Tuesday, December 04, 2018

sshguard-2.2.0 (still problems with startup) Re: UPDATE: security/sshguard, 1.5-->2.1.0 (2nd try)

Index: Makefile
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/Makefile,v
retrieving revision 1.13
diff -u -p -r1.13 Makefile
--- Makefile 4 Sep 2018 12:46:21 -0000 1.13
+++ Makefile 4 Dec 2018 23:12:47 -0000
@@ -2,22 +2,31 @@

COMMENT= protect against brute force attacks on sshd and others

-DISTNAME= sshguard-1.5
-REVISION= 6
+DISTNAME= sshguard-2.2.0
CATEGORIES= security

+HOMEPAGE= https://www.sshguard.net/
+
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+
# BSD
PERMIT_PACKAGE_CDROM= Yes

WANTLIB+= c pthread

-HOMEPAGE= https://www.sshguard.net/
-MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
-EXTRACT_SUFX= .tar.bz2
-
-CONFIGURE_STYLE=gnu
-CONFIGURE_ARGS= --with-firewall=pf
+CONFIGURE_STYLE=simple
+CONFIGURE_ARGS= --sysconfdir="${SYSCONFDIR}" \
+ --mandir="${TRUEPREFIX}/man"

NO_TEST= Yes
+
+post-patch:
+ ${SUBST_CMD} ${WRKSRC}/doc/sshguard.8 \
+ ${WRKSRC}/examples/sshguard.conf.sample
+
+post-install:
+ ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/sshguard
+ ${INSTALL_DATA} ${WRKSRC}/examples/*.{example,sample} \
+ ${PREFIX}/share/examples/sshguard

