Date: Tue, 20 May 2014 19:18:40 GMT From: Jesse <jessefrgsmith@yahoo.ca> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/190034: port update: security/denyhosts Message-ID: <201405201918.s4KJIePL050046@cgiserv.freebsd.org> Resent-Message-ID: <201405201920.s4KJK0q9025948@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 190034
>Category: ports
>Synopsis: port update: security/denyhosts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue May 20 19:20:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator: Jesse
>Release: FreeBSD-10.0
>Organization:
RM
>Environment:
>Description:
Attached is a patch which brings the DenyHosts port up to date with the upstream project. DenyHosts has been worked after upstream was no longer being maintained. The new fork, DenyHost, offers an updated, drop-in replacement for the package. This updated fork includes security patches from Debian, Ubuntu and FreeBSD.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
diff -ruN /usr/ports/security/denyhosts/Makefile denyhosts/Makefile
--- /usr/ports/security/denyhosts/Makefile 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/Makefile 2014-05-20 15:40:52.381269794 -0300
@@ -1,15 +1,15 @@
# Created by: Janos Mohacsi <janos.mohacsi@bsd.hu>
-# $FreeBSD$
+# $FreeBSD: head/security/denyhosts/Makefile 327769 2013-09-20 22:55:24Z bapt $
PORTNAME= denyhosts
-PORTVERSION= 2.6
-PORTREVISION= 4
+PORTVERSION= 2.7
+PORTREVISION= 1
CATEGORIES= security
-MASTER_SITES= SF
-DISTNAME= DenyHosts-${PORTVERSION}
+MASTER_SITES= SF/denyhost/denyhost-${PORTVERSION}
+DISTNAME= denyhosts-${PORTVERSION}
MAINTAINER= jmohacsi@bsd.hu
-COMMENT= Script to thwart ssh attacks
+COMMENT= Pythom script to thwart ssh attacks
USE_PYTHON= yes
USE_PYDISTUTILS= yes
@@ -22,17 +22,15 @@
PORTDOCS= CHANGELOG.txt LICENSE.txt README.txt
NO_STAGE= yes
+WRKSRC=${WRKDIR}/DenyHosts-${PORTVERSION}
post-patch:
@${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \
${WRKSRC}/daemon-control-dist \
- ${WRKSRC}/denyhosts.cfg-dist \
+ ${WRKSRC}/denyhosts.conf \
${WRKSRC}/setup.py
- @${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig
post-install:
- ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist
- [ -f ${PREFIX}/etc/denyhosts.conf ] || \
- ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf
+ ${INSTALL_DATA} ${WRKSRC}/denyhosts.conf ${PREFIX}/etc/denyhosts.conf
.if !defined(NOPORTDOCS)
@${MKDIR} ${DOCSDIR}
. for f in ${PORTDOCS}
diff -ruN /usr/ports/security/denyhosts/distinfo denyhosts/distinfo
--- /usr/ports/security/denyhosts/distinfo 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/distinfo 1969-12-31 20:00:00.000000000 -0400
@@ -1,2 +0,0 @@
-SHA256 (DenyHosts-2.6.tar.gz) = 5190ead13a7238e3ccf328cb3b71b16716e1c73939909a4f3fa6904ba58ddf7d
-SIZE (DenyHosts-2.6.tar.gz) = 42667
diff -ruN /usr/ports/security/denyhosts/files/denyhosts.in denyhosts/files/denyhosts.in
--- /usr/ports/security/denyhosts/files/denyhosts.in 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/denyhosts.in 2014-05-20 15:40:52.467268912 -0300
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $FreeBSD$
+# $FreeBSD: head/security/denyhosts/files/denyhosts.in 340872 2014-01-24 00:14:07Z mat $
#
# PROVIDE: denyhosts
# REQUIRE: DAEMON
diff -ruN /usr/ports/security/denyhosts/files/patch-DenyHosts_regex.py denyhosts/files/patch-DenyHosts_regex.py
