author | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 13:49:04 -0700 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2015-08-08 17:38:18 -0700 |
commit | 56bd759df1d0c750a065b8c845e93d5dfa6b549d (patch) | |
tree | 3f91093cdb475e565ae857f1c5a7fd339e2d781e /app-admin/denyhosts | |
proj/gentoo: Initial commit
This commit represents a new era for Gentoo:
Storing the gentoo-x86 tree in Git, as converted from CVS.
This commit is the start of the NEW history.
Any historical data is intended to be grafted onto this point.
Creation process:
1. Take final CVS checkout snapshot
2. Remove ALL ChangeLog* files
3. Transform all Manifests to thin
4. Remove empty Manifests
5. Convert all stale $Header$/$Id$ CVS keywords to non-expanded Git $Id$
5.1. Do not touch files with -kb/-ko keyword flags.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
X-Thanks: Alec Warner <antarus@gentoo.org> - did the GSoC 2006 migration tests
X-Thanks: Robin H. Johnson <robbat2@gentoo.org> - infra guy, herding this project
X-Thanks: Nguyen Thai Ngoc Duy <pclouds@gentoo.org> - Former Gentoo developer, wrote Git features for the migration
X-Thanks: Brian Harring <ferringb@gentoo.org> - wrote much python to improve cvs2svn
X-Thanks: Rich Freeman <rich0@gentoo.org> - validation scripts
X-Thanks: Patrick Lauer <patrick@gentoo.org> - Gentoo dev, running new 2014 work in migration
X-Thanks: Michał Górny <mgorny@gentoo.org> - scripts, QA, nagging
X-Thanks: All of other Gentoo developers - many ideas and lots of paint on the bikeshed
Diffstat (limited to 'app-admin/denyhosts')
19 files changed, 749 insertions, 0 deletions
diff --git a/app-admin/denyhosts/Manifest b/app-admin/denyhosts/Manifest
new file mode 100644
index 000000000000..7750d7bef32a
--- /dev/null
+++ b/app-admin/denyhosts/Manifest
@@ -0,0 +1,3 @@
+DIST DenyHosts-2.6.tar.gz 42667 SHA256 5190ead13a7238e3ccf328cb3b71b16716e1c73939909a4f3fa6904ba58ddf7d SHA512 331144348d4930e2fa7a057a779bb7504dfa8ec348660e1a73fcd6a9195258408abb7c77de2bcc96724dfc42afbee918320eebfbc3b380d6ac4ff2d275e89600 WHIRLPOOL a414cd3013508876e63253ffc9c46d12179cca76249ee00cbf66c04c7b88a8578c79bea4d098149081aa83dca115947b10214f3aa8b82bdd78d764032849e27a
+DIST denyhosts-2.9.tar.gz 49472 SHA256 751ce6f11c91d1f29c2e726e829c8fe5ddc417bfbb2f229829f5ec820c236716 SHA512 f41e2985e84f0eeaa493def6b8609de934889d02b124962b0bfd02ebe5e41d0670822124eb50ed84eb1c3b8a2a96775fbe09386cef48a3c3e04949fd6b1452c1 WHIRLPOOL 6930899d84a50200c869298cf1061d51a0cebab27edea58252a66c97c81792b13898a726a6bbcba35510cc6041b66d175557d2ddfb5c21c2ae5b62bd4e43fe5d
+DIST denyhosts-3.0.tar.gz 56283 SHA256 581cd3b782d7b702f41873ae52d39472d27c90ebd1b2178802cdd623e8e94240 SHA512 8a1c796c259049ffab2c88cef780b175ec75c94216841421f831dfbf45f4ba0cdbcfbb0e3dab7200aa79eeb2416db5234ad5016d5770d8ab2f28ef4c9754e70d WHIRLPOOL 6b8db8e88a5f1693d4a72ea54009b5d185b035040c9407585f829b0f8f918bcbfa38623b0ecb08157256da045427b8b5111f7dc8f520505c56aefdaf1a02a154
diff --git a/app-admin/denyhosts/denyhosts-2.6-r10.ebuild b/app-admin/denyhosts/denyhosts-2.6-r10.ebuild
new file mode 100644
index 000000000000..ad3022a9dfb6
--- /dev/null
+++ b/app-admin/denyhosts/denyhosts-2.6-r10.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 eutils readme.gentoo systemd
+
+MY_PN="DenyHosts"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="DenyHosts is a utility to help sys admins thwart ssh hackers"
+HOMEPAGE="http://www.denyhosts.net"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ppc sparc x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+S="${WORKDIR}/${MY_P}"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="
+You can configure DenyHosts to run as a daemon by running:
+# rc-update add denyhosts default
+or:
+# systemctl enable denyhosts.service
+(if you use systemd)
+
+To run DenyHosts as a cronjob instead of a daemon add the following
+to /etc/crontab
+# run DenyHosts every 10 minutes
+*/10 * * * * root /usr/bin/denyhosts.py -c /etc/denyhosts.conf
+
+More information can be found at http://denyhosts.sourceforge.net/faq.html"
+
+src_prepare() {
+ # changes default file installations
+ epatch "${FILESDIR}"/${P}-gentoo.patch
+ epatch "${FILESDIR}"/${P}-log-injection-regex.patch
+
+ # Multiple patches from Fedora and Debian
+ epatch "${FILESDIR}"/${P}-daemon-control.patch
+ epatch "${FILESDIR}"/${P}-defconffile.patch
+ epatch "${FILESDIR}"/${P}-foreground_mode.patch
+ epatch "${FILESDIR}"/${P}-hostname.patch
+ epatch "${FILESDIR}"/${P}-plugin_deny.patch
+ epatch "${FILESDIR}"/${P}-single_config_switch.patch
+
+ epatch "${FILESDIR}"/${P}-cve-2013-6890.patch
+
+ sed -i -e 's:DENY_THRESHOLD_VALID = 10:DENY_THRESHOLD_VALID = 5:' \
+ denyhosts.cfg-dist || die "sed failed"
+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ readme.gentoo_create_doc
+
+ dodoc CHANGELOG.txt README.txt PKG-INFO
+ distutils-r1_src_install
+
+ insinto /etc
+ insopts -m0640
+ newins denyhosts.cfg-dist denyhosts.conf
+
+ dodir /etc/logrotate.d
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate-r2 ${PN}
+
+ newinitd "${FILESDIR}"/denyhosts.init-r2 denyhosts
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ # build system installs docs that we installed above
+ rm -f "${D}"/usr/share/denyhosts/*.txt
+
+ keepdir /var/lib/denyhosts
+}
+
+pkg_postinst() {
+ if [[ ! -f "${ROOT}etc/hosts.deny" ]]; then
+ touch "${ROOT}etc/hosts.deny"
+ fi
+
+ readme.gentoo_print_elog
+}
diff --git a/app-admin/denyhosts/denyhosts-2.6-r9.ebuild b/app-admin/denyhosts/denyhosts-2.6-r9.ebuild
new file mode 100644
index 000000000000..349e25ad8d0e
--- /dev/null
+++ b/app-admin/denyhosts/denyhosts-2.6-r9.ebuild
@@ -0,0 +1,92 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 eutils readme.gentoo systemd
+
+MY_PN="DenyHosts"
+MY_P="${MY_PN}-${PV}"
+
+DESCRIPTION="DenyHosts is a utility to help sys admins thwart ssh hackers"
+HOMEPAGE="http://www.denyhosts.net"
+SRC_URI="mirror://sourceforge/${PN}/${MY_P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ppc sparc x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+S="${WORKDIR}/${MY_P}"
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="
+You can configure DenyHosts to run as a daemon by running:
+# rc-update add denyhosts default
+or:
+# systemctl enable denyhosts.service
+(if you use systemd)
+
+To run DenyHosts as a cronjob instead of a daemon add the following
+to /etc/crontab
+# run DenyHosts every 10 minutes
+*/10 * * * * root /usr/bin/denyhosts.py -c /etc/denyhosts.conf
+
+More information can be found at http://denyhosts.sourceforge.net/faq.html"
+
+src_prepare() {
+ # changes default file installations
+ epatch "${FILESDIR}"/${P}-gentoo.patch
+ epatch "${FILESDIR}"/${P}-log-injection-regex.patch
+
+ # Multiple patches from Fedora and Debian
+ epatch "${FILESDIR}"/${P}-daemon-control.patch
+ epatch "${FILESDIR}"/${P}-defconffile.patch
+ epatch "${FILESDIR}"/${P}-foreground_mode.patch
+ epatch "${FILESDIR}"/${P}-hostname.patch
+ epatch "${FILESDIR}"/${P}-plugin_deny.patch
+ epatch "${FILESDIR}"/${P}-single_config_switch.patch
+
+ epatch "${FILESDIR}"/${P}-cve-2013-6890.patch
+
+ sed -i -e 's:DENY_THRESHOLD_VALID = 10:DENY_THRESHOLD_VALID = 5:' \
+ denyhosts.cfg-dist || die "sed failed"
+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ readme.gentoo_create_doc
+
+ dodoc CHANGELOG.txt README.txt PKG-INFO
+ distutils-r1_src_install
+
+ insinto /etc
+ insopts -m0640
+ newins denyhosts.cfg-dist denyhosts.conf
+
+ dodir /etc/logrotate.d
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate ${PN}
+
+ newinitd "${FILESDIR}"/denyhosts.init-r2 denyhosts
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ # build system installs docs that we installed above
+ rm -f "${D}"/usr/share/denyhosts/*.txt
+
+ keepdir /var/lib/denyhosts
+}
+
+pkg_postinst() {
+ if [[ ! -f "${ROOT}etc/hosts.deny" ]]; then
+ touch "${ROOT}etc/hosts.deny"
+ fi
+
+ readme.gentoo_print_elog
+}
diff --git a/app-admin/denyhosts/denyhosts-2.9.ebuild b/app-admin/denyhosts/denyhosts-2.9.ebuild
new file mode 100644
index 000000000000..4e4c52a3983d
--- /dev/null
+++ b/app-admin/denyhosts/denyhosts-2.9.ebuild
@@ -0,0 +1,73 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 eutils readme.gentoo systemd
+
+DESCRIPTION="DenyHosts is a utility to help sys admins thwart ssh hackers"
+HOMEPAGE="http://denyhost.sourceforge.net/"
+SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~hppa ~ppc ~sparc x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="
+>=net-misc/openssh-6.7p1 dropped support for sys-apps/tcp-wrappers
+(see bug#531156) that means you either have patch openssh or use
+denyhosts' iptables feature to get any protection.
+
+You can configure DenyHosts to run as a daemon by running:
+# rc-update add denyhosts default
+or:
+# systemctl enable denyhosts.service
+(if you use systemd)
+
+To run DenyHosts as a cronjob instead of a daemon add the following
+to /etc/crontab
+# run DenyHosts every 10 minutes
+*/10 * * * * root /usr/bin/denyhosts.py -c /etc/denyhosts.conf
+
+More information can be found at ${HOMEPAGE}faq.html"
+
+src_prepare() {
+ #systemd needs HOSTNAME
+ epatch "${FILESDIR}"/${PN}-2.6-hostname.patch
+
+ sed -e '/^DENY_THRESHOLD_VALID =/s/=.*/= 5/' \
+ -e '/^SECURE_LOG/s/^/#/' \
+ -e '\@#SECURE_LOG.*/var/log/messages@s/^#//' \
+ -i denyhosts.conf || die "sed failed"
+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ readme.gentoo_create_doc
+
+ dodoc CHANGELOG.txt README.txt PKG-INFO
+ distutils-r1_src_install
+
+ dodir /etc/logrotate.d
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate-r2 ${PN}
+
+ newinitd "${FILESDIR}"/denyhosts.init-r2 denyhosts
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ keepdir /var/lib/denyhosts
+}
+
+pkg_postinst() {
+ [[ -f "${EROOT}etc/hosts.deny" ]] || touch "${EROOT}etc/hosts.deny"
+
+ readme.gentoo_print_elog
+}
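Review bot: src_install no longer installs the configuration file itself, so the 0640 mode that the 2.6 ebuilds set with `insopts -m0640` is gone and the mode of the installed denyhosts.conf is whatever upstream's setup.py chooses, which is not visible on this page. That file may hold mail and sync settings an unprivileged user should not read, so it is worth pinning the mode after `distutils-r1_src_install`, for example `fperms 0640 /etc/denyhosts.conf` once the installed path is confirmed. denyhosts-3.0.ebuild has the same gap.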
diff --git a/app-admin/denyhosts/denyhosts-3.0.ebuild b/app-admin/denyhosts/denyhosts-3.0.ebuild
new file mode 100644
index 000000000000..fef100da9c14
--- /dev/null
+++ b/app-admin/denyhosts/denyhosts-3.0.ebuild
@@ -0,0 +1,64 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+PYTHON_COMPAT=( python2_7 )
+
+inherit distutils-r1 eutils readme.gentoo systemd
+
+DESCRIPTION="DenyHosts is a utility to help sys admins thwart ssh hackers"
+HOMEPAGE="https://github.com/denyhosts/denyhosts"
+SRC_URI="https://github.com/${PN}/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ppc ~sparc ~x86"
+IUSE=""
+
+DEPEND=""
+RDEPEND=""
+
+DISABLE_AUTOFORMATTING="yes"
+DOC_CONTENTS="
+>=net-misc/openssh-6.7p1 dropped support for sys-apps/tcp-wrappers
+(see bug#531156) that means you either have patch openssh or use
+denyhosts' iptables feature to get any protection.
+
+You can configure DenyHosts to run as a daemon by running:
+# rc-update add denyhosts default
+or:
+# systemctl enable denyhosts.service
+(if you use systemd)
+
+To run DenyHosts as a cronjob instead of a daemon add the following
+to /etc/crontab
+# run DenyHosts every 10 minutes
+*/10 * * * * root /usr/bin/denyhosts.py -c /etc/denyhosts.conf
+
+More information can be found at ${HOMEPAGE}faq.html"
+
+src_prepare() {
+ sed -e '/^DENY_THRESHOLD_VALID =/s/=.*/= 5/' \
+ -e '/^SECURE_LOG/s/^/#/' \
+ -e '\@#SECURE_LOG.*/var/log/messages@s/^#//' \
+ -i denyhosts.conf || die "sed failed"
+
+ distutils-r1_src_prepare
+}
+
+src_install() {
+ readme.gentoo_create_doc
+
+ dodoc CHANGELOG.txt README.md
+ distutils-r1_src_install
+
+ dodir /etc/logrotate.d
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate-r2 ${PN}
+
+ newinitd "${FILESDIR}"/denyhosts.init-r2 denyhosts
+ systemd_dounit "${FILESDIR}"/${PN}.service
+
+ keepdir /var/lib/denyhosts
+}
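Review bot: This ebuild has no pkg_postinst, unlike 2.9, so `readme.gentoo_print_elog` is never called and the DOC_CONTENTS warning that openssh >= 6.7p1 no longer honours tcp-wrappers is only written to the README file, not shown to the administrator at install time; hosts.deny is also no longer created. If that is intentional a comment should say so, otherwise restore `pkg_postinst() { readme.gentoo_print_elog; }`. Separately, `${HOMEPAGE}faq.html` in DOC_CONTENTS now expands to a broken URL, because HOMEPAGE is `https://github.com/denyhosts/denyhosts` with no trailing slash; spell the FAQ link out or drop the sentence.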
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-cve-2013-6890.patch b/app-admin/denyhosts/files/denyhosts-2.6-cve-2013-6890.patch
new file mode 100644
index 000000000000..3065d5e98424
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-cve-2013-6890.patch
@@ -0,0 +1,60 @@
+Subject: address remote denial of service CVE-2013-6890
+From: Helmut Grohne <helmut () subdivi de>
+
+ssh -l 'Invalid user root from 123.123.123.123' 21.21.21.21
+
+results in a log lines
+
+sshd[123]: Invalid user Invalid user root from 123.123.123.123 from 21.21.21.21
+sshd[123]: input_userauth_request: invalid user Invalid user root from 123.123.123.123 [preauth]
+sshd[123]: Connection closed by 21.21.21.21 [preauth]
+
+and causes denyhosts to block both ips 21.21.21.21 and 123.123.123.123.
+
+This patch tightens the regular expressions used to avoid these and similar
+injections.
+
+Index: denyhosts-2.6/DenyHosts/regex.py
+===================================================================
+--- denyhosts-2.6.orig/DenyHosts/regex.py 2013-12-22 11:54:42.000000000 +0100
++++ denyhosts-2.6/DenyHosts/regex.py 2013-12-22 11:55:05.000000000 +0100
+@@ -6,22 +6,22 @@
+
+ #DATE_FORMAT_REGEX = re.compile(r"""(?P<month>[A-z]{3,3})\s*(?P<day>\d+)""")
+
+-SSHD_FORMAT_REGEX = re.compile(r""".* (sshd.*:|\[sshd\]) (?P<message>.*)""")
++SSHD_FORMAT_REGEX = re.compile(r""".*? (sshd.*?:|\[sshd\]) (?P<message>.*)""")
+ #SSHD_FORMAT_REGEX = re.compile(r""".* sshd.*: (?P<message>.*)""")
+
+-FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>.*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX = re.compile(r"""Failed (?P<method>\S*) for (?P<invalid>invalid user |illegal user )?(?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+-FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*?) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX2 = re.compile(r"""(?P<invalid>(Illegal|Invalid)) user (?P<user>.*) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+-FAILED_ENTRY_REGEX3 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX3 = None
+
+-FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
++FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) from (::ffff:)?(?P<host>\S+)$""")
+
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because none of user's groups are listed in AllowGroups$""")
+
+-FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) from (::ffff:)?(?P<host>\S+) not allowed because not listed in AllowUsers$""")
+
+
+ # these are reserved for future versions
+@@ -42,7 +42,7 @@
+ FAILED_ENTRY_REGEX_MAP[i] = rx
+
+
+-SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>.*) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
++SUCCESSFUL_ENTRY_REGEX = re.compile(r"""Accepted (?P<method>\S+) for (?P<user>.*?) from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$""")
+
+ TIME_SPEC_REGEX = re.compile(r"""(?P<units>\d*)\s*(?P<period>[smhdwy])?""")
+
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-daemon-control.patch b/app-admin/denyhosts/files/denyhosts-2.6-daemon-control.patch
new file mode 100644
index 000000000000..1a733e41280e
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-daemon-control.patch
@@ -0,0 +1,12 @@
+diff -up ./daemon-control-dist.orig ./daemon-control-dist
+--- ./daemon-control-dist.orig 2006-04-21 18:04:43.000000000 -0500
++++ ./daemon-control-dist 2008-08-28 11:05:01.000000000 -0500
+@@ -13,7 +13,7 @@
+
+ DENYHOSTS_BIN = "/usr/bin/denyhosts.py"
+ DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
+-DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
++DENYHOSTS_CFG = "/etc/denyhosts.conf"
+
+ PYTHON_BIN = "/usr/bin/env python"
+
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-defconffile.patch b/app-admin/denyhosts/files/denyhosts-2.6-defconffile.patch
new file mode 100644
index 000000000000..c384367d0031
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-defconffile.patch
@@ -0,0 +1,12 @@
+diff -up ./DenyHosts/constants.py.defconffile ./DenyHosts/constants.py
+--- ./DenyHosts/constants.py.defconffile 2008-07-01 18:12:34.000000000 -0500
++++ ./DenyHosts/constants.py 2008-07-01 18:12:43.000000000 -0500
+@@ -36,7 +36,7 @@ PURGE_HISTORY = "purge-history"
+ # Miscellaneous constants #
+ #################################################################################
+
+-CONFIG_FILE = "denyhosts.cfg" # default can be overridden on cmd line
++CONFIG_FILE = "/etc/denyhosts.conf" # default can be overridden on cmd line
+
+ DENY_DELIMITER = "# DenyHosts:"
+ ENTRY_DELIMITER = " | "
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-foreground_mode.patch b/app-admin/denyhosts/files/denyhosts-2.6-foreground_mode.patch
new file mode 100644
index 000000000000..9f10707f9be8
--- /dev/null
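Review bot: The new FAILED_ENTRY_REGEX, FAILED_ENTRY_REGEX2 and SUCCESSFUL_ENTRY_REGEX put `$` directly after the IPv4 group, but sshd commonly ends these lines with `from <addr> port <n> ssh2`; if the message is matched as logged, the anchored patterns stop matching and failed logins go uncounted, so the patch should be tested against a real auth log before it ships. The anchor can stay while tolerating the suffix by ending the pattern with `( port \d+)?( ssh2)?$` after the host group. In addition, `FAILED_ENTRY_REGEX3 = None` relies on the map-building loop, which lies outside the nested hunk, skipping None entries; a comment on that line such as `# disabled: subsumed by REGEX4, see CVE-2013-6890` would record why it is kept.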
+++ b/app-admin/denyhosts/files/denyhosts-2.6-foreground_mode.patch
@@ -0,0 +1,137 @@
+From: Marco Bertorello <marco@bertorello.ns0.it>
+Date: Thu, 14 Apr 2011 00:11:35 +0200
+Subject: 08_foreground_mode
+
+Add a useful switch to denyhost for run in foreground/debugging mode
+---
+ DenyHosts/deny_hosts.py | 9 +++++++--
+ denyhosts.py | 20 +++++++++++++-------
+ 2 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
+index 7a985e6..f308264 100644
+--- a/DenyHosts/deny_hosts.py
++++ b/DenyHosts/deny_hosts.py
+@@ -41,7 +41,7 @@ error = logging.getLogger("denyhosts").error
+ class DenyHosts:
+ def __init__(self, logfile, prefs, lock_file,
+ ignore_offset=0, first_time=0,
+- noemail=0, daemon=0):
++ noemail=0, daemon=0, foreground=0):
+ self.__denied_hosts = {}
+ self.__prefs = prefs
+ self.__lock_file = lock_file
+@@ -49,6 +49,7 @@ class DenyHosts:
+ self.__noemail = noemail
+ self.__report = Report(prefs.get("HOSTNAME_LOOKUP"), is_true(prefs['SYSLOG_REPORT']))
+ self.__daemon = daemon
++ self.__foreground = foreground
+ self.__sync_server = prefs.get('SYNC_SERVER')
+ self.__sync_upload = is_true(prefs.get("SYNC_UPLOAD"))
+ self.__sync_download = is_true(prefs.get("SYNC_DOWNLOAD"))
+@@ -87,7 +88,7 @@ class DenyHosts:
+ info("Log file size has not changed. Nothing to do.")
+
+
+- if daemon:
++ if daemon and not foreground:
+ info("launching DenyHosts daemon (version %s)..." % VERSION)
+ #logging.getLogger().setLevel(logging.WARN)
+
+@@ -101,6 +102,10 @@ class DenyHosts:
+ self.runDaemon(logfile, last_offset)
+ else:
+ die("Error creating daemon: %s (%d)" % (retCode[1], retCode[0]))
++ elif foreground:
++ info("launching DenyHosts (version %s)..." % VERSION)
++ self.__lock_file.remove()
++ self.runDaemon(logfile, last_offset)
+
+
+ def killDaemon(self, signum, frame):
+diff --git a/denyhosts.py b/denyhosts.py
+index 48bd837..727e565 100755
+--- a/denyhosts.py
++++ b/denyhosts.py
+@@ -34,6 +34,7 @@ def usage():
+ print " --migrate: migrate your HOSTS_DENY file so that it is suitable for --purge"
+ print " --purge: expire entries older than your PURGE_DENY setting"
+ print " --daemon: run DenyHosts in daemon mode"
++ print " --foreground: run DenyHosts in foreground mode"
+ print " --sync: run DenyHosts synchronization mode"
+ print " --version: Prints the version of DenyHosts and exits"
+
+@@ -63,6 +64,7 @@ if __name__ == '__main__':
+ purge = 0
+ sync_mode = 0
+ daemon = 0
++ foreground = 0
+ enable_debug = 0
+ upgrade099 = 0
+ args = sys.argv[1:]
+@@ -70,8 +72,8 @@ if __name__ == '__main__':
+ (opts, getopts) = getopt.getopt(args, 'f:c:dinuvps?hV',
+ ["file=", "ignore", "verbose", "debug",
+ "help", "noemail", "config=", "version",
+- "migrate", "purge", "daemon", "sync",
+- "upgrade099"])
++ "migrate", "purge", "daemon", "foreground",
++ "sync", "upgrade099"])
+ except:
+ print "\nInvalid command line option detected."
+ usage()
+@@ -101,6 +103,8 @@ if __name__ == '__main__':
+ sync_mode = 1
+ if opt == '--daemon':
+ daemon = 1
++ if opt == '--foreground':
++ foreground = 1
+ if opt == '--upgrade099':
+ upgrade099 = 1
+ if opt == '--version':
+@@ -131,21 +135,21 @@ if __name__ == '__main__':
+
+ lock_file.create()
+
+- if upgrade099 and not daemon:
++ if upgrade099 and not (daemon or foreground):
+ if not prefs.get('PURGE_DENY'):
+ lock_file.remove()
+ die("You have supplied the --upgrade099 flag, however you have not set PURGE_DENY in your configuration file")
+ else:
+ u = UpgradeTo099(prefs.get("HOSTS_DENY"))
+
+- if migrate and not daemon:
++ if migrate and not (daemon or foreground):
+ if not prefs.get('PURGE_DENY'):
+ lock_file.remove()
+ die("You have supplied the --migrate flag however you have not set PURGE_DENY in your configuration file.")
+ else:
+ m = Migrate(prefs.get("HOSTS_DENY"))
+
+- if purge and not daemon:
++ if purge and not (daemon or foreground):
+ purge_time = prefs.get('PURGE_DENY')
+ if not purge_time:
+ lock_file.remove()
+@@ -162,7 +166,9 @@ if __name__ == '__main__':
+ try:
+ for f in logfiles:
+ dh = DenyHosts(f, prefs, lock_file, ignore_offset,
+- first_time, noemail, daemon)
++ first_time, noemail, daemon, foreground)
++ except KeyboardInterrupt:
++ pass
+ except SystemExit, e:
+ pass
+ except Exception, e:
+@@ -170,7 +176,7 @@ if __name__ == '__main__':
+ print "\nDenyHosts exited abnormally"
+
+
+- if sync_mode and not daemon:
++ if sync_mode and not (daemon or foreground):
+ if not prefs.get('SYNC_SERVER'):
+ lock_file.remove()
+ die("You have provided the --sync flag however your configuration file is missing a value for SYNC_SERVER.")
+--
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-gentoo.patch b/app-admin/denyhosts/files/denyhosts-2.6-gentoo.patch
new file mode 100644
index 000000000000..157b201aa26a
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-gentoo.patch
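Review bot: In the new `elif foreground:` branch of DenyHosts.__init__, `self.__lock_file.remove()` runs before `self.runDaemon(logfile, last_offset)`, so a foreground instance holds no lock for its whole lifetime and a second denyhosts run (cron or daemon) could presumably start against the same work directory and hosts.deny. The daemon branch's own lock handling lies outside the nested hunk, so confirm whether this mirrors it; if it does not, keep the lock and release it when runDaemon returns. The added `except KeyboardInterrupt: pass` in denyhosts.py also exits with no visible cleanup, and a one-line comment stating what state is left behind on interrupt would help the next maintainer.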
@@ -0,0 +1,42 @@
+--- denyhosts.cfg-dist 2006-08-20 14:09:57.000000000 +0000
++++ denyhosts.cfg-new 2006-12-09 15:41:20.000000000 +0000
+@@ -9,13 +9,13 @@
+ # argument
+ #
+ # Redhat or Fedora Core:
+-SECURE_LOG = /var/log/secure
++#SECURE_LOG = /var/log/secure
+ #
+ # Mandrake, FreeBSD or OpenBSD:
+ #SECURE_LOG = /var/log/auth.log
+ #
+-# SuSE:
+-#SECURE_LOG = /var/log/messages
++# Gentoo/SuSE:
++SECURE_LOG = /var/log/messages
+ #
+ # Mac OS X (v10.4 or greater -
+ # also refer to: http://www.denyhosts.net/faq.html#macos
+@@ -150,7 +150,7 @@
+ # Note: it is recommended that you use an absolute pathname
+ # for this value (eg. /home/foo/denyhosts/data)
+ #
+-WORK_DIR = /usr/share/denyhosts/data
++WORK_DIR = /var/lib/denyhosts
+ #
+ #######################################################################
+
+@@ -192,10 +192,10 @@
+ # running at a time.
+ #
+ # Redhat/Fedora:
+-LOCK_FILE = /var/lock/subsys/denyhosts
++#LOCK_FILE = /var/lock/subsys/denyhosts
+ #
+-# Debian
+-#LOCK_FILE = /var/run/denyhosts.pid
++# Gentoo/Debian
++LOCK_FILE = /var/run/denyhosts.pid
+ #
+ # Misc
+ #LOCK_FILE = /tmp/denyhosts.lock
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-hostname.patch b/app-admin/denyhosts/files/denyhosts-2.6-hostname.patch
new file mode 100644
index 000000000000..56d881319c5f
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-hostname.patch
@@ -0,0 +1,21 @@
+diff -up ./denyhosts.py.orig ./denyhosts.py
+--- ./denyhosts.py.orig 2012-01-30 13:14:41.146715839 -0600
++++ ./denyhosts.py 2012-01-30 14:45:14.372539341 -0600
+@@ -1,5 +1,6 @@
+ #!/usr/bin/env python
+ import os
++import platform
+ import sys
+
+ import DenyHosts.python_version
+@@ -107,6 +108,10 @@ if __name__ == '__main__':
+ print "DenyHosts version:", VERSION
+ sys.exit(0)
+
++ # This is generally expected to be in the environment, but there's no
++ # non-hackish way to get systemd to set it, so just hack it in here.
++ os.environ['HOSTNAME'] = platform.node()
++
+ prefs = Prefs(config_file)
+
+ first_time = 0
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-log-injection-regex.patch b/app-admin/denyhosts/files/denyhosts-2.6-log-injection-regex.patch
new file mode 100644
index 000000000000..c6fc20541019
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-log-injection-regex.patch
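Review bot: `os.environ['HOSTNAME'] = platform.node()` overwrites HOSTNAME unconditionally, although the comment above it says the assignment exists only because systemd does not provide the variable. Where the environment already carries a HOSTNAME (OpenRC or a cron run), the administrator's value is silently replaced. `os.environ.setdefault('HOSTNAME', platform.node())` keeps an existing value and still covers the systemd case. The `if __name__ == '__main__':` block continues outside the nested hunk.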
@@ -0,0 +1,21 @@
+Address Log injection reported at
+
+http://bugs.gentoo.org/show_bug.cgi?id=181213
+
+diff -ur a/DenyHosts/regex.py b/DenyHosts/regex.py
+--- a/DenyHosts/regex.py 2006-12-07 13:47:04.000000000 -0600
++++ b/DenyHosts/regex.py 2007-06-19 18:51:54.000000000 -0500
+@@ -17,11 +17,11 @@
+
+ FAILED_ENTRY_REGEX4 = re.compile(r"""Authentication failure for (?P<user>.*) .*from (?P<host>.*)""")
+
+-FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups""")
++FAILED_ENTRY_REGEX5 = re.compile(r"""User (?P<user>.*) .*from (?P<host>.*) not allowed because none of user's groups are listed in AllowGroups$""")
+
+ FAILED_ENTRY_REGEX6 = re.compile(r"""Did not receive identification string .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})""")
+
+-FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) not allowed because not listed in AllowUsers""")
++FAILED_ENTRY_REGEX7 = re.compile(r"""User (?P<user>.*) .*from (::ffff:)?(?P<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) not allowed because not listed in AllowUsers""")
+
+
+ # these are reserved for future versions
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-plugin_deny.patch b/app-admin/denyhosts/files/denyhosts-2.6-plugin_deny.patch
new file mode 100644
index 000000000000..74868e79678c
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-plugin_deny.patch
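Review bot: FAILED_ENTRY_REGEX7 gains a host group here but, unlike FAILED_ENTRY_REGEX5 in the same nested hunk, no trailing `$`, and both keep the loose `(?P<user>.*) .*from` prefix, so on its own this patch still leaves the user field able to influence which address is captured. The 2.6 ebuilds apply denyhosts-2.6-cve-2013-6890.patch afterwards, and the lines that patch removes match this patch's output exactly, so the two only apply in that order. A header line such as `Superseded for REGEX5/REGEX7 by cve-2013-6890.patch; must be applied before it.` would record the dependency for whoever next reorders src_prepare.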
@@ -0,0 +1,23 @@
+From: Marco Bertorello <marco@bertorello.ns0.it>
+Date: Thu, 14 Apr 2011 00:11:35 +0200
+Subject: 09_plugin_deny
+
+Correct the upstream bug http://sourceforge.net/tracker/index.php?func=detail&aid=1734736&group_id=131204&atid=720419
+---
+ DenyHosts/deny_hosts.py | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/DenyHosts/deny_hosts.py b/DenyHosts/deny_hosts.py
+index f308264..0f5f48d 100644
+--- a/DenyHosts/deny_hosts.py
++++ b/DenyHosts/deny_hosts.py
+@@ -443,7 +443,7 @@ allowed based on your %s file""" % (self.__prefs.get("HOSTS_DENY"),
+ self.__report.add_section(msg, new_denied_hosts)
+ if self.__sync_server: self.sync_add_hosts(new_denied_hosts)
+ plugin_deny = self.__prefs.get('PLUGIN_DENY')
+- if plugin_deny: plugin.execute(plugin_deny, deny_hosts)
++ if plugin_deny: plugin.execute(plugin_deny, new_denied_hosts)
+
+ new_suspicious_logins = login_attempt.get_new_suspicious_logins()
+ if new_suspicious_logins:
+--
diff --git a/app-admin/denyhosts/files/denyhosts-2.6-single_config_switch.patch b/app-admin/denyhosts/files/denyhosts-2.6-single_config_switch.patch
new file mode 100644
index 000000000000..cb39df977be6
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts-2.6-single_config_switch.patch
@@ -0,0 +1,24 @@
+From: Marco Bertorello <marco@bertorello.ns0.it>
+Date: Thu, 14 Apr 2011 00:11:35 +0200
+Subject: 11_single_config_switch
+
+A patch to prevent denyhosts running with a double --config switch
+---
+ daemon-control-dist | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/daemon-control-dist b/daemon-control-dist
+index 9f42b60..14d0f70 100755
+--- a/daemon-control-dist
++++ b/daemon-control-dist
+@@ -144,7 +144,8 @@ if __name__ == '__main__':
+
+ try:
+ if option in ('start', 'restart', 'condrestart'):
+- if '--config' not in args and '-c' not in args:
++ anystartswith = lambda prefix, xs: any(map(lambda x: x.startswith(prefix), xs))
++ if not anystartswith('--config', args) and '-c' not in args:
+ args.append("--config=%s" % DENYHOSTS_CFG)
+
+ cmd = cases[option]
+--
diff --git a/app-admin/denyhosts/files/denyhosts.init-r2 b/app-admin/denyhosts/files/denyhosts.init-r2
new file mode 100644
index 000000000000..092c9c4a88bc
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts.init-r2
@@ -0,0 +1,28 @@
+#!/sbin/runscript
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+extra_stopped_commands="purge"
+
+purge() {
+ ebegin "Purging hosts.deny"
+ start-stop-daemon --start --exec /usr/bin/denyhosts.py --pidfile /var/run/denyhosts.pid -- --purge
+ eend $?
+}
+
+depend() {
+ use logger sshd
+}
+
+start() {
+ ebegin "Starting DenyHosts daemon"
+ start-stop-daemon --start --exec /usr/bin/denyhosts.py --pidfile /var/run/denyhosts.pid -- --daemon -c /etc/denyhosts.conf
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping DenyHosts daemon"
+ start-stop-daemon --quiet --stop --pidfile /var/run/denyhosts.pid
+ eend $?
+}
diff --git a/app-admin/denyhosts/files/denyhosts.logrotate b/app-admin/denyhosts/files/denyhosts.logrotate
new file mode 100644
index 000000000000..19a478870757
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts.logrotate
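Review bot: The duplicate-switch check is now asymmetric: `--config=...` is caught by prefix, but `-c` is still matched only as a separate argument, so an attached form such as `-c/etc/denyhosts.conf` (which the `c:` entry in denyhosts.py's getopt string would accept) still gets a second `--config=` appended. The named lambda wrapped around `map` is also harder to read than a generator expression. `if not any(a.startswith('--config') or a.startswith('-c') for a in args):` covers both forms in one line. The surrounding `try:` block continues outside the nested hunk.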
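Review bot: In denyhosts.init-r2, purge() starts denyhosts.py without `-c /etc/denyhosts.conf` while start() passes it, so the purge depends on the compiled-in default config path. The 2.6 ebuilds patch that default with denyhosts-2.6-defconffile.patch, but the 2.9 and 3.0 ebuilds install this same init script without applying that patch, so there the purge may read a different or missing configuration. Appending `-c /etc/denyhosts.conf` after `--purge` keeps both commands on the same file.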
@@ -0,0 +1,12 @@
+/var/log/denyhosts {
+ missingok
+ notifempty
+ create 0640 root root
+ sharedscripts
+ prerotate
+ /etc/init.d/denyhosts stop -q
+ endscript
+ postrotate
+ /etc/init.d/denyhosts start -q
+ endscript
+}
diff --git a/app-admin/denyhosts/files/denyhosts.logrotate-r2 b/app-admin/denyhosts/files/denyhosts.logrotate-r2
new file mode 100644
index 000000000000..582e72f7a365
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts.logrotate-r2
@@ -0,0 +1,10 @@
+/var/log/denyhosts {
+ missingok
+ notifempty
+ create 0640 root root
+ sharedscripts
+ postrotate
+ test -e /run/openrc/softlevel && /etc/init.d/denyhosts restart 1>/dev/null || true
+ test -e /run/systemd/system && systemctl restart denyhosts >/dev/null || true
+ endscript
+}
diff --git a/app-admin/denyhosts/files/denyhosts.service b/app-admin/denyhosts/files/denyhosts.service
new file mode 100644
index 000000000000..05a59dd27bfc
--- /dev/null
+++ b/app-admin/denyhosts/files/denyhosts.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSH log watcher
+Before=sshd.service
+
+[Service]
+Type=forking
+ExecStartPre=/bin/rm -f /var/run/denyhosts.pid
+ExecStart=/usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
+PIDFile=/var/run/denyhosts.pid
+
+[Install]
+WantedBy=multi-user.target
diff --git a/app-admin/denyhosts/metadata.xml b/app-admin/denyhosts/metadata.xml
new file mode 100644
index 000000000000..0b1d27f8d6f3
--- /dev/null
+++ b/app-admin/denyhosts/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>ottxor@gentoo.org</email>
+ <name>Christoph Junghans</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="github">denyhosts/denyhosts</remote-id>
+ </upstream>
+</pkgmetadata> |
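Review bot: Both rotation scripts bring the service up unconditionally: denyhosts.logrotate runs `stop` in prerotate and `start` in postrotate, and denyhosts.logrotate-r2 runs `restart`, so a denyhosts that the administrator deliberately stopped is started again at the next rotation. The first variant additionally leaves the SSH log unwatched between prerotate and postrotate. For the systemd line, `systemctl try-restart denyhosts >/dev/null || true` restarts the unit only if it is already running; the OpenRC line should be guarded by an equivalent is-started check.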