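# EL6 has no systemd: build the SysV init script and logrotate config instead.
%{?el6:%global use_sysvinit 1}
# Per-backend configuration subpackages are enabled on RHEL >= 8 and on Fedora.
# The RHEL test has to be numeric: with quoted operands rpm compares strings,
# and "08" >= "8" is false, so the flag was never set on RHEL 8.
# As far as this spec shows, sshguard.conf is only generated when the flag is
# set, so an unset flag means the daemon is installed without any backend
# configured.
%if 0%{?rhel} >= 8 || 0%{?fedora}
%global use_subpackages 1
%endif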
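Name:           sshguard
Version:        2.4.0
Release:        11%{?dist}
# The entire source code is BSD
# except src/parser/* which is GPLv2+
# except src/blocker/hash_32a.c & src/blocker/fnv.h which are Public Domain
# the latter two get compiled in, the license is thus superseded
# src/parser/* is compiled into its own binary %%{_libexecdir}/%%{name}/sshg-parser
License:        BSD and GPLv2+
Summary:        Protects hosts from brute-force attacks against SSH and other services
# Project page and tarball are referenced over HTTPS so that a manual download
# of the sources is not exposed to on-path tampering.
# NOTE(review): this spec verifies no signature or checksum for Source0; the
# integrity of the tarball rests on whatever the build system pins outside of
# this file.
Url:            https://www.sshguard.net
Source0:        https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz
# Packaging-side files; their %%{...} placeholders are expanded during prep.
Source1:        %{name}.conf.in
Source2:        %{name}.whitelist
Source3:        %{name}.init
Source4:        %{name}.logrotate
# Presumably whitelists localhost, judging by the file name; the patch body is
# not part of this spec.
Patch0:         00-wl-localhost.patch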
# Bundled code is declared so that it can be found when one of these libraries
# needs a fix; neither copy is tracked by a separate package.
#
# fnv: a very small implementation of the FNV hash algorithm, not worth
# splitting into its own package. No updates since 2012, and upstream does not
# distribute it as a stand-alone library.
Provides:       bundled(fnv) = 5.0.2
# simclist: a small library, not worth splitting into its own package either.
# No updates since 2011.
Provides:       bundled(simclist) = 1.4.4

%if 0%{?use_subpackages}
# Pull in the configuration subpackage that matches whichever firewall
# frontend is already installed on the host.
Recommends:     (%{name}-nftables if nftables)
Recommends:     (%{name}-iptables if iptables-services)
Recommends:     (%{name}-firewalld if firewalld)
%endif
# Toolchain: C compiler plus the lexer/parser generators.
BuildRequires:  gcc flex byacc
Requires:       coreutils grep

%if 0%{?use_sysvinit}
# SysVinit hosts log to a file, which has to be rotated
Requires:           logrotate
# chkconfig registers and unregisters the init script in the scriptlets
Requires(post):     chkconfig
Requires(preun):    chkconfig
# initscripts provides /sbin/service, used to stop and restart the daemon
Requires(preun):    initscripts
Requires(postun):   initscripts
%else
Requires:       systemd
# The systemd scriptlet macros come from a dedicated package on Fedora 30+
# and from systemd itself everywhere else.
%if 0%{?fedora} > 29
BuildRequires:  systemd-rpm-macros
%else
BuildRequires:  systemd
%endif
%endif
%description
Sshguard protects hosts from brute-force attacks against SSH and other
services. It aggregates system logs and blocks repeat offenders using one of
several firewall backends.

Sshguard can read log messages from standard input or monitor one or more log
files. Log messages are parsed line by line for recognized patterns. If an
attack, such as several login failures within a few seconds, is detected, the
offending IP address is blocked. Offenders are unblocked after a set interval,
but can be semi-permanently banned using the blacklist option.
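%if 0%{?use_subpackages}
# Each subpackage ships one pre-filled configuration file. RemovePathPostfixes
# strips the backend suffix at install time, so all three provide the same
# path and therefore conflict with each other.
# The base package is required at the exact version-release: the configuration
# names a backend helper shipped by the base package, and an unversioned
# dependency would let the two drift apart on partial updates.

%package iptables
Summary:                Configuration for iptables backend of SSHGuard
Requires:               iptables-services
Requires:               %{name}%{?_isa} = %{version}-%{release}
Conflicts:              %{name}-firewalld %{name}-nftables
RemovePathPostfixes:    .iptables
%description iptables
Sshguard-iptables provides a configuration file for SSHGuard to use iptables
as the firewall backend.

%package firewalld
Summary:                Configuration for firewalld backend of SSHGuard
Requires:               firewalld ipset
Requires:               %{name}%{?_isa} = %{version}-%{release}
Conflicts:              %{name}-iptables %{name}-nftables
RemovePathPostfixes:    .firewalld
%description firewalld
Sshguard-firewalld provides a configuration file for SSHGuard to use firewalld
as the firewall backend.

%package nftables
Summary:                Configuration for nftables backend of SSHGuard
Requires:               nftables
Requires:               %{name}%{?_isa} = %{version}-%{release}
Conflicts:              %{name}-firewalld %{name}-iptables
RemovePathPostfixes:    .nftables
%description nftables
Sshguard-nftables provides a configuration file for SSHGuard to use nftables
as the firewall backend.
%endif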
#-- PREP, BUILD & INSTALL -----------------------------------------------------#
%prep
%autosetup -p1

# The packaging-side files (config template, whitelist, init script, logrotate
# snippet) carry literal %%{macro} placeholders; replace each one with the
# path this build actually uses.
# NOTE(review): sed -i edits the files where SOURCE1..SOURCE4 live, not copies
# in the build tree, so the source directory is modified by the build.
sed -i \
    -e "s|%%{_bindir}|%{_bindir}|g" \
    -e "s|%%{_sbindir}|%{_sbindir}|g" \
    -e "s|%%{_libexecdir}|%{_libexecdir}|g" \
    -e "s|%%{_sysconfdir}|%{_sysconfdir}|g" \
    -e "s|%%{_initddir}|%{_initddir}|g" \
    -e "s|%%{_localstatedir}|%{_localstatedir}|g" \
    -e "s|%%{_sharedstatedir}|%{_sharedstatedir}|g" \
    -e "s|%%{_rundir}|%{_rundir}|g" \
    -e "s|%%{_pkgdocdir}|%{_pkgdocdir}|g" \
    -e "s|%%{name}|%{name}|g" \
    %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4}
%build
# Helper binaries (parser, blocker, firewall backends) are placed in a private
# libexec subdirectory rather than on the PATH.
%configure \
    --prefix=%{_prefix} \
    --sysconfdir=%{_sysconfdir} \
    --sbindir=%{_sbindir} \
    --libexecdir=%{_libexecdir}/%{name}
%make_build
%install
%make_install

# Directories owned by the package: docs, configuration, and the state
# directory.
install -p -d -m 0755 \
    %{buildroot}/%{_pkgdocdir}/ \
    %{buildroot}/%{_sysconfdir}/ \
    %{buildroot}/%{_sharedstatedir}/%{name}/

%if 0%{?use_subpackages}
# One configuration file per backend, generated from the same template; the
# suffix is removed again by RemovePathPostfixes in the matching subpackage.
sed -e "s|__BACKEND__|sshg-fw-firewalld|g" %{SOURCE1} > %{buildroot}/%{_sysconfdir}/%{name}.conf.firewalld
sed -e "s|__BACKEND__|sshg-fw-nft-sets|g" %{SOURCE1} > %{buildroot}/%{_sysconfdir}/%{name}.conf.nftables
sed -e "s|__BACKEND__|sshg-fw-iptables|g" %{SOURCE1} > %{buildroot}/%{_sysconfdir}/%{name}.conf.iptables
# Files created through a shell redirect get umask-dependent modes; pin them.
chmod 0644 %{buildroot}/%{_sysconfdir}/%{name}.conf.*
%endif

install -p -m 0644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/%{name}.whitelist

%if 0%{?use_sysvinit}
install -p -d -m 0755 %{buildroot}/%{_initddir} %{buildroot}/%{_sysconfdir}/logrotate.d
install -p -m 0755 %{SOURCE3} %{buildroot}/%{_initddir}/%{name}
install -p -m 0644 %{SOURCE4} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
%else
install -p -d -m 0755 %{buildroot}/%{_unitdir}
# Adapt upstream's example unit: drop its pre-start step and point ExecStart
# at the packaged binary instead of /usr/local.
# NOTE(review): whatever the removed ExecStartPre line sets up is no longer
# done at service start - confirm that nothing on the host depends on it.
sed -i \
    -e "/ExecStartPre=/d" \
    -e "s|ExecStart=/usr/local/sbin/sshguard|ExecStart=%{_sbindir}/%{name}|g" \
    examples/%{name}.service
install -p -m 0644 examples/%{name}.service %{buildroot}/%{_unitdir}/
%endif

# cleanup of the examples directory before it is shipped as documentation:
# *.plist is only relevant for MacOS systems, and a service file is already
# shipped
rm examples/net.sshguard.plist examples/sshguard.service
%check
# Run upstream's test suite against the tree that was just built.
%{__make} check
#-- SCRIPTLETS -----------------------------------------------------------------#
%post
%if ! 0%{?use_sysvinit}
# systemd hosts: apply the distribution's preset policy for the unit.
%systemd_post %{name}.service
%else
# SysVinit hosts: create the /etc/rc*.d links for the init script.
/sbin/chkconfig --add %{_initddir}/%{name}
%endif
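%if 0%{?use_subpackages}
# With the iptables backend, sshguard does not auto-create its chain, so the
# chain is created and hooked into INPUT here, on first install only.
#
# NOTE(review): the save step persists the complete live ruleset, including
# rules other tools added at runtime, and nothing in this spec removes the
# chain again on uninstall - confirm both are intended.
%post iptables
if [ "$1" -eq 1 ]; then
    for ipt in iptables ip6tables; do
        # Create the chain only when it is missing; if that fails (for
        # example when installing into a chroot), leave this address family
        # and its saved rules alone.
        "${ipt}" -n -L sshguard >/dev/null 2>&1 || "${ipt}" -N sshguard || continue

        # Insert the jump at the head of INPUT instead of appending it: a
        # jump placed behind a catch-all ACCEPT or REJECT rule is never
        # reached, and sshguard's blocks would then have no effect.
        "${ipt}" -C INPUT -j sshguard 2>/dev/null || "${ipt}" -I INPUT -j sshguard || continue

        # Dump to a temporary file first. Redirecting straight into the
        # rules file truncates it before the save command runs, so a failing
        # save would leave the host with an empty persistent ruleset.
        rules="/etc/sysconfig/${ipt}"
        tmp=$(mktemp "${rules}.XXXXXX") || continue
        if "${ipt}-save" > "${tmp}"; then
            # Overwrite in place so that owner, mode and SELinux label of an
            # existing rules file are kept.
            cat "${tmp}" > "${rules}"
        fi
        rm -f "${tmp}"
    done
fi
# Never fail the transaction because of firewall setup problems.
exit 0
%endif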
%preun
%if 0%{?use_sysvinit}
# $1 is 0 only when the package is being erased, not on upgrade: stop the
# daemon and drop its runlevel links.
if [ "$1" -eq 0 ]; then
    /sbin/service %{name} stop >/dev/null 2>&1
    /sbin/chkconfig --del %{name}
fi
%else
%systemd_preun %{name}.service
%endif
%postun
%if 0%{?use_sysvinit}
# $1 >= 1 means an upgrade: restart the daemon if it was running so that the
# new binaries are the ones enforcing blocks. A failed restart is ignored.
if test "$1" -ge 1; then
    /sbin/service %{name} condrestart >/dev/null 2>&1 || :
fi
%else
%systemd_postun_with_restart %{name}.service
%endif
#-- FILES ---------------------------------------------------------------------#
%files
%license COPYING
%doc examples README.rst CONTRIBUTING.rst
%{_sbindir}/%{name}
%{_mandir}/man8/%{name}*
%{_mandir}/man7/%{name}*
# State directory, owned by the package
%dir %{_sharedstatedir}/%{name}/
# Private helpers: log reader, parser, blocker
%dir %{_libexecdir}/%{name}/
%{_libexecdir}/%{name}/sshg-logtail
%{_libexecdir}/%{name}/sshg-parser
%{_libexecdir}/%{name}/sshg-blocker
# Firewall backends; every backend is shipped in the base package, the
# configuration file decides which one is used
%{_libexecdir}/%{name}/sshg-fw-firewalld
%{_libexecdir}/%{name}/sshg-fw-hosts
%{_libexecdir}/%{name}/sshg-fw-ipfilter
%{_libexecdir}/%{name}/sshg-fw-ipfw
%{_libexecdir}/%{name}/sshg-fw-ipset
%{_libexecdir}/%{name}/sshg-fw-iptables
%{_libexecdir}/%{name}/sshg-fw-null
%{_libexecdir}/%{name}/sshg-fw-pf
%{_libexecdir}/%{name}/sshg-fw-nft-sets
%if 0%{?use_sysvinit}
%{_initddir}/%{name}
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
%else
%{_unitdir}/%{name}.service
%endif
# noreplace: an administrator's whitelist survives package updates
%config(noreplace) %{_sysconfdir}/%{name}.whitelist
%if 0%{?use_subpackages}
# Each subpackage owns exactly one suffixed configuration file; noreplace
# keeps local edits across updates.

%files iptables
%config(noreplace) %{_sysconfdir}/%{name}.conf.iptables

%files firewalld
%config(noreplace) %{_sysconfdir}/%{name}.conf.firewalld

%files nftables
%config(noreplace) %{_sysconfdir}/%{name}.conf.nftables
%endif
#-- CHANGELOG -----------------------------------------------------------------#
%changelog
* Mon Oct 21 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-11
- replace systemd with systemd-rpm-macros in f30+ BuildRequires
- remove %%systemd_requires macro

* Fri Oct 04 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-10
- add missing dependencies
- move examples to (docdir)/examples subfolder
- prefix directories with %%dir in %%files
- use complete & commented config files
- add white/blacklisting

* Mon Sep 30 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-9
- add bundled provides for fnv and simclist
- add systemd dependency
- fix changelog formatting
- patch & use upstream service file
- revert 05037d7b - disallow building on rhel < 6
- make package own /usr/libexec/sshguard

* Tue Sep 24 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-8
- Allow building on rhel < 6

* Thu Aug 29 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-7
- add explicit dependency on logrotate for epel6
- fixed iptables install scriptlet

* Sun Aug 25 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-6
- fixes to initscript for CentOS/RHEL6
- added logrotate config for sysvinit systems

* Wed Aug 21 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-5
- fixed rpm macros not being replaced in service/init file

* Tue Aug 20 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-4
- Create iptables chains for sshguard on install

* Fri Jul 19 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-3
- use own service file instead of example

* Tue Jul 16 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-2
- changed SysV initscript handling to match EPEL guidelines
- enable subpackages for RHEL8

* Tue Jul 16 2019 Christopher Engelhard <ce@lcts.de> 2.4.0-1
- updated for 2.4.0

* Tue Jan 08 2019 Christopher Engelhard <ce@lcts.de> 2.3.1-1
- remove upgrade notice for upgrade from v2.2.0-5,
  people should have noticed by now
- update to v2.3.1

* Sun Dec 16 2018 Christopher Engelhard <ce@lcts.de> 2.3.0-1
- update to 2.3.0

* Tue Oct 23 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-8
- allow building for EPEL
- use RPM path macros in config/init files

* Mon Oct 22 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-7
- Change subpackages to weak dependencies
- Make sshguard-iptables depend on iptables-services
  instead of iptables

* Mon Oct 22 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-6
- split off configuration into subpackages, allows autoconfig
  of multiple firewall backends

* Sat Sep 29 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-5
- include upstream patches for issues #100 and #101 instead of my own

* Tue Sep 25 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-4
- add patch to fix upstream Issue #100, firewalld errors

* Sun Sep 23 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-3
- disabled LFS in repo, incompatible with COPR (ce@lcts.de)

* Sun Sep 23 2018 Christopher Engelhard <ce@lcts.de> 2.2.0-2
- new package built with tito

* Thu Sep 13 2018 Christopher Engelhard <ce@lcts.de> - 2.2.0-1
- first release of this package