[v2] package/sshguard: new package
diff mbox series

Message ID 1563307012-3724-1-git-send-email-angelo@amarulasolutions.com
State Accepted
Commit d335e44d91a18be877f1036802f1bb9bd5bb256d
Headers show
Series
  • [v2] package/sshguard: new package
Related show

Commit Message

Angelo Compagnucci July 16, 2019, 7:56 p.m. UTC
sshguard protects hosts from brute-force attacks against SSH and other
services.

Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
---
CHANGELOG:
v1->v2:
* Fixed license (suggested by Thomas)
* Fixed sysv script (suggested by Thomas)
* Moved from using git to use tarball

 DEVELOPERS                     |  1 +
 package/Config.in              |  1 +
 package/sshguard/Config.in     | 10 +++++++++
 package/sshguard/S39sshguard   | 50 ++++++++++++++++++++++++++++++++++++++++++
 package/sshguard/sshguard.hash |  3 +++
 package/sshguard/sshguard.mk   | 34 ++++++++++++++++++++++++++++
 6 files changed, 99 insertions(+)
 create mode 100644 package/sshguard/Config.in
 create mode 100644 package/sshguard/S39sshguard
 create mode 100644 package/sshguard/sshguard.hash
 create mode 100644 package/sshguard/sshguard.mk

Comments

Peter Korsgaard Aug. 3, 2019, 9:06 a.m. UTC | #1
>>>>> "Angelo" == Angelo Compagnucci <angelo@amarulasolutions.com> writes:

 > sshguard protects hosts from brute-force attacks against SSH and other
 > services.

 > Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
 > ---
 > CHANGELOG:
 > v1-> v2:
 > * Fixed license (suggested by Thomas)
 > * Fixed sysv script (suggested by Thomas)
 > * Moved from using git to use tarball

 >  DEVELOPERS                     |  1 +
 >  package/Config.in              |  1 +
 >  package/sshguard/Config.in     | 10 +++++++++
 >  package/sshguard/S39sshguard   | 50 ++++++++++++++++++++++++++++++++++++++++++
 >  package/sshguard/sshguard.hash |  3 +++
 >  package/sshguard/sshguard.mk   | 34 ++++++++++++++++++++++++++++
 >  6 files changed, 99 insertions(+)

This had a number of check-package warnings, please consider running
check-package before submitting in the future, thanks.

> diff --git a/package/sshguard/Config.in b/package/sshguard/Config.in
 > new file mode 100644
 > index 0000000..6bf1800
 > --- /dev/null
 > +++ b/package/sshguard/Config.in
 > @@ -0,0 +1,10 @@
 > +config BR2_PACKAGE_SSHGUARD
 > +	bool "sshguard"
 > +	depends on BR2_PACKAGE_IPTABLES

Iptables doesn't have a lot of strange dependencies, so I think it makes
more sense to use a select here. We also normally add a # runtime
comment to explain why we don't need to add it to _DEPENDENCIES.


 > +++ b/package/sshguard/S39sshguard
 > @@ -0,0 +1,50 @@
 > +#!/bin/sh
 > +
 > +DAEMON="sshguard"
 > +PIDFILE="/var/run/$DAEMON.pid"
 > +
 > +start() {
 > +	printf 'Starting %s: ' "$DAEMON"
 > +	iptables -L sshguard > /dev/null 2>&1 || \
 > +	(iptables -N sshguard && \
> +	iptables -A INPUT -j sshguard)

Indentation / wrapping looks a bit odd here.

 > +++ b/package/sshguard/sshguard.mk
 > @@ -0,0 +1,34 @@
 > +################################################################################
 > +#
 > +# sshguard
 > +#
 > +################################################################################
 > +
 > +SSHGUARD_VERSION = 2.4.0
 > +SSHGUARD_SOURCE = sshguard-$(SSHGUARD_VERSION).tar.gz

It is the default, so can be dropped.

> +SSHGUARD_SITE = https://sourceforge.net/projects/sshguard/files/sshguard/$(SSHGUARD_VERSION)
 > +SSHGUARD_LICENSE = MIT, X11, GPL-2.0+, Public Domain, ISC

That is quite creative ;) The main license seems to be ISC, with the
hash functions public domain and the SimCList code BSD-3-Clause. I do
not see MIT or X11 code anywhere (except for the oneliner reference in
install-sh, but that isn't used on the target). The only GPL reference I
see is in the parser generated by bison, but that has an exception
saying:

As a special exception, you may create a larger work that contains
part or all of the Bison parser skeleton and distribute that work
under terms of your choice

So I simply made this:

SSHGUARD_LICENSE = ISC, Public Domain (fnv hash), BSD-3-Clause (SimCList)

 > +define SSHGUARD_INSTALL_CONFIG
 > +	$(INSTALL) -D -m 0644 $(@D)/examples/sshguard.conf.sample \
 > +		$(TARGET_DIR)/etc/sshguard.conf
 > +	$(SED) '/^#BACKEND/c\BACKEND="/usr/libexec/sshg-fw-iptables"' $(TARGET_DIR)/etc/sshguard.conf
 > +	$(SED) '/^#FILES/c\FILES="/var/log/messages"' $(TARGET_DIR)/etc/sshguard.conf

NIT: This could be done in a single sed invocationm which would also
shorten the very long line.

