author | feld <feld@FreeBSD.org> | 2014-05-22 21:17:34 +0800 |
---|---|---|
committer | feld <feld@FreeBSD.org> | 2014-05-22 21:17:34 +0800 |
commit | 8c93c2f63fe40b88d4f20f8ff05ef90295811d9b (patch) | |
tree | 96b3fb74bc260c74a9a12bf7ee15e8e649e5016a /security | |
parent | 899cace715fe512bcce0e92897c3a3672c1fb568 (diff) | |
Adopting security/sshguard
rc script passes rclint
Removed clever built-in sysadmin countermeasure:
Previously sshguard would automatically add a line to your
/etc/syslog.conf file. You could activate sshguard by uncommenting this
line. However, every time you reinstall/update sshguard this line will
also be automatically removed rendering the program inactive and your
system unprotected.
Sponsored by: SupraNet Communications, Inc
Diffstat (limited to 'security')
-rw-r--r-- | security/sshguard/Makefile | 6 | ||||
-rw-r--r-- | security/sshguard/files/pkg-message.in | 9 | ||||
-rw-r--r-- | security/sshguard/files/sshguard.in | 22 | ||||
-rw-r--r-- | security/sshguard/pkg-deinstall | 39 | ||||
-rw-r--r-- | security/sshguard/pkg-install | 41 |
5 files changed, 21 insertions, 96 deletions
diff --git a/security/sshguard/Makefile b/security/sshguard/Makefile index 831c8aa59487..c0a594c04ea1 100644 --- a/security/sshguard/Makefile +++ b/security/sshguard/Makefile @@ -3,11 +3,11 @@ PORTNAME= sshguard PORTVERSION= 1.5 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/sshguard-${PORTVERSION} -MAINTAINER= ports@FreeBSD.org +MAINTAINER= feld@FreeBSD.org COMMENT?= Protect hosts from brute force attacks against ssh and other services CONFLICTS?= sshguard-ipfilter-1.* sshguard-ipfw-1.* sshguard-pf-1.* @@ -32,7 +32,7 @@ PKGMSG_FWBLOCK=" To activate or configure PF see http://sshguard.sf.net/doc/set .elif ${SSHGUARDFW} == ipfw PKGMSG_FWBLOCK=" Verify that IPFW is active with \"ipfw show\"." .elif ${SSHGUARDFW} == hosts -PKGMSG_FWBLOCK=" Sshguard is going to use /etc/hosts.allow, I have touched it for you." +PKGMSG_FWBLOCK=" Sshguard is going to use /etc/hosts.allow. Please remember to touch /etc/hosts.allow\!" .elif ${SSHGUARDFW} == ipfilter PKGMSG_FWBLOCK=" Sshguard will use /etc/ipf.rules as ruleset." .endif diff --git a/security/sshguard/files/pkg-message.in b/security/sshguard/files/pkg-message.in index 98c1093c2232..1410db47fdde 100644 --- a/security/sshguard/files/pkg-message.in +++ b/security/sshguard/files/pkg-message.in @@ -3,8 +3,13 @@ %%PKGMSG_FWBLOCK%% - Your /etc/syslog.conf has been added a line for sshguard; uncomment it - and use "/etc/rc.d/syslogd reload" for activating it. + If you would like to use sshguard via syslogd, add an entry to your + /etc/syslog.conf like the following: + + auth.info;authpriv.info |exec %%PREFIX%%/sbin/sshguard + + and use "/etc/rc.d/syslogd reload" to activate it. Note, you can add + additional arguments to the sshguard command if you so desire. Alternatively, you can also start sshguard as a daemon by using the rc.d script installed at %%PREFIX%%/etc/rc.d/sshguard . 
diff --git a/security/sshguard/files/sshguard.in b/security/sshguard/files/sshguard.in index 334fcd6e4592..3ba64337f71e 100644 --- a/security/sshguard/files/sshguard.in +++ b/security/sshguard/files/sshguard.in @@ -61,25 +61,25 @@ . /etc/rc.subr -name="sshguard" -rcvar="sshguard_enable" +name=sshguard +rcvar=sshguard_enable load_rc_config sshguard -: ${sshguard_enable:="NO"} -: ${sshguard_blacklist="40:/var/db/sshguard/blacklist.db"} -: ${sshguard_safety_thresh="40"} -: ${sshguard_pardon_min_interval="1200"} -: ${sshguard_prescribe_interval="420"} +: ${sshguard_enable:=NO} +: ${sshguard_blacklist=40:/var/db/sshguard/blacklist.db} +: ${sshguard_safety_thresh=40} +: ${sshguard_pardon_min_interval=1200} +: ${sshguard_prescribe_interval=420} : ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"} -: ${sshguard_watch_logs="/var/log/auth.log:/var/log/maillog"} +: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog} -pidfile=${sshguard_pidfile:-"/var/run/sshguard.pid"} +pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"} -command="/usr/sbin/daemon" +command=/usr/sbin/daemon actual_command="%%PREFIX%%/sbin/sshguard" procname="${actual_command}" -start_precmd="sshguard_prestart" +start_precmd=sshguard_prestart command_args="-cf ${actual_command} -b ${sshguard_blacklist} \${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile} -i ${pidfile}" sshguard_prestart() diff --git a/security/sshguard/pkg-deinstall b/security/sshguard/pkg-deinstall deleted file mode 100644 index ff6aa3c6f36a..000000000000 --- a/security/sshguard/pkg-deinstall +++ /dev/null 
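Review bot: The new default lines for `sshguard_blacklist`, `sshguard_safety_thresh`, `sshguard_pardon_min_interval` and `sshguard_prescribe_interval` keep the `=` form, which applies the default only when the variable is unset, while `sshguard_enable` and the new `pidfile` line use `:=`. A value that is set but empty in rc.conf would therefore reach `command_args` as a bare `-b`, `-a`, `-p` or `-s` with nothing after it, so the following option would likely be consumed as its argument and the daemon would start with shifted settings or fail to start. Unless an empty value is meant to be meaningful (not visible from this hunk), use the same form throughout, e.g. `: ${sshguard_safety_thresh:=40}`. `command_args` is an unchanged context line and the body of `sshguard_prestart` lies outside the hunk.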
@@ -1,39 +0,0 @@
-#!/bin/sh
-
-# If:
-# 1) syslog.conf exists
-# 2) it does contain some directive for sshguard
-# then do the following:
-# @ if the directive was the default directive (as installed by pkg-install)
-# then remove it
-# @ if the directive is some custom (uncommented) directive, comment it
-# and reload syslogd eventually.
-
-# real syslog.conf configuration file path
-SYSLOGCONF=/etc/syslog.conf
-# configuration line to add
-SSHGUARDCONFLINE="auth.info;authpriv.info |exec $PKG_PREFIX/sbin/sshguard"
-
-case "$2" in
- "DEINSTALL")
- if test -f "$SYSLOGCONF" && grep -q '^[^#].*sshguard' "$SYSLOGCONF"
- then
- if ! TMPFILE=`mktemp -q /tmp/syslogcXX`; then
- echo "Couldn't create temporary file"
- exit 1
- fi
- if grep -qx "$SSHGUARDCONFLINE" "$SYSLOGCONF"
- then
- # remove default sshguard entry from syslog.conf
- echo "I'm removing the default sshguard syslog entry for you..."
- grep -vx "$SSHGUARDCONFLINE" "$SYSLOGCONF" > $TMPFILE
- else
- # comment customized sshguard configuration line
- echo "I'm commenting your custom sshguard syslog entry for you..."
- sed "s/^[^#].*sshguard.*/#&/" < "$SYSLOGCONF" > $TMPFILE
- fi
- mv $TMPFILE "$SYSLOGCONF"
- /etc/rc.d/syslogd reload
- fi
- ;;
-esac
diff --git a/security/sshguard/pkg-install b/security/sshguard/pkg-install
deleted file mode 100644
index ee494443d191..000000000000
--- a/security/sshguard/pkg-install
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-
-# If:
-# 1) syslog.conf exists
-# 2) it doesn't already contain some (uncommented) sshguard directive
-# then add $SSHGUARDCONFLINE (commented) right at the end of the header
-# comments section in syslog.conf
-
-# real syslog.conf configuration file path
-SYSLOGCONF=/etc/syslog.conf
-# configuration line to add
-SSHGUARDCONFLINE="auth.info;authpriv.info |exec $PKG_PREFIX/sbin/sshguard"
-
-case "$2" in
- "POST-INSTALL")
- if test "$SSHGUARDFW" = hosts
- then
- touch /etc/hosts.allow
- fi
- if (test -f "$SYSLOGCONF" && ! grep -q sshguard "$SYSLOGCONF")
- then
- # append default sshguard entry in syslog.conf (first line after comments header)
- TMPFILE=`mktemp -q /tmp/syslogcXX`
- # make sure our file has the same permissions as the original, since we mv it back
- cp -p $SYSLOGCONF ${TMPFILE}
- : > ${TMPFILE}
- inheader=1
- cat "$SYSLOGCONF" | while read cline ;
- do
- if (test $inheader -eq 1 && !(echo "$cline" | grep -q "^[[:space:]]*#"))
- then
- # got off of header comments
- inheader=0
- echo "#$SSHGUARDCONFLINE" >> $TMPFILE
- fi
- echo "$cline" >> $TMPFILE
- done
- mv $TMPFILE "$SYSLOGCONF"
- fi
-;;
-esac
|