pkgsrc-Changes archive


CVS commit: pkgsrc/security/py-denyhosts



Module Name:    pkgsrc
Committed By:   he
Date:           Sat Nov 27 14:28:11 UTC 2021

Modified Files:
        pkgsrc/security/py-denyhosts: Makefile PLIST distinfo
Added Files:
        pkgsrc/security/py-denyhosts/patches: patch-daemon-control-dist
            patch-denyhosts.conf patch-setup.py
Removed Files:
        pkgsrc/security/py-denyhosts/patches: patch-aa patch-ab patch-ac
            patch-ad patch-ae patch-af

Log Message:
Update py-denyhosts to version 3.0.

Pkgsrc changes:
 * Change naming style for patches
 * Adapt patches to new version
 * Relinquish maintainership to indicate others can update
 * Add dependency on py-expat

Upstream changes:

3.0
======================

Initial translation of code from Python 2 to Python 3.
DenyHosts can now be run as either a Python 2 or a Python 3
program.

Added patch from Fedora to fix initial sync issue and
ensure info logging stream is active.
(Provided by Jason Tibbitts.)

Added "import logging" to denyhosts.py to avoid errors
when setting up logging. (See above change.)

Added option PF_TABLE_FILE to the configuration file.
When this option is enabled it causes DenyHosts to write
blocked IP addresses to a text file. The default location
is /etc/blacklist. This text file should correspond to a
PF firewall table.

At start-up, try to create the file specified by
HOSTS_DENY. That way we avoid errors later if the
file does not exist. Can be a problem on operating systems
where /etc/hosts.deny does not exist in the default
configuration.

Added regex pattern to detect invalid user accounts. This blocks
connections from remote hosts who are attempting to login
with accounts not found on the local system.
While these connections to non-existent accounts are relatively harmless,
they are usually used as part of a brute force attack and filtering them
before they reach OpenSSH is a good idea.

2.10
======================

- Updated example rule for PF in configuration file
  to make black listing attacking IPs more effective.

- Added debugging info in case we cannot create a new
  PF table entry.

- Fixed syntax for comparing suspicious logins. Avoids
  always testing true/false depending on Python version.

- No longer require ETC_DIR in the configuration file.
  Use a default value "/etc" if ETC_DIR is not manually
  specified.

- Make sure DenyHosts logs when running in foreground mode.
  When in foreground, warnings are logged to a file rather
  than outputted to terminal. Keeps things clean.

- Add --unlock command line argument to remove old
  lock files.

- Updated README, version and Makefile with new
  version/maintainer information.

- Added check for PAM failures on FreeBSD. This should block both
  failed user logins that are reported by PAM and also block
  repeated attempts at accessing the root account when root
  logins are disabled by OpenSSH. The latter does not really add
  more practical protection, but can prevent the connection
  attempts at the firewall level before the OpenSSH service
  is contacted.

- Add systemd unit file, denyhosts.service

2.9 (November 3, 2014)
======================

- DenyHost now supports working with the PF
  packet filter, a popular firewall for FreeBSD,
  OpenBSD, TrueOS, PC-BSD and NetBSD.
  To enable PF support in DenyHost, comment
  out the IPTABLES option in the denyhosts.conf file
  and enable the PFCTL_PATH and PF_TABLE options.

  DenyHost will add misbehaving IP addresses to the
  PF table specified by "PF_TABLE". This table
  should be blocked using the pf.conf file. Please
  see the denyhosts.conf file for more information
  and example PF rules for blocking incoming traffic.

  Please note that even if /etc/hosts.deny is not used
  to block incoming connections, the file should still exist
  or DenyHosts may throw an error. (This should be fixed
  in the next release.)

2.8 (June 12, 2014)
===================

- Use standard errno instead of hardcoded errno value.
  Patch provided by Pino Toscano.

- Make sure PLUGIN_DENY is called for each host we receive from
  the sync server.
  Patch provided by Sean M. Collins.

- Made sure only new hosts in hosts.deny are reported as new, not
  all hosts. This prevents the PLUGIN_DENY plugin from getting
  old entries repeatedly.
  Patch provided by Chris Erdle.

- We now check user defined regular expression filters, even
  if we already found a match with an existing filter. This
  allows the user to filter more services without using
  a plugin.
  Patch provided by Ben.

- Added --purge-all command line flag to allow us to remove all
  old entries from the deny file without waiting.
  Patch provided by 9MediaCenterGUI on SourceForge.

- Updated copyright information and some documentation.

- Added manual page from Debian and fixed typo. Added
  additional command line options to man page.

- Added --purgeip option to allow us to remove specific
  IP addresses from the blocked list at start time.
  Patch provided by Nelson Howell.
  Should close Debian bug 529089.

- Updated FAILED_ENTRY_REGEX7 to be more flexible.

- Added ability to use Linux iptables to block incoming
  connections. See IPTABLES option in the configuration file.

- Made it possible to block specific ports, allowing remote
  hosts to connect to some services while being blocked on
  others by the iptables firewall.
  See the BLOCKPORT option in the configuration file.

2.7 (May 18, 2014)
==================

- Forked code from DenyHosts (denyhosts.sf.net)
  New project now maintained at denyhost.sf.net

- Added private modules patch from Marco Bertorello. Loads
  modules from /usr/share/denyhosts

- Place config, lock and executable file in more
  standard locations. Patch provided by Marco Bertorello.

- Fixed configuration (denyhosts.cfg-dist) to better support
  Debian and Ubuntu. Patch supplied by Marco Nenciarini.

- Added warning to migrate switch. Patch provided by
  Marco Bertorello.

- Avoid installing unwanted files (extra scripts and changelog).
  Patch provided by Marco Nenciarini.

- Fix bug which would not recognize an attack on the root
  user account. Patch provided by Kyle Willmon.

- Fix pattern matching bug (CVE-2007-4323).
  Patch provided by Nico Golde.

- Added foreground mode for debugging.
  Patch supplied by Marco Bertorello.

- Applied patch to fix plugin execution.
  Patch provided by Marco Bertorello.

- Added patch to prevent DenyHosts from running with
  a double --config switch.
  Patch provided by Marco Bertorello.

- Convert path of "env" from /bin/env to /usr/bin/env
  Patch provided by Kyle Willmon.

- Added patch to perform missing bounds check in Purge action.
  Provided by Kyle Willmon.

- Added patch to include SYNC_PROXY_SERVER configuration option.
  Provided by Kyle Willmon.

- Change HOSTNAME_LOOKUP to default to "NO". Will save time.
  Also brings us into closer alignment with FreeBSD patches.

- Added /usr/sbin/nologin to restricted_from_passwd script.
  Requirement from FreeBSD patch set.

- Added variable "ETC_DIR" which dictates the location of
  configuration files. This should usually be set to
  /etc or /usr/local/etc

- The restricted-usernames file is now loaded from the "ETC_DIR"
  directory, rather than from "WORK_DIR" to avoid this
  human-made configuration file from being over-written.
  Closes Ubuntu bug #675034

- Confirm setting timestamp over-writes old timestamp file.
  Closes Ubuntu bug #564476

- Applied advanced pattern check for authentication file which
  takes into account alternative port numbers. Patch provided by
  Helmut Grohne.

- Updated license and readme files.

- Updated help output from DenyHost script to include --config tip.


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/security/py-denyhosts/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/security/py-denyhosts/PLIST
cvs rdiff -u -r1.9 -r1.10 pkgsrc/security/py-denyhosts/distinfo
cvs rdiff -u -r1.1.1.1 -r0 pkgsrc/security/py-denyhosts/patches/patch-aa \
    pkgsrc/security/py-denyhosts/patches/patch-ab \
    pkgsrc/security/py-denyhosts/patches/patch-ad \
    pkgsrc/security/py-denyhosts/patches/patch-ae
cvs rdiff -u -r1.2 -r0 pkgsrc/security/py-denyhosts/patches/patch-ac
cvs rdiff -u -r1.3 -r0 pkgsrc/security/py-denyhosts/patches/patch-af
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/security/py-denyhosts/patches/patch-daemon-control-dist \
    pkgsrc/security/py-denyhosts/patches/patch-denyhosts.conf \
    pkgsrc/security/py-denyhosts/patches/patch-setup.py

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/py-denyhosts/Makefile
diff -u pkgsrc/security/py-denyhosts/Makefile:1.22 pkgsrc/security/py-denyhosts/Makefile:1.23
--- pkgsrc/security/py-denyhosts/Makefile:1.22  Fri Mar 20 11:58:19 2020
+++ pkgsrc/security/py-denyhosts/Makefile       Sat Nov 27 14:28:10 2021
@@ -1,41 +1,45 @@
-# $NetBSD: Makefile,v 1.22 2020/03/20 11:58:19 nia Exp $
+# $NetBSD: Makefile,v 1.23 2021/11/27 14:28:10 he Exp $
 
-VER=           2.6
-DISTNAME=      DenyHosts-${VER}
+VER=           3.0
+DISTNAME=      denyhosts-${VER}
 PKGNAME=       ${PYPKGPREFIX}-denyhosts-${VER}
-PKGREVISION=   5
-CATEGORIES=    sysutils
+CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=denyhosts/}
 LICENSE=       gnu-gpl-v2
 
-MAINTAINER=    he%NetBSD.org@localhost
+MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
 HOMEPAGE=      http://denyhosts.sourceforge.net/
 COMMENT=       Watch auth log for invalid ssh login attempts and block hosts
 
 PYDISTUTILSPKG=        yes
 
-CONF_FILES+=   ${PREFIX}/share/denyhosts/denyhosts.cfg-dist \
-               ${PREFIX}/etc/denyhosts.conf
+EGDIR=         share/examples/denyhosts
+INSTALLATION_DIRS+=    ${EGDIR}
+
+CONF_FILES+=   ${PREFIX}/${EGDIR}/denyhosts.conf \
+               ${PKG_SYSCONFDIR}/denyhosts.conf
 
 FILES_SUBST+=  PYTHONBIN=${PYTHONBIN:Q}
 
 SUBST_CLASSES+=        cf
 SUBST_STAGE.cf=        post-configure
-SUBST_VARS.cf= VARBASE PREFIX VARBASE PKG_SYSCONFDIR PYTHONBIN
-SUBST_FILES.cf=        setup.py denyhosts.cfg-dist daemon-control-dist
+SUBST_VARS.cf= VARBASE PREFIX VARBASE PKG_SYSCONFDIR PYTHONBIN PKGMANDIR
+SUBST_FILES.cf=        setup.py denyhosts.conf daemon-control-dist
 
 REPLACE_PYTHON=                daemon-control-dist plugins/test_deny.py setup.py
 REPLACE_PYTHON+=       scripts/restricted_from_invalid.py
 REPLACE_PYTHON+=       scripts/restricted_from_passwd.py
 
 PYTHON_SELF_CONFLICT=          yes
-PYTHON_VERSIONS_ACCEPTED=      27
 
 RCD_SCRIPTS+=  denyhosts
 SMF_NAME=      denyhost
 
-post-configure:
-       ${RM} ${WRKDIR}/${DISTNAME}/scripts/*.orig
+DEPENDS+=      ${PYPKGPREFIX}-expat>=0:../../textproc/py-expat
+
+post-install:
+       mv ${DESTDIR}/${PKG_SYSCONFDIR}/denyhosts.conf \
+               ${DESTDIR}/${PREFIX}/${EGDIR}/denyhosts.conf
 
 .include "../../lang/python/extension.mk"
 .include "../../lang/python/application.mk"
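
Review bot: The new post-install target calls a bare `mv`; pkgsrc Makefiles normally use the `${MV}` tool variable so the framework's tool selection applies. The move also takes its source from `${DESTDIR}/${PKG_SYSCONFDIR}`, which only works if setup.py really installs denyhosts.conf there, so a short comment saying so would help the next person updating the package. While the SUBST_VARS.cf line is being touched to add PKGMANDIR, the duplicated VARBASE entry on it can be dropped.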

Index: pkgsrc/security/py-denyhosts/PLIST
diff -u pkgsrc/security/py-denyhosts/PLIST:1.3 pkgsrc/security/py-denyhosts/PLIST:1.4
--- pkgsrc/security/py-denyhosts/PLIST:1.3      Tue Mar 11 14:05:14 2014
+++ pkgsrc/security/py-denyhosts/PLIST  Sat Nov 27 14:28:10 2021
@@ -1,4 +1,5 @@
-@comment $NetBSD: PLIST,v 1.3 2014/03/11 14:05:14 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.4 2021/11/27 14:28:10 he Exp $
+bin/daemon-control-dist
 bin/denyhosts.py
 ${PYSITELIB}/DenyHosts/__init__.py
 ${PYSITELIB}/DenyHosts/__init__.pyc
@@ -30,9 +31,6 @@ ${PYSITELIB}/DenyHosts/lockfile.pyo
 ${PYSITELIB}/DenyHosts/loginattempt.py
 ${PYSITELIB}/DenyHosts/loginattempt.pyc
 ${PYSITELIB}/DenyHosts/loginattempt.pyo
-${PYSITELIB}/DenyHosts/old-daemon.py
-${PYSITELIB}/DenyHosts/old-daemon.pyc
-${PYSITELIB}/DenyHosts/old-daemon.pyo
 ${PYSITELIB}/DenyHosts/plugin.py
 ${PYSITELIB}/DenyHosts/plugin.pyc
 ${PYSITELIB}/DenyHosts/plugin.pyo
@@ -63,15 +61,6 @@ ${PYSITELIB}/DenyHosts/util.pyo
 ${PYSITELIB}/DenyHosts/version.py
 ${PYSITELIB}/DenyHosts/version.pyc
 ${PYSITELIB}/DenyHosts/version.pyo
-share/denyhosts/CHANGELOG.txt
-share/denyhosts/LICENSE.txt
-share/denyhosts/README.txt
-share/denyhosts/daemon-control-dist
-share/denyhosts/denyhosts.cfg-dist
-share/denyhosts/plugins/README.contrib
-share/denyhosts/plugins/shorewall_allow.sh
-share/denyhosts/plugins/shorewall_deny.sh
-share/denyhosts/plugins/test_deny.py
-share/denyhosts/scripts/restricted_from_invalid.py
-share/denyhosts/scripts/restricted_from_passwd.py
-share/denyhosts/setup.py
+man/man8/denyhosts.8
+share/examples/denyhosts/denyhosts.conf
+@pkgdir etc
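
Review bot: The added `@pkgdir etc` entry is relative to PREFIX, but the Makefile installs and then moves the configuration file under `${PKG_SYSCONFDIR}`, which a site can set outside PREFIX. In that case the empty directory left behind by the post-install `mv` is not the one this entry describes. Removing the emptied directory in post-install instead of listing it here would avoid depending on where PKG_SYSCONFDIR points.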

Index: pkgsrc/security/py-denyhosts/distinfo
diff -u pkgsrc/security/py-denyhosts/distinfo:1.9 pkgsrc/security/py-denyhosts/distinfo:1.10
--- pkgsrc/security/py-denyhosts/distinfo:1.9   Tue Oct 26 11:17:44 2021
+++ pkgsrc/security/py-denyhosts/distinfo       Sat Nov 27 14:28:10 2021
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.9 2021/10/26 11:17:44 nia Exp $
+$NetBSD: distinfo,v 1.10 2021/11/27 14:28:10 he Exp $
 
-BLAKE2s (DenyHosts-2.6.tar.gz) = 1d5eb1d46d769eaa28a10333e8f635b50868f081da8a98c4f4cde80bf8c93ea7
-SHA512 (DenyHosts-2.6.tar.gz) = 331144348d4930e2fa7a057a779bb7504dfa8ec348660e1a73fcd6a9195258408abb7c77de2bcc96724dfc42afbee918320eebfbc3b380d6ac4ff2d275e89600
-Size (DenyHosts-2.6.tar.gz) = 42667 bytes
-SHA1 (patch-aa) = 4bbb07f5918330a8dd828e8cfdf5bad3c4f50893
-SHA1 (patch-ab) = 3bb578421dc776cd42e769978d09872bc79098e8
-SHA1 (patch-ac) = 67eec2ff93ecfffeda2ed92fe7943fa5bc161083
-SHA1 (patch-ad) = 744c65a2f4bec4c5553ba6c15f9ff0b45932e6fb
-SHA1 (patch-ae) = 16f53356508632a8e9f7e905e399614011f7b038
-SHA1 (patch-af) = df52c4b0e842ab311b3a698ba29ad7d20bd7fbf0
+BLAKE2s (denyhosts-3.0.tar.gz) = 01320ec7ccc6cd83ed09ebadb8d64794379c2e513aeb30f5e6dc5f64007863c3
+SHA512 (denyhosts-3.0.tar.gz) = 8a1c796c259049ffab2c88cef780b175ec75c94216841421f831dfbf45f4ba0cdbcfbb0e3dab7200aa79eeb2416db5234ad5016d5770d8ab2f28ef4c9754e70d
+Size (denyhosts-3.0.tar.gz) = 56283 bytes
+SHA1 (patch-daemon-control-dist) = c73ab5d168c8e885ffd7f3a34d5f013c085e38bc
+SHA1 (patch-denyhosts.conf) = 0fdb12f148cbf655904a80a86301ab26bc4e01cd
+SHA1 (patch-setup.py) = 1a59f6110e17f5fb86adf3a97d55ef842a5088e7

Added files:

Index: pkgsrc/security/py-denyhosts/patches/patch-daemon-control-dist
diff -u /dev/null pkgsrc/security/py-denyhosts/patches/patch-daemon-control-dist:1.1
--- /dev/null   Sat Nov 27 14:28:11 2021
+++ pkgsrc/security/py-denyhosts/patches/patch-daemon-control-dist      Sat Nov 27 14:28:10 2021
@@ -0,0 +1,22 @@
+$NetBSD: patch-daemon-control-dist,v 1.1 2021/11/27 14:28:10 he Exp $
+
+Adapt for pkgsrc.
+
+--- daemon-control-dist.orig   2015-06-27 16:22:43.000000000 +0000
++++ daemon-control-dist
+@@ -11,11 +11,11 @@
+ #### Edit these to suit your configuration ####
+ ###############################################
+ 
+-DENYHOSTS_BIN   = "/usr/sbin/denyhosts"
+-DENYHOSTS_LOCK  = "/run/denyhosts.pid"
+-DENYHOSTS_CFG   = "/etc/denyhosts.conf"
++DENYHOSTS_BIN   = "@PREFIX@/sbin/denyhosts"
++DENYHOSTS_LOCK  = "@VARBASE@/run/denyhosts.pid"
++DENYHOSTS_CFG   = "@PKG_SYSCONFDIR@/denyhosts.conf"
+ 
+-PYTHON_BIN      = "/usr/bin/env python"
++PYTHON_BIN      = "@PYTHONBIN@"
+ 
+ ###############################################
+ ####         Do not edit below             ####
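
Review bot: DENYHOSTS_BIN is set to "@PREFIX@/sbin/denyhosts", but the PLIST in this same commit installs the program as bin/denyhosts.py and has no sbin entry between man/man8/denyhosts.8 and share/examples, so the control script points at a path the package does not provide. Suggest "@PREFIX@/bin/denyhosts.py" here, or install the program into sbin and list it in PLIST. The upstream DENYHOSTS_LOCK default was /run/denyhosts.pid; the replacement "@VARBASE@/run/denyhosts.pid" matches the LOCK_FILE value in patch-denyhosts.conf, which is good and worth keeping in sync.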
Index: pkgsrc/security/py-denyhosts/patches/patch-denyhosts.conf
diff -u /dev/null pkgsrc/security/py-denyhosts/patches/patch-denyhosts.conf:1.1
--- /dev/null   Sat Nov 27 14:28:11 2021
+++ pkgsrc/security/py-denyhosts/patches/patch-denyhosts.conf   Sat Nov 27 14:28:10 2021
@@ -0,0 +1,65 @@
+$NetBSD: patch-denyhosts.conf,v 1.1 2021/11/27 14:28:10 he Exp $
+
+Adapt for pkgsrc (primarily NetBSD).
+
+--- denyhosts.conf.orig        2015-06-27 16:22:43.000000000 +0000
++++ denyhosts.conf
+@@ -14,6 +14,9 @@
+ # Mandrake, FreeBSD or OpenBSD: 
+ #SECURE_LOG = /var/log/auth.log
+ #
++# NetBSD:
++SECURE_LOG = @VARBASE@/log/authlog
++#
+ # SuSE or Gentoo:
+ #SECURE_LOG = /var/log/messages
+ #
+@@ -25,7 +28,7 @@
+ #SECURE_LOG=/private/var/log/system.log
+ #
+ # Debian and Ubuntu
+-SECURE_LOG = /var/log/auth.log
++#SECURE_LOG = /var/log/auth.log
+ ########################################################################
+ 
+ ########################################################################
+@@ -152,7 +155,8 @@ DENY_THRESHOLD_RESTRICTED = 1
+ # Note: it is recommended that you use an absolute pathname
+ # for this value (eg. /home/foo/denyhost/data)
+ #
+-WORK_DIR = /var/lib/denyhosts
++#WORK_DIR = /var/lib/denyhosts
++WORK_DIR = @VARBASE@/db/denyhosts/data
+ #
+ #######################################################################
+ 
+@@ -164,7 +168,7 @@ WORK_DIR = /var/lib/denyhosts
+ # Note: it is recommended that you use an absolute pathname
+ # for this value (eg. /etc or /usr/local/etc)
+ #
+-ETC_DIR = /etc
++ETC_DIR = @PKG_SYSCONFDIR@
+ #
+ #######################################################################
+ 
+@@ -210,8 +214,9 @@ HOSTNAME_LOOKUP=NO
+ # Redhat/Fedora:
+ #LOCK_FILE = /var/lock/subsys/denyhosts
+ #
+-# Debian or Gentoo
+-LOCK_FILE = /var/run/denyhosts.pid
++# Debian or Gentoo or NetBSD
++#LOCK_FILE = /var/run/denyhosts.pid
++LOCK_FILE = @VARBASE@/run/denyhosts.pid
+ #
+ # Misc
+ #LOCK_FILE = /tmp/denyhosts.lock
+@@ -230,7 +235,7 @@ LOCK_FILE = /var/run/denyhosts.pid
+ # /sbin/iptables
+ # If this option is not set or commented out then the iptables
+ # firewall is not used.
+-IPTABLES = /sbin/iptables
++#IPTABLES = /sbin/iptables
+ #
+ # Warning: If you are running IPTABLES, please make sure to comment
+ # out the PFCTL_PATH and the PF_TABLE variables below. PF and
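
Review bot: The first two hunks make `SECURE_LOG = @VARBASE@/log/authlog` the only active log setting and comment out the Debian default, so the installed sample is NetBSD-specific even though the Makefile still carries SMF_NAME for other platforms. On a host without that log file the daemon has no authentication log to read. Suggest substituting the path per platform, or saying in the patch description that SECURE_LOG must be edited elsewhere. WORK_DIR also moves to @VARBASE@/db/denyhosts/data and the Makefile has no OWN_DIRS entry for it, so please confirm the daemon creates that directory at start-up. With IPTABLES now commented out, a line in the sample pointing NetBSD users at the PF options mentioned in the trailing context would make the intended blocking mechanism explicit.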
Index: pkgsrc/security/py-denyhosts/patches/patch-setup.py
diff -u /dev/null pkgsrc/security/py-denyhosts/patches/patch-setup.py:1.1
--- /dev/null   Sat Nov 27 14:28:11 2021
+++ pkgsrc/security/py-denyhosts/patches/patch-setup.py Sat Nov 27 14:28:10 2021
@@ -0,0 +1,19 @@
+$NetBSD: patch-setup.py,v 1.1 2021/11/27 14:28:10 he Exp $
+
+Adapt for pkgsrc.
+
+--- setup.py.orig      2015-06-27 16:22:43.000000000 +0000
++++ setup.py
+@@ -10,9 +10,9 @@ from distutils.core import setup
+ from DenyHosts.util import normalize_whitespace
+ from DenyHosts.version import VERSION
+ 
+-etcpath = "/etc"
+-manpath = "/usr/share/man/man8"
+-libpath = "/usr/share/denyhosts"
++etcpath = "@PKG_SYSCONFDIR@"
++manpath = "@PREFIX@/@PKGMANDIR@/man8"
++libpath = "@PREFIX@/share/denyhosts"
+ scriptspath = ospj("scripts", libpath)
+ pluginspath = ospj("plugins", libpath)
+ 
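
Review bot: The context lines `scriptspath = ospj("scripts", libpath)` and `pluginspath = ospj("plugins", libpath)` pass the absolute libpath as the second argument; if ospj is os.path.join, the first component is discarded and both values collapse to libpath itself. With libpath now "@PREFIX@/share/denyhosts", and the PLIST no longer listing anything under share/denyhosts while the Makefile still has REPLACE_PYTHON entries for plugins/ and scripts/, please check what setup.py actually installs there. Either swap the argument order in this patch or drop the entries that no longer apply.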