--- /usr/ports/security/denyhosts/files/patch-DenyHosts_regex.py 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/patch-DenyHosts_regex.py 1969-12-31 20:00:00.000000000 -0400
@@ -1,11 +0,0 @@
---- DenyHosts/regex.py.orig Sat Jun 23 14:32:34 2007
-+++ DenyHosts/regex.py Sat Jun 23 14:32:58 2007
-@@ -17,7 +17,7 @@
-
- FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
-
--FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
-+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
-
- FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
-
diff -ruN /usr/ports/security/denyhosts/files/patch-daemon-control-dist denyhosts/files/patch-daemon-control-dist
--- /usr/ports/security/denyhosts/files/patch-daemon-control-dist 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/patch-daemon-control-dist 2014-05-20 16:11:13.908240851 -0300
@@ -1,18 +1,15 @@
-
-$FreeBSD$
-
---- daemon-control-dist.orig
-+++ daemon-control-dist
+--- ./daemon-control-dist.orig 2014-05-16 21:23:56.000000000 -0300
++++ ./daemon-control-dist 2014-05-20 16:10:29.066444772 -0300
@@ -11,9 +11,9 @@
#### Edit these to suit your configuration ####
###############################################
--DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
--DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
--DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
-+DENYHOSTS_BIN = "%%PREFIX%%/bin/denyhosts.py"
-+DENYHOSTS_LOCK = "/var/run/denyhosts"
-+DENYHOSTS_CFG = "%%PREFIX%%/share/denyhosts/denyhosts.cfg"
+-DENYHOSTS_BIN = "/usr/sbin/denyhosts"
+-DENYHOSTS_LOCK = "/run/denyhosts.pid"
+-DENYHOSTS_CFG = "/etc/denyhosts.conf"
++DENYHOSTS_BIN = "/usr/local/bin/denyhosts"
++DENYHOSTS_LOCK = "/var/run/denyhostS"
++DENYHOSTS_CFG = "/usr/local/etc/denyhosts.conf"
+ PYTHON_BIN = "/usr/bin/env python"
- ###############################################
diff -ruN /usr/ports/security/denyhosts/files/patch-denyhosts.cfg-dist denyhosts/files/patch-denyhosts.cfg-dist
--- /usr/ports/security/denyhosts/files/patch-denyhosts.cfg-dist 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/patch-denyhosts.cfg-dist 1969-12-31 20:00:00.000000000 -0400
@@ -1,79 +0,0 @@
-
-$FreeBSD$
-
---- denyhosts.cfg-dist.orig
-+++ denyhosts.cfg-dist
-@@ -9,10 +9,10 @@
- # argument
- #
- # Redhat or Fedora Core:
--SECURE_LOG = /var/log/secure
-+#SECURE_LOG = /var/log/secure
- #
- # Mandrake, FreeBSD or OpenBSD:
--#SECURE_LOG = /var/log/auth.log
-+SECURE_LOG = /var/log/auth.log
- #
- # SuSE:
- #SECURE_LOG = /var/log/messages
-@@ -31,7 +31,7 @@
- # HOSTS_DENY: the file which contains restricted host access information
- #
- # Most operating systems:
--HOSTS_DENY = /etc/hosts.deny
-+HOSTS_DENY = /etc/hosts.deniedssh
- #
- # Some BSD (FreeBSD) Unixes:
- #HOSTS_DENY = /etc/hosts.allow
-@@ -90,7 +90,7 @@
- # To block all services for the offending host:
- #BLOCK_SERVICE = ALL
- # To block only sshd:
--BLOCK_SERVICE = sshd
-+#BLOCK_SERVICE = sshd
- # To only record the offending host and nothing else (if using
- # an auxilary file to list the hosts). Refer to:
- # http://denyhosts.sourceforge.net/faq.html#aux
-@@ -150,7 +150,7 @@
- # Note: it is recommended that you use an absolute pathname
- # for this value (eg. /home/foo/denyhosts/data)
- #
--WORK_DIR = /usr/share/denyhosts/data
-+WORK_DIR = %%PREFIX%%/share/denyhosts/data
- #
- #######################################################################
-
-@@ -176,7 +176,7 @@
- # the corresponding hostname will be looked up and reported as well
- # (if available).
