Date: Sat, 5 Apr 2014 19:44:15 +0000 (UTC) From: Olli Hauer <ohauer@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r350260 - in head/security/denyhosts: . files Message-ID: <201404051944.s35JiFk5053000@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ohauer Date: Sat Apr 5 19:44:15 2014 New Revision: 350260 URL: http://svnweb.freebsd.org/changeset/ports/350260 QAT: https://qat.redports.org/buildarchive/r350260/ Log: - add stage support - use PYDISTUTILS_AUTOPLIST - rename patch files to reflect `make makepatch' naming - fix possible DOS reported on: http://seclists.org/oss-sec/2013/q4/535 PR: ports/185141 Submitted by: ohauer Approved by: maintainer timeout Added: head/security/denyhosts/files/patch-DenyHosts__regex.py - copied, changed from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py - copied, changed from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Deleted: head/security/denyhosts/files/patch-DenyHosts_regex.py head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Modified: head/security/denyhosts/Makefile head/security/denyhosts/pkg-descr head/security/denyhosts/pkg-plist Modified: head/security/denyhosts/Makefile ============================================================================== --- head/security/denyhosts/Makefile Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/Makefile Sat Apr 5 19:44:15 2014 (r350260) @@ -3,7 +3,7 @@ PORTNAME= denyhosts PORTVERSION= 2.6 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MASTER_SITES= SF DISTNAME= DenyHosts-${PORTVERSION} @@ -11,9 +11,19 @@ DISTNAME= DenyHosts-${PORTVERSION} MAINTAINER= jmohacsi@bsd.hu COMMENT= Script to thwart ssh attacks +LICENSE= GPLv2 + USE_PYTHON= yes USE_PYDISTUTILS= yes -PYDISTUTILS_PKGNAME= DenyHosts +PYDISTUTILS_AUTOPLIST= yes + +USES= shebangfix +env_OLD_CMD= /bin/env +env_CMD= ${SETENV} +SHEBANG_LANG= python env +SHEBANG_FILES= plugins/test_deny.py \ + scripts/restricted_from_invalid.py \ + scripts/restricted_from_passwd.py USE_RC_SUBR= denyhosts SUB_LIST+= PYTHON=${PYTHON_CMD} @@ -21,24 +31,20 @@ SUB_FILES= pkg-message PORTDOCS= CHANGELOG.txt LICENSE.txt README.txt -NO_STAGE= yes post-patch: @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \ ${WRKSRC}/daemon-control-dist \ ${WRKSRC}/denyhosts.cfg-dist \ ${WRKSRC}/setup.py - @${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig + +pre-install: + @${FIND} ${WRKSRC} -type f \( -name \*.bak -o -name \*.orig \) -delete post-install: - ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist - [ -f ${PREFIX}/etc/denyhosts.conf ] || \ - ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf -.if !defined(NOPORTDOCS) - @${MKDIR} ${DOCSDIR} -. for f in ${PORTDOCS} - ${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR} -. endfor -.endif - @${CAT} ${PKGMESSAGE} + ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist \ + ${STAGEDIR}${PREFIX}/etc/denyhosts.conf-dist + + @${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR} .include <bsd.port.mk> Copied and modified: head/security/denyhosts/files/patch-DenyHosts__regex.py (from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py) ============================================================================== --- head/security/denyhosts/files/patch-DenyHosts_regex.py Sat Apr 5 16:08:16 2014 (r350242, copy source) +++ head/security/denyhosts/files/patch-DenyHosts__regex.py Sat Apr 5 19:44:15 2014 (r350260) @@ -1,11 +1,44 @@ ---- DenyHosts/regex.py.orig Sat Jun 23 14:32:34 2007 -+++ DenyHosts/regex.py Sat Jun 23 14:32:58 2007 -@@ -17,7 +17,7 @@ +# Patch shaped from http://seclists.org/oss-sec/2013/q4/535 +=================================================================== +--- ./DenyHosts/regex.py.orig 2006-12-07 20:47:04.000000000 +0100 ++++ ./DenyHosts/regex.py 2013-12-23 17:17:42.000000000 +0100 +@@ -6,22 +6,22 @@ - FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""") + #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""") + +-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""") ++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""") + #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""") + +-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX3 = None + +-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""") ++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""") -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""") -+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""") ++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""") + +-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""") ++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""") + + + # these are reserved for future versions +@@ -42,7 +42,7 @@ + FAILED_ENTRY_REGEX_MAP[i] = rx + + +-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") - FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") + TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""") Copied and modified: head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py (from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py) ============================================================================== --- head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Sat Apr 5 16:08:16 2014 (r350242, copy source) +++ head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py Sat Apr 5 19:44:15 2014 (r350260) @@ -1,11 +1,10 @@ ---- scripts/restricted_from_passwd.py.orig 2008-11-26 12:06:31.231726279 -0500 -+++ scripts/restricted_from_passwd.py 2008-11-26 12:06:36.696728675 -0500 -@@ -11,7 +11,7 @@ - # +--- ./scripts/restricted_from_passwd.py.orig 2013-12-28 18:51:41.000000000 +0100 ++++ ./scripts/restricted_from_passwd.py 2013-12-28 18:51:41.000000000 +0100 +@@ -12,6 +12,7 @@ ############################################################################ --RESTRICTED_SHELLS = ("/sbin/nologin", -+RESTRICTED_SHELLS = ("/usr/sbin/nologin", + RESTRICTED_SHELLS = ("/sbin/nologin", ++ "/usr/sbin/nologin", "/sbin/shutdown", "/sbin/halt") Modified: head/security/denyhosts/pkg-descr ============================================================================== --- head/security/denyhosts/pkg-descr Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/pkg-descr Sat Apr 5 19:44:15 2014 (r350260) @@ -18,4 +18,4 @@ Denyhosts helps you: - Optionally sends an email of newly banned hosts and suspicious logins. - Resolves IP addresses to hostnames, if you want -WWW: http://denyhosts.sourceforge.net/ +WWW: http://denyhosts.sourceforge.net/ Modified: head/security/denyhosts/pkg-plist ============================================================================== --- head/security/denyhosts/pkg-plist Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/pkg-plist Sat Apr 5 19:44:15 2014 (r350260) @@ -1,80 +1,3 @@ -bin/denyhosts.py @unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi etc/denyhosts.conf-dist @exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf -%%DATADIR%%/daemon-control-dist -%%DATADIR%%/denyhosts.cfg-dist -%%DATADIR%%/setup.py -%%DATADIR%%/scripts/restricted_from_invalid.py -%%DATADIR%%/scripts/restricted_from_passwd.py -%%DATADIR%%/plugins/README.contrib -%%DATADIR%%/plugins/shorewall_allow.sh -%%DATADIR%%/plugins/shorewall_deny.sh -%%DATADIR%%/plugins/test_deny.py -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/version.py -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.py -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/util.py -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.py -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.py -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/report.py -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.py -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.py -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.py -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo -@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts -@dirrm %%DATADIR%%/scripts -@dirrm %%DATADIR%%/plugins -@dirrm %%DATADIR%%
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404051944.s35JiFk5053000>