diff options
-rw-r--r-- | network/sshguard/README | 34 | ||||
-rw-r--r-- | network/sshguard/doinst.sh | 1 | ||||
-rw-r--r-- | network/sshguard/rc.sshguard | 116 | ||||
-rw-r--r-- | network/sshguard/slack-desc | 12 | ||||
-rw-r--r-- | network/sshguard/sshguard.SlackBuild | 28 | ||||
-rw-r--r-- | network/sshguard/sshguard.conf | 17 | ||||
-rw-r--r-- | network/sshguard/sshguard.info | 8 |
7 files changed, 149 insertions, 67 deletions
diff --git a/network/sshguard/README b/network/sshguard/README index 9e31763a3282e..fd59f1d8b665e 100644 --- a/network/sshguard/README +++ b/network/sshguard/README @@ -1,17 +1,23 @@ -SSHGuard protects hosts from brute-force attacks against SSH and -other services. It has been written entirely in C and has no external -dependencies and no configuration file. SSHGuard aggregates system -logs and blocks repeat offenders. It can read log messages from -standard input (suitable for piping from syslog) or monitor one or -more log files. Log messages are parsed, line-by-line, for recognized -patterns. If an attack, such as several login failures within a few -seconds, is detected, the offending IP is blocked. Offenders are -unblocked after a set interval, but can be semi-permanently banned -using the blacklist option. +sshguard protects hosts from brute-force attacks against SSH and other +services. It aggregates system logs and blocks repeat offenders using +one of several firewall backends, including iptables, ipfw, and pf. + +sshguard can read log messages from standard input (suitable for piping +from syslog) or monitor one or more log files. Log messages are parsed, +line-by-line, for recognized patterns. If an attack, such as several +login failures within a few seconds, is detected, the offending IP is +blocked. Offenders are unblocked after a set interval, but can be semi- +permanently banned using the blacklist option. IMPORTANT: -You will need to properly set up "sshguard" chain in iptables. For -further information PLEASE CONSULT MAN PAGE, installed together with -this package. The information available on the website tends to be -outdated, (it is well worth reading anyway). +1. You will need to properly set up an "sshguard" chain in your firewall + backend. For further information consult `sshguard-setup(7)`. + +2. Starting with version 2.0.0, SSHGuard **requires** a config file + to start. `sshguard.conf` as shipped with this SlackBuild provides + defaults such that they reassemble the values that were previously + specified on the command line in the `rc.sshguard` script. + + See `examples/sshguard.conf.sample` in the doc directory for + additional config options. diff --git a/network/sshguard/doinst.sh b/network/sshguard/doinst.sh index 8e1f8328313bf..ff3107fbc3eed 100644 --- a/network/sshguard/doinst.sh +++ b/network/sshguard/doinst.sh @@ -19,4 +19,5 @@ preserve_perms() { config $NEW } +config etc/sshguard.conf.new preserve_perms etc/rc.d/rc.sshguard.new diff --git a/network/sshguard/rc.sshguard b/network/sshguard/rc.sshguard index 24c4f29d88a7f..c08033b3c7d0a 100644 --- a/network/sshguard/rc.sshguard +++ b/network/sshguard/rc.sshguard @@ -1,45 +1,105 @@ -#!/bin/sh +#!/bin/bash + +declare -r daemon_name=sshguard +declare -r daemon_prog=/usr/sbin/sshguard + +################################################################################ +the_daemon() +################################################################################ +{ + daemon --name "${daemon_name}" "${@}" +} ################################################################################ -sshguard_start() { +the_damon_start() ################################################################################ - if [ -n "$(pidof sshguard)" ]; then - echo "sshguard seems to be already running." - return - fi +{ + if ! the_daemon --running; then + echo "Starting ${daemon_name}: ${daemon_prog}" - /usr/sbin/sshguard -l /var/log/messages 1>/dev/null & + the_daemon -- ${daemon_prog} + else + echo "${daemon_name} seems to be already running." + fi } ################################################################################ -sshguard_stop() { +the_damon_stop() ################################################################################ - if [ -z "$(pidof sshguard)" ]; then - echo "sshguard does not seem to be running." - return - fi +{ + if the_daemon --running; then + echo "Stopping ${daemon_name}." - kill $(pidof sshguard) + the_daemon --stop + else + echo "${daemon_name} does not seem to be running." + fi } ################################################################################ -sshguard_restart() { +the_damon_restart() ################################################################################ - sshguard_stop - sleep 1 - sshguard_start +{ + if the_daemon --running; then + the_damon_stop + the_daemon_wait_stopped + the_damon_start + else + echo "${daemon_name} does not seem to be running." + fi } -case "$1" in -'start') - sshguard_start - ;; -'stop') - sshguard_stop - ;; -'restart') - sshguard_restart - ;; +################################################################################ +the_daemon_wait_stopped() +################################################################################ +{ + # All time values given in a unit of 0.1 second. + + local -r timeout=50 + local delay=1 + local delay_sum=0 + local -r test_expr=(the_daemon --running) + + # Poll (with timeout) for the daemon to exit. + + while "${test_expr[@]}" && [[ ${delay_sum} -lt ${timeout} ]]; do + sleep $(echo "${delay} / 10.0" | bc -l) + delay_sum=$((delay_sum + delay)) + + # Double the delay in each iteration to lower the CPU use. + + delay=$((delay * 2)) + + # Adjust next's iteration delay prevent waiting longer than _timeout_ + # in case the time already waited and the delay to be waited in + # the next iteration would be greater than the requested _timeout_. + + if [[ $((delay_sum + delay)) -gt ${timeout} ]]; then + delay=$((timeout - delay_sum)) + fi + done + + if "${test_expr[@]}"; then + echo "Timeout waiting for ${daemon_name} to stop." + + exit 1 + fi +} + +case "${1}" in +start) + the_damon_start +;; + +stop) + the_damon_stop +;; + +restart) + the_damon_restart +;; + *) - echo "usage: $0 start|stop|restart" + echo "usage: ${0} start|stop|restart" +;; esac diff --git a/network/sshguard/slack-desc b/network/sshguard/slack-desc index 2747ed724170c..3ff04458b1e0e 100644 --- a/network/sshguard/slack-desc +++ b/network/sshguard/slack-desc @@ -8,12 +8,12 @@ |-----handy-ruler------------------------------------------------------| sshguard: sshguard (SSH brute-force attack protection) sshguard: -sshguard: SSHGuard protects hosts from brute-force attacks against SSH and -sshguard: other services. It aggregates system logs and blocks repeat -sshguard: offenders. SSHGuard can read log messages from standard input -sshguard: (suitable for piping from syslog) or monitor one or more log files. -sshguard: If an attack, such as several login failures within a few seconds, -sshguard: is detected, the offending IP is blocked. +sshguard: sshguard protects hosts from brute-force attacks against SSH and other +sshguard: services. It aggregates system logs and blocks repeat offenders using +sshguard: one of several firewall backends, including iptables, ipfw, and pf. sshguard: sshguard: Homepage: https://www.sshguard.net/ sshguard: +sshguard: +sshguard: +sshguard: diff --git a/network/sshguard/sshguard.SlackBuild b/network/sshguard/sshguard.SlackBuild index 790c51dc1ead3..45b565d94a6d2 100644 --- a/network/sshguard/sshguard.SlackBuild +++ b/network/sshguard/sshguard.SlackBuild @@ -2,7 +2,7 @@ # Slackware build script for sshguard -# Copyright 2016 Andrzej Telszewski, Banie +# Copyright 2022 Andrzej Telszewski, Koszalin # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PRGNAM=sshguard -VERSION=${VERSION:-1.7.0} +VERSION=${VERSION:-2.4.2} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} PKGTYPE=${PKGTYPE:-tgz} @@ -38,9 +38,6 @@ if [ -z "$ARCH" ]; then esac fi -# If the variable PRINT_PACKAGE_NAME is set, then this script will report what -# the name of the created package would be, and then exit. This information -# could be useful to other scripts. if [ ! -z "${PRINT_PACKAGE_NAME}" ]; then echo "$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE" exit 0 @@ -64,27 +61,25 @@ else LIBDIRSUFFIX="" fi -set -e +set -eu rm -rf $PKG mkdir -p $TMP $PKG $OUTPUT cd $TMP + rm -rf $PRGNAM-$VERSION tar xvf $CWD/$PRGNAM-$VERSION.tar.gz cd $PRGNAM-$VERSION + chown -R root:root . -find -L . \ - \( -perm 777 -o -perm 775 -o -perm 750 -o -perm 711 -o -perm 555 \ - -o -perm 511 \) -exec chmod 755 {} \; -o \ - \( -perm 666 -o -perm 664 -o -perm 640 -o -perm 600 -o -perm 444 \ - -o -perm 440 -o -perm 400 \) -exec chmod 644 {} \; +chmod -R a-st,u+rwX,go-w+rX . CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ --prefix=/usr \ + --sysconfdir=/etc \ --mandir=/usr/man \ - --with-firewall=iptables \ --build=$ARCH-slackware-linux make @@ -93,6 +88,9 @@ make install DESTDIR=$PKG find $PKG -print0 | xargs -0 file | grep -e "executable" -e "shared object" | grep ELF \ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null || true +mkdir -p $PKG/etc +cat $CWD/${PRGNAM}.conf > $PKG/etc/${PRGNAM}.conf.new + mkdir -p $PKG/etc/rc.d cat $CWD/rc.$PRGNAM > $PKG/etc/rc.d/rc.$PRGNAM.new @@ -100,13 +98,13 @@ find $PKG/usr/man -type f -exec gzip -9 {} \; for i in $( find $PKG/usr/man -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION -cp -a doc/{developers,setup,sshguard.8}.rst examples CHANGELOG.rst COPYING \ - README.rst $PKG/usr/doc/$PRGNAM-$VERSION +cp -a doc/{sshguard-setup.7,sshguard.8}.rst examples COPYING \ + {CHANGELOG,CONTRIBUTING,README}.rst $PKG/usr/doc/$PRGNAM-$VERSION cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild mkdir -p $PKG/install cat $CWD/slack-desc > $PKG/install/slack-desc -cat $CWD/doinst.sh > $PKG/install/doinst.sh +cat $CWD/doinst.sh > $PKG/install/doinst.sh cd $PKG /sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.$PKGTYPE diff --git a/network/sshguard/sshguard.conf b/network/sshguard/sshguard.conf new file mode 100644 index 0000000000000..07c13b3e45c65 --- /dev/null +++ b/network/sshguard/sshguard.conf @@ -0,0 +1,17 @@ +#!/bin/sh + +# sshguard.conf -- SSHGuard configuration +# Based on /usr/doc/sshguard-2.4.2/examples/sshguard.conf.sample + +# Full path to backend executable. + +BACKEND="/usr/libexec/sshg-fw-iptables" + +# Space-separated list of log files to monitor. + +FILES="/var/log/messages" + +# Do not provide PID file path. +# It is handled by daemon(1). + +PID_FILE= diff --git a/network/sshguard/sshguard.info b/network/sshguard/sshguard.info index 06a268516c15c..efdd417d4ba97 100644 --- a/network/sshguard/sshguard.info +++ b/network/sshguard/sshguard.info @@ -1,10 +1,10 @@ PRGNAM="sshguard" -VERSION="1.7.0" +VERSION="2.4.2" HOMEPAGE="https://www.sshguard.net/" -DOWNLOAD="https://download.sourceforge.net/project/sshguard/sshguard/1.7.0/sshguard-1.7.0.tar.gz" -MD5SUM="db251a2e31cb5af203d10c42be33ea9c" +DOWNLOAD="https://download.sourceforge.net/project/sshguard/sshguard/2.4.2/sshguard-2.4.2.tar.gz" +MD5SUM="0f83f5e7e1b197fb3bd4e9dfe9e601e6" DOWNLOAD_x86_64="" MD5SUM_x86_64="" REQUIRES="" MAINTAINER="Andrzej Telszewski" -EMAIL="atelszewski@gmail.com" +EMAIL="andrzej@telszewski.com" |