Bug 1260845 - Review Request: sshguard - Protect hosts from brute-force attacks
Summary: Review Request: sshguard - Protect hosts from brute-force attacks
Status: CLOSED DUPLICATE of bug 1756582
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2015-09-08 03:32 UTC by Conrad Meyer
Modified: 2019-09-30 14:15 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2019-09-30 14:15:37 UTC
Type: ---

Attachments (Terms of Use)
rawhide build fix (1.29 KB, patch)
2015-12-24 10:44 UTC, rdvn
no flags Details | Diff

Description Conrad Meyer 2015-09-08 03:32:07 UTC
Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.5-1.fc22.src.rpm

sshguard protects hosts from brute-force attacks against SSH and other
services.  It aggregates system logs and blocks repeat offenders using

sshguard can read log messages from standard input (suitable for piping from
syslog) or monitor one or more log files.  Log messages are parsed,
line-by-line, for recognized patterns.  If an attack, such as several login
failures within a few seconds, is detected, the offending IP is blocked.
Offenders are unblocked after a set interval, but can be semi-permanently
banned using the blacklist option.

Fedora Account System Username: konradm

N.B.: Sshguard monitors /var/log/secure and depends on rsyslog because it was not obvious how to get plaintext out of systemd-journald in a single path; with a small patch to sshguard we could drop the rsyslog dependency.

N.B. 2: I've chosen to integrate sshguard with firewalld via IN_public_deny rather than trying to have it work standalone and with firewalld.  The only downside here is that server users may grumble about having to run firewalld.

N.B. 3: Not a lot of configuration available / relevant for this service!  There are a few knobs specified as command line options we *could* expose to admins, but the defaults are pretty reasonable.

Rpmlint is clean, modulo mistaken spelling errors on 'syslog' and 'systemd'.

This is my first systemd .unit file, any feedback is appreciated.

Comment 1 Christopher Meng 2015-09-08 04:12:25 UTC
I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.

BUT, why not use 1.6.1 just release a month ago?


Comment 2 Conrad Meyer 2015-09-08 14:29:51 UTC
(In reply to Christopher Meng from comment #1)
> I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.

Another doesn't hurt. :)
> BUT, why not use 1.6.1 just release a month ago?
> http://sourceforge.net/p/sshguard/mailman/message/34336780/

Sorry.  1.5 was the latest I found on the website.  I'll go ahead and update it to 1.6.1.

Comment 3 Conrad Meyer 2015-09-08 14:50:13 UTC
Updated to 1.6.1.  Rpmlint is still clean.  Seems ok on my system.

Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-1.fc22.src.rpm

Comment 4 Upstream Release Monitoring 2015-12-14 16:03:23 UTC
williamjmorenor's scratch build of sshguard-1.6.1-1.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12186641

Comment 5 William Moreno 2015-12-14 16:16:33 UTC
This spec is not building in Rawhide, please check for missinb buildrequires and update the spec and src.rpm

Comment 6 Conrad Meyer 2015-12-14 16:24:26 UTC
It's missing the addrinfo header include:

sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'

Odd that it built locally.

Comment 7 rdvn 2015-12-24 10:44:25 UTC
Created attachment 1109179 [details]
rawhide build fix

Addrinfo is unconditionally available in the 2001 spec. Patch attached, builds fine with mock on armhfp.

Comment 8 Conrad Meyer 2015-12-26 19:09:32 UTC
Added rdvn@'s patch to compiled with POSIX_C_SOURCE:

Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-2.fc22.src.rpm

Comment 9 Upstream Release Monitoring 2015-12-28 22:18:39 UTC
williamjmorenor's scratch build of sshguard-1.6.1-2.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335109

Comment 10 Conrad Meyer 2015-12-28 22:30:33 UTC
Same issue:
sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
     for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {

Comment 11 Conrad Meyer 2015-12-28 22:52:36 UTC
Added V=1 so compilation flags are logged.  Noticed that POSIX_C_SOURCE wasn't getting applied on the only files it mattered on; dropped the patch from -2 and instead append the define to CFLAGS before `configure.'  Verified the define is being applied to the important files, e.g., sshguard_whitelist.c.

Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-3.fc22.src.rpm

Comment 12 Conrad Meyer 2015-12-28 22:54:58 UTC
Scratch build kicked off here: http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400

Comment 13 Upstream Release Monitoring 2015-12-28 22:57:05 UTC
konradm's scratch build of sshguard-1.6.1-3.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400

Comment 14 Conrad Meyer 2015-12-28 22:59:52 UTC
Now it builds (at least, where -m64 isn't required), but it isn't quite right -- the system CFLAGS are dropped on the floor.

Comment 15 William Moreno 2016-04-05 14:46:25 UTC
I am sorry but my builds are still falingin:


The epel7 build pass but f24 and f25 fails

Comment 16 Daniel 2016-04-30 18:43:58 UTC
I’d really like to see this included in Fedora as currently Fail2Ban lacks IPv6 support, and sshguard has excellent IPv6 support and a smaller memory footprint.

