From: Mark Felder
Date: Mon, 2 May 2016 16:26:04 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r414461 - in head/security/sshguard: . files

Author: feld
Date: Mon May 2 16:26:04 2016
New Revision: 414461
URL: https://svnweb.freebsd.org/changeset/ports/414461

Log:
  security/sshguard: Update to 1.6.4

  - Add PID file support back to rc script
  - Rename some rc script parameters to better align with sshguard(8)

    sshguard_safety_thresh -> sshguard_danger_thresh
    sshguard_pardon_min_interval -> sshguard_release_interval
    sshguard_prescribe_interval -> sshguard_reset_interval

  Release notes:

  This release brings updated signatures, usability improvements, and bug
  fixes. Highlights in this release include:

  - Match Postfix pre-authentication disconnects
  - Fix bashisms in iptables backend
  - Fix size argument in inet_ntop() call
  - Remove excessive logging when polling from files
  - Keep looking for unreadable files while polling
  - Update Dovecot signature for POP3
  - Match "Connection reset" message for SSH
  - Resurrect PID file option by popular demand
  - Adjust default abuse threshold

  Most notably, some default options have changed. The abuse threshold has
  been reduced to 30 (3 attacks) and the initial block time has been lowered
  to 2 minutes (from 7). These settings can be overridden from the command
  line. Package maintainers should check their scripts. The PID file option
  (-p) has been resurrected.

Added: head/security/sshguard/files/patch-man_sshguard.8 (contents, props changed) Deleted: head/security/sshguard/files/patch-src_sshguard__logsuck.c Modified: head/security/sshguard/Makefile head/security/sshguard/distinfo head/security/sshguard/files/pkg-message.in head/security/sshguard/files/sshguard.in Modified: head/security/sshguard/Makefile ============================================================================== --- head/security/sshguard/Makefile Mon May 2 16:14:46 2016 (r414460) +++ head/security/sshguard/Makefile Mon May 2 16:26:04 2016 (r414461) @@ -2,8 +2,8 @@ # $FreeBSD$ PORTNAME= sshguard -PORTVERSION= 1.6.3 -PORTREVISION= 1 +PORTVERSION= 1.6.4 +PORTREVISION= 0 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION} Modified: head/security/sshguard/distinfo ============================================================================== --- head/security/sshguard/distinfo Mon May 2 16:14:46 2016 (r414460) +++ head/security/sshguard/distinfo Mon May 2 16:26:04 2016 (r414461) @@ -1,2 +1,2 @@ -SHA256 (sshguard-1.6.3.tar.gz) = 6c4d3be2acf6349b4ac5d6fff4bbcd8fa988c82876d848cbbd0c7c99bc0438c7 -SIZE (sshguard-1.6.3.tar.gz) = 540130 +SHA256 (sshguard-1.6.4.tar.gz) = 654d5412ed010e500e2715ddeebfda57ab23c47a2bd30dfdc1e68c4f04c912a9 +SIZE (sshguard-1.6.4.tar.gz) = 546934 Added: head/security/sshguard/files/patch-man_sshguard.8 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/security/sshguard/files/patch-man_sshguard.8 Mon May 2 16:26:04 2016 (r414461) 
@@ -0,0 +1,20 @@ +--- man/sshguard.8.orig 2016-05-02 15:44:01 UTC ++++ man/sshguard.8 +@@ -84,7 +84,7 @@ at \fI\%http://www.sshguard.net/\fP\&. + .SH OPTIONS + .INDENT 0.0 + .TP +-.B \fB\-a\fP \fIthresh\fP (default 40) ++.B \fB\-a\fP \fIthresh\fP (default 30) + Block an attacker when its dangerousness exceeds \fIthresh\fP\&. Each attack + pattern that is matched contributes a fixed dangerousness of 10. + .TP +@@ -112,7 +112,7 @@ monitor instead. \fBsshguard\fP transpar + using this option, standard input is ignored, but can be re\-added by + giving \(aq\fB\-l\fP \-\(aq. + .TP +-.B \fB\-p\fP \fIinterval\fP (default 420 secs, or 7 minutes) ++.B \fB\-p\fP \fIinterval\fP (default 120 secs, or 2 minutes) + Wait at least \fIinterval\fP seconds before releasing a blocked address. + Repeat attackers are blocked for 1.5 times longer after each attack. + Because \fBsshguard\fP unblocks attackers only at infrequent intervals, Modified: head/security/sshguard/files/pkg-message.in ============================================================================== --- head/security/sshguard/files/pkg-message.in Mon May 2 16:14:46 2016 (r414460) +++ head/security/sshguard/files/pkg-message.in Mon May 2 16:26:04 2016 (r414461) 
@@ -7,4 +7,11 @@ rc.d script installed at %%PREFIX%%/etc/rc.d/sshguard . See sshguard(8) and http://www.sshguard.net/docs/setup for additional info. + + Please note that a few rc script parameters have been renamed to + better reflect the documentation: + + sshguard_safety_thresh -> sshguard_danger_thresh + sshguard_pardon_min_interval -> sshguard_release_interval + sshguard_prescribe_interval -> sshguard_reset_interval ########################################################################## Modified: head/security/sshguard/files/sshguard.in ============================================================================== --- head/security/sshguard/files/sshguard.in Mon May 2 16:14:46 2016 (r414460) +++ head/security/sshguard/files/sshguard.in Mon May 2 16:26:04 2016 (r414461) 
@@ -37,21 +37,24 @@ # Add the following lines to /etc/rc.conf to enable sshguard: # sshguard_enable (bool): Set to "NO" by default. # Set it to "YES" to enable sshguard +# sshguard_pidfile (str): Path to PID file. +# Set to "/var/run/sshguard.pid" by default # sshguard_watch_logs (str): Colon splitted list of logs to watch. # Set to "/var/log/auth.log:/var/log/maillog" # by default. # The following options directly maps to their command line options, # please read manual page sshguard(8) for detailed information: # sshguard_blacklist (str): [thr:]/path/to/blacklist. -# Set to "40:/var/db/sshguard/blacklist.db" +# Set to "30:/var/db/sshguard/blacklist.db" # by default. -# sshguard_safety_thresh (int): Safety threshold. Set to "40" by default. -# sshguard_pardon_min_interval (int): -# Minimum pardon interval. Set to "420" -# by default. -# sshguard_prescribe_interval (int): -# Prescribe interval. Set to "1200" by -# default. +# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default. +# sshguard_release_interval (int): +# Minimum interval an address remains +# blocked. Set to "120" by default. +# sshguard_reset_interval (int): +# Interval before a suspected attack is +# forgotten and danger is reset to 0. +# Set to "1200" by default. # sshguard_whitelistfile (str): Path to the whitelist. # Set to "%%PREFIX%%/etc/sshguard.whitelist" # by default. 
@@ -67,18 +70,20 @@ rcvar=sshguard_enable load_rc_config sshguard : ${sshguard_enable:=NO} -: ${sshguard_blacklist=40:/var/db/sshguard/blacklist.db} -: ${sshguard_safety_thresh=40} -: ${sshguard_pardon_min_interval=420} -: ${sshguard_prescribe_interval=1200} +: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db} +: ${sshguard_danger_thresh=30} +: ${sshguard_release_interval=120} +: ${sshguard_reset_interval=1200} : ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"} : ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog} +pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"} + command=/usr/sbin/daemon actual_command="%%PREFIX%%/sbin/sshguard" procname="${actual_command}" start_precmd=sshguard_prestart -command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_safety_thresh} -p ${sshguard_pardon_min_interval} -s ${sshguard_prescribe_interval} -w ${sshguard_whitelistfile}" +command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}" sshguard_prestart() {
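Review bot: In head/security/sshguard/files/patch-man_sshguard.8, the -a entry now says "(default 30)" but keeps the unchanged wording "Block an attacker when its dangerousness exceeds thresh" next to "a fixed dangerousness of 10". Read literally, that blocks on the fourth match (40 > 30), while the commit log describes the new default as "30 (3 attacks)". If the block is applied when the score reaches 30, the same patch hunk could change "exceeds" to "reaches" so that the man page and the log agree on when an address is blocked.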
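Review bot: In head/security/sshguard/files/pkg-message.in (hunk @@ -7,4 +7,11 @@), the added notice lists the three renames but says nothing about the old names no longer being read, or about the defaults that change in the same commit (danger threshold 40 to 30, release interval 420 to 120, per the sshguard.in hunks). An administrator who only reads this message after upgrading has no hint that a tuned sshguard_pardon_min_interval is now ignored and blocks last 120 seconds. Suggest adding one line that states the old variables are not honoured and one line with the old and new default values.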
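Review bot: In head/security/sshguard/files/sshguard.in (hunk @@ -67,18 +70,20 @@), the renamed defaults drop sshguard_safety_thresh, sshguard_pardon_min_interval and sshguard_prescribe_interval with no fallback, so an existing /etc/rc.conf that sets any of them is silently ignored and the new defaults 30 and 120 are passed to -a and -p instead. For a host that had lengthened the block time, this shortens blocks with no log line or error. Consider seeding each new name from the old one, for example `: ${sshguard_release_interval=${sshguard_pardon_min_interval:-120}}`, or emitting a warning from sshguard_prestart when an old name is set. Separately, command_args passes the PID file as `-i ${pidfile}` while the commit log names the option as -p, which this same line uses for the release interval; worth confirming against sshguard(8) and correcting whichever is wrong.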