- #
--HOSTNAME_LOOKUP=YES
-+HOSTNAME_LOOKUP=NO
- #
- ######################################################################
-
-@@ -192,10 +192,10 @@
- # running at a time.
- #
- # Redhat/Fedora:
--LOCK_FILE = /var/lock/subsys/denyhosts
-+#LOCK_FILE = /var/lock/subsys/denyhosts
- #
--# Debian
--#LOCK_FILE = /var/run/denyhosts.pid
-+# Debian (and FreeBSD)
-+LOCK_FILE = /var/run/denyhosts.pid
- #
- # Misc
- #LOCK_FILE = /tmp/denyhosts.lock
-@@ -414,7 +414,9 @@
- # See this faq entry for more details:
- # http://denyhosts.sf.net/faq.html#userdef_regex
- #
--#USERDEF_FAILED_ENTRY_REGEX=
-+USERDEF_FAILED_ENTRY_REGEX=[a|A]uthentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
-+USERDEF_FAILED_ENTRY_REGEX=[a|A]uthentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (?P<host>.*)
-+# sorry no entries for IPv6 address yet :(
- #
- #
- ######################################################################
diff -ruN /usr/ports/security/denyhosts/files/patch-denyhosts.conf denyhosts/files/patch-denyhosts.conf
--- /usr/ports/security/denyhosts/files/patch-denyhosts.conf 1969-12-31 20:00:00.000000000 -0400
+++ denyhosts/files/patch-denyhosts.conf 2014-05-20 16:11:13.929231518 -0300
@@ -0,0 +1,67 @@
+--- ./denyhosts.conf.orig 2014-05-17 16:04:14.000000000 -0300
++++ ./denyhosts.conf 2014-05-20 16:11:04.932200769 -0300
+@@ -12,7 +12,7 @@
+ #SECURE_LOG = /var/log/secure
+ #
+ # Mandrake, FreeBSD or OpenBSD:
+-#SECURE_LOG = /var/log/auth.log
++SECURE_LOG = /var/log/auth.log
+ #
+ # SuSE:
+ #SECURE_LOG = /var/log/messages
+@@ -25,7 +25,7 @@
+ #SECURE_LOG=/private/var/log/system.log
+ #
+ # Debian and Ubuntu
+-SECURE_LOG = /var/log/auth.log
++#SECURE_LOG = /var/log/auth.log
+ ########################################################################
+
+ ########################################################################
+@@ -33,7 +33,7 @@
+ # HOSTS_DENY: the file which contains restricted host access information
+ #
+ # Most operating systems:
+-HOSTS_DENY = /etc/hosts.deny
++HOSTS_DENY = /etc/hosts.deniedssh
+ #
+ # Some BSD (FreeBSD) Unixes:
+ #HOSTS_DENY = /etc/hosts.allow
+@@ -152,7 +152,7 @@
+ # Note: it is recommended that you use an absolute pathname
+ # for this value (eg. /home/foo/denyhosts/data)
+ #
+-WORK_DIR = /var/lib/denyhosts
++WORK_DIR = /usr/local/share/denyhosts/data
+ #
+ #######################################################################
+
+@@ -164,7 +164,7 @@
+ # Note: it is recommended that you use an absolute pathname
+ # for this value (eg. /etc or /usr/local/etc)
+ #
+-ETC_DIR = /etc
++ETC_DIR = /usr/local/etc
+ #
+ #######################################################################
+
+@@ -210,7 +210,7 @@
+ # Redhat/Fedora:
+ #LOCK_FILE = /var/lock/subsys/denyhosts
+ #
+-# Debian
++# Debian and FreeBSD
+ LOCK_FILE = /var/run/denyhosts.pid
+ #
+ # Misc
+@@ -430,7 +430,9 @@
+ # See this faq entry for more details:
+ # http://denyhosts.sf.net/faq.html#userdef_regex
+ #
+-#USERDEF_FAILED_ENTRY_REGEX=
++USERDEF_FAILED_ENTRY_REGEX=[a|A]uthentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
++USERDEF_FAILED_ENTRY_REGEX=[a|A]uthentication error for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) from (?P<host>.*)
++
+ #
+ #
+ ######################################################################
diff -ruN /usr/ports/security/denyhosts/files/patch-scripts_restrited-from-passwd.py denyhosts/files/patch-scripts_restrited-from-passwd.py
