Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=043bd03be7a21d08d94983d7279eb6ce0e6748b1
commit 043bd03be7a21d08d94983d7279eb6ce0e6748b1
Author: DeX77 <de...@frugalware.org>
Date: Tue Aug 8 14:49:34 2017 +0200
denyhosts-2.6-6-x86_64 * replaced by fail2ban
diff --git a/source/network-extra/denyhosts/CVE-2013-6890.patch b/source/network-extra/denyhosts/CVE-2013-6890.patch
deleted file mode 100644
index 496f3f1..0000000
--- a/source/network-extra/denyhosts/CVE-2013-6890.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-diff -up DenyHosts-2.6/DenyHosts/regex.py.CVE-2013-6890 DenyHosts-2.6/DenyHosts/regex.py
---- DenyHosts-2.6/DenyHosts/regex.py.CVE-2013-6890 2014-01-06 16:39:32.505865176 -0600
-+++ DenyHosts-2.6/DenyHosts/regex.py 2014-01-06 22:05:52.675094771 -0600
-@@ -6,23 +6,22 @@ import re
-
- #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
-
--SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
-+SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
- #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
-
--FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
--FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
--FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+FAILED_ENTRY_REGEX3 = None
-
--FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-+FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
-
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
-
--FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
--
--FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
-+FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
-+FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
-
- # these are reserved for future versions
- FAILED_ENTRY_REGEX8 = None
-@@ -42,7 +41,7 @@ for i in FAILED_ENTRY_REGEX_RANGE:
- FAILED_ENTRY_REGEX_MAP[i] = rx
-
-
--SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-+SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
-
- TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
-
diff --git a/source/network-extra/denyhosts/FrugalBuild b/source/network-extra/denyhosts/FrugalBuild
deleted file mode 100644
index 4ae5174..0000000
--- a/source/network-extra/denyhosts/FrugalBuild
+++ /dev/null
@@ -1,48 +0,0 @@
-# Compiling Time: 0.01 SBU
-# Maintainer: crazy <cr...@frugalware.org>
-# Contributor: BMH1980 <bmh1...@frugalware.org>
-
-options+=('asneeded')
-
-pkgname=denyhosts
-pkgver=2.6
-pkgrel=6
-pkgdesc="DenyHosts is a utility to help sys admins thwart ssh hackers"
-_F_sourceforge_name="DenyHosts"
-Finclude sourceforge
-source=($source http://$pkgname.sf.net/faq.html $pkgname.service $pkgname.cfg)
-groups=('network-extra')
-archs=('i686' 'x86_64')
-depends=('python>=2.7')
-backup=('etc/denyhosts.cfg')
-_F_systemd_units=($pkgname=)
-Finclude systemd
-options+=('noversrc')
-sha1sums=('02143843cb7c37c986c222b7acc11f7b75eb7373' \
- '1b5277da9da5474af2eab1468a6bf6219f346b6e' \
- '0c5343b66970b4084b9bf600fc4d71447288adbc' \
- 'a8d7e5762e6b5c6d9f70243e98bc96cec760b1b3')
-
-
-# FSA fix ***
-source=(${source[@]} CVE-2013-6890.patch)
-sha1sums=(${sha1sums[@]} '04b64d2befcc1ae3f0f842a018e4d8cda2f31a7d')
-# ***********
-
-
-build()
-{
- Fcd DenyHosts-$pkgver
- Fbuild
- Fmkdir /etc /usr/share/{denyhosts/data,doc/$pkgname-$pkgver}
- Fln denyhosts.py /usr/bin/denyhosts
- Fmv /usr/share/denyhosts/*.txt /usr/share/doc/$pkgname-$pkgver/
- Fmv /usr/share/denyhosts/plugins/README.contrib /usr/share/doc/$pkgname-$pkgver/
- Frm /usr/share/denyhosts/{daemon-control-dist,setup.py}
- Ffile /etc/$pkgname.cfg
- Fdoc faq.html
- Ffile /lib/systemd/system/$pkgname.service
- Fgenscriptlet
-}
-
-
diff --git a/source/network-extra/denyhosts/denyhosts.cfg b/source/network-extra/denyhosts/denyhosts.cfg
deleted file mode 100644
index 676dc2e..0000000
--- a/source/network-extra/denyhosts/denyhosts.cfg
+++ /dev/null
@@ -1,464 +0,0 @@ - ############ THESE SETTINGS ARE REQUIRED ############ - -######################################################################## -# -# SECURE_LOG: the log file that contains sshd logging info -# if you are not sure, grep "sshd:" /var/log/* -# -# The file to process can be overridden with the --file command line -# argument -# -SECURE_LOG = /var/log/messages -######################################################################## - -######################################################################## -# HOSTS_DENY: the file which contains restricted host access information -# -HOSTS_DENY = /etc/hosts.deny -####################################################################### - -######################################################################## -# PURGE_DENY: removed HOSTS_DENY entries that are older than this time -# when DenyHosts is invoked with the --purge flag -# -# format is: i[dhwmy] -# Where 'i' is an integer (eg. 7) -# 'm' = minutes -# 'h' = hours -# 'd' = days -# 'w' = weeks -# 'y' = years -# -PURGE_DENY = -####################################################################### - -####################################################################### -# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY -# -# man 5 hosts_access for details -# -# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 -# -BLOCK_SERVICE = sshd -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_INVALID: block each host after the number of failed login -# attempts has exceeded this value. This value applies to invalid -# user login attempts (eg. 