.include <bsd.port.mk>
Index: distinfo
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/distinfo,v
retrieving revision 1.3
diff -u -p -r1.3 distinfo
--- distinfo 27 Jan 2014 15:49:15 -0000 1.3
+++ distinfo 4 Dec 2018 10:29:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (sshguard-1.5.tar.bz2) = tTf4dlRV/fhCT4fUvWleW2dbiOXRZIZUUhN5Rwk+fhk=
-SIZE (sshguard-1.5.tar.bz2) = 303767
+SHA256 (sshguard-2.2.0.tar.gz) = Kv8H/ubsM+T/1UEZFrdRiZd68dd7htrF84NN06o2VsI=
+SIZE (sshguard-2.2.0.tar.gz) = 737612
Index: patches/patch-configure
===================================================================
RCS file: patches/patch-configure
diff -N patches/patch-configure
--- patches/patch-configure 24 Jun 2018 10:54:19 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,13 +0,0 @@
-$OpenBSD: patch-configure,v 1.1 2018/06/24 10:54:19 kn Exp $
-
-Index: configure
---- configure.orig
-+++ configure
-@@ -5949,7 +5949,6 @@ then
- STD99_CFLAGS="-xc99"
- else
- # other compiler (assume gcc-compatibile :( )
-- OPTIMIZER_CFLAGS="-O2"
- WARNING_CFLAGS="-Wall"
- STD99_CFLAGS="-std=c99"
- fi
Index: patches/patch-src_fwalls_command_c
===================================================================
RCS file: patches/patch-src_fwalls_command_c
diff -N patches/patch-src_fwalls_command_c
--- patches/patch-src_fwalls_command_c 9 Sep 2011 20:13:28 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_fwalls_command_c,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/fwalls/command.c.orig Fri Sep 9 22:07:56 2011
-+++ src/fwalls/command.c Fri Sep 9 22:08:12 2011
-@@ -59,7 +59,7 @@ int fw_block(const char *restrict addr, int addrkind,
- return (run_command(COMMAND_BLOCK, addr, addrkind, service) == 0 ? FWALL_OK : FWALL_ERR);
- }
-
--int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]) {
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]) {
- /* block each address individually */
- int i;
-
Index: patches/patch-src_sshguard_fw_h
===================================================================
RCS file: patches/patch-src_sshguard_fw_h
diff -N patches/patch-src_sshguard_fw_h
--- patches/patch-src_sshguard_fw_h 9 Sep 2011 20:13:28 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-src_sshguard_fw_h,v 1.1 2011/09/09 20:13:28 naddy Exp $
-
-Allow building with gcc3.
-
---- src/sshguard_fw.h.orig Fri Sep 9 22:07:03 2011
-+++ src/sshguard_fw.h Fri Sep 9 22:07:20 2011
-@@ -85,7 +85,7 @@ int fw_block(const char *restrict addr, int addrkind,
- *
- * @return FWALL_OK or FWALL_ERR
- */
--int fw_block_list(const char *restrict addresses[], int addrkind, const int service_codes[]);
-+int fw_block_list(const char *restrict *addresses, int addrkind, const int service_codes[]);
-
-
- /**
Index: patches/patch-src_sshguard_logsuck_c
===================================================================
RCS file: patches/patch-src_sshguard_logsuck_c
diff -N patches/patch-src_sshguard_logsuck_c
--- patches/patch-src_sshguard_logsuck_c 7 Mar 2011 17:44:16 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_logsuck_c,v 1.2 2011/03/07 17:44:16 rpointel Exp $
---- src/sshguard_logsuck.c.orig Wed Feb 9 13:01:47 2011
-+++ src/sshguard_logsuck.c Sat Mar 5 19:27:53 2011
-@@ -242,7 +242,7 @@ int logsuck_getline(char *restrict buf, size_t buflen,
- if (ret > 0) {
- if (kevs[0].filter == EVFILT_READ) {
- /* got data on this one. Read from it */
-- sshguard_log(LOG_DEBUG, "Searching for fd %lu in list.", kevs[0].ident);
-+ sshguard_log(LOG_DEBUG, "Searching for fd %u in list.", kevs[0].ident);
- readentry = list_seek(& sources_list, & kevs[0].ident);
- assert(readentry != NULL);
- assert(readentry->active);
Index: patches/patch-src_sshguard_procauth_c
===================================================================
RCS file: patches/patch-src_sshguard_procauth_c
diff -N patches/patch-src_sshguard_procauth_c
--- patches/patch-src_sshguard_procauth_c 7 Sep 2010 12:23:43 -0000 1.1.1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,12 +0,0 @@
-$OpenBSD: patch-src_sshguard_procauth_c,v 1.1.1.1 2010/09/07 12:23:43 millert Exp $
---- src/sshguard_procauth.c.orig Mon Aug 9 02:44:15 2010
-+++ src/sshguard_procauth.c Mon Aug 30 13:05:40 2010
-@@ -192,7 +192,7 @@ static int procauth_ischildof(pid_t child, pid_t paren
- dup2(ps2me[1], 1);
-
- sshguard_log(LOG_DEBUG, "Running 'ps axo pid,ppid'.");
-- execlp("ps", "ps", "axo", "pid,ppid", NULL);
-+ execlp("ps", "ps", "axo", "pid,ppid", (char *)0);
-
- sshguard_log(LOG_ERR, "Unable to run 'ps axo pid,ppid': %s.", strerror(errno));
- exit(-1);
Index: pkg/PLIST
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/PLIST,v
retrieving revision 1.5
diff -u -p -r1.5 PLIST
--- pkg/PLIST 4 Sep 2018 12:46:21 -0000 1.5
+++ pkg/PLIST 4 Dec 2018 16:05:24 -0000
@@ -1,6 +1,22 @@
@comment $OpenBSD: PLIST,v 1.5 2018/09/04 12:46:21 espie Exp $
@pkgpath security/sshguard,tcpd
+@rcscript ${RCDIR}/sshguard
+@bin libexec/sshg-blocker
+libexec/sshg-fw-firewalld
+@bin libexec/sshg-fw-hosts
+libexec/sshg-fw-ipfilter
+libexec/sshg-fw-ipfw
+libexec/sshg-fw-ipset
+libexec/sshg-fw-iptables
+libexec/sshg-fw-nft-sets
+libexec/sshg-fw-null
+libexec/sshg-fw-pf
+libexec/sshg-logtail
+@bin libexec/sshg-parser
+@man man/man7/sshguard-setup.7
@man man/man8/sshguard.8
-@bin sbin/sshguard
+sbin/sshguard
share/doc/pkg-readmes/${PKGSTEM}
-@rcscript ${RCDIR}/sshguard
+share/examples/sshguard/
+share/examples/sshguard/sshguard.conf.sample
+share/examples/sshguard/whitelistfile.example
Index: pkg/README
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/README,v
retrieving revision 1.3
diff -u -p -r1.3 README
--- pkg/README 4 Sep 2018 12:46:21 -0000 1.3
+++ pkg/README 4 Dec 2018 21:10:55 -0000
@@ -4,7 +4,13 @@ $OpenBSD: README,v 1.3 2018/09/04 12:46:
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

-To use sshguard with pf(4), add the following to /etc/pf.conf:
+Copy the example configuration file:
+
+ cp ${PREFIX}/share/examples/sshguard/sshguard.conf.sample \
+ ${SYSCONFDIR}/sshguard.conf
+
+To use ${PKGSTEM} with pf(4), add something similar to the following to
+${SYSCONFDIR}/pf.conf:

table <sshguard> persist

Index: pkg/sshguard.rc
===================================================================
RCS file: /extra/cvs/ports/security/sshguard/pkg/sshguard.rc,v
retrieving revision 1.4
diff -u -p -r1.4 sshguard.rc
--- pkg/sshguard.rc 11 Jan 2018 19:27:09 -0000 1.4
+++ pkg/sshguard.rc 4 Dec 2018 21:09:13 -0000
@@ -3,9 +3,17 @@
# $OpenBSD: sshguard.rc,v 1.4 2018/01/11 19:27:09 rpe Exp $

daemon="${TRUEPREFIX}/sbin/sshguard"
-daemon_flags="-l /var/log/authlog"

