Hello community,

here is the log from the commit of package sshguard for openSUSE:Factory checked in at 2019-02-24 17:13:47
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sshguard (Old)
 and /work/SRC/openSUSE:Factory/.sshguard.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sshguard" Sun Feb 24 17:13:47 2019 rev:9 rq:672781 version:2.3.1 Changes: -------- --- /work/SRC/openSUSE:Factory/sshguard/sshguard.changes 2018-11-09 07:56:42.783553870 +0100 +++ /work/SRC/openSUSE:Factory/.sshguard.new.28833/sshguard.changes 2019-02-24 17:13:50.400467229 +0100 
@@ -1,0 +2,81 @@ +Wed Feb 6 11:39:18 UTC 2019 - [email protected] + +- Removed not needed files and service files + as sshguard can now parse journal files +- /etc/sysconfig/sshguard is not used any more + as sshguard uses it's own config file + +------------------------------------------------------------------- +Mon Feb 4 22:47:20 UTC 2019 - Jan Engelhardt <[email protected]> + +- Use noun phrase in summary. +- Join %service_* to reduce generated boilerplate. + +------------------------------------------------------------------- +Thu Jan 24 08:19:29 UTC 2019 - [email protected] + +- Build version 2.3.1 + * Fix OpenSSH "Did not receive identification string" + * Fix syslog banner detection on macOS + +- Build version 2.3.0 + * Add signatures for Courier IMAP/POP and OpenVPN + * Add signatures for TLS failures against Cyrus IMAP + * Match more attacks against SSHD, Cockpit, and Dovecot + * Update SSH invalid user signature for macOS + * Add to and remove from ipfw table quietly + * Reduce "Connection closed... 
[preauth]" score to 2 + * Switch ipsets to hash:net + * Don't recreate existing ipsets + * Match more log banners (Fix greedy SYSLOG_BANNER) + +- Build version 2.2.0 + * Add '--disable-maintainer-mode' in configure for package maintainers + * BusyBox log banner detection + * Match Exim "auth mechanism not supported" + * Match Exim "auth when not advertised" + * Match Postfix greylist early retry + * OpenSMTPD monitoring support + * Recognize IPv6 addresses with interface name + * Ignore CR in addition to LF + * Only log attacks if not already blocked or whitelisted + * Use correct signal names in driver shell script + +- Build version 2.1.0 + * Add nftables backend + * Add monitoring support for new service: Cockpit, Linux server dashboard + * Match "maximum authentication attempts" for SSH + * Match Debian-style "Failed password for invalid user" for SSH + * Add monitoring support for new service: Common webserver probes, in + Common Log Format + * Match 'Disconnecting invalid user' for SSH + * Add monitoring support for new service: WordPress, in Common Log Format + * Add monitoring support for new service: SSHGuard + * Firewall backends now support blocking subnets. + * Add new IPV6_SUBNET and IPV4_SUBNET configuration options. Defaults + to traditional single-address blocking. + * Add monitoring support for new service: OpenSMTPD + * Log whitelist matches with higher priority + * Match port number in "invalid user" attack + * FirewallD backend reloads firewall configuration less often. 
+ +- Build version 2.0.0 + * Add firewalld backend + * Add ipset backend + * Annotate logs using -a flag to sshg-parser + * Match "no matching cipher" for SSH + * Preliminary support for Capsicum and pledge() + * Resurrect ipfilter backend + * Support reading from os_log on macOS 10.12 and systemd journal + * Add warning when reading from standard input + * Build and install all backends by default + * Improve log messages and tweak logging priorities + * Runtime flags now configurable in the configuration file + * SSHGuard requires a configuration file to start + * Remove process validation (-f option) + * Fix ipfw backend on FreeBSD 11 + * Fix initial block time + * Update Dovecot pattern for macOS + * Use standard score for Sendmail auth attack + +------------------------------------------------------------------- Old: ---- sshguard-1.7.1.tar.gz sshguard-journal-tail sshguard-journal.service sshguard.sysconfig New: ---- sshguard-2.3.1.tar.gz sshguard.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sshguard.spec ++++++ --- /var/tmp/diff_new_pack.PBB2g9/_old 2019-02-24 17:13:51.156467094 +0100 +++ /var/tmp/diff_new_pack.PBB2g9/_new 2019-02-24 17:13:51.160467094 +0100 @@ -1,7 +1,7 @@ # # spec file for package sshguard # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -18,35 +18,31 @@ #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif +%if 0%{?suse_version} > 1140 +%define has_systemd 1 +BuildRequires: pkgconfig(systemd) +%{?systemd_requires} +%else +Requires(pre): %fillup_prereq %endif - Name: sshguard -Version: 1.7.1 +Version: 2.3.1 Release: 0 -Summary: Protect hosts from brute force attacks against ssh +Summary: SSH brute force attack protector License: ISC Group: Productivity/Networking/Security -Url: http://www.sshguard.net +URL: http://www.sshguard.net Source0: http://sourceforge.net/projects/%{name}/files/%{name}/%{version}/%{name}-%{version}.tar.gz -Source1: sshguard.sysconfig +Source1: sshguard.conf Source2: sshguard.service Source3: sshguard.init Source4: sshguard.whitelist -Source5: sshguard-journal.service -Source6: sshguard-journal-tail # PATCH-FIX-UPSTREAM sshguard-gcc5.patch Patch0: sshguard-gcc5.patch Requires: openssh -BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires(pre): %fillup_prereq -%if 0%{?suse_version} > 1140 -BuildRequires: pkgconfig(systemd) -%{?systemd_requires} -%define has_systemd 1 -%else -Requires(pre): %fillup_prereq -%endif %description Sshguard protects networked hosts from brute force attacks 
@@ -66,13 +62,10 @@ %install %make_install -install -D -m0644 %{SOURCE1} %{buildroot}%{_fillupdir}/sysconfig.sshguard +install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{name}.conf %if 0%{?has_systemd} ln -sf service %{buildroot}/%{_sbindir}/rc%{name} install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/sshguard.service -ln -sf service %{buildroot}/%{_sbindir}/rc%{name}-journal -install -D -m0644 %{SOURCE5} %{buildroot}%{_unitdir}/sshguard-journal.service -install -D -m0744 %{SOURCE6} %{buildroot}/%{_sbindir}/sshguard-journal-tail %else install -D -m0744 %{SOURCE3} %{buildroot}%{_sysconfdir}/init.d/sshguard ln -s ../..%{_sysconfdir}/init.d/sshguard %{buildroot}%{_sbindir}/rcsshguard 
@@ -85,47 +78,47 @@ %pre %if 0%{?has_systemd} %service_add_pre %{name}.service -%service_add_pre %{name}-journal.service %endif %post %if 0%{?has_systemd} %fillup_only sshguard -%service_add_post sshguard.service -%service_add_post sshguard-journal.service +%service_add_post %{name}.service %else -%fillup_and_insserv sshguard +%fillup_and_insserv %{name} %endif %preun %if 0%{?has_systemd} -%service_del_preun sshguard.service -%service_del_preun sshguard-journal.service +%service_del_preun %{name}.service %else -%stop_on_removal sshguard +%stop_on_removal %{name} %endif %postun %if 0%{?has_systemd} -%service_del_postun sshguard.service -%service_del_postun sshguard-journal.service +%service_del_postun %{name}.service %else -%restart_on_update sshguard +%restart_on_update %{name} %insserv_cleanup %endif %files -%defattr(-,root,root,-) -%doc CHANGELOG.rst README.rst COPYING examples/ doc/ +%if 0%{?suse_version} < 1330 +%doc CHANGELOG.rst README.rst examples/ doc/ COPYING +%else +%doc CHANGELOG.rst README.rst examples/ doc/ +%license COPYING +%endif %{_sbindir}/* -%doc %{_mandir}/man8/%{name}* -%{_fillupdir}/sysconfig.sshguard +%{_mandir}/man8/%{name}* +%{_mandir}/man7/%{name}-setup* %if 0%{?has_systemd} %{_unitdir}/sshguard.service -%{_unitdir}/sshguard-journal.service %else %config %{_sysconfdir}/init.d/sshguard %endif +%config(noreplace) %{_sysconfdir}/%{name}.conf %dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}/whitelist %dir %{_localstatedir}/lib/%{name} ++++++ sshguard-1.7.1.tar.gz -> sshguard-2.3.1.tar.gz ++++++ ++++ 163823 lines of diff (skipped) ++++++ sshguard-gcc5.patch ++++++ --- /var/tmp/diff_new_pack.PBB2g9/_old 2019-02-24 17:13:51.408467049 +0100 +++ /var/tmp/diff_new_pack.PBB2g9/_new 2019-02-24 17:13:51.408467049 +0100 
@@ -1,11 +1,13 @@ -diff -ru sshguard-1.6.3.orig/src/sshguard_whitelist.c sshguard-1.6.3/src/sshguard_whitelist.c ---- sshguard-1.6.3.orig/src/sshguard_whitelist.c 2016-02-18 10:54:51.752229898 +0100 -+++ sshguard-1.6.3/src/sshguard_whitelist.c 2016-02-18 11:00:02.760786847 +0100 -@@ -18,6 +18,7 @@ - * SSHGuard. See http://www.sshguard.net - */ - -+#define _GNU_SOURCE - #include <arpa/inet.h> - #include <assert.h> - #include <netdb.h> +diff -crB sshguard-2.3.1/src/blocker/sshguard_whitelist.c sshguard-2.3.1-dev/src/blocker/sshguard_whitelist.c +*** sshguard-2.3.1/src/blocker/sshguard_whitelist.c 2018-12-16 03:41:51.000000000 +0100 +--- sshguard-2.3.1/src/blocker/sshguard_whitelist.c 2019-01-24 09:34:29.600313298 +0100 +*************** +*** 18,23 **** +--- 18,24 ---- + * SSHGuard. See http://www.sshguard.net + */ + ++ #define _GNU_SOURCE + #include <arpa/inet.h> + #include <assert.h> + #include <netdb.h> ++++++ sshguard.conf ++++++ # #!/bin/sh # sshguard.conf -- SSHGuard configuration # Options that are uncommented in this example are set to their default # values. Options without defaults are commented out. #### REQUIRED CONFIGURATION #### # Full path to backend executable (required, no default) BACKEND="/usr/lib/sshg-fw-iptables" # Space-separated list of log files to monitor. Ignored if LOGREADER is set. # (optional, no default) #FILES="/var/log/auth.log /var/log/authlog /var/log/maillog" # Shell command that provides logs on standard output. (optional, no default) # Example 1: ssh and sendmail from systemd journal: #LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -t sendmail -o cat" # Example 2: ssh from os_log (macOS 10.12+) #LOGREADER="/usr/bin/log stream --style syslog --predicate '(processImagePath contains \"sshd\")'" LOGREADER="LANG=C /usr/bin/journalctl -afb -p info -n1 -t sshd -o cat" #### OPTIONS #### # Block attackers when their cumulative attack score exceeds THRESHOLD. # Most attacks have a score of 10. 
(optional, default 30) THRESHOLD=30 # Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD. # Subsequent blocks increase by a factor of 1.5. (optional, default 120) BLOCK_TIME=120 # Remember potential attackers for up to DETECTION_TIME seconds before # resetting their score. (optional, default 1800) DETECTION_TIME=1800 # Size of IPv6 'subnet to block. Defaults to a single address, CIDR notation. (optional, default to 128) IPV6_SUBNET=128 # Size of IPv4 subnet to block. Defaults to a single address, CIDR notation. (optional, default to 32) IPV4_SUBNET=32 #### EXTRAS #### # !! Warning: These features may not work correctly with sandboxing. !! # Full path to PID file (optional, no default) PID_FILE="/run/sshguard.pid" # Colon-separated blacklist threshold and full path to blacklist file. # (optional, no default) BLACKLIST_FILE="90:/var/lib/sshguard/db/blacklist.db" # IP addresses listed in the WHITELIST_FILE are considered to be # friendlies and will never be blocked. WHITELIST_FILE="/etc/sshguard/whitelist" ++++++ sshguard.init ++++++ --- /var/tmp/diff_new_pack.PBB2g9/_old 2019-02-24 17:13:51.432467045 +0100 +++ /var/tmp/diff_new_pack.PBB2g9/_new 2019-02-24 17:13:51.432467045 +0100 @@ -22,7 +22,7 @@ else exit 5; fi; } # Check for existence of needed config file and read it -SSHGUARD_CONFIG=/etc/sysconfig/sshguard +SSHGUARD_CONFIG=/etc/sshguard.conf test -r $SSHGUARD_CONFIG || { echo "$SSHGUARD_CONFIG not existing"; if [ "$1" = "stop" ]; then exit 0; else exit 6; fi; } 
@@ -34,35 +34,22 @@ setup_cmdline() { cmdline="" if [ "$1" != "stop" ]; then - test -n $MONITORED_LOGS || \ - { echo "At least one logfile must be defined in MONITORED_LOGS"; - exit 6; } - fi - for _logs in $MONITORED_LOGS; do - cmdline="$cmdline -l $_logs" - done - # set defaults - test -z $PORTS && PORTS=22 - - test -n $ATTACK_ATTEMPTS && cmdline="$cmdline -a $ATTACK_ATTEMPTS" - test -n $RELEASE_TIMEOUT && cmdline="$cmdline -p $RELEASE_TIMEOUT" - test -n $FORGET_TIMEOUT && cmdline="$cmdline -s $FORGET_TIMEOUT" - test -n "$WHITELIST" && cmdline="$cmdline -w $WHITELIST" - test -n "$BLACKLIST" && cmdline="$cmdline -b $BLACKLIST" + + test -n $THRESHOLD && cmdline="$cmdline -a $THRESHOLD" + test -n $BLOCK_TIME && cmdline="$cmdline -p $BLOCK_TIME" + test -n $DETECTION_TIME && cmdline="$cmdline -s $DETECTION_TIME" + test -n "$WHITELIST_FILE" && cmdline="$cmdline -w $WHITELIST_FILE" + test -n "$BLACKLIST_FILE" && cmdline="$cmdline -b $BLACKLIST_FILE" } iptables_start() { /usr/sbin/iptables -N sshguard /usr/sbin/ip6tables -N sshguard - /usr/sbin/iptables -I INPUT 1 -p tcp --dport $PORTS -j sshguard - /usr/sbin/ip6tables -I INPUT 1 -p tcp --dport $PORTS -j sshguard } iptables_stop() { /usr/sbin/iptables -F sshguard /usr/sbin/ip6tables -F sshguard - /usr/sbin/iptables -D INPUT -p tcp --dport $PORTS -j sshguard - /usr/sbin/ip6tables -D INPUT -p tcp --dport $PORTS -j sshguard /usr/sbin/iptables -X sshguard /usr/sbin/ip6tables -X sshguard } ++++++ sshguard.service ++++++ --- /var/tmp/diff_new_pack.PBB2g9/_old 2019-02-24 17:13:51.444467043 +0100 +++ /var/tmp/diff_new_pack.PBB2g9/_new 2019-02-24 17:13:51.444467043 +0100 
@@ -3,17 +3,13 @@ After=network.target [Service] -EnvironmentFile=-/etc/sysconfig/sshguard +EnvironmentFile=-/etc/sshguard.conf ExecStartPre=/usr/sbin/iptables -N sshguard ExecStartPre=/usr/sbin/ip6tables -N sshguard -ExecStartPre=/usr/sbin/iptables -I INPUT 1 -p tcp --dport $PORTS -j sshguard -ExecStartPre=/usr/sbin/ip6tables -I INPUT 1 -p tcp --dport $PORTS -j sshguard -ExecStart=/usr/sbin/sshguard -a $ATTACK_TRESHOLD -p $RELEASE_TIMEOUT -s $FORGET_TIMEOUT -w $WHITELIST -b $BLACKLIST -l $MONITORED_LOGS +ExecStart=/usr/sbin/sshguard -a $THRESHOLD -p $BLOCK_TIME -s $DETECTION_TIME -w $WHITELIST_FILE -b $BLACKLIST_FILE ExecReload=/bin/kill -HUP $MAINPID ExecStopPost=/usr/sbin/iptables -F sshguard ExecStopPost=/usr/sbin/ip6tables -F sshguard -ExecStopPost=/usr/sbin/iptables -D INPUT -p tcp --dport $PORTS -j sshguard -ExecStopPost=/usr/sbin/ip6tables -D INPUT -p tcp --dport $PORTS -j sshguard ExecStopPost=/usr/sbin/iptables -X sshguard ExecStopPost=/usr/sbin/ip6tables -X sshguard KillMode=process
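Review bot: `Requires(pre): %fillup_prereq` ends up declared twice for non-systemd builds in sshguard.spec (hunk `@@ -18,35 +18,31 @@`): once in the new `%else` branch near the top and once unconditionally after `Requires: openssh`, which the hunk leaves in place. The changelog states that /etc/sysconfig/sshguard is no longer used and `Source1` is now `sshguard.conf`, so the fillup prerequisite looks removable altogether rather than something to move. `URL:` and `Source0:` are also still plain `http://`; if upstream serves them over https, switching would protect the tarball fetch.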
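Review bot: The scriptlets in sshguard.spec (hunk `@@ -85,47 +78,47 @@`) still call `%fillup_only sshguard` in the systemd branch of `%post` and `%fillup_and_insserv %{name}` in the other branch, although this commit stops installing `%{_fillupdir}/sysconfig.sshguard` and drops it from `%files`. With no template left, the fillup calls have nothing to merge and should go (keeping only the insserv part for the init.d case). There is also no migration step visible for hosts that carried settings such as `MONITORED_LOGS`, `PORTS` or `WHITELIST` in /etc/sysconfig/sshguard; after the update they silently fall back to the values in the new `%config(noreplace)` file, which deserves at least a changelog or README note.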
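Review bot: In the new sshguard.conf, `BACKEND="/usr/lib/sshg-fw-iptables"` is a hard-coded path while the spec uses path macros everywhere else, and the file's own comment says this option is required and has no default. Please confirm the path matches where `%make_install` places the backends on every build target, or generate it at build time. The header also says options without defaults are commented out, yet `PID_FILE` and `BLACKLIST_FILE` are set under the EXTRAS section that warns they "may not work correctly with sandboxing"; either comment them out or say why the package enables them. Minor: the first line `# #!/bin/sh` and the stray quote in "IPv6 'subnet" look like leftovers.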
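Review bot: `setup_cmdline()` in sshguard.init (hunk `@@ -34,35 +34,22 @@`) keeps the context line `if [ "$1" != "stop" ]; then` but the hunk removes the matching `fi` and adds none, so the function as shown has an unterminated `if` and the script will not parse. Either restore the `fi` or remove the `if` line together with the `MONITORED_LOGS` check it guarded. The new `test -n $THRESHOLD`, `test -n $BLOCK_TIME` and `test -n $DETECTION_TIME` lines are unquoted; with an empty variable `test -n` has a single argument and returns true, so an empty `-a`, `-p` or `-s` is appended. Quote them as the `WHITELIST_FILE` and `BLACKLIST_FILE` lines already do. The same hunk also drops the `-I INPUT 1 ... -j sshguard` rules from `iptables_start`, leaving a chain that nothing jumps to.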
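Review bot: After this change sshguard.service (hunk `@@ -3,17 +3,13 @@`) still creates the `sshguard` chain with `iptables -N` and `ip6tables -N`, but the `ExecStartPre=... -I INPUT 1 -p tcp --dport $PORTS -j sshguard` lines are removed and nothing replaces them, so no visible rule sends traffic through the chain. Unless the backend or the administrator adds that jump, addresses placed in the chain are not actually blocked and the service gives a false sense of protection. If dropping `$PORTS` is intentional, add a jump that does not depend on it or document the manual step prominently. Also, `EnvironmentFile=-/etc/sshguard.conf` keeps the leading `-`, so a missing file is ignored and `ExecStart` runs with empty `-a`, `-p`, `-s`, `-w` and `-b` values, while the changelog says SSHGuard requires a configuration file to start; dropping the `-` would make that failure explicit.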
