Red Hat Bugzilla – Bug 1260845
Review Request: sshguard - Protect hosts from brute-force attacks
Last modified: 2017-03-08 07:05:16 EST
Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.5-1.fc22.src.rpm Description: sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using iptables. sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option. Fedora Account System Username: konradm N.B.: Sshguard monitors /var/log/secure and depends on rsyslog because it was not obvious how to get plaintext out of systemd-journald in a single path; with a small patch to sshguard we could drop the rsyslog dependency. N.B. 2: I've chosen to integrate sshguard with firewalld via IN_public_deny rather than trying to have it work standalone and with firewalld. The only downside here is that server users may grumble about having to run firewalld. N.B. 3: Not a lot of configuration available / relevant for this service! There are a few knobs specified as command line options we *could* expose to admins, but the defaults are pretty reasonable. Rpmlint is clean, modulo mistaken spelling errors on 'syslog' and 'systemd'. This is my first systemd .unit file, any feedback is appreciated.
I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban. BUT, why not use 1.6.1 just release a month ago? http://sourceforge.net/p/sshguard/mailman/message/34336780/
(In reply to Christopher Meng from comment #1) > I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban. Another doesn't hurt. :) > BUT, why not use 1.6.1 just release a month ago? > > http://sourceforge.net/p/sshguard/mailman/message/34336780/ Sorry. 1.5 was the latest I found on the website. I'll go ahead and update it to 1.6.1.
Updated to 1.6.1. Rpmlint is still clean. Seems ok on my system. Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-1.fc22.src.rpm
williamjmorenor's scratch build of sshguard-1.6.1-1.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12186641
This spec is not building in Rawhide, please check for missinb buildrequires and update the spec and src.rpm
It's missing the addrinfo header include: sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo' Odd that it built locally.
Created attachment 1109179 [details] rawhide build fix Addrinfo is unconditionally available in the 2001 spec. Patch attached, builds fine with mock on armhfp.
Added rdvn@'s patch to compiled with POSIX_C_SOURCE: Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-2.fc22.src.rpm
williamjmorenor's scratch build of sshguard-1.6.1-2.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335109
Same issue: sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo' for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) { ^
Added V=1 so compilation flags are logged. Noticed that POSIX_C_SOURCE wasn't getting applied on the only files it mattered on; dropped the patch from -2 and instead append the define to CFLAGS before `configure.' Verified the define is being applied to the important files, e.g., sshguard_whitelist.c. Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-3.fc22.src.rpm
Scratch build kicked off here: http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
konradm's scratch build of sshguard-1.6.1-3.fc22.src.rpm for rawhide failed http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
Now it builds (at least, where -m64 isn't required), but it isn't quite right -- the system CFLAGS are dropped on the floor.
I am sorry but my builds are still falingin: https://copr.fedorainfracloud.org/coprs/williamjmorenor/fedora-review-test/build/173473/ The epel7 build pass but f24 and f25 fails
I’d really like to see this included in Fedora as currently Fail2Ban lacks IPv6 support, and sshguard has excellent IPv6 support and a smaller memory footprint. Some comments on the spec file: * Should require `iptables` rather than `firewalld` * Should not require rsyslog; pipe output from journalctl into sshguard in the service file instead (reference [how arch does it](https://git.archlinux.org/svntogit/community.git/tree/trunk/sshguard-journalctl?h=packages/sshguard))
This package is still failing to build: https://copr.fedorainfracloud.org/coprs/williamjmorenor/fedora-review-test/build/341237/ checking for gawk... (cached) gawk checking for x86_64-redhat-linux-gnu-gcc... no checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... configure: error: in `/builddir/build/BUILD/sshguard-1.6.1': configure: error: cannot run C compiled programs. If you meant to cross compile, use `--host'. See `config.log' for more details error: Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build) RPM build errors: Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build) Child return code was: 1 EXCEPTION: [Error()] Traceback (most recent call last): File "/usr/lib/python3.4/site-packages/mockbuild/trace_decorator.py", line 88, in trace result = func(*args, **kw) File "/usr/lib/python3.4/site-packages/mockbuild/util.py", line 551, in do raise exception.Error("Command failed. See logs for output.\n # %s" % (command,), child.returncode) mockbuild.exception.Error: Command failed. See logs for output. # bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/sshguard.spec
ping
For build to succeed, -fPIC has to be added to flags. Specs changes for latest version: --- a/sshguard.spec 2015-12-28 23:50:15.000000000 +0100 +++ b/sshguard.spec 2016-10-27 10:38:21.778660447 +0200 @@ -1,11 +1,10 @@ Name: sshguard -Version: 1.6.1 -Release: 3%{?dist} +Version: 1.7.1 +Release: 1%{?dist} Summary: Protect hosts from brute-force attacks License: ISC and BSD and Public Domain URL: http://www.sshguard.net/ Source0: http://downloads.sourceforge.net/project/sshguard/sshguard/%{version}/sshguard-%{version}.tar.xz -Source1: sshguard.service BuildRequires: systemd Requires: firewalld @@ -29,12 +28,11 @@ %prep %setup -q find src \( -name '*.h' -o -name '*.c' \) -exec chmod -x {} + -cp -a %{SOURCE1} . %build # glibc headers need POSIX_C_SOURCE: -export CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112L" +export CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112L -fPIC" %configure --with-firewall=iptables make %{?_smp_mflags} V=1 @@ -44,7 +42,7 @@ %make_install mkdir -p $RPM_BUILD_ROOT%{_unitdir}/ -install -m 644 sshguard.service $RPM_BUILD_ROOT%{_unitdir}/ +install -m 644 examples/sshguard.service $RPM_BUILD_ROOT%{_unitdir}/ %post @@ -60,13 +58,17 @@ %files -%doc README.rst COPYING examples +%doc README.rst examples +%license COPYING +%{_libexecdir}/sshg-* %{_mandir}/man8/sshguard.8* %{_sbindir}/sshguard %{_unitdir}/sshguard.service
SSHGuard 2.0.0 has been released. https://www.sshguard.net/litenewz/feeds/14 SSHGuard 2 introduced a new configuration scheme (changed from piped commands and runtime flags in the init script to a configuration file) and a FirewallD backend that should be of interest to Fedora. I wrote up a tutorial for users showing how to install and configure SSHGuard on Fedora that might help the packaging effort. https://ctrl.blog/entry/how-to-sshguard-firewalld I’m not all that familiar with RPM packages or Fedora’s packaging infrastructure, but please let me know if I can help in any way getting SSHGuard packaged for Fedora.