Message ID | 1563307012-3724-1-git-send-email-angelo@amarulasolutions.com |
---|---|
State | Accepted |
Commit | d335e44d91a18be877f1036802f1bb9bd5bb256d |
Series | [v2] package/sshguard: new package | expand |
>>>>> "Angelo" == Angelo Compagnucci <angelo@amarulasolutions.com> writes: > sshguard protects hosts from brute-force attacks against SSH and other > services. > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> > --- > CHANGELOG: > v1-> v2: > * Fixed license (suggested by Thomas) > * Fixed sysv script (suggested by Thomas) > * Moved from using git to use tarball > DEVELOPERS | 1 + > package/Config.in | 1 + > package/sshguard/Config.in | 10 +++++++++ > package/sshguard/S39sshguard | 50 ++++++++++++++++++++++++++++++++++++++++++ > package/sshguard/sshguard.hash | 3 +++ > package/sshguard/sshguard.mk | 34 ++++++++++++++++++++++++++++ > 6 files changed, 99 insertions(+) This had a number of check-package warnings, please consider running check-package before submitting in the future, thanks. > diff --git a/package/sshguard/Config.in b/package/sshguard/Config.in > new file mode 100644 > index 0000000..6bf1800 > --- /dev/null > +++ b/package/sshguard/Config.in > @@ -0,0 +1,10 @@ > +config BR2_PACKAGE_SSHGUARD > + bool "sshguard" > + depends on BR2_PACKAGE_IPTABLES Iptables doesn't have a lot of strange dependencies, so I think it makes more sense to use a select here. We also normally add a # runtime comment to explain why we don't need to add it to _DEPENDENCIES. > +++ b/package/sshguard/S39sshguard > @@ -0,0 +1,50 @@ > +#!/bin/sh > + > +DAEMON="sshguard" > +PIDFILE="/var/run/$DAEMON.pid" > + > +start() { > + printf 'Starting %s: ' "$DAEMON" > + iptables -L sshguard > /dev/null 2>&1 || \ > + (iptables -N sshguard && \ > + iptables -A INPUT -j sshguard) Indentation / wrapping looks a bit odd here. > +++ b/package/sshguard/sshguard.mk 
> @@ -0,0 +1,34 @@ > +################################################################################ > +# > +# sshguard > +# > +################################################################################ > + > +SSHGUARD_VERSION = 2.4.0 > +SSHGUARD_SOURCE = sshguard-$(SSHGUARD_VERSION).tar.gz It is the default, so can be dropped. > +SSHGUARD_SITE = https://sourceforge.net/projects/sshguard/files/sshguard/$(SSHGUARD_VERSION) > +SSHGUARD_LICENSE = MIT, X11, GPL-2.0+, Public Domain, ISC That is quite creative ;) The main license seems to be ISC, with the hash functions public domain and the SimCList code BSD-3-Clause. I do not see MIT or X11 code anywhere (except for the oneliner reference in install-sh, but that isn't used on the target). The only GPL reference I see is in the parser generated by bison, but that has an exception saying: As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work under terms of your choice So I simply made this: SSHGUARD_LICENSE = ISC, Public Domain (fnv hash), BSD-3-Clause (SimCList) > +define SSHGUARD_INSTALL_CONFIG > + $(INSTALL) -D -m 0644 $(@D)/examples/sshguard.conf.sample \ > + $(TARGET_DIR)/etc/sshguard.conf > + $(SED) '/^#BACKEND/c\BACKEND="/usr/libexec/sshg-fw-iptables"' $(TARGET_DIR)/etc/sshguard.conf > + $(SED) '/^#FILES/c\FILES="/var/log/messages"' $(TARGET_DIR)/etc/sshguard.conf NIT: This could be done in a single sed invocation, which would also shorten the very long line. > +endef > +SSHGUARD_POST_INSTALL_TARGET_HOOKS += SSHGUARD_INSTALL_CONFIG > + > +define SSHGUARD_INSTALL_INIT_SYSV > + $(INSTALL) -D -m 755 package/sshguard/S39sshguard \ > + $(TARGET_DIR)/etc/init.d/S39sshguard > +endef I don't see why this should be S39 when we only bring up the network in S40 and start ssh servers at S50, so I've changed this to S49. Committed with these fixes, thanks.
diff --git a/DEVELOPERS b/DEVELOPERS
index 4ab4e36..61e11b5 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -175,6 +175,7 @@ F: package/python-can/
 F: package/python-pillow/
 F: package/python-pydal/
 F: package/python-web2py/
+F: package/sshguard/
 F: package/sysdig/
 
 N: Anisse Astier <anisse@astier.eu>
diff --git a/package/Config.in b/package/Config.in
index 90dddfd..03b86f6 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2052,6 +2052,7 @@ endif
 source "package/spice/Config.in"
 source "package/spice-protocol/Config.in"
 source "package/squid/Config.in"
+ source "package/sshguard/Config.in"
 source "package/sshpass/Config.in"
 source "package/sslh/Config.in"
 source "package/strongswan/Config.in"
diff --git a/package/sshguard/Config.in b/package/sshguard/Config.in
new file mode 100644
index 0000000..6bf1800
--- /dev/null
+++ b/package/sshguard/Config.in
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_SSHGUARD
+ bool "sshguard"
+ depends on BR2_PACKAGE_IPTABLES
+ help
+ sshguard protects hosts from brute-force attacks against SSH and
+ other services. It aggregates system logs and blocks repeat offenders
+ using one of several firewall backends, including iptables, ipfw,
+ and pf.
+
+ https://www.sshguard.net
diff --git a/package/sshguard/S39sshguard b/package/sshguard/S39sshguard
new file mode 100644
index 0000000..d277b9a
--- /dev/null
+++ b/package/sshguard/S39sshguard
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+DAEMON="sshguard"
+PIDFILE="/var/run/$DAEMON.pid"
+
+start() {
+ printf 'Starting %s: ' "$DAEMON"
+ iptables -L sshguard > /dev/null 2>&1 || \
+ (iptables -N sshguard && \
+ iptables -A INPUT -j sshguard)
+ start-stop-daemon -S -q -b -p /run/sshguard.pid \
+ -x /usr/sbin/sshguard -- -i /run/sshguard.pid
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ return "$status"
+}
+
+stop() {
+ printf 'Stopping %s: ' "$DAEMON"
+ start-stop-daemon -K -q -p "$PIDFILE"
+ status=$?
+ if [ "$status" -eq 0 ]; then
+ rm -f "$PIDFILE"
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ return "$status"
+}
+
+restart() {
+ stop
+ sleep 1
+ start
+}
+
+case "$1" in
+ start|stop|restart)
+ "$1";;
+ reload)
+ # Restart, since there is no true "reload" feature.
+ restart;;
+ *)
+ echo "Usage: $0 {start|stop|restart|reload}"
+ exit 1
+esac
diff --git a/package/sshguard/sshguard.hash b/package/sshguard/sshguard.hash
new file mode 100644
index 0000000..5b9a0f0
--- /dev/null
+++ b/package/sshguard/sshguard.hash
@@ -0,0 +1,3 @@
+# sha256 from https://sourceforge.net/projects/sshguard/files/sshguard/2.4.0/sshguard-2.4.0.sha256
+sha256 065ca4091b3a96802714b560dbbc3d9f0e67574e99e2b6e8857aa1027d17d6c0 sshguard-2.4.0.tar.gz
+sha256 c3ae64f12153a1bc55bc234d09f40a08ab0e0149fffc972c0b7f02d5a12c1a5c COPYING
diff --git a/package/sshguard/sshguard.mk b/package/sshguard/sshguard.mk
new file mode 100644
index 0000000..1ec137e
--- /dev/null
+++ b/package/sshguard/sshguard.mk
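Review bot: In start() of S39sshguard the result of the chain setup (`iptables -N sshguard && iptables -A INPUT -j sshguard`) is discarded, so if either command fails the daemon is still launched and the script prints OK while no block can ever take effect. The setup should gate the launch, and `-n` on the `-L` probe avoids reverse-DNS lookups at boot. start() also hard-codes `/run/sshguard.pid` while stop() uses `$PIDFILE` (`/var/run/sshguard.pid`); the two only agree where /var/run is a link to /run, so both should use `"$PIDFILE"`. Only the IPv4 INPUT chain is prepared and the jump is appended after whatever rules already exist, so IPv6 sources and traffic accepted by an earlier rule are presumably never filtered, which deserves a comment in the script.

```shell
start() {
	printf 'Starting %s: ' "$DAEMON"
	# Without the chain and the INPUT jump, blocks are never applied:
	# treat a failed firewall setup as a failed start.
	if ! iptables -n -L sshguard > /dev/null 2>&1; then
		iptables -N sshguard && iptables -A INPUT -j sshguard
	fi &&
		start-stop-daemon -S -q -b -p "$PIDFILE" \
			-x /usr/sbin/sshguard -- -i "$PIDFILE"
	status=$?
	# … unchanged: OK/FAIL report and return …
```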
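Review bot: In package/sshguard/sshguard.hash the COPYING hash carries no provenance comment, unlike the tarball hash above it. Add `# Locally computed` before the `COPYING` line so a reader can tell which value came from upstream and which was calculated by the packager. The upstream .sha256 is served from the same SourceForge location as the tarball, so it detects corruption and later changes of the file but is not an independent check of the release; if upstream publishes a signature, a comment stating that it was verified would be stronger.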
@@ -0,0 +1,34 @@
+################################################################################
+#
+# sshguard
+#
+################################################################################
+
+SSHGUARD_VERSION = 2.4.0
+SSHGUARD_SOURCE = sshguard-$(SSHGUARD_VERSION).tar.gz
+SSHGUARD_SITE = https://sourceforge.net/projects/sshguard/files/sshguard/$(SSHGUARD_VERSION)
+SSHGUARD_LICENSE = MIT, X11, GPL-2.0+, Public Domain, ISC
+SSHGUARD_LICENSE_FILES = COPYING
+
+define SSHGUARD_INSTALL_CONFIG
+ $(INSTALL) -D -m 0644 $(@D)/examples/sshguard.conf.sample \
+ $(TARGET_DIR)/etc/sshguard.conf
+ $(SED) '/^#BACKEND/c\BACKEND="/usr/libexec/sshg-fw-iptables"' $(TARGET_DIR)/etc/sshguard.conf
+ $(SED) '/^#FILES/c\FILES="/var/log/messages"' $(TARGET_DIR)/etc/sshguard.conf
+endef
+SSHGUARD_POST_INSTALL_TARGET_HOOKS += SSHGUARD_INSTALL_CONFIG
+
+define SSHGUARD_INSTALL_INIT_SYSV
+ $(INSTALL) -D -m 755 package/sshguard/S39sshguard \
+ $(TARGET_DIR)/etc/init.d/S39sshguard
+endef
+
+define SSHGUARD_INSTALL_INIT_SYSTEMD
+ $(INSTALL) -D -m 0644 $(@D)/examples/sshguard.service \
+ $(TARGET_DIR)/usr/lib/systemd/system/sshguard.service
+ mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+ ln -fs ../../../../usr/lib/systemd/system/sshguard.service \
+ $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshguard.service
+endef
+
+$(eval $(autotools-package))
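Review bot: SSHGUARD_INSTALL_CONFIG hard-codes `FILES="/var/log/messages"` for every init system, but an image using the unit installed by SSHGUARD_INSTALL_INIT_SYSTEMD may have no syslog daemon writing that file, in which case sshguard would start and watch nothing. Consider choosing the log source per init system (sshguard.conf also accepts `LOGREADER` for a journalctl command), or at least add a comment such as `# /var/log/messages is the busybox syslogd default; journald-only systems need LOGREADER instead`. The two `$(SED)` edits also depend on the exact `#BACKEND` and `#FILES` lines of the upstream sample, so a changed sample would silently leave BACKEND unset; a comment recording that dependency would help on version bumps.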
sshguard protects hosts from brute-force attacks against SSH and other services. Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com> --- CHANGELOG: v1->v2: * Fixed license (suggested by Thomas) * Fixed sysv script (suggested by Thomas) * Moved from using git to use tarball DEVELOPERS | 1 + package/Config.in | 1 + package/sshguard/Config.in | 10 +++++++++ package/sshguard/S39sshguard | 50 ++++++++++++++++++++++++++++++++++++++++++ package/sshguard/sshguard.hash | 3 +++ package/sshguard/sshguard.mk | 34 ++++++++++++++++++++++++++++ 6 files changed, 99 insertions(+) create mode 100644 package/sshguard/Config.in create mode 100644 package/sshguard/S39sshguard create mode 100644 package/sshguard/sshguard.hash create mode 100644 package/sshguard/sshguard.mk