--- /usr/ports/security/denyhosts/files/patch-scripts_restrited-from-passwd.py 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/patch-scripts_restrited-from-passwd.py 1969-12-31 20:00:00.000000000 -0400
@@ -1,11 +0,0 @@
---- scripts/restricted_from_passwd.py.orig 2008-11-26 12:06:31.231726279 -0500
-+++ scripts/restricted_from_passwd.py 2008-11-26 12:06:36.696728675 -0500
-@@ -11,7 +11,7 @@
- #
- ############################################################################
-
--RESTRICTED_SHELLS = ("/sbin/nologin",
-+RESTRICTED_SHELLS = ("/usr/sbin/nologin",
- "/sbin/shutdown",
- "/sbin/halt")
-
diff -ruN /usr/ports/security/denyhosts/files/patch-setup.py denyhosts/files/patch-setup.py
--- /usr/ports/security/denyhosts/files/patch-setup.py 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/files/patch-setup.py 1969-12-31 20:00:00.000000000 -0400
@@ -1,27 +0,0 @@
-
-$FreeBSD$
-
---- setup.py.orig
-+++ setup.py
-@@ -8,7 +8,7 @@
- from glob import glob
-
-
--libpath = "/usr/share/denyhosts"
-+libpath = "%%PREFIX%%/share/denyhosts"
- scriptspath = "%s/scripts" % libpath
- pluginspath = "%s/plugins" % libpath
-
-@@ -26,11 +26,8 @@
- data_files=[(libpath, glob("denyhosts.cfg-dist")),
- (libpath, glob("setup.py")),
- (libpath, glob("daemon-control-dist")),
-- (libpath, glob("CHANGELOG.txt")),
-- (libpath, glob("README.txt")),
- (scriptspath, glob("scripts/*")),
-- (pluginspath, glob("plugins/*")),
-- (libpath, glob("LICENSE.txt"))],
-+ (pluginspath, glob("plugins/*"))],
- license="GPL v2",
- ##extra_path='denyhosts',
- long_description="""
diff -ruN /usr/ports/security/denyhosts/pkg-descr denyhosts/pkg-descr
--- /usr/ports/security/denyhosts/pkg-descr 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/pkg-descr 2014-05-20 15:40:52.490263817 -0300
@@ -14,8 +14,8 @@
- Keeps track of suspicious logins
- Keeps track of the file offset, so that you can reparse the same file
- When the log file is rotated, the script will detect it
-- Appends /etc/hosts.allow
+- Appends /etc/hosts.deny
- Optionally sends an email of newly banned hosts and suspicious logins.
- Resolves IP addresses to hostnames, if you want
-WWW: http://denyhosts.sourceforge.net/
+WWW: http://denyhost.sourceforge.net/
diff -ruN /usr/ports/security/denyhosts/pkg-plist denyhosts/pkg-plist
--- /usr/ports/security/denyhosts/pkg-plist 2014-03-13 08:38:39.000000000 -0300
+++ denyhosts/pkg-plist 2014-05-20 16:08:11.632233690 -0300
@@ -1,16 +1,5 @@
bin/denyhosts.py
-@unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi
-etc/denyhosts.conf-dist
-@exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf
-%%DATADIR%%/daemon-control-dist
-%%DATADIR%%/denyhosts.cfg-dist
-%%DATADIR%%/setup.py
-%%DATADIR%%/scripts/restricted_from_invalid.py
-%%DATADIR%%/scripts/restricted_from_passwd.py
-%%DATADIR%%/plugins/README.contrib
-%%DATADIR%%/plugins/shorewall_allow.sh
-%%DATADIR%%/plugins/shorewall_deny.sh
-%%DATADIR%%/plugins/test_deny.py
+etc/denyhosts.conf
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo
@@ -75,6 +64,3 @@
%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc
%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo
@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts
-@dirrm %%DATADIR%%/scripts
-@dirrm %%DATADIR%%/plugins
-@dirrm %%DATADIR%%
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201405201918.s4KJIePL050046>