-rw-r--r--network/sshguard/README34
-rw-r--r--network/sshguard/doinst.sh1
-rw-r--r--network/sshguard/rc.sshguard116
-rw-r--r--network/sshguard/slack-desc12
-rw-r--r--network/sshguard/sshguard.SlackBuild28
-rw-r--r--network/sshguard/sshguard.conf17
-rw-r--r--network/sshguard/sshguard.info8
7 files changed, 149 insertions, 67 deletions
diff --git a/network/sshguard/README b/network/sshguard/README
index 9e31763a3282e..fd59f1d8b665e 100644
--- a/network/sshguard/README
+++ b/network/sshguard/README
@@ -1,17 +1,23 @@
-SSHGuard protects hosts from brute-force attacks against SSH and
-other services. It has been written entirely in C and has no external
-dependencies and no configuration file. SSHGuard aggregates system
-logs and blocks repeat offenders. It can read log messages from
-standard input (suitable for piping from syslog) or monitor one or
-more log files. Log messages are parsed, line-by-line, for recognized
-patterns. If an attack, such as several login failures within a few
-seconds, is detected, the offending IP is blocked. Offenders are
-unblocked after a set interval, but can be semi-permanently banned
-using the blacklist option.
+sshguard protects hosts from brute-force attacks against SSH and other
+services. It aggregates system logs and blocks repeat offenders using
+one of several firewall backends, including iptables, ipfw, and pf.
+
+sshguard can read log messages from standard input (suitable for piping
+from syslog) or monitor one or more log files. Log messages are parsed,
+line-by-line, for recognized patterns. If an attack, such as several
+login failures within a few seconds, is detected, the offending IP is
+blocked. Offenders are unblocked after a set interval, but can be semi-
+permanently banned using the blacklist option.
IMPORTANT:
-You will need to properly set up "sshguard" chain in iptables. For
-further information PLEASE CONSULT MAN PAGE, installed together with
-this package. The information available on the website tends to be
-outdated, (it is well worth reading anyway).
+1. You will need to properly set up an "sshguard" chain in your firewall
+ backend. For further information consult `sshguard-setup(7)`.
+
+2. Starting with version 2.0.0, SSHGuard **requires** a config file
+ to start. `sshguard.conf` as shipped with this SlackBuild provides
+ defaults such that they reassemble the values that were previously
+ specified on the command line in the `rc.sshguard` script.
+
+ See `examples/sshguard.conf.sample` in the doc directory for
+ additional config options.
diff --git a/network/sshguard/doinst.sh b/network/sshguard/doinst.sh
index 8e1f8328313bf..ff3107fbc3eed 100644
--- a/network/sshguard/doinst.sh
+++ b/network/sshguard/doinst.sh
@@ -19,4 +19,5 @@ preserve_perms() {
config $NEW
}
+config etc/sshguard.conf.new
preserve_perms etc/rc.d/rc.sshguard.new
diff --git a/network/sshguard/rc.sshguard b/network/sshguard/rc.sshguard
index 24c4f29d88a7f..c08033b3c7d0a 100644
--- a/network/sshguard/rc.sshguard
+++ b/network/sshguard/rc.sshguard
@@ -1,45 +1,105 @@
-#!/bin/sh
+#!/bin/bash
+
+declare -r daemon_name=sshguard
+declare -r daemon_prog=/usr/sbin/sshguard
+
+################################################################################
+the_daemon()
+################################################################################
+{
+ daemon --name "${daemon_name}" "${@}"
+}
################################################################################
-sshguard_start() {
+the_damon_start()
################################################################################
- if [ -n "$(pidof sshguard)" ]; then
- echo "sshguard seems to be already running."
- return
- fi
+{
+ if ! the_daemon --running; then
+ echo "Starting ${daemon_name}: ${daemon_prog}"
- /usr/sbin/sshguard -l /var/log/messages 1>/dev/null &
+ the_daemon -- ${daemon_prog}
+ else
+ echo "${daemon_name} seems to be already running."
+ fi
}
################################################################################
-sshguard_stop() {
+the_damon_stop()
################################################################################
- if [ -z "$(pidof sshguard)" ]; then
- echo "sshguard does not seem to be running."
- return
- fi
+{
+ if the_daemon --running; then
+ echo "Stopping ${daemon_name}."
- kill $(pidof sshguard)
+ the_daemon --stop
+ else
+ echo "${daemon_name} does not seem to be running."
+ fi
}
################################################################################
-sshguard_restart() {
+the_damon_restart()
################################################################################
- sshguard_stop
- sleep 1
- sshguard_start
+{
+ if the_daemon --running; then
+ the_damon_stop
+ the_daemon_wait_stopped
+ the_damon_start
+ else
+ echo "${daemon_name} does not seem to be running."
+ fi
}
-case "$1" in
-'start')
- sshguard_start
- ;;
-'stop')
- sshguard_stop
- ;;
-'restart')
- sshguard_restart
- ;;
+################################################################################
+the_daemon_wait_stopped()
+################################################################################
+{
+ # All time values given in a unit of 0.1 second.
+
+ local -r timeout=50
+ local delay=1
+ local delay_sum=0
+ local -r test_expr=(the_daemon --running)
+
+ # Poll (with timeout) for the daemon to exit.
+
+ while "${test_expr[@]}" && [[ ${delay_sum} -lt ${timeout} ]]; do
+ sleep $(echo "${delay} / 10.0" | bc -l)
+ delay_sum=$((delay_sum + delay))
+
+ # Double the delay in each iteration to lower the CPU use.
+
+ delay=$((delay * 2))
+
+ # Adjust next's iteration delay prevent waiting longer than _timeout_
+ # in case the time already waited and the delay to be waited in
+ # the next iteration would be greater than the requested _timeout_.
+
+ if [[ $((delay_sum + delay)) -gt ${timeout} ]]; then
+ delay=$((timeout - delay_sum))
+ fi
+ done
+
+ if "${test_expr[@]}"; then
+ echo "Timeout waiting for ${daemon_name} to stop."
+
+ exit 1
+ fi
+}
+
+case "${1}" in
+start)
+ the_damon_start
+;;
+
+stop)
+ the_damon_stop
+;;
+
+restart)
+ the_damon_restart
+;;
+
*)
- echo "usage: $0 start|stop|restart"
+ echo "usage: ${0} start|stop|restart"
+;;
esac
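Review bot: `sleep $(echo "${delay} / 10.0" | bc -l)` in the_daemon_wait_stopped pulls bc(1) into a boot-time rc script and leaves the command substitution unquoted; the same tenths-of-a-second value comes from bash arithmetic alone, `sleep "$((delay / 10)).$((delay % 10))"`. At `the_daemon -- ${daemon_prog}` the program path is the one expansion in the script left unquoted, unlike `"${daemon_name}"` on the line above, so quote it for consistency. The names `the_damon_start`, `the_damon_stop` and `the_damon_restart` are spelled differently from `the_daemon` and `the_daemon_wait_stopped`, which reads as a typo rather than intent; renaming them `the_daemon_*` keeps the case arms self-explanatory. Also note that `the_damon_restart` only prints "does not seem to be running" when the daemon is stopped, whereas the removed `sshguard_restart` always ended in a start — worth confirming that change is deliberate, since `restart` is commonly used to bring up a stopped service.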
diff --git a/network/sshguard/slack-desc b/network/sshguard/slack-desc
index 2747ed724170c..3ff04458b1e0e 100644
--- a/network/sshguard/slack-desc
+++ b/network/sshguard/slack-desc
@@ -8,12 +8,12 @@
|-----handy-ruler------------------------------------------------------|
sshguard: sshguard (SSH brute-force attack protection)
sshguard:
-sshguard: SSHGuard protects hosts from brute-force attacks against SSH and
-sshguard: other services. It aggregates system logs and blocks repeat
-sshguard: offenders. SSHGuard can read log messages from standard input
-sshguard: (suitable for piping from syslog) or monitor one or more log files.
-sshguard: If an attack, such as several login failures within a few seconds,
-sshguard: is detected, the offending IP is blocked.
+sshguard: sshguard protects hosts from brute-force attacks against SSH and other
+sshguard: services. It aggregates system logs and blocks repeat offenders using
+sshguard: one of several firewall backends, including iptables, ipfw, and pf.
sshguard:
sshguard: Homepage: https://www.sshguard.net/
sshguard:
+sshguard:
+sshguard:
+sshguard:
diff --git a/network/sshguard/sshguard.SlackBuild b/network/sshguard/sshguard.SlackBuild
index 790c51dc1ead3..45b565d94a6d2 100644
--- a/network/sshguard/sshguard.SlackBuild
+++ b/network/sshguard/sshguard.SlackBuild
@@ -2,7 +2,7 @@
# Slackware build script for sshguard
-# Copyright 2016 Andrzej Telszewski, Banie
+# Copyright 2022 Andrzej Telszewski, Koszalin
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -25,7 +25,7 @@
cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=sshguard
-VERSION=${VERSION:-1.7.0}
+VERSION=${VERSION:-2.4.2}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
@@ -38,9 +38,6 @@ if [ -z "$ARCH" ]; then
esac
fi
-# If the variable PRINT_PACKAGE_NAME is set, then this script will report what
-# the name of the created package would be, and then exit. This information
-# could be useful to other scripts.
if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then
echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE"
exit 0
@@ -64,27 +61,25 @@ else
LIBDIRSUFFIX=""
fi
-set -e
+set -eu
rm -rf $PKG
mkdir -p $TMP $PKG $OUTPUT
cd $TMP
+
rm -rf $PRGNAM-$VERSION
tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
cd $PRGNAM-$VERSION
+
chown -R root:root .
-find -L . \
- \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \
- -o -perm 511 \) -exec chmod 755 {} \; -o \
- \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \
- -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \;
+chmod -R a-st,u+rwX,go-w+rX .
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
--prefix=/usr \
+ --sysconfdir=/etc \
--mandir=/usr/man \
- --with-firewall=iptables \
--build=$ARCH-slackware-linux
make
@@ -93,6 +88,9 @@ make install DESTDIR=$PKG
find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \
| cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true
+mkdir -p $PKG/etc
+cat $CWD/${PRGNAM}.conf > $PKG/etc/${PRGNAM}.conf.new
+
mkdir -p $PKG/etc/rc.d
cat $CWD/rc.$PRGNAM > $PKG/etc/rc.d/rc.$PRGNAM.new
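Review bot: `cat $CWD/${PRGNAM}.conf > $PKG/etc/${PRGNAM}.conf.new` leaves the installed file's mode to the build umask; as the shipped sshguard.conf is shell syntax that the daemon presumably sources at startup as root, pin it explicitly with `chmod 0644 $PKG/etc/${PRGNAM}.conf.new` after the cat so a permissive umask on the build host cannot produce a group- or world-writable config. The rc.sshguard.new line below has the same reliance, though doinst.sh's preserve_perms covers that file on upgrade while `config` does not touch the conf's mode.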
@@ -100,13 +98,13 @@ find $PKG/usr/man -type f -exec gzip -9 {} \;
for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done
mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
-cp -a doc/{developers,setup,sshguard.8}.rst examples CHANGELOG.rst COPYING \
- README.rst $PKG/usr/doc/$PRGNAM-$VERSION
+cp -a doc/{sshguard-setup.7,sshguard.8}.rst examples COPYING \
+ {CHANGELOG,CONTRIBUTING,README}.rst $PKG/usr/doc/$PRGNAM-$VERSION
cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
mkdir -p $PKG/install
cat $CWD/slack-desc > $PKG/install/slack-desc
-cat $CWD/doinst.sh > $PKG/install/doinst.sh
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
cd $PKG
/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE
diff --git a/network/sshguard/sshguard.conf b/network/sshguard/sshguard.conf
new file mode 100644
index 0000000000000..07c13b3e45c65
--- /dev/null
+++ b/network/sshguard/sshguard.conf
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# sshguard.conf -- SSHGuard configuration
+# Based on /usr/doc/sshguard-2.4.2/examples/sshguard.conf.sample
+
+# Full path to backend executable.
+
+BACKEND="/usr/libexec/sshg-fw-iptables"
+
+# Space-separated list of log files to monitor.
+
+FILES="/var/log/messages"
+
+# Do not provide PID file path.
+# It is handled by daemon(1).
+
+PID_FILE=
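Review bot: The file carries a `#!/bin/sh` line and is assigned like a shell snippet, so its values are evaluated rather than merely parsed; a header comment stating that, e.g. `# Sourced by sshguard as a shell script: keep values quoted, keep the file root-owned and not writable by others.`, tells the administrator why stray characters or lax permissions matter here. Also, `BACKEND` hard-codes the iptables helper while the README in this commit advertises ipfw and pf as alternatives; a comment pointing at the other `sshg-fw-*` helpers installed next to `/usr/libexec/sshg-fw-iptables` (or at the shipped `examples/sshguard.conf.sample`) would save a trip to the docs.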
diff --git a/network/sshguard/sshguard.info b/network/sshguard/sshguard.info
index 06a268516c15c..efdd417d4ba97 100644
--- a/network/sshguard/sshguard.info
+++ b/network/sshguard/sshguard.info
@@ -1,10 +1,10 @@
PRGNAM="sshguard"
-VERSION="1.7.0"
+VERSION="2.4.2"
HOMEPAGE="https://www.sshguard.net/"
-DOWNLOAD="https://download.sourceforge.net/project/sshguard/sshguard/1.7.0/sshguard-1.7.0.tar.gz"
-MD5SUM="db251a2e31cb5af203d10c42be33ea9c"
+DOWNLOAD="https://download.sourceforge.net/project/sshguard/sshguard/2.4.2/sshguard-2.4.2.tar.gz"
+MD5SUM="0f83f5e7e1b197fb3bd4e9dfe9e601e6"
DOWNLOAD_x86_64=""
MD5SUM_x86_64=""
REQUIRES=""
MAINTAINER="Andrzej Telszewski"
-EMAIL="atelszewski@gmail.com"
+EMAIL="andrzej@telszewski.com"