Hi,
I've recently created a package for SSHGuard [1]. SSHGuard is a program
to block brute-force attacks on SSH and other services, similar to
fail2ban/etc.
Now, my issue is the following:
- SSHGuard is completely agnostic with respect to the firewall-backend
it uses and the logs it reads. Accordingly, it ships with an example
config file that does not set either backend or logreader; the user has
to do that themselves. There are, however, commented example lines
configuring iptables + journald.
- Fedora, obviously, by default uses firewalld and journald.
What is the guideline for packaging software like this:
1) Leave it as upstream ships it.
   - user will have to configure the package before it becomes
     functional
   - no dependency on any non-essential packages
2) Ship example config file as real config file, with upstream's example
   config activated
   - package works out-of-the-box
   - introduces additional, non-default dependency (iptables)
3) Ship custom config file preconfigured for Fedora defaults
   - package works out-of-the-box
   - introduces dependency on default Fedora packages (firewalld)
Granted, option (2) is rather silly, but is (1) or (3) the correct way
to go about configuring the package?
Best,
Christopher
[1] https://copr.fedorainfracloud.org/coprs/lcts/sshguard/
[2] https://www.sshguard.net/