https://bugzilla.redhat.com/show_bug.cgi?id=1260845
Bug ID: 1260845
Summary: Review Request: sshguard - Protect hosts from brute-force attacks
Product: Fedora
Version: rawhide
Component: Package Review
Severity: medium
Priority: medium
Assignee: nobody@fedoraproject.org
Reporter: konrad@tylerc.org
QA Contact: extras-qa@fedoraproject.org
CC: package-review@lists.fedoraproject.org
Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.5-1.fc22.src.rpm
Description: sshguard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using iptables.
sshguard can read log messages from standard input (suitable for piping from syslog) or monitor one or more log files. Log messages are parsed, line-by-line, for recognized patterns. If an attack, such as several login failures within a few seconds, is detected, the offending IP is blocked. Offenders are unblocked after a set interval, but can be semi-permanently banned using the blacklist option.
Fedora Account System Username: konradm
N.B.: Sshguard monitors /var/log/secure and depends on rsyslog because it was not obvious how to get plaintext out of systemd-journald in a single path; with a small patch to sshguard we could drop the rsyslog dependency.
N.B. 2: I've chosen to integrate sshguard with firewalld via IN_public_deny rather than trying to have it work standalone and with firewalld. The only downside here is that server users may grumble about having to run firewalld.
N.B. 3: Not a lot of configuration available / relevant for this service! There are a few knobs specified as command line options we *could* expose to admins, but the defaults are pretty reasonable.
Rpmlint is clean, modulo mistaken spelling errors on 'syslog' and 'systemd'.
This is my first systemd .unit file, any feedback is appreciated.
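A minimal model of the detect/block/release cycle from the package description above, added here as an illustration; it is not sshguard's code and not part of the original report. The log lines are constructed, the threshold, window and block interval are assumed values rather than sshguard defaults, and the blacklist option is not modelled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed /var/log/secure lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Sep  8 10:00:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep  8 10:00:02 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Sep  8 10:00:03 host sshd[902]: Accepted publickey for alice from 198.51.100.4 port 50022 ssh2
Sep  8 10:00:04 host sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
Sep  8 10:00:05 host sshd[811]: Failed password for root from 203.0.113.7 port 40115 ssh2
Sep  8 10:03:00 host sshd[955]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Sep  8 10:09:00 host sshd[811]: Failed password for root from 203.0.113.7 port 40116 ssh2
"""

FAILURE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def simulate(log_text, threshold=4, window=20, block_for=420, year=2015):
    """Return (time, action, ip) events; knobs and year are assumed values."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    blocked = {}                  # ip -> time at which the block expires
    events = []
    for line in log_text.splitlines():
        m = FAILURE.match(line)
        if not m:
            continue              # not a recognized attack pattern
        now = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        # Release every block whose interval has elapsed by this line's time.
        for addr, until in list(blocked.items()):
            if until <= now:
                del blocked[addr]
                events.append((until.strftime("%H:%M:%S"), "unblock", addr))
        if ip in blocked:
            continue              # already blocked; nothing more to count
        hits = recent[ip]
        hits.append(now)
        while (now - hits[0]).total_seconds() > window:
            hits.popleft()        # forget failures older than the window
        if len(hits) >= threshold:
            blocked[ip] = now + timedelta(seconds=block_for)
            hits.clear()
            events.append((now.strftime("%H:%M:%S"), "block", ip))
    return events

if __name__ == "__main__":
    for event in simulate(SAMPLE_LOG):
        print(*event)
```

Because the model is driven only by log lines, a release is recorded when the next matching line arrives after the interval has elapsed, stamped with the expiry time.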
Christopher Meng i@cicku.me changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |i@cicku.me
--- Comment #1 from Christopher Meng i@cicku.me ---
I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.
BUT, why not use 1.6.1 just released a month ago?
http://sourceforge.net/p/sshguard/mailman/message/34336780/
--- Comment #2 from Conrad Meyer konrad@tylerc.org ---
(In reply to Christopher Meng from comment #1)
> I'm not sure if Fedora still needs it, we already have denyhosts, fail2ban.

Another doesn't hurt. :)

> BUT, why not use 1.6.1 just released a month ago?

Sorry. 1.5 was the latest I found on the website. I'll go ahead and update it to 1.6.1.
--- Comment #3 from Conrad Meyer konrad@tylerc.org ---
Updated to 1.6.1. Rpmlint is still clean. Seems ok on my system.
Spec URL: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM URL: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-1.fc22.src.rpm
William Moreno williamjmorenor@gmail.com changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |williamjmorenor@gmail.com
Assignee |nobody@fedoraproject.org    |williamjmorenor@gmail.com
Flags    |                            |fedora-review?
--- Comment #4 from Upstream Release Monitoring upstream-release-monitoring@fedoraproject.org ---
williamjmorenor's scratch build of sshguard-1.6.1-1.fc22.src.rpm for rawhide failed
http://koji.fedoraproject.org/koji/taskinfo?taskID=12186641
--- Comment #5 from William Moreno williamjmorenor@gmail.com ---
This spec is not building in Rawhide, please check for missing buildrequires and update the spec and src.rpm.
--- Comment #6 from Conrad Meyer konrad@tylerc.org ---
It's missing the addrinfo header include:
sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
Odd that it built locally.
rdvn@me.com changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |rdvn@me.com
--- Comment #7 from rdvn@me.com ---
Created attachment 1109179
  --> https://bugzilla.redhat.com/attachment.cgi?id=1109179&action=edit
rawhide build fix
Addrinfo is unconditionally available in the 2001 spec. Patch attached, builds fine with mock on armhfp.
--- Comment #8 from Conrad Meyer konrad@tylerc.org ---
Added rdvn@'s patch to compile with POSIX_C_SOURCE:
Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-2.fc22.src.rpm
--- Comment #9 from Upstream Release Monitoring upstream-release-monitoring@fedoraproject.org ---
williamjmorenor's scratch build of sshguard-1.6.1-2.fc22.src.rpm for rawhide failed
http://koji.fedoraproject.org/koji/taskinfo?taskID=12335109
--- Comment #10 from Conrad Meyer konrad@tylerc.org ---
Same issue:
sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
    for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {
                                                                                      ^
--- Comment #11 from Conrad Meyer konrad@tylerc.org ---
Added V=1 so compilation flags are logged. Noticed that POSIX_C_SOURCE wasn't getting applied on the only files it mattered on; dropped the patch from -2 and instead append the define to CFLAGS before `configure.' Verified the define is being applied to the important files, e.g., sshguard_whitelist.c.
Spec: https://konradm.fedorapeople.org/fedora/SPECS/sshguard.spec
SRPM: https://konradm.fedorapeople.org/fedora/SRPMS/sshguard-1.6.1-3.fc22.src.rpm
--- Comment #12 from Conrad Meyer konrad@tylerc.org ---
Scratch build kicked off here: http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
--- Comment #13 from Upstream Release Monitoring upstream-release-monitoring@fedoraproject.org ---
konradm's scratch build of sshguard-1.6.1-3.fc22.src.rpm for rawhide failed
http://koji.fedoraproject.org/koji/taskinfo?taskID=12335400
--- Comment #14 from Conrad Meyer konrad@tylerc.org ---
Now it builds (at least, where -m64 isn't required), but it isn't quite right -- the system CFLAGS are dropped on the floor.
--- Comment #15 from William Moreno williamjmorenor@gmail.com ---
I am sorry but my builds are still failing:
https://copr.fedorainfracloud.org/coprs/williamjmorenor/fedora-review-test/b...
The epel7 build passes but f24 and f25 fail.
Daniel code@daniel.priv.no changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |code@daniel.priv.no
--- Comment #16 from Daniel code@daniel.priv.no ---
I’d really like to see this included in Fedora as currently Fail2Ban lacks IPv6 support, and sshguard has excellent IPv6 support and a smaller memory footprint.
Some comments on the spec file:
* Should require `iptables` rather than `firewalld`
* Should not require rsyslog; pipe output from journalctl into sshguard in the service file instead (reference [how arch does it](https://git.archlinux.org/svntogit/community.git/tree/trunk/sshguard-journal...))
--- Comment #17 from William Moreno williamjmorenor@gmail.com ---
This package is still failing to build:
https://copr.fedorainfracloud.org/coprs/williamjmorenor/fedora-review-test/b...
checking for gawk... (cached) gawk
checking for x86_64-redhat-linux-gnu-gcc... no
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... configure: error: in `/builddir/build/BUILD/sshguard-1.6.1':
configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details
error: Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.z7oE7A (%build)
Child return code was: 1
EXCEPTION: [Error()]
Traceback (most recent call last):
  File "/usr/lib/python3.4/site-packages/mockbuild/trace_decorator.py", line 88, in trace
    result = func(*args, **kw)
  File "/usr/lib/python3.4/site-packages/mockbuild/util.py", line 551, in do
    raise exception.Error("Command failed. See logs for output.\n # %s" % (command,), child.returncode)
mockbuild.exception.Error: Command failed. See logs for output.
 # bash --login -c /usr/bin/rpmbuild -bb --target x86_64 --nodeps /builddir/build/SPECS/sshguard.spec
William Moreno williamjmorenor@gmail.com changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |konrad@tylerc.org
Flags    |                            |needinfo?(konrad@tylerc.org)
--- Comment #18 from William Moreno williamjmorenor@gmail.com ---
ping
William Moreno williamjmorenor@gmail.com changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |williamjmorenor@gmail.com   |
Assignee |williamjmorenor@gmail.com   |nobody@fedoraproject.org
Flags    |fedora-review?              |
         |needinfo?(konrad@tylerc.org)|
--- Comment #19 from Tomasz Torcz tomek@pipebreaker.pl ---
For build to succeed, -fPIC has to be added to flags. Specs changes for latest version:
--- a/sshguard.spec 2015-12-28 23:50:15.000000000 +0100 +++ b/sshguard.spec 2016-10-27 10:38:21.778660447 +0200 @@ -1,11 +1,10 @@ Name: sshguard -Version: 1.6.1 -Release: 3%{?dist} +Version: 1.7.1 +Release: 1%{?dist} Summary: Protect hosts from brute-force attacks License: ISC and BSD and Public Domain URL: http://www.sshguard.net/ Source0: http://downloads.sourceforge.net/project/sshguard/sshguard/%%7Bversion%7D/ss... -Source1: sshguard.service
BuildRequires: systemd Requires: firewalld @@ -29,12 +28,11 @@ %prep %setup -q find src ( -name '*.h' -o -name '*.c' ) -exec chmod -x {} + -cp -a %{SOURCE1} .
%build # glibc headers need POSIX_C_SOURCE: -export CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112L" +export CFLAGS="$CFLAGS -D_POSIX_C_SOURCE=200112L -fPIC" %configure --with-firewall=iptables make %{?_smp_mflags} V=1
@@ -44,7 +42,7 @@ %make_install
mkdir -p $RPM_BUILD_ROOT%{_unitdir}/ -install -m 644 sshguard.service $RPM_BUILD_ROOT%{_unitdir}/ +install -m 644 examples/sshguard.service $RPM_BUILD_ROOT%{_unitdir}/
%post @@ -60,13 +58,17 @@
%files -%doc README.rst COPYING examples +%doc README.rst examples +%license COPYING +%{_libexecdir}/sshg-* %{_mandir}/man8/sshguard.8* %{_sbindir}/sshguard %{_unitdir}/sshguard.service
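Review bot: In %build, the changed export line still starts from the shell's $CFLAGS instead of %{optflags}. Once CFLAGS is set this way, %configure no longer falls back to the distribution flags, which is the "system CFLAGS are dropped on the floor" problem from comment #14, and for a network-facing daemon it means building without the distribution's hardening options. Suggest export CFLAGS="%{optflags} -D_POSIX_C_SOURCE=200112L" and then re-checking whether -fPIC is still needed at all, since it may only be compensating for the missing default flags.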
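Review bot: With Source1 removed, the %install hunk installs upstream's examples/sshguard.service unmodified, so the unit is no longer something the spec controls. Please confirm that its ExecStart path and log source fit this package (%{_sbindir}/sshguard, and the rsyslog versus journalctl question raised in comment #16). The context lines also still carry Requires: firewalld while %configure is called with --with-firewall=iptables; one of the two should change.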
--- Comment #20 from Daniel code@daniel.priv.no ---
SSHGuard 2.0.0 has been released. https://www.sshguard.net/litenewz/feeds/14
SSHGuard 2 introduced a new configuration scheme (changed from piped commands and runtime flags in the init script to a configuration file) and a FirewallD backend that should be of interest to Fedora.
I wrote up a tutorial for users showing how to install and configure SSHGuard on Fedora that might help the packaging effort. https://ctrl.blog/entry/how-to-sshguard-firewalld
I’m not all that familiar with RPM packages or Fedora’s packaging infrastructure, but please let me know if I can help in any way getting SSHGuard packaged for Fedora.
Andrew Elwell andrew.elwell@gmail.com changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |andrew.elwell@gmail.com
--- Comment #21 from Andrew Elwell andrew.elwell@gmail.com ---
I've just noticed this is languishing (as I've got a requirement to use sshguard on some systems). If the original proposed maintainers aren't interested in the 2.0 tree, I'll work the spec and get this rolling again.
Andrew
--- Comment #22 from Conrad Meyer cse.cem+redhatbugz@gmail.com ---
I'm happy to hand it off to you, Andrew.
--- Comment #23 from Andrew Elwell andrew.elwell@gmail.com ---
OK - don't run away as I may need it reviewing :-)
Christopher Engelhard ce@lcts.de changed:
What     |Removed                     |Added
----------------------------------------------------------------------------
CC       |                            |ce@lcts.de
--- Comment #24 from Christopher Engelhard ce@lcts.de ---
I have recently created an RPM of this as well (Gitlab: https://gitlab.com/lcts/sshguard-rpm - COPR: https://copr.fedorainfracloud.org/coprs/lcts/sshguard), feel free to fork that. Currently builds on everything except epel6 (no systemd).
Chris