. /etc/rc.d/rc.subr
+
+pexp="/bin/sh $pexp"
+
+rc_stop () {
+ # Need to send TERM to all processes in the process group not just
+ # to the ones matching "$pexp". The main sshguard shell script does
+ # set up a trap for doing this, but it relies on running under bash.
+ kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"
+}

rc_bg=YES
rc_reload=NO
On Fri, Nov 23, 2018 at 03:36:09PM +0000, Stuart Henderson wrote:
> On 2018/11/22 21:05, Andreas Kusalananda Kähäri wrote:
> > On Thu, Nov 22, 2018 at 02:39:54PM +0000, Stuart Henderson wrote:
> > > > On Sun, 22 Apr 2018 at 16:03:23 +0200, Andreas Kusalananda Kähäri wrote:
> > > > > I posted about this update in late March when I had issues getting the
> > > > > sshguard service to properly shut down, but that issue has since been
> > > > > resolved (rc_stop() needs to send it the HUP signal).
> > >
> > > HUP to shutdown?! is there some analysis on this, that's really weird.

This has now been resolved.
(but startup remains an issue, see end)

> >
> > Looking at
> >
> > https://bitbucket.org/sshguard/sshguard/src/ff8b525254a6c6e01e0f484cc3feba93e28a326e/src/sshguard.in?at=master&fileviewer=file-view-default
> >
> >
> > The main sshguard utility is a shell script that starts a log "tail"
> > reader, a log parser, a "blocker" (which I presume decides whether a
> > behaviour warrants blocking or not) and a firewall-specific backend that
> > actually does the blocking. These are started in a shell pipeline:
> >
> > eval $tailcmd | $libexec/sshg-parser | \
> > $libexec/sshg-blocker $flags | ($BACKEND; kill -PIPE $$)
> >
> > (the unquoted variable expansions..., I won't comment more on them)
> >
> > The bulk of the main shell script is just setting up the values of the
> > variables used in this pipeline.
> >
> > At the start of the script, there's
> >
> > trap "trap - TERM && kill 0" INT TERM EXIT
> >
> > ... which does my head in a bit. It's *really* easy to start sshguard
> > and have one of the components of this pipeline not work correctly (it's
> > usually one and the same, but I forget which one now). This usually
> > happens when it's started from pkg_scripts at boot (but not when started
> > manually later for some reason). Sending the main script a HUP was
> > about the *only* way I could reliably get all components of the pipeline
> > to exit cleanly.
> >
> > I'm assuming that it expects /bin/sh to be bash, and this could be one
> > of the reasons why it misbehaves under our /bin/sh (I haven't tested
> > with bash).
> >
> > I have only ever looked at the shell script portion of sshguard 2.1.0
> > and the BitBucket Git thing I linked to and quoted above may well be
> > newer than that. I gave up when I couldn't get it to start/shut down
> > reliably.
> >
> > When it *ran*, it worked flawlessly.
> >
> > I've been meaning to get back to this to sort it out for OpenBSD, but
> > have forgotten and have had other things getting in the way.
>
> Thanks - no objection to the update then, but would appreciate a link to
> the list archive for this (https://marc.info/?l=openbsd-ports&m=154291717732337&w=2)
> in commit log for the benefit of people looking later :)

Attached is a port of sshguard-2.2.0 which appears to work, sort of. It
does not start at boot when started from pkg_scripts. It *does* start
reliably when started manually with "rcctl start sshguard" and it shuts
down reliably both at system shutdown and manually (and in-between, it
runs well).

Any help with possible diagnoses of the startup problem would be
helpful. I haven't found any other port that starts a shell script as a
daemon, but I have only looked for "/bin/sh" in the rc scripts for that.

The "stop" action in the rc script is a bit unorthodox:

kill -- "-$( ps -o pgid= -p "$( pgrep -o -T "${daemon_rtable}" -fx "${pexp}" )" )"

... and that's to send a TERM signal to all the processes in the
relevant process group (sshguard consists of a total of seven separate
processes). The main script does do something similar to this ("kill 0"
in a trap), but this may require bash to work (and even then it doesn't
seem to work reliably).

I have attached a diff for the port as well as a tar archive of it.


Regards,

--
Andreas Kusalananda Kähäri,
National Bioinformatics Infrastructure Sweden (NBIS),
Uppsala University, Sweden.

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)