Some comments on the spec file:

* Should require `iptables` rather than `firewalld`
* Should not require rsyslog; pipe output from journalctl into sshguard in the service file instead (reference [how arch does it](https://git.archlinux.org/svntogit/community.git/tree/trunk/sshguard-journalctl?h=packages/sshguard))

Comment 17 William Moreno 2016-06-13 19:41:14 UTC
This package is still failing to build:


checking for gawk... (cached) gawk
checking for x86_64-redhat-linux-gnu-gcc... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... configure: error: in `/builddir/build/BUILD/sshguard-1.6.1':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
error: Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
Child return code was: 1
EXCEPTION: [Error()]
Traceback (most recent call last):
  File "/usr/lib/python3.4/site-packages/mockbuild/trace_decorator.py", line 88, in trace
    result = func(*args, **kw)
  File "/usr/lib/python3.4/site-packages/mockbuild/util.py", line 551, in do
    raise exception.Error("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
mockbuild.exception.Error: Command failed. See logs for output.
 # bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/sshguard.spec

Comment 18 William Moreno 2016-06-15 21:22:02 UTC

Comment 19 Tomasz Torcz 2016-10-27 08:40:35 UTC
For build to succeed, -fPIC has to be added to flags.
Specs changes for latest version:

--- a/sshguard.spec     2015-12-28 23:50:15.000000000 +0100
+++ b/sshguard.spec     2016-10-27 10:38:21.778660447 +0200
@@ -1,11 +1,10 @@
 Name:           sshguard
-Version:        1.6.1
-Release:        3%{?dist}
+Version:        1.7.1
+Release:        1%{?dist}
 Summary:        Protect hosts from brute-force attacks
 License:        ISC and BSD and Public Domain
 URL:            http://www.sshguard.net/
 Source0:        http://downloads.sourceforge.net/project/sshguard/sshguard/%{version}/sshguard-%{version}.tar.xz
-Source1:        sshguard.service
 BuildRequires:  systemd
 Requires:       firewalld
@@ -29,12 +28,11 @@
 %setup -q
 find src \( -name '*.h' -o -name '*.c' \) -exec chmod -x {} +
-cp -a %{SOURCE1} .
 # glibc headers need POSIX_C_SOURCE:
 %configure --with-firewall=iptables
 make %{?_smp_mflags} V=1
@@ -44,7 +42,7 @@
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}/
-install -m 644 sshguard.service $RPM_BUILD_ROOT%{_unitdir}/
+install -m 644 examples/sshguard.service $RPM_BUILD_ROOT%{_unitdir}/
@@ -60,13 +58,17 @@
-%doc README.rst COPYING examples
+%doc README.rst examples
+%license COPYING

Comment 20 Daniel 2017-03-08 12:05:16 UTC
SSHGuard 2.0.0 has been released.

SSHGuard 2 introduced a new configuration scheme (changed from piped commands and runtime flags in the init script to a configuration file) and a FirewallD backend that should be of interest to Fedora.

I wrote up a tutorial for users showing how to install and configure SSHGuard on Fedora that might help the packaging effort.

I’m not all that familiar with RPM packages or Fedora’s packaging infrastructure, but please let me know if I can help in any way getting SSHGuard packaged for Fedora.

Comment 21 Andrew Elwell 2018-09-18 01:31:36 UTC
I've just noticed this is languishing (as I've got a requirement to use sshguard on some systems). If the original proposed maintainers aren't interested in the 2.0 tree, I'll work the spec and get this rolling again.


Comment 22 Conrad Meyer 2018-09-18 01:59:21 UTC
I'm happy to hand it off to you, Andrew.

Comment 23 Andrew Elwell 2018-09-18 02:33:36 UTC
OK - don't run away as I may need it reviewing :-)

Comment 24 Christopher Engelhard 2018-09-23 20:36:08 UTC
I have recently created a RPM of this as well (Gitlab: https://gitlab.com/lcts/sshguard-rpm - COPR: https://copr.fedorainfracloud.org/coprs/lcts/sshguard ), feel free to fork that. Currently builds on everything except epel6 (no systemd).


Comment 25 Christopher Engelhard 2019-08-21 08:00:08 UTC
I've continued maintaining sshguard on COPR [1] since September and I'd be happy to do so in the main repo. If Andrew doesn't object, I'd submit that package for review.

Comment 26 Christopher Engelhard 2019-09-27 11:39:07 UTC
Package: sshguard 2.4.0-8
spec: https://copr-be.cloud.fedoraproject.org/results/lcts/sshguard/fedora-rawhide-x86_64/01039802-sshguard/sshguard.spec
srpm: https://copr-be.cloud.fedoraproject.org/results/lcts/sshguard/fedora-rawhide-x86_64/01039802-sshguard/sshguard-2.4.0-8.fc32.src.rpm

rpmlint (f30, x64_86): no errors, some warnings I consider false positives

In addition to having this package accepted, I'm also looking for a sponsor.

Comment 27 Robert-André Mauchin 🐧 2019-09-27 14:42:17 UTC
(In reply to Christopher Engelhard from comment #26)
> Package: sshguard 2.4.0-8
> spec:
> https://copr-be.cloud.fedoraproject.org/results/lcts/sshguard/fedora-rawhide-
> x86_64/01039802-sshguard/sshguard.spec
> srpm:
> https://copr-be.cloud.fedoraproject.org/results/lcts/sshguard/fedora-rawhide-
> x86_64/01039802-sshguard/sshguard-2.4.0-8.fc32.src.rpm
> rpmlint (f30, x64_86): no errors, some warnings I consider false positives
> In addition to having this package accepted, I'm also looking for a sponsor.

Can you post a new review request for it and mark this one as a duplicate and block FE-DEADREVIEW?

Comment 28 Christopher Engelhard 2019-09-28 07:58:30 UTC
Duplicate of Bug 1756582

Comment 29 Robert-André Mauchin 🐧 2019-09-30 14:15:37 UTC

*** This bug has been marked as a duplicate of bug 1756582 ***

Note You need to log in before you can comment on or make changes to this bug.