguard_conf_sample
> diff -N patches/patch-examples_sshguard_conf_sample
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-examples_sshguard_conf_sample 4 Dec 2018 16:14:34 -0000
> @@ -0,0 +1,17 @@
> +$OpenBSD$
> +
> +Index: examples/sshguard.conf.sample
> +--- examples/sshguard.conf.sample.orig
> ++++ examples/sshguard.conf.sample
> +@@ -7,9 +7,11 @@
> + #### REQUIRED CONFIGURATION ####
> + # Full path to backend executable (required, no default)
> + #BACKEND="/usr/local/libexec/sshg-fw-iptables"
> ++BACKEND="${TRUEPREFIX}/libexec/sshg-fw-pf"
> +
> + # Space-separated list of log files to monitor. (optional, no default)
> + #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
> ++FILES=/var/log/authlog
> +
> + # Shell command that provides logs on standard output. (optional, no default)
> + # Example 1: ssh and sendmail from systemd journal:
> Index: patches/patch-src_blocker_blocker_c
> ===================================================================
> RCS file: patches/patch-src_blocker_blocker_c
> diff -N patches/patch-src_blocker_blocker_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_blocker_blocker_c 6 Dec 2018 10:37:47 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: src/blocker/blocker.c
> +--- src/blocker/blocker.c.orig
> ++++ src/blocker/blocker.c
> +@@ -139,7 +139,8 @@ int main(int argc, char *argv[]) {
> +
> +     /* termination signals */
> +     signal(SIGTERM, sigfin_handler);
> +-    signal(SIGHUP, sigfin_handler);
> ++    /* Don't install handler for HUP */
> ++    /* signal(SIGHUP, sigfin_handler); */
> +     signal(SIGINT, sigfin_handler);
> +     atexit(finishup);
> +
> Index: patches/patch-src_fwalls_command_c
> ===================================================================
> RCS file: patches/patch-src_fwalls_command_c
> diff -N patches/patch-src_fwalls_command_c
> --- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
> -
> -Allow building with gcc3.
> -
> ---- src/fwalls/command.c.orig Fri Sep  9 22:07:56 2011
> -+++ src/fwalls/command.c Fri Sep  9 22:08:12 2011
> -@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind,
> -     return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? FWALL_OK : FWALL_ERR);
> - }
> -
> --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]) {
> -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
> -     /* block each address individually */
> -     int i;
> -
> Index: patches/patch-src_sshguard_fw_h
> ===================================================================
> RCS file: patches/patch-src_sshguard_fw_h
> diff -N patches/patch-src_sshguard_fw_h
> --- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
> -
> -Allow building with gcc3.
> -
> ---- src/sshguard_fw.h.orig Fri Sep  9 22:07:03 2011
> -+++ src/sshguard_fw.h Fri Sep  9 22:07:20 2011
> -@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind,
> -  *
> -  * @return FWALL_OK or FWALL_ERR
> -  */
> --int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]);
> -+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]);
> -
> -
> - /**
> Index: patches/patch-src_sshguard_in
> ===================================================================
> RCS file: patches/patch-src_sshguard_in
> diff -N patches/patch-src_sshguard_in
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_sshguard_in 6 Dec 2018 10:35:54 -0000
> @@ -0,0 +1,15 @@
> +$OpenBSD$
> +
> +Index: src/sshguard.in
> +--- src/sshguard.in.orig
> ++++ src/sshguard.in
> +@@ -5,6 +5,9 @@
> + # entire process group (subshell) on exit/interrupts.
> + trap "trap - TERM && kill 0" INT TERM EXIT
> +
> ++# Ignore HUP
> ++trap "" HUP
> ++
> + libexec="@libexecdir@"
> + version="@sshguardversion@"
> +
> Index: patches/patch-src_sshguard_logsuck_c
> ===================================================================
> RCS file: patches/patch-src_sshguard_logsuck_c
> diff -N patches/patch-src_sshguard_logsuck_c
> --- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000 1.2
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> -$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
> ---- src/sshguard_logsuck.c.orig Wed Feb  9 13:01:47 2011
> -+++ src/sshguard_logsuck.c Sat Mar  5 19:27:53 2011
> -@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
> -         if (ret > 0) {
> -             if (kevs[0].filter == EVFILT_READ) {
> -                 /* got data on this one. Read from it */
> --                sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", kevs[0].ident);
> -+                sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", kevs[0].ident);
> -                 readentry = list_seek(& sources_list, & kevs[0].ident);
> -                 assert(readentry != NULL);
> -                 assert(readentry->active);
> Index: patches/patch-src_sshguard_procauth_c
> ===================================================================
> RCS file: patches/patch-src_sshguard_procauth_c
> diff -N patches/patch-src_sshguard_procauth_c
> --- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000 1.1.1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,12 +0,0 @@
> -$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert Exp $
> ---- src/sshguard_procauth.c.orig Mon Aug  9 02:44:15 2010
> -+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010
> -@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
> -         dup2(ps2me[1], 1);
> -
> -         sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
> --        execlp("ps", "ps", "axo", "pid,ppid", NULL);
> -+        execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
> -
> -         sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", strerror(errno));
> -         exit(-1);
> Index: pkg/PLIST
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v
> retrieving revision 1.5
> diff -u -p -r1.5 PLIST
> --- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.5
> +++ pkg/PLIST 5 Dec 2018 08:15:56 -0000
> @@ -1,6 +1,23 @@
>  @comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $
>  @pkgpath security/sshguard,tcpd
> +@rcscript ${RCDIR}/sshguard
> +@bin libexec/sshg-blocker
> +libexec/sshg-fw-firewalld
> +@bin libexec/sshg-fw-hosts
> +libexec/sshg-fw-ipfilter
> +libexec/sshg-fw-ipfw
> +libexec/sshg-fw-ipset
> +libexec/sshg-fw-iptables
> +libexec/sshg-fw-nft-sets
> +libexec/sshg-fw-null
> +libexec/sshg-fw-pf
> +libexec/sshg-logtail
> +@bin libexec/sshg-parser
> +@man man/man7/sshguard-setup.7
>  @man man/man8/sshguard.8
> -@bin sbin/sshguard
> +sbin/sshguard
>  share/doc/pkg-readmes/${PKGSTEM}
> -@rcscript ${RCDIR}/sshguard
> +share/examples/sshguard/
> +share/examples/sshguard/sshguard.conf.sample
> +@sample ${SYSCONFDIR}/sshguard.conf
> +share/examples/sshguard/whitelistfile.example
> Index: pkg/README
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
> retrieving revision 1.3
> diff -u -p -r1.3 README
> --- pkg/README 4 Sep 2018 12:46:21 -0000 1.3
> +++ pkg/README 5 Dec 2018 08:16:29 -0000
> @@ -4,7 +4,8 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
>  | Running ${PKGSTEM} on OpenBSD
>  +-----------------------------------------------------------------------
>  
> -To use sshguard with pf(4), add the following to /etc/pf.conf:
> +To use ${PKGSTEM} with pf(4), add something similar to the following to
> +${SYSCONFDIR}/pf.conf:
>  
>  table <sshguard> persist
>  
> Index: pkg/sshguard.rc
> ===================================================================
> RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v
> retrieving revision 1.4
> diff -u -p -r1.4 sshguard.rc
> --- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4
> +++ pkg/sshguard.rc 6 Dec 2018 11:44:46 -0000
> @@ -3,9 +3,10 @@
>  # $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $
>  
>  daemon="${TRUEPREFIX}/sbin/sshguard"
> -daemon_flags="-l /var/log/authlog"
>  
>  . /etc/rc.d/rc.subr
> +
> +pexp="${TRUEPREFIX}/libexec/sshg-blocker .*"
>  
>  rc_bg=YES
>  rc_reload=NO

I am kinda OK with this, after the:

/etc/rc.d/sshguard -fd stop

$ ps auwx | grep sshguard
root     37238  0.0  0.1   840   664 p1  Ip    12:19PM    0:00.01 /bin/sh /usr/local/sbin/sshguard

Not quite dead, you have the same on your setup?



--
Sending from my toaster.

Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Andreas Kusalananda Kähäri-3
On Thu, Jan 03, 2019 at 12:24:04PM +0100, Gonzalo L. Rodriguez wrote:

> On Wed, 02 Jan 2019 at 10:56:39 +0100, Andreas Kusalananda Kähäri wrote:
> > On Tue, Jan 01, 2019 at 07:03:36PM +0100, Remi Pointel wrote:
> > > On 12/24/18 8:24 PM, Andreas Kusalananda Kähäri wrote:
> > > > Just resending this.
> > > >
> > > > I got some comments from Stuart Henderson on a previous iteration of
> > > > this, and the issues that he mentioned (unorthodox HUP for terminating
> > > > the service, and various other fixes to the Makefile) have all been
> > > > resolved.  The weird does-not-start-on-boot issue that the 1.5 release
> > > > apparently also has (according to some that followed up earlier, and
> > > > that I spent some time debugging when I packaged 2.2.0) has been
> > > > resolved by ignoring HUP in a couple of places.
> > > >
> > > > Regards
> > >
> > > Hi,
> > >
> > > sounds good to me, just remove the "NO_TEST = Yes" because there are
> > > regression tests.
> > >
> > > Cheers,
> > >
> > > Remi.
> >
> > I enabled the tests.  The 147 supplied tests run and pass (no fails).
> > The tests do not require any additional dependencies.
> >
> > New diff attached.  Thanks!
> >
> >
> > --
> > Andreas Kusalananda Kähäri,
> > National Bioinformatics Infrastructure Sweden (NBIS),
> > Uppsala University, Sweden.
>
> > Index: Makefile
[cut]

>  rc_reload=NO
>
> I am kinda OK with this, after the:
>
> /etc/rc.d/sshguard -fd stop
>
> $ ps auwx | grep sshguard
> root     37238  0.0  0.1   840   664 p1  Ip    12:19PM    0:00.01 /bin/sh /usr/local/sbin/sshguard
>
> Not quite dead, you have the same on your setup?
>
>
>
> --
> Sending from my toaster.


This is expected.  All parts of the daemon have died at that stage, and
the only thing left running is the log reader (tail).  It too will stop
as soon as it notices that nothing is reading from the other end of the
pipe that it's writing to.  It will typically terminate as soon as the
next log message is written to /var/log/authlog.

Andreas

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.


Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Corsaire01
Hello everyone.

I found out that /etc/sshguard.conf is completely ignored, is it just on my
system?
I got triggered when the machines in my own network got banned although I
did enable the WHITELIST_FILE option.

Furthermore, default options in the file and default options after starting
the daemon are different.

/etc/sshguard.conf
#### OPTIONS ####
# Block attackers when their cumulative attack score exceeds THRESHOLD.
# Most attacks have a score of 10. (optional, default 30)
THRESHOLD=30

# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
BLOCK_TIME=120

# IP addresses listed in the WHITELIST_FILE are considered to be
# friendlies and will never be blocked.
WHITELIST_FILE=/etc/friends


# /etc/rc.d/sshguard start
# ps auwxx | grep sshguard
root     40901  0.0  0.2   844   836 C0  Ip     6:01PM    0:00.00 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
root     83350  0.0  0.1   844   652 C0  Ip     6:01PM    0:00.00 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
root     68041  0.0  0.3  1144  1580 C0  Ip     6:01PM    0:00.02 /usr/local/libexec/sshg-blocker -a 10 -p 14400 -s 1800 -N 128 -n 32 -w /var/db/sshguard/whitelist.db
root     65827  0.0  0.1   844   584 C0  Ip     6:01PM    0:00.01 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db


At this point I would see to add options in /etc/rc.d/sshguard in the line
daemon="/usr/local/sbin/sshguard"
but is this recommendable... config files are supposed to be in /etc for a
reason.

btw, you can put your whitelist in /var/db/sshguard/whitelist.db as
advertised by the ps

OpenBSD 6.5 with 'pkg_add sshguard' here



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-ports-f108501.html


Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Andreas Kusalananda Kähäri-4
On Sun, May 05, 2019 at 02:25:37AM -0700, Corsaire01 wrote:

> Hello everyone.
>
> I found out that /etc/sshguard.conf is completely ignored, is it just on my
> system?
> I got triggered when the machines in my own network got banned although I
> did enable the WHITELIST_FILE option.
>
> Furthermore, default options in the file and default options after starting
> the daemon are different.
>
> /etc/sshguard.conf
> #### OPTIONS ####
> # Block attackers when their cumulative attack score exceeds THRESHOLD.
> # Most attacks have a score of 10. (optional, default 30)
> THRESHOLD=30
>
> # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
> # Subsequent blocks increase by a factor of 1.5. (optional, default 120)
> BLOCK_TIME=120
>
> # IP addresses listed in the WHITELIST_FILE are considered to be
> # friendlies and will never be blocked.
> WHITELIST_FILE=/etc/friends
>
>
> # /etc/rc.d/sshguard start
> # ps auwxx | grep sshguard
> root     40901  0.0  0.2   844   836 C0  Ip     6:01PM    0:00.00 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
> root     83350  0.0  0.1   844   652 C0  Ip     6:01PM    0:00.00 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
> root     68041  0.0  0.3  1144  1580 C0  Ip     6:01PM    0:00.02 /usr/local/libexec/sshg-blocker -a 10 -p 14400 -s 1800 -N 128 -n 32 -w /var/db/sshguard/whitelist.db
> root     65827  0.0  0.1   844   584 C0  Ip     6:01PM    0:00.01 /bin/sh /usr/local/sbin/sshguard -a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db
>
>
> At this point I would see to add options in /etc/rc.d/sshguard in the line
> daemon="/usr/local/sbin/sshguard"

Is that what you have done now (above) because I can't really see a
default installation of sshguard pass _any_ command line options to the
/usr/local/sbin/sshguard script.

It could be that you had an old "sshguard_flags" setting in
/etc/rc.conf.local maybe?  This should no longer be needed and all
configuration can be done in /etc/sshguard.conf.

> but is this recommendable... config files are supposed to be in /etc for a
> reason.
>
> btw, you can put your whitelist in /var/db/sshguard/whitelist.db as
> advertised by the ps

I've just tested installing sshguard freshly, and it _definitely_ picks
up the WHITELIST_FILE from /etc/sshguard.conf


>
> OpenBSD 6.5 with 'pkg_add sshguard' here
>
>
>
> --
> Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-ports-f108501.html

Regards,

--
Kusalananda
Sweden


Re: UPDATE: security/sshguard 1.5 --> 2.3.0

Corsaire01
> It could be that you had an old "sshguard_flags" setting in
> /etc/rc.conf.local maybe?  This should no longer be needed and all
> configuration can be done in /etc/sshguard.conf.

You're right, there were settings in /etc/rc.conf.local inherited from
previous versions.

This is a nasty trap...



--
Sent from: http://openbsd-archive.7691.n7.nabble.com/openbsd-user-ports-f108501.html
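
The trap this thread ends on, a leftover sshguard_flags line in /etc/rc.conf.local making the daemon run with values that differ from /etc/sshguard.conf, can be checked for after an upgrade. The script below is an added example, not part of any post or of the port; the function names and the sample files are constructed for illustration, and the -a/-p/-w to THRESHOLD/BLOCK_TIME/WHITELIST_FILE mapping follows sshguard(8).

```shell
#!/bin/sh
# Added example: report legacy sshguard_flags that disagree with sshguard.conf.

# Last KEY=value assignment in a file, with surrounding double quotes removed.
conf_value() {
    sed -n "s/^$1=//p" "$2" 2>/dev/null | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Prints one line per disagreement; exit status 1 if any was found.
# Runs in a subshell so "set -f" and the variables stay local.
sshguard_flag_conflicts() (
    set -f                                   # no globbing when splitting flags
    rc=${1:-/etc/rc.conf.local}
    conf=${2:-/etc/sshguard.conf}
    flags=$(conf_value sshguard_flags "$rc")
    [ -n "$flags" ] || exit 0                # no legacy flags set
    status=0
    set -- $flags                            # split the flag string into words
    while [ $# -gt 0 ]; do
        case $1 in                           # flag -> config key, per sshguard(8)
            -a) key=THRESHOLD ;;
            -p) key=BLOCK_TIME ;;
            -w) key=WHITELIST_FILE ;;
            *)  key= ;;
        esac
        if [ -n "$key" ] && [ $# -ge 2 ]; then
            want=$(conf_value "$key" "$conf")
            if [ "$2" != "$want" ]; then
                echo "$key: sshguard_flags passes $1 $2, sshguard.conf has ${want:-nothing}"
                status=1
            fi
            shift                            # consume the flag's argument
        fi
        shift
    done
    exit $status
)

# Constructed sample: flags as seen in the ps output, values as in the posted conf.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'sshguard_flags="-a 10 -l /var/log/authlog -p 14400 -w /var/db/sshguard/whitelist.db"' >"$d/rc.conf.local"
    printf '%s\n' THRESHOLD=30 BLOCK_TIME=120 WHITELIST_FILE=/etc/friends >"$d/sshguard.conf"
    sshguard_flag_conflicts "$d/rc.conf.local" "$d/sshguard.conf" || :
    rm -rf "$d"
}
demo
```

Called with no arguments, sshguard_flag_conflicts reads /etc/rc.conf.local and /etc/sshguard.conf; a non-zero exit status means the rc flags and the config file disagree on at least one of the three settings.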