Bug 1260845 - Review Request: sshguard - Protect hosts from brute-force attacks
Status: NEW
Product: Fedora
Classification: Fedora
Component: Package Review
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-07 23:32 EDT by Conrad Meyer
Modified: 2017-03-08 07:05 EST


Attachments
rawhide build fix (1.29 KB, patch), 2015-12-24 05:44 EST, rdvn

Description Conrad Meyer 2015-09-07 23:32:07 EDT
Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.5-1.fc22.src.rpm

sshguard protects hosts from brute-force attacks against SSH and other
services.  It aggregates system logs and blocks repeat offenders using

sshguard can read log messages from standard input (suitable for piping from
syslog) or monitor one or more log files.  Log messages are parsed,
line-by-line, for recognized patterns.  If an attack, such as several login
failures within a few seconds, is detected, the offending IP is blocked.
Offenders are unblocked after a set interval, but can be semi-permanently
banned using the blacklist option.

Fedora Account System Username: konradm

N.B.: Sshguard monitors /var/log/secure and depends on rsyslog because it was not obvious how to get plaintext out of systemd-journald in a single path; with a small patch to sshguard we could drop the rsyslog dependency.

N.B. 2: I've chosen to integrate sshguard with firewalld via IN_public_deny rather than trying to have it work standalone and with firewalld.  The only downside here is that server users may grumble about having to run firewalld.

N.B. 3: Not a lot of configuration available / relevant for this service!  There are a few knobs specified as command line options we *could* expose to admins, but the defaults are pretty reasonable.

Rpmlint is clean, modulo mistaken spelling errors on 'syslog' and 'systemd'.

This is my first systemd .unit file, any feedback is appreciated.
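
The detection loop described in this request (parse log lines, block an address after several failures within a few seconds, unblock after an interval, ban repeat offenders), sketched as an added example; it is not sshguard's own parser or scoring and not code from this bug. The thresholds, the single log pattern, the default year (syslog timestamps carry none) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One sshd failure format. The greedy ".*" and the "$" anchor take the address
# from the end of the line, because the user name is remote-controlled text.
FAILED = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?.* from (\S+) port \d+ ssh2$")
THRESHOLD, WINDOW = 3, timedelta(seconds=10)  # assumed: 3 failures within 10 s
BLOCK_TIME = timedelta(seconds=120)           # assumed unblock interval
BLACKLIST_AFTER = 2                           # assumed: second offence is permanent

def detect(lines, year=2015):
    recent = defaultdict(deque)               # ip -> times of recent failures
    blocked, offences, events = {}, defaultdict(int), []
    for line in lines:
        m = FAILED.match(line.rstrip("\n"))
        if not m:
            continue
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        try:
            ip = str(ipaddress.ip_address(m.group(2)))  # accept IPv4/IPv6 only
        except ValueError:
            continue
        for old in [a for a, until in blocked.items() if until <= now]:
            del blocked[old]                  # block interval has elapsed
            events.append(("unblock", old))
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(now)
        while now - q[0] > WINDOW:            # drop failures outside the window
            q.popleft()
        if len(q) >= THRESHOLD:
            q.clear()
            offences[ip] += 1
            permanent = offences[ip] >= BLACKLIST_AFTER
            blocked[ip] = datetime.max if permanent else now + BLOCK_TIME
            events.append(("blacklist" if permanent else "block", ip))
    return events

A = "203.0.113.5"  # constructed sample below uses documentation address ranges
ROWS = [(0, 1, "root", A), (0, 3, "root", A), (0, 5, "invalid user admin", A),
        (0, 20, "alice", "198.51.100.7"),
        (0, 30, "invalid user x from 192.0.2.9 port 1 ssh2", "2001:db8::1"),
        (3, 0, "root", A), (3, 2, "root", A), (3, 4, "root", A)]
SAMPLE = [f"Sep  7 23:{m:02d}:{s:02d} host sshd[4242]: Failed password for {u} "
          f"from {ip} port 50000 ssh2" for m, s, u, ip in ROWS]
```

detect(SAMPLE) returns the block, unblock and blacklist decisions in order; the fifth sample line carries an address-like string inside the user name and is still attributed to the connecting address at the end of the line.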
Comment 1 Christopher Meng 2015-09-08 00:12:25 EDT
I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.

BUT, why not use 1.6.1, just released a month ago?

Comment 2 Conrad Meyer 2015-09-08 10:29:51 EDT
(In reply to Christopher Meng from comment #1)
> I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.

Another doesn't hurt. :)

> BUT, why not use 1.6.1, just released a month ago?
> http://sourceforge.net/p/sshguard/mailman/message/34336780/

Sorry.  1.5 was the latest I found on the website.  I'll go ahead and update it to 1.6.1.
Comment 3 Conrad Meyer 2015-09-08 10:50:13 EDT
Updated to 1.6.1.  Rpmlint is still clean.  Seems ok on my system.

Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-1.fc22.src.rpm
Comment 4 Upstream Release Monitoring 2015-12-14 11:03:23 EST
williamjmorenor's scratch build of sshguard-1.6.1-1.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12186641
Comment 5 William Moreno 2015-12-14 11:16:33 EST
This spec is not building in Rawhide, please check for missing BuildRequires and update the spec and src.rpm.
Comment 6 Conrad Meyer 2015-12-14 11:24:26 EST
It's missing the addrinfo header include:

sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'

Odd that it built locally.
Comment 7 rdvn 2015-12-24 05:44 EST
Created attachment 1109179 [details]
rawhide build fix

Addrinfo is unconditionally available in the 2001 spec. Patch attached, builds fine with mock on armhfp.
Comment 8 Conrad Meyer 2015-12-26 14:09:32 EST
Added rdvn@'s patch to compile with POSIX_C_SOURCE:

Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-2.fc22.src.rpm
Comment 9 Upstream Release Monitoring 2015-12-28 17:18:39 EST
williamjmorenor's scratch build of sshguard-1.6.1-2.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335109
Comment 10 Conrad Meyer 2015-12-28 17:30:33 EST
Same issue:
sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
     for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {
Comment 11 Conrad Meyer 2015-12-28 17:52:36 EST
Added V=1 so compilation flags are logged.  Noticed that POSIX_C_SOURCE wasn't getting applied on the only files it mattered on; dropped the patch from -2 and instead append the define to CFLAGS before `configure.'  Verified the define is being applied to the important files, e.g., sshguard_whitelist.c.

Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-3.fc22.src.rpm
Comment 12 Conrad Meyer 2015-12-28 17:54:58 EST
Scratch build kicked off here: http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
Comment 13 Upstream Release Monitoring 2015-12-28 17:57:05 EST
konradm's scratch build of sshguard-1.6.1-3.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
Comment 14 Conrad Meyer 2015-12-28 17:59:52 EST
Now it builds (at least, where -m64 isn't required), but it isn't quite right -- the system CFLAGS are dropped on the floor.
Comment 15 William Moreno 2016-04-05 10:46:25 EDT
I am sorry but my builds are still failing:

The epel7 build passes but f24 and f25 fail.
Comment 16 Daniel 2016-04-30 14:43:58 EDT
I’d really like to see this included in Fedora as currently Fail2Ban lacks IPv6 support, and sshguard has excellent IPv6 support and a smaller memory footprint.

Some comments on the spec file:

* Should require `iptables` rather than `firewalld`
* Should not require rsyslog; pipe output from journalctl into sshguard in the service file instead (reference [how arch does it](https://git.archlinux.org/svntogit/community.git/tree/trunk/sshguard-journalctl?h=packages/sshguard))
Comment 17 William Moreno 2016-06-13 15:41:14 EDT
This package is still failing to build:


checking for gawk... (cached) gawk
checking for x86_64-redhat-linux-gnu-gcc... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... configure: error: in `/builddir/build/BUILD/sshguard-1.6.1':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
error: Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
Child return code was: 1
EXCEPTION: [Error()]
Traceback (most recent call last):
  File "/usr/lib/python3.4/site-packages/mockbuild/trace_decorator.py", line 88, in trace
    result = func(*args, **kw)
  File "/usr/lib/python3.4/site-packages/mockbuild/util.py", line 551, in do
    raise exception.Error("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
mockbuild.exception.Error: Command failed. See logs for output.
 # bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/sshguard.spec
Comment 18 William Moreno 2016-06-15 17:22:02 EDT
Comment 19 Tomasz Torcz 2016-10-27 04:40:35 EDT
For build to succeed, -fPIC has to be added to flags.
Spec changes for latest version:

--- a/sshguard.spec     2015-12-28 23:50:15.000000000 +0100
+++ b/sshguard.spec     2016-10-27 10:38:21.778660447 +0200
@@ -1,11 +1,10 @@
 Name:           sshguard
-Version:        1.6.1
-Release:        3%{?dist}
+Version:        1.7.1
+Release:        1%{?dist}
 Summary:        Protect hosts from brute-force attacks
 License:        ISC and BSD and Public Domain
 URL:            http://www.sshguard.net/
 Source0:        http://downloads.sourceforge.net/project/sshguard/sshguard/%{version}/sshguard-%{version}.tar.xz
-Source1:        sshguard.service
 BuildRequires:  systemd
 Requires:       firewalld
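Review bot: "Requires: firewalld" is carried over unchanged at the end of this hunk, while the build section in the next hunk still runs %configure --with-firewall=iptables, so the runtime dependency and the compiled-in backend do not obviously match. Comment 16 asked for iptables to be required instead; either change the Requires line or add a spec comment explaining why firewalld is needed with the iptables backend. Removing Source1 is fine only if the upstream unit installed later is reviewed as carefully as the local one was.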
@@ -29,12 +28,11 @@
 %setup -q
 find src \( -name '*.h' -o -name '*.c' \) -exec chmod -x {} +
-cp -a %{SOURCE1} .
 # glibc headers need POSIX_C_SOURCE:
 %configure --with-firewall=iptables
 make %{?_smp_mflags} V=1
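Review bot: The comment "# glibc headers need POSIX_C_SOURCE:" is followed directly by %configure in the lines shown, and nothing in this hunk adds the -fPIC that the text above the patch says the build needs. If the flags are set in lines not shown here, make sure they are appended to the distribution flags, for example by exporting CFLAGS="%{optflags} ..." before %configure, rather than replacing them; comment 14 already noted that the system CFLAGS were being dropped, and those carry the hardening options.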
@@ -44,7 +42,7 @@
 mkdir -p $RPM_BUILD_ROOT%{_unitdir}/
-install -m 644 sshguard.service $RPM_BUILD_ROOT%{_unitdir}/
+install -m 644 examples/sshguard.service $RPM_BUILD_ROOT%{_unitdir}/
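Review bot: The unit installed on the "+" line now comes from upstream's examples/sshguard.service instead of the packager's own file, so its ExecStart path, log source and firewall hooks are no longer visible in the review. Check that it matches the Fedora layout (the original submission relied on /var/log/secure and firewalld integration) and patch it in %prep if it does not. As a style point, use install -p -m 644 so the file timestamp is preserved.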
@@ -60,13 +58,17 @@
-%doc README.rst COPYING examples
+%doc README.rst examples
+%license COPYING
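Review bot: "%doc README.rst examples" still ships the whole examples directory, which now contains the sshguard.service that the previous hunk also installs into %{_unitdir}, so the unit ends up in the package twice. Either list the individual example files under %doc or exclude the unit from the documentation copy. Moving COPYING to %license is correct.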
Comment 20 Daniel 2017-03-08 07:05:16 EST
SSHGuard 2.0.0 has been released.

SSHGuard 2 introduced a new configuration scheme (changed from piped commands and runtime flags in the init script to a configuration file) and a FirewallD backend that should be of interest to Fedora.

I wrote up a tutorial for users showing how to install and configure SSHGuard on Fedora that might help the packaging effort.

I’m not all that familiar with RPM packages or Fedora’s packaging infrastructure, but please let me know if I can help in any way getting SSHGuard packaged for Fedora.
