svn commit: r414461 - in head/security/sshguard: . files
Mark Felder
feld at FreeBSD.org
Mon May 2 16:26:06 UTC 2016
Author: feld
Date: Mon May 2 16:26:04 2016
New Revision: 414461
URL: https://svnweb.freebsd.org/changeset/ports/414461
Log:
security/sshguard: Update to 1.6.4

- Add PID file support back to rc script
- Rename some rc script parameters to better align with sshguard(8)

  sshguard_safety_thresh -> sshguard_danger_thresh
  sshguard_pardon_min_interval -> sshguard_release_interval
  sshguard_prescribe_interval -> sshguard_reset_interval

Release notes:

This release brings updated signatures, usability improvements, and bug
fixes. Highlights in this release include:

- Match Postfix pre-authentication disconnects
- Fix bashisms in iptables backend
- Fix size argument in inet_ntop() call
- Remove excessive logging when polling from files
- Keep looking for unreadable files while polling
- Update Dovecot signature for POP3
- Match "Connection reset" message for SSH
- Resurrect PID file option by popular demand
- Adjust default abuse threshold

Most notably, some default options have changed. The abuse threshold has
been reduced to 30 (3 attacks) and the initial block time has been
lowered to 2 minutes (from 7). These settings can be overridden from the
command line. Package maintainers should check their scripts.

The PID file option (-p) has been resurrected.
Added:
head/security/sshguard/files/patch-man_sshguard.8 (contents, props changed)
Deleted:
head/security/sshguard/files/patch-src_sshguard__logsuck.c
Modified:
head/security/sshguard/Makefile
head/security/sshguard/distinfo
head/security/sshguard/files/pkg-message.in
head/security/sshguard/files/sshguard.in
Modified: head/security/sshguard/Makefile
==============================================================================
--- head/security/sshguard/Makefile Mon May 2 16:14:46 2016 (r414460)
+++ head/security/sshguard/Makefile Mon May 2 16:26:04 2016 (r414461)
@@ -2,8 +2,8 @@
# $FreeBSD$
PORTNAME= sshguard
-PORTVERSION= 1.6.3
-PORTREVISION= 1
+PORTVERSION= 1.6.4
+PORTREVISION= 0
CATEGORIES= security
MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION}
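Review bot: `PORTREVISION= 0` on the version bump should be removed rather than set to zero. The ports convention is to drop the PORTREVISION line when PORTVERSION increases; an explicit 0 is equivalent to the line being absent and only leaves something for the next revision bump to edit.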
Modified: head/security/sshguard/distinfo
==============================================================================
--- head/security/sshguard/distinfo Mon May 2 16:14:46 2016 (r414460)
+++ head/security/sshguard/distinfo Mon May 2 16:26:04 2016 (r414461)
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.6.3.tar.gz) = 6c4d3be2acf6349b4ac5d6fff4bbcd8fa988c82876d848cbbd0c7c99bc0438c7
-SIZE (sshguard-1.6.3.tar.gz) = 540130
+SHA256 (sshguard-1.6.4.tar.gz) = 654d5412ed010e500e2715ddeebfda57ab23c47a2bd30dfdc1e68c4f04c912a9
+SIZE (sshguard-1.6.4.tar.gz) = 546934
Added: head/security/sshguard/files/patch-man_sshguard.8
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/sshguard/files/patch-man_sshguard.8 Mon May 2 16:26:04 2016 (r414461)
@@ -0,0 +1,20 @@
+--- man/sshguard.8.orig 2016-05-02 15:44:01 UTC
++++ man/sshguard.8
+@@ -84,7 +84,7 @@ at \fI\%http://www.sshguard.net/\fP\&.
+ .SH OPTIONS
+ .INDENT 0.0
+ .TP
+-.B \fB\-a\fP \fIthresh\fP (default 40)
++.B \fB\-a\fP \fIthresh\fP (default 30)
+ Block an attacker when its dangerousness exceeds \fIthresh\fP\&. Each attack
+ pattern that is matched contributes a fixed dangerousness of 10.
+ .TP
+@@ -112,7 +112,7 @@ monitor instead. \fBsshguard\fP transpar
+ using this option, standard input is ignored, but can be re\-added by
+ giving \(aq\fB\-l\fP \-\(aq.
+ .TP
+-.B \fB\-p\fP \fIinterval\fP (default 420 secs, or 7 minutes)
++.B \fB\-p\fP \fIinterval\fP (default 120 secs, or 2 minutes)
+ Wait at least \fIinterval\fP seconds before releasing a blocked address.
+ Repeat attackers are blocked for 1.5 times longer after each attack.
+ Because \fBsshguard\fP unblocks attackers only at infrequent intervals,
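Review bot: In the first man page hunk, the -a text says an attacker is blocked when its dangerousness "exceeds" thresh, with each attack contributing 10, while the commit log describes the new default of 30 as "3 attacks". Three attacks reach 30 without exceeding it, so one of the two statements is off by one attack. Since the page is already being patched for the defaults, align the wording (for example "reaches") with whichever comparison the code performs, and consider sending the corrected defaults upstream so the port does not have to carry this patch.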
Modified: head/security/sshguard/files/pkg-message.in
==============================================================================
--- head/security/sshguard/files/pkg-message.in Mon May 2 16:14:46 2016 (r414460)
+++ head/security/sshguard/files/pkg-message.in Mon May 2 16:26:04 2016 (r414461)
@@ -7,4 +7,11 @@
rc.d script installed at %%PREFIX%%/etc/rc.d/sshguard .
See sshguard(8) and http://www.sshguard.net/docs/setup for additional info.
+
+ Please note that a few rc script parameters have been renamed to
+ better reflect the documentation:
+
+ sshguard_safety_thresh -> sshguard_danger_thresh
+ sshguard_pardon_min_interval -> sshguard_release_interval
+ sshguard_prescribe_interval -> sshguard_reset_interval
##########################################################################
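Review bot: The added notice lists the three renamed variables but says nothing about the changed defaults or the new sshguard_pidfile setting. An admin upgrading from 1.6.3 gets a block threshold of 30 instead of 40 and a minimum block time of 120 seconds instead of 420, which changes enforcement more than the renames do. Suggest giving the old and new default next to each rename and stating that the old variable names are no longer read by the rc script.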
Modified: head/security/sshguard/files/sshguard.in
==============================================================================
--- head/security/sshguard/files/sshguard.in Mon May 2 16:14:46 2016 (r414460)
+++ head/security/sshguard/files/sshguard.in Mon May 2 16:26:04 2016 (r414461)
@@ -37,21 +37,24 @@
# Add the following lines to /etc/rc.conf to enable sshguard:
# sshguard_enable (bool): Set to "NO" by default.
# Set it to "YES" to enable sshguard
+# sshguard_pidfile (str): Path to PID file.
+# Set to "/var/run/sshguard.pid" by default
# sshguard_watch_logs (str): Colon splitted list of logs to watch.
# Set to "/var/log/auth.log:/var/log/maillog"
# by default.
# The following options directly maps to their command line options,
# please read manual page sshguard(8) for detailed information:
# sshguard_blacklist (str): [thr:]/path/to/blacklist.
-# Set to "40:/var/db/sshguard/blacklist.db"
+# Set to "30:/var/db/sshguard/blacklist.db"
# by default.
-# sshguard_safety_thresh (int): Safety threshold. Set to "40" by default.
-# sshguard_pardon_min_interval (int):
-# Minimum pardon interval. Set to "420"
-# by default.
-# sshguard_prescribe_interval (int):
-# Prescribe interval. Set to "1200" by
-# default.
+# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default.
+# sshguard_release_interval (int):
+# Minimum interval an address remains
+# blocked. Set to "120" by default.
+# sshguard_reset_interval (int):
+# Interval before a suspected attack is
+# forgotten and danger is reset to 0.
+# Set to "1200" by default.
# sshguard_whitelistfile (str): Path to the whitelist.
# Set to "%%PREFIX%%/etc/sshguard.whitelist"
# by default.
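Review bot: The default in the sshguard_blacklist comment is lowered to "30:", the same value as the new sshguard_danger_thresh default, so with stock settings an address reaches the blacklist threshold at the same score that triggers its first block. That was already the case at 40/40, but it now happens one attack sooner. Confirm against sshguard(8) that blacklisting on the first block is intended, or document in this comment block how the two thresholds relate.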
@@ -67,18 +70,20 @@ rcvar=sshguard_enable
load_rc_config sshguard
: ${sshguard_enable:=NO}
-: ${sshguard_blacklist=40:/var/db/sshguard/blacklist.db}
-: ${sshguard_safety_thresh=40}
-: ${sshguard_pardon_min_interval=420}
-: ${sshguard_prescribe_interval=1200}
+: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
+: ${sshguard_danger_thresh=30}
+: ${sshguard_release_interval=120}
+: ${sshguard_reset_interval=1200}
: ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
+pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
+
command=/usr/sbin/daemon
actual_command="%%PREFIX%%/sbin/sshguard"
procname="${actual_command}"
start_precmd=sshguard_prestart
-command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile}"
+command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
sshguard_prestart()
{
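Review bot: The defaults block drops sshguard_safety_thresh, sshguard_pardon_min_interval and sshguard_prescribe_interval with no fallback, so an rc.conf that still sets the old names is ignored without warning and the daemon starts with -a 30 -p 120 -s 1200. For a blocking tool that is a silent change in enforcement after an upgrade. Suggest defaulting each new variable from its old name, or calling warn from sshguard_prestart when an old name is still set. Separately, command_args passes the PID file with `-i ${pidfile}` while the commit log calls the PID file option -p, and -p on this same line is the release interval; the flag should be confirmed against sshguard(8) and the log text brought in line with it.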