From: Olli Hauer Date: Sat, 5 Apr 2014 19:44:15 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r350260 - in head/security/denyhosts: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 05 Apr 2014 19:44:16 -0000 Author: ohauer Date: Sat Apr 5 19:44:15 2014 New Revision: 350260 URL: http://svnweb.freebsd.org/changeset/ports/350260 QAT: https://qat.redports.org/buildarchive/r350260/ Log: - add stage support - use PYDISTUTILS_AUTOPLIST - rename patch files to reflect `make makepatch' naming - fix possible DOS reported on: http://seclists.org/oss-sec/2013/q4/535 PR: ports/185141 Submitted by: ohauer Approved by: maintainer timeout Added: head/security/denyhosts/files/patch-DenyHosts__regex.py - copied, changed from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py - copied, changed from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Deleted: head/security/denyhosts/files/patch-DenyHosts_regex.py head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Modified: head/security/denyhosts/Makefile head/security/denyhosts/pkg-descr head/security/denyhosts/pkg-plist Modified: head/security/denyhosts/Makefile ============================================================================== --- head/security/denyhosts/Makefile Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/Makefile Sat Apr 5 19:44:15 2014 (r350260) @@ -3,7 +3,7 @@ PORTNAME= denyhosts PORTVERSION= 2.6 -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= security MASTER_SITES= SF DISTNAME= DenyHosts-${PORTVERSION} 
@@ -11,9 +11,19 @@ DISTNAME= DenyHosts-${PORTVERSION} MAINTAINER= jmohacsi@bsd.hu COMMENT= Script to thwart ssh attacks +LICENSE= GPLv2 + USE_PYTHON= yes USE_PYDISTUTILS= yes -PYDISTUTILS_PKGNAME= DenyHosts +PYDISTUTILS_AUTOPLIST= yes + +USES= shebangfix +env_OLD_CMD= /bin/env +env_CMD= ${SETENV} +SHEBANG_LANG= python env +SHEBANG_FILES= plugins/test_deny.py \ + scripts/restricted_from_invalid.py \ + scripts/restricted_from_passwd.py USE_RC_SUBR= denyhosts SUB_LIST+= PYTHON=${PYTHON_CMD} @@ -21,24 +31,20 @@ SUB_FILES= pkg-message PORTDOCS= CHANGELOG.txt LICENSE.txt README.txt -NO_STAGE= yes post-patch: @${REINPLACE_CMD} -e 's,%%PREFIX%%,${PREFIX},' \ ${WRKSRC}/daemon-control-dist \ ${WRKSRC}/denyhosts.cfg-dist \ ${WRKSRC}/setup.py - @${RM} ${WRKSRC}/scripts/restricted_from_passwd.py.orig + +pre-install: + @${FIND} ${WRKSRC} -type f \( -name \*.bak -o -name \*.orig \) -delete post-install: - ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf-dist - [ -f ${PREFIX}/etc/denyhosts.conf ] || \ - ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist ${PREFIX}/etc/denyhosts.conf -.if !defined(NOPORTDOCS) - @${MKDIR} ${DOCSDIR} -. for f in ${PORTDOCS} - ${INSTALL_DATA} ${WRKSRC}/${f} ${DOCSDIR} -. endfor -.endif - @${CAT} ${PKGMESSAGE} + ${INSTALL_DATA} ${WRKSRC}/denyhosts.cfg-dist \ + ${STAGEDIR}${PREFIX}/etc/denyhosts.conf-dist + + @${MKDIR} ${STAGEDIR}${DOCSDIR} + ${INSTALL_DATA} ${PORTDOCS:S|^|${WRKSRC}/|} ${STAGEDIR}${DOCSDIR} .include Copied and modified: head/security/denyhosts/files/patch-DenyHosts__regex.py (from r350242, head/security/denyhosts/files/patch-DenyHosts_regex.py) ============================================================================== --- head/security/denyhosts/files/patch-DenyHosts_regex.py Sat Apr 5 16:08:16 2014 (r350242, copy source) +++ head/security/denyhosts/files/patch-DenyHosts__regex.py Sat Apr 5 19:44:15 2014 (r350260) 
@@ -1,11 +1,44 @@ ---- DenyHosts/regex.py.orig Sat Jun 23 14:32:34 2007 -+++ DenyHosts/regex.py Sat Jun 23 14:32:58 2007 -@@ -17,7 +17,7 @@ +# Patch shaped from http://seclists.org/oss-sec/2013/q4/535 +=================================================================== +--- ./DenyHosts/regex.py.orig 2006-12-07 20:47:04.000000000 +0100 ++++ ./DenyHosts/regex.py 2013-12-23 17:17:42.000000000 +0100 +@@ -6,22 +6,22 @@ - FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) .*from (?P.*)""") + #DATE_FORMAT_REGEX = re.compile(r"""(?P[A-z]{3,3})\s*(?P\d+)""") + +-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P.*)""") ++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P.*)""") + #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P.*)""") + +-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P.*) for (?Pinvalid user |illegal user )?(?P.*?) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P\S*) for (?Pinvalid user |illegal user )?(?P.*) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P(Illegal|Invalid)) user (?P.*?) 
.*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P(Illegal|Invalid)) user (?P.*) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P.*) .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX3 = None + +-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) .*from (?P.*)""") ++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P.*) from (::ffff:)?(?P\S+)$""") -FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups""") -+FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) .*from (?P.*) not allowed because none of user's groups are listed in AllowGroups$""") ++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P.*) from (::ffff:)?(?P\S+) not allowed because none of user's groups are listed in AllowGroups$""") + +-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") + +-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P.*) not allowed because not listed in AllowUsers""") ++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P.*) from (::ffff:)?(?P\S+) not allowed because not listed in AllowUsers$""") + + + # these are reserved for future versions +@@ -42,7 +42,7 @@ + FAILED_ENTRY_REGEX_MAP[i] = rx + + +-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P.*) for (?P.*?) from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") ++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P\S+) for (?P.*?) 
from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""") - FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""") + TIME_SPEC_REGEX = re.compile(r"""(?P\d*)\s*(?P[smhdwy])?""") Copied and modified: head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py (from r350242, head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py) ============================================================================== --- head/security/denyhosts/files/patch-scripts_restrited-from-passwd.py Sat Apr 5 16:08:16 2014 (r350242, copy source) +++ head/security/denyhosts/files/patch-scripts__restricted_from_passwd.py Sat Apr 5 19:44:15 2014 (r350260) @@ -1,11 +1,10 @@ ---- scripts/restricted_from_passwd.py.orig 2008-11-26 12:06:31.231726279 -0500 -+++ scripts/restricted_from_passwd.py 2008-11-26 12:06:36.696728675 -0500 -@@ -11,7 +11,7 @@ - # +--- ./scripts/restricted_from_passwd.py.orig 2013-12-28 18:51:41.000000000 +0100 ++++ ./scripts/restricted_from_passwd.py 2013-12-28 18:51:41.000000000 +0100 +@@ -12,6 +12,7 @@ ############################################################################ --RESTRICTED_SHELLS = ("/sbin/nologin", -+RESTRICTED_SHELLS = ("/usr/sbin/nologin", + RESTRICTED_SHELLS = ("/sbin/nologin", ++ "/usr/sbin/nologin", "/sbin/shutdown", "/sbin/halt") Modified: head/security/denyhosts/pkg-descr ============================================================================== --- head/security/denyhosts/pkg-descr Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/pkg-descr Sat Apr 5 19:44:15 2014 (r350260) 
@@ -18,4 +18,4 @@ Denyhosts helps you: - Optionally sends an email of newly banned hosts and suspicious logins. - Resolves IP addresses to hostnames, if you want -WWW: http://denyhosts.sourceforge.net/ +WWW: http://denyhosts.sourceforge.net/ Modified: head/security/denyhosts/pkg-plist ============================================================================== --- head/security/denyhosts/pkg-plist Sat Apr 5 19:16:48 2014 (r350259) +++ head/security/denyhosts/pkg-plist Sat Apr 5 19:44:15 2014 (r350260) 
@@ -1,80 +1,3 @@ -bin/denyhosts.py @unexec if cmp -s %D/etc/denyhosts.conf %D/etc/denyhosts.conf-dist; then rm -f %D/etc/denyhosts.conf; fi etc/denyhosts.conf-dist @exec [ -f %B/denyhosts.conf ] || cp -f %B/%f %B/denyhosts.conf -%%DATADIR%%/daemon-control-dist -%%DATADIR%%/denyhosts.cfg-dist -%%DATADIR%%/setup.py -%%DATADIR%%/scripts/restricted_from_invalid.py -%%DATADIR%%/scripts/restricted_from_passwd.py -%%DATADIR%%/plugins/README.contrib -%%DATADIR%%/plugins/shorewall_allow.sh -%%DATADIR%%/plugins/shorewall_deny.sh -%%DATADIR%%/plugins/test_deny.py -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.py -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/loginattempt.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/version.py -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/version.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.py -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/lockfile.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.py -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/old-daemon.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/util.py -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/util.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.py -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/deny_hosts.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.py -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/plugin.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.py -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/purgecounter.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.py -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/constants.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.py -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/daemon.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.py 
-%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/allowedhosts.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/report.py -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/report.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.py -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/__init__.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.py -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/python_version.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.py -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/filetracker.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.py -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/counter.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.py -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/denyfileutil.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.py -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/prefs.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.py -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/regex.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.py -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/sync.pyo -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.py -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyc -%%PYTHON_SITELIBDIR%%/DenyHosts/restricted.pyo -@dirrm %%PYTHON_SITELIBDIR%%/DenyHosts -@dirrm %%DATADIR%%/scripts -@dirrm %%DATADIR%%/plugins -@dirrm %%DATADIR%%
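Review bot: In head/security/denyhosts/files/patch-DenyHosts__regex.py, the new `$` sits directly after the address group in FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2, FAILED_ENTRY_REGEX6 and SUCCESSFUL_ENTRY_REGEX, so a message with any text after the address no longer matches. sshd normally logs these as `Failed password for root from 192.0.2.1 port 22 ssh2` (constructed sample), and unless the trailing ` port N ssh2` is stripped before matching, the failed-login patterns would stop firing and DenyHosts would silently block nothing. Please test against real auth.log lines and, if needed, allow the optional port and protocol suffix before `$`. Separately, FAILED_ENTRY_REGEX6 still carries `.*from` where the other patterns were tightened to a literal ` from `, and `FAILED_ENTRY_REGEX3 = None` deserves a comment naming the pattern that now covers its case.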
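Review bot: In the head/security/denyhosts/Makefile hunk at `@@ -21,24 +31,20 @@`, post-install now installs PORTDOCS into `${STAGEDIR}${DOCSDIR}` unconditionally once the `.if !defined(NOPORTDOCS)` guard is removed, and none of the visible hunks adds a DOCS option. Consider `OPTIONS_DEFINE= DOCS` so the documentation stays optional. The new pre-install `find ... -delete` over all of `${WRKSRC}` is also broader than the single `${RM}` it replaces; a one-line comment on why it is needed (presumably to keep patch backup files out of the autogenerated plist) would help the next reader.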