Index: head/security/sshguard/Makefile =================================================================== --- head/security/sshguard/Makefile (revision 471011) +++ head/security/sshguard/Makefile (revision 471012) @@ -1,27 +1,28 @@ # Created by: Mij # $FreeBSD$ PORTNAME= sshguard PORTVERSION= 2.1.0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION} MAINTAINER= dan.mcgregor@usask.ca COMMENT= Protect hosts from brute-force attacks against SSH and other services LICENSE= BSD2CLAUSE USE_RC_SUBR= sshguard GNU_CONFIGURE= yes SUB_FILES= pkg-message post-patch: @${REINPLACE_CMD} -e 's|%PREFIX%|${PREFIX}|' ${WRKSRC}/doc/sshguard.8.rst @${REINPLACE_CMD} -e 's|/usr/local|${PREFIX}|' ${WRKSRC}/examples/sshguard.conf.sample post-install: ${INSTALL} -d ${STAGEDIR}${PREFIX}/etc ${INSTALL} -m 644 ${WRKSRC}/examples/sshguard.conf.sample ${STAGEDIR}${PREFIX}/etc .include Index: head/security/sshguard/files/patch-examples-sshguard.conf.sample =================================================================== --- head/security/sshguard/files/patch-examples-sshguard.conf.sample (revision 471011) +++ head/security/sshguard/files/patch-examples-sshguard.conf.sample (revision 471012) @@ -1,33 +1,33 @@ --- examples/sshguard.conf.sample.orig 2017-12-06 22:18:20 UTC +++ examples/sshguard.conf.sample @@ -6,10 +6,12 @@ #### REQUIRED CONFIGURATION #### # Full path to backend executable (required, no default) -#BACKEND="/usr/local/libexec/sshg-fw-iptables" +#BACKEND="/usr/local/libexec/sshg-fw-hosts" +#BACKEND="/usr/local/libexec/sshg-fw-ipfw" +#BACKEND="/usr/local/libexec/sshg-fw-pf" # Space-separated list of log files to monitor. (optional, no default) -#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog" +FILES="/var/log/auth.log /var/log/maillog" # Shell command that provides logs on standard output. (optional, no default) # Example 1: ssh and sendmail from systemd journal: @@ -40,12 +42,12 @@ DETECTION_TIME=1800 # !! Warning: These features may not work correctly with sandboxing. !! # Full path to PID file (optional, no default) -#PID_FILE=/run/sshguard.pid +#PID_FILE=/var/run/sshguard.pid # Colon-separated blacklist threshold and full path to blacklist file. # (optional, no default) -#BLACKLIST_FILE=90:/var/lib/sshguard/enemies -+#BLACKLIST_FILE=30:/var/db/sshguard/blacklist.db ++#BLACKLIST_FILE=120:/var/db/sshguard/blacklist.db # IP addresses listed in the WHITELIST_FILE are considered to be # friendlies and will never be blocked. -#WHITELIST_FILE=/etc/friends +#WHITELIST_FILE=/usr/local/etc/sshguard.whitelist Index: head/security/sshguard/files/sshguard.in =================================================================== --- head/security/sshguard/files/sshguard.in (revision 471011) +++ head/security/sshguard/files/sshguard.in (revision 471012) @@ -1,118 +1,118 @@ #!/bin/sh #- # Copyright (c) 2012 iXsystems, Inc. # All rights reserved. # # Written by: Xin Li # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # # $FreeBSD$ # # PROVIDE: sshguard # REQUIRE: LOGIN cleanvar # KEYWORD: shutdown # # Add the following lines to /etc/rc.conf to enable sshguard: # sshguard_enable (bool): Set to "NO" by default. # Set it to "YES" to enable sshguard # sshguard_pidfile (str): Path to PID file. # Set to "/var/run/sshguard.pid" by default # sshguard_watch_logs (str): Colon splitted list of logs to watch. # Unset by default. Overrides the configuration file. # The following options directly maps to their command line options, # and override the configuration file, so most are unset by default. # Please read manual page sshguard(8) for detailed information: # sshguard_blacklist (str): [thr:]/path/to/blacklist. # Set to "30:/var/db/sshguard/blacklist.db" # by default. # sshguard_danger_thresh (int): Danger threshold. # sshguard_release_interval (int): # Minimum interval an address remains # blocked. # sshguard_reset_interval (int): # Interval before a suspected attack is # forgotten and danger is reset to 0. # sshguard_whitelistfile (str): Path to the whitelist. # sshguard_flags (str): Set additional command line arguments. # . /etc/rc.subr name=sshguard rcvar=sshguard_enable load_rc_config sshguard : ${sshguard_enable:=NO} -: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db} +: ${sshguard_blacklist=120:/var/db/sshguard/blacklist.db} : ${sshguard_danger_thresh=} : ${sshguard_release_interval=} : ${sshguard_reset_interval=} : ${sshguard_whitelistfile=} : ${sshguard_watch_logs=} pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"} command=/usr/sbin/daemon actual_command="%%PREFIX%%/sbin/sshguard" procname="%%PREFIX%%/libexec/sshg-blocker" start_precmd=sshguard_prestart command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} \${sshguard_danger_params} \${sshguard_release_params} \${sshguard_reset_params} \${sshguard_whitelist_params} -i ${pidfile}" sshguard_prestart() { # Clear rc_flags so sshguard_flags can be passed to sshguard # instaed of daemon(8) rc_flags="" if [ ! -z ${sshguard_blacklist} ]; then mkdir -p $(dirname ${sshguard_blacklist##*:}) sshguard_blacklist_params="-b ${sshguard_blacklist}" fi if [ ! -z ${sshguard_whitelistfile} ]; then [ -e "${sshguard_whitelistfile}" ] || touch ${sshguard_whitelistfile} sshguard_whitelist_params="-w ${sshguard_whitelistfile}" fi if [ ! -z ${sshguard_danger_thresh} ]; then sshguard_danger_params="-a ${sshguard_danger_thresh}" fi if [ ! -z ${sshguard_release_interval} ]; then sshguard_release_params="-p ${sshguard_release_interval}" fi if [ ! -z ${sshguard_reset_interval} ]; then sshguard_reset_params="-s ${sshguard_reset_interval}" fi if [ ! -z "${sshguard_watch_logs}" ]; then sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ ) fi } run_rc_command "$1"