non-existent user accounts) -# -DENY_THRESHOLD_INVALID = 5 -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_VALID: block each host after the number of failed -# login attempts has exceeded this value. This value applies to valid -# user login attempts (eg. user accounts that exist in /etc/passwd) except -# for the "root" user -# -DENY_THRESHOLD_VALID = 10 -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_ROOT: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# "root" user login attempts only. -# -DENY_THRESHOLD_ROOT = 1 -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# usernames that appear in the WORK_DIR/restricted-usernames file only. -# -DENY_THRESHOLD_RESTRICTED = 1 -####################################################################### - -####################################################################### -# -# WORK_DIR: the path that DenyHosts will use for writing data to -# (it will be created if it does not already exist). -# -# Note: it is recommended that you use an absolute pathname -# for this value (eg. 
/home/foo/denyhosts/data) -# -WORK_DIR = /usr/share/denyhosts/data -####################################################################### - -####################################################################### -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO -# If set to YES, if a suspicious login attempt results from an allowed-host -# then it is considered suspicious. If this is NO, then suspicious logins -# from allowed-hosts will not be reported. All suspicious logins from -# ip addresses that are not in allowed-hosts will always be reported. -# -SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES -###################################################################### - -###################################################################### -# -# HOSTNAME_LOOKUP -# -# HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each IP address that is reported by Denyhosts, -# the corresponding hostname will be looked up and reported as well -# (if available). -# -HOSTNAME_LOOKUP=YES -###################################################################### - -###################################################################### -# -# LOCK_FILE -# -# LOCK_FILE=/path/denyhosts -# If this file exists when DenyHosts is run, then DenyHosts will exit -# immediately. Otherwise, this file will be created upon invocation -# and deleted upon exit. This ensures that only one instance is -# running at a time. -# -LOCK_FILE = /var/run/denyhosts.pid -###################################################################### - - ############ THESE SETTINGS ARE OPTIONAL ############ - - -####################################################################### -# -# ADMIN_EMAIL: if you would like to receive emails regarding newly -# restricted hosts and suspicious logins, set this address to -# match your email address. 
If you do not want to receive these reports -# leave this field blank (or run with the --noemail option) -# -ADMIN_EMAIL = -####################################################################### - -####################################################################### -# -# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email -# reports (see ADMIN_EMAIL) then these settings specify the -# email server address (SMTP_HOST) and the server port (SMTP_PORT) -# -SMTP_HOST = localhost -SMTP_PORT = 25 -####################################################################### - -####################################################################### -# -# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your -# smtp email server requires authentication -# -#SMTP_USERNAME=foo -#SMTP_PASSWORD=bar -###################################################################### - -####################################################################### -# -# SMTP_FROM: you can specify the "From:" address in messages sent -# from DenyHosts when it reports thwarted abuse attempts -# -SMTP_FROM = DenyHosts <nobody@localhost> -####################################################################### - -####################################################################### -# -# SMTP_SUBJECT: you can specify the "Subject:" of messages sent -# by DenyHosts when it reports thwarted abuse attempts -SMTP_SUBJECT = DenyHosts Report -###################################################################### - -###################################################################### -# -# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header -# when sending email messages. 
-# -# for possible values for this parameter refer to: man strftime -# -# the default: -# -#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z -###################################################################### - -###################################################################### -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, -# the hostname will be looked up. If your versions of tcp_wrappers -# and sshd sometimes log hostnames in addition to ip addresses -# then you may wish to specify this option. -# -#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO -###################################################################### - -###################################################################### -# -# AGE_RESET_VALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# to all valid users (those within /etc/passwd) with the -# exception of root. If not defined, this count will never -# be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_VALID=5d -###################################################################### - -###################################################################### -# -# AGE_RESET_ROOT: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to the "root" user account. If not defined, -# this count will never be reset. 
-# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_ROOT=25d -###################################################################### - -###################################################################### -# -# AGE_RESET_RESTRICTED: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to entries found in the WORK_DIR/restricted-usernames file. -# If not defined, the count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_RESTRICTED=25d -###################################################################### - -###################################################################### -# -# AGE_RESET_INVALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# made to any invalid username (those that do not appear -# in /etc/passwd). If not defined, count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_INVALID=10d -###################################################################### - -###################################################################### -# -# RESET_ON_SUCCESS: If this parameter is set to "yes" then the -# failed count for the respective ip address will be reset to 0 -# if the login is successful. 