 > +endef
 > +SSHGUARD_POST_INSTALL_TARGET_HOOKS += SSHGUARD_INSTALL_CONFIG
 > +
 > +define SSHGUARD_INSTALL_INIT_SYSV
 > +	$(INSTALL) -D -m 755 package/sshguard/S39sshguard \
 > +		$(TARGET_DIR)/etc/init.d/S39sshguard
 > +endef

I don't see why this should be S39 when we only bring up the network in
S40 and start ssh servers at S50, so I've changed this to S49.

Committed with these fixes, thanks.

Patch
diff mbox series

diff --git a/DEVELOPERS b/DEVELOPERS
index 4ab4e36..61e11b5 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -175,6 +175,7 @@  F:	package/python-can/
 F:	package/python-pillow/
 F:	package/python-pydal/
 F:	package/python-web2py/
+F:	package/sshguard/
 F:	package/sysdig/
 
 N:	Anisse Astier <anisse@astier.eu>
diff --git a/package/Config.in b/package/Config.in
index 90dddfd..03b86f6 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2052,6 +2052,7 @@  endif
 	source "package/spice/Config.in"
 	source "package/spice-protocol/Config.in"
 	source "package/squid/Config.in"
+	source "package/sshguard/Config.in"
 	source "package/sshpass/Config.in"
 	source "package/sslh/Config.in"
 	source "package/strongswan/Config.in"
diff --git a/package/sshguard/Config.in b/package/sshguard/Config.in
new file mode 100644
index 0000000..6bf1800
--- /dev/null
+++ b/package/sshguard/Config.in
@@ -0,0 +1,10 @@ 
+config BR2_PACKAGE_SSHGUARD
+	bool "sshguard"
+	depends on BR2_PACKAGE_IPTABLES
+	help
+	  sshguard protects hosts from brute-force attacks against SSH and
+	  other services. It aggregates system logs and blocks repeat offenders
+	  using one of several firewall backends, including iptables, ipfw,
+	  and pf.
+
+	  https://www.sshguard.net
diff --git a/package/sshguard/S39sshguard b/package/sshguard/S39sshguard
new file mode 100644
index 0000000..d277b9a
--- /dev/null
+++ b/package/sshguard/S39sshguard
@@ -0,0 +1,50 @@ 
+#!/bin/sh
+
+DAEMON="sshguard"
+PIDFILE="/var/run/$DAEMON.pid"
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	iptables -L sshguard > /dev/null 2>&1 || \
+	(iptables -N sshguard && \
+	iptables -A INPUT -j sshguard)
+	start-stop-daemon -S -q -b -p /run/sshguard.pid \
+		-x /usr/sbin/sshguard -- -i /run/sshguard.pid
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
diff --git a/package/sshguard/sshguard.hash b/package/sshguard/sshguard.hash
new file mode 100644
index 0000000..5b9a0f0
--- /dev/null
+++ b/package/sshguard/sshguard.hash
@@ -0,0 +1,3 @@ 
+# sha256 from https://sourceforge.net/projects/sshguard/files/sshguard/2.4.0/sshguard-2.4.0.sha256
+sha256  065ca4091b3a96802714b560dbbc3d9f0e67574e99e2b6e8857aa1027d17d6c0  sshguard-2.4.0.tar.gz
+sha256  c3ae64f12153a1bc55bc234d09f40a08ab0e0149fffc972c0b7f02d5a12c1a5c  COPYING
diff --git a/package/sshguard/sshguard.mk b/package/sshguard/sshguard.mk
new file mode 100644
index 0000000..1ec137e
--- /dev/null
+++ b/package/sshguard/sshguard.mk
@@ -0,0 +1,34 @@ 
+################################################################################
+#
+# sshguard
+#
+################################################################################
+
+SSHGUARD_VERSION = 2.4.0
+SSHGUARD_SOURCE = sshguard-$(SSHGUARD_VERSION).tar.gz
+SSHGUARD_SITE = https://sourceforge.net/projects/sshguard/files/sshguard/$(SSHGUARD_VERSION)
+SSHGUARD_LICENSE = MIT, X11, GPL-2.0+, Public Domain, ISC
+SSHGUARD_LICENSE_FILES = COPYING
+
+define SSHGUARD_INSTALL_CONFIG
+	$(INSTALL) -D -m 0644 $(@D)/examples/sshguard.conf.sample \
+		$(TARGET_DIR)/etc/sshguard.conf
+	$(SED) '/^#BACKEND/c\BACKEND="/usr/libexec/sshg-fw-iptables"' $(TARGET_DIR)/etc/sshguard.conf
+	$(SED) '/^#FILES/c\FILES="/var/log/messages"' $(TARGET_DIR)/etc/sshguard.conf
+endef
+SSHGUARD_POST_INSTALL_TARGET_HOOKS += SSHGUARD_INSTALL_CONFIG
+
+define SSHGUARD_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 package/sshguard/S39sshguard \
+		$(TARGET_DIR)/etc/init.d/S39sshguard
+endef
+
+define SSHGUARD_INSTALL_INIT_SYSTEMD
+	$(INSTALL) -D -m 0644 $(@D)/examples/sshguard.service \
+		$(TARGET_DIR)/usr/lib/systemd/system/sshguard.service
+	mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
+	ln -fs ../../../../usr/lib/systemd/system/sshguard.service \
+		$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/sshguard.service
+endef
+
+$(eval $(autotools-package))