-# -# The default is RESET_ON_SUCCESS = no -# -#RESET_ON_SUCCESS = yes -##################################################################### - -###################################################################### -# -# PLUGIN_DENY: If set, this value should point to an executable -# program that will be invoked when a host is added to the -# HOSTS_DENY file. This executable will be passed the host -# that will be added as it's only argument. -# -#PLUGIN_DENY=/usr/bin/true -###################################################################### - -###################################################################### -# -# PLUGIN_PURGE: If set, this value should point to an executable -# program that will be invoked when a host is removed from the -# HOSTS_DENY file. This executable will be passed the host -# that is to be purged as it's only argument. -# -#PLUGIN_PURGE=/usr/bin/true -###################################################################### - -###################################################################### -# -# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain -# a regular expression that can be used to identify additional -# hackers for your particular ssh configuration. This functionality -# extends the built-in regular expressions that DenyHosts uses. -# This parameter can be specified multiple times. -# See this faq entry for more details: -# http://denyhosts.sf.net/faq.html#userdef_regex -# -#USERDEF_FAILED_ENTRY_REGEX= -###################################################################### - - ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## - -####################################################################### -# -# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) -# this is the logfile that DenyHosts uses to report it's status. -# To disable logging, leave blank. 
(default is: /var/log/denyhosts) -# -DAEMON_LOG = /var/log/denyhosts -###################################################################### - -####################################################################### -# -# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the timestamp format of -# the DAEMON_LOG messages (default is the ISO8061 format: -# ie. 2005-07-22 10:38:01,745) -# -# for possible values for this parameter refer to: man strftime -# -#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S -###################################################################### - -####################################################################### -# -# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the message format of each logged -# entry. By default the following format is used: -# -# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -# -# Where the "%(asctime)s" portion is expanded to the format -# defined by DAEMON_LOG_TIME_FORMAT -# -# This string is passed to python's logging.Formatter contstuctor. -# For details on the possible format types please refer to: -# http://docs.python.org/lib/node357.html -# -#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -###################################################################### - -####################################################################### -# -# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) -# this is the amount of time DenyHosts will sleep between polling -# the SECURE_LOG. 
See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -DAEMON_SLEEP = 30s -####################################################################### - -####################################################################### -# -# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, -# run the purge mechanism to expire old entries in HOSTS_DENY -# This has no effect if PURGE_DENY is blank. -# -DAEMON_PURGE = 1h -####################################################################### - - ######### THESE SETTINGS ARE SPECIFIC TO ########## - ######### DAEMON SYNCHRONIZATION ########## - -####################################################################### -# -# Synchronization mode allows the DenyHosts daemon the ability -# to periodically send and receive denied host data such that -# DenyHosts daemons worldwide can automatically inform one -# another regarding banned hosts. This mode is disabled by -# default, you must uncomment SYNC_SERVER to enable this mode. -# -# for more information, please refer to: -# http:/denyhosts.sourceforge.net/faq.html#sync -# -####################################################################### - -####################################################################### -# -# SYNC_SERVER: The central server that communicates with DenyHost -# daemons. Currently, denyhosts.net is the only available server -# however, in the future, it may be possible for organizations to -# install their own server for internal network synchronization -# -# To disable synchronization (the default), do nothing. 
-# -# To enable synchronization, you must uncomment the following line: -# -#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 -####################################################################### - -####################################################################### -# -# SYNC_INTERVAL: the interval of time to perform synchronizations if -# SYNC_SERVER has been uncommented. The default is 1 hour. -# -#SYNC_INTERVAL = 1h -# -####################################################################### - -####################################################################### -# -# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have -# been denied? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_UPLOAD = yes -# -#SYNC_UPLOAD = no -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have -# been denied by others? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_DOWNLOAD = yes -# -#SYNC_DOWNLOAD = no -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this paramter -# filters the returned hosts to those that have been blocked this many -# times by others. That is, if set to 1, then if a single DenyHosts -# server has denied an ip address then you will receive the denied host. 
-# -# The default is SYNC_DOWNLOAD_THRESHOLD = 3 -# -#SYNC_DOWNLOAD_THRESHOLD = 3 -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the -# value specified for this option limits the downloaded data -# to this resiliency period or greater. -# -# Resiliency is defined as the timespan between a hackers first known -# attack and it's most recent attack. Example: -# -# If the centralized denyhosts.net server records an attack at 2 PM -# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h -# will not download this ip address. -# -# However, if the attacker is recorded again at 6:15 PM then the -# ip address will be downloaded by your DenyHosts instance. -# -# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD -# and only hosts that satisfy both values will be downloaded. -# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 -# -# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) -# -# Only obtain hackers that have been at it for 5 hours or more: -#SYNC_DOWNLOAD_RESILIENCY = 5h -####################################################################### diff --git a/source/network-extra/denyhosts/denyhosts.service b/source/network-extra/denyhosts/denyhosts.service deleted file mode 100644 index a27dc9c..0000000 --- a/source/network-extra/denyhosts/denyhosts.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=DenyHosts -After=network.target - -[Service] -ExecStart=/usr/bin/denyhosts --daemon --config=/etc/denyhosts.cfg -PIDFile=/var/run/denyhosts.pid -Type=forking - -[Install] -WantedBy=multi-user.target _______________________________________________ Frugalware-git mailing list Frugalware-git@frugalware.org http://frugalware.org/mailman/listinfo/frugalware-git