* [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
@ 2015-09-03 17:39 Koen Kooi
2015-09-11 17:46 ` Joe MacDonald
2015-09-23 14:06 ` Martin Jansa
0 siblings, 2 replies; 5+ messages in thread
From: Koen Kooi @ 2015-09-03 17:39 UTC (permalink / raw)
To: openembedded-devel; +Cc: Koen Kooi
SSHguard protects hosts from brute-force attacks against SSH and other
services.
This recipe uses iptables as blocker backend and journald as log backend.
When it's working it will look like this in syslog:
Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
And the iptable rules:
root@soekris:~# iptables -L sshguard --line-numbers
Chain sshguard (1 references)
num target prot opt source destination
1 DROP all -- hn.kd.ny.adsl anywhere
2 DROP all -- 61.182.15.194 anywhere
3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
---
.../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
.../sshguard/sshguard/sshguard-journalctl | 2 +
.../sshguard/sshguard/sshguard.service | 12 ++++++
.../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
4 files changed, 100 insertions(+)
create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
new file mode 100644
index 0000000..b683368
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# Function that enables firewall
+#
+do_enable_firewall()
+{
+ # creating sshguard chain
+ iptables -N sshguard 2> /dev/null
+ ip6tables -N sshguard 2> /dev/null
+ # block traffic from abusers
+ iptables -I INPUT -j sshguard 2> /dev/null
+ ip6tables -I INPUT -j sshguard 2> /dev/null
+}
+#
+# Function that disables firewall
+#
+do_disable_firewall()
+{
+ # flushes list of abusers
+ iptables -F sshguard 2> /dev/null
+ ip6tables -F sshguard 2> /dev/null
+ # removes sshguard firewall rules
+ iptables -D INPUT -j sshguard 2> /dev/null
+ ip6tables -D INPUT -j sshguard 2> /dev/null
+ # removing sshguard chain
+ iptables -X sshguard 2> /dev/null
+ ip6tables -X sshguard 2> /dev/null
+}
+
+case "$1" in
+ enable)
+ do_enable_firewall
+ ;;
+ disable)
+ do_disable_firewall
+ ;;
+ restart)
+ do_disable_firewall
+ do_enable_firewall
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+
+exit 0
+
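Review bot: in do_enable_firewall every iptables/ip6tables call sends stderr to /dev/null and the script ends with an unconditional `exit 0`, so when chain creation or the INPUT jump fails, ExecStartPre still reports success and sshguard runs with nothing enforcing its blocks. Suggest keeping `2> /dev/null` only on calls that are expected to fail harmlessly (`-N` when the chain already exists) and returning non-zero when `-I INPUT -j sshguard` fails. `enable` also inserts the jump unconditionally, so running it twice leaves two jumps in INPUT while `disable` deletes only one, after which `-X sshguard` fails silently because the chain is still referenced; guarding the insert with `iptables -C INPUT -j sshguard || iptables -I INPUT -j sshguard` would make it idempotent.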
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
new file mode 100644
index 0000000..e7c615b
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
@@ -0,0 +1,2 @@
+#!/bin/sh
+/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
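Review bot: `-n100` on the journalctl line makes every service start replay the last 100 sshd entries of the current boot into sshguard, and nothing in the script says whether that is intended. Because the firewall script flushes the chain on stop, the replay is what re-blocks addresses after a restart, but it also means blocks are issued for events that happened before the service came up; the sample log in the commit message shows three blocks in the same second as "Started". Please add a comment stating the intent, or use `-n0` if only new events should count.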
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
new file mode 100644
index 0000000..e2590fa
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSHGuard
+After=network.service
+
+[Service]
+PIDFile=/run/sshguard.pid
+ExecStartPre=/usr/lib/sshguard/firewall enable
+ExecStopPost=/usr/lib/sshguard/firewall disable
+ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
+
+[Install]
+WantedBy=multi-user.target
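Review bot: `After=network.service` in [Unit] names a unit that systemd itself does not provide; the ordering point for this is `network.target`, and as written the line has no effect on images where no network.service exists. In [Service], `PIDFile=` is set while `Type=` is left at its default and ExecStart is the wrapper script, so the PID written via `-i /run/sshguard.pid` belongs to sshguard rather than to the process systemd started; either drop `PIDFile=` or say why it is needed. A `Restart=on-failure` is also worth considering, since ExecStopPost flushes the chain whenever the process exits and nothing brings the service back.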
diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
new file mode 100644
index 0000000..04435e8
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
@@ -0,0 +1,38 @@
+SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
+
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+
+PV = "1.6.1+git${SRCPV}"
+
+SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
+SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
+ file://firewall \
+ file://sshguard.service \
+ file://sshguard-journalctl \
+ "
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "flex-native"
+
+inherit autotools-brokensep systemd
+
+EXTRA_OECONF += " --with-firewall=iptables \
+ --with-iptables=${sbindir}/iptables \
+ "
+
+do_install_append() {
+ install -d ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
+
+ sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
+ sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
+}
+
+FILES_${PN} += "${systemd_unitdir}"
+RDEPENDS_${PN} += "iptables"
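Review bot: the recipe installs a systemd unit and a journalctl wrapper unconditionally in do_install_append, but `RDEPENDS_${PN}` lists only `iptables` and nothing restricts the recipe to systemd-based distros. On an image without systemd the package would install yet have no way to start and no log source. Suggest expressing the requirement in the recipe (for example a check on DISTRO_FEATURES for systemd) or at least a comment stating that the recipe is systemd-only.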
--
2.0.1
* Re: [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
2015-09-03 17:39 [meta-networking][PATCH] sshguard 1.6.1+git: add recipe Koen Kooi
@ 2015-09-11 17:46 ` Joe MacDonald
2015-09-11 18:20 ` Koen Kooi
2015-09-23 14:06 ` Martin Jansa
1 sibling, 1 reply; 5+ messages in thread
From: Joe MacDonald @ 2015-09-11 17:46 UTC (permalink / raw)
To: Koen Kooi; +Cc: openembedded-devel
I had the following build failure when I merged this:
sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {
I put the contents of the logfile here:
http://pastebin.com/g1dCJcGY
Can you take a look at this?
Thanks,
-J.
[[oe] [meta-networking][PATCH] sshguard 1.6.1+git: add recipe] On 15.09.03 (Thu 19:39) Koen Kooi wrote:
> SSHguard protects hosts from brute-force attacks against SSH and other
> services.
>
> This recipe uses iptables as blocker backend and journald as log backend.
>
> When it's working it will look like this in syslog:
>
> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>
> And the iptable rules:
>
> root@soekris:~# iptables -L sshguard --line-numbers
> Chain sshguard (1 references)
> num target prot opt source destination
> 1 DROP all -- hn.kd.ny.adsl anywhere
> 2 DROP all -- 61.182.15.194 anywhere
> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
>
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
> .../sshguard/sshguard/sshguard-journalctl | 2 +
> .../sshguard/sshguard/sshguard.service | 12 ++++++
> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
> 4 files changed, 100 insertions(+)
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
>
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
> new file mode 100644
> index 0000000..b683368
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
> @@ -0,0 +1,48 @@
> +#!/bin/sh
> +
> +#
> +# Function that enables firewall
> +#
> +do_enable_firewall()
> +{
> + # creating sshguard chain
> + iptables -N sshguard 2> /dev/null
> + ip6tables -N sshguard 2> /dev/null
> + # block traffic from abusers
> + iptables -I INPUT -j sshguard 2> /dev/null
> + ip6tables -I INPUT -j sshguard 2> /dev/null
> +}
> +#
> +# Function that disables firewall
> +#
> +do_disable_firewall()
> +{
> + # flushes list of abusers
> + iptables -F sshguard 2> /dev/null
> + ip6tables -F sshguard 2> /dev/null
> + # removes sshguard firewall rules
> + iptables -D INPUT -j sshguard 2> /dev/null
> + ip6tables -D INPUT -j sshguard 2> /dev/null
> + # removing sshguard chain
> + iptables -X sshguard 2> /dev/null
> + ip6tables -X sshguard 2> /dev/null
> +}
> +
> +case "$1" in
> + enable)
> + do_enable_firewall
> + ;;
> + disable)
> + do_disable_firewall
> + ;;
> + restart)
> + do_disable_firewall
> + do_enable_firewall
> + ;;
> + *)
> + exit 1
> + ;;
> +esac
> +
> +exit 0
> +
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> new file mode 100644
> index 0000000..e7c615b
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> @@ -0,0 +1,2 @@
> +#!/bin/sh
> +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> new file mode 100644
> index 0000000..e2590fa
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=SSHGuard
> +After=network.service
> +
> +[Service]
> +PIDFile=/run/sshguard.pid
> +ExecStartPre=/usr/lib/sshguard/firewall enable
> +ExecStopPost=/usr/lib/sshguard/firewall disable
> +ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> new file mode 100644
> index 0000000..04435e8
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> @@ -0,0 +1,38 @@
> +SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
> +
> +LICENSE = "ISC"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
> +
> +PV = "1.6.1+git${SRCPV}"
> +
> +SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
> +SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
> + file://firewall \
> + file://sshguard.service \
> + file://sshguard-journalctl \
> + "
> +
> +S = "${WORKDIR}/git"
> +
> +DEPENDS = "flex-native"
> +
> +inherit autotools-brokensep systemd
> +
> +EXTRA_OECONF += " --with-firewall=iptables \
> + --with-iptables=${sbindir}/iptables \
> + "
> +
> +do_install_append() {
> + install -d ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
> +
> + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
> +
> + install -d ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
> + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
> +}
> +
> +FILES_${PN} += "${systemd_unitdir}"
> +RDEPENDS_${PN} += "iptables"
> --
> 2.0.1
>
--
-Joe MacDonald.
:wq
* Re: [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
2015-09-11 17:46 ` Joe MacDonald
@ 2015-09-11 18:20 ` Koen Kooi
2015-09-11 18:57 ` Joe MacDonald
0 siblings, 1 reply; 5+ messages in thread
From: Koen Kooi @ 2015-09-11 18:20 UTC (permalink / raw)
To: Joe MacDonald; +Cc: openembedded-devel
> On 11 Sep 2015, at 19:46, Joe MacDonald <Joe_MacDonald@mentor.com> wrote:
>
> I had the following build failure when I merged this:
>
> sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
> for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {
>
>
> I put the contents of the logfile here:
>
> http://pastebin.com/g1dCJcGY
>
> Can you take a look at this?
Certainly, thanks for the report! I’ll be away for the next 2 weeks, so don’t hold your breath :)
>
> Thanks,
> -J.
>
> [[oe] [meta-networking][PATCH] sshguard 1.6.1+git: add recipe] On 15.09.03 (Thu 19:39) Koen Kooi wrote:
>
>> SSHguard protects hosts from brute-force attacks against SSH and other
>> services.
>>
>> This recipe uses iptables as blocker backend and journald as log backend.
>>
>> When it's working it will look like this in syslog:
>>
>> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
>> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>>
>> And the iptable rules:
>>
>> root@soekris:~# iptables -L sshguard --line-numbers
>> Chain sshguard (1 references)
>> num target prot opt source destination
>> 1 DROP all -- hn.kd.ny.adsl anywhere
>> 2 DROP all -- 61.182.15.194 anywhere
>> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
>>
>> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
>> ---
>> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
>> .../sshguard/sshguard/sshguard-journalctl | 2 +
>> .../sshguard/sshguard/sshguard.service | 12 ++++++
>> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
>> 4 files changed, 100 insertions(+)
>> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
>> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
>> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
>> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
>>
>> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
>> new file mode 100644
>> index 0000000..b683368
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
>> @@ -0,0 +1,48 @@
>> +#!/bin/sh
>> +
>> +#
>> +# Function that enables firewall
>> +#
>> +do_enable_firewall()
>> +{
>> + # creating sshguard chain
>> + iptables -N sshguard 2> /dev/null
>> + ip6tables -N sshguard 2> /dev/null
>> + # block traffic from abusers
>> + iptables -I INPUT -j sshguard 2> /dev/null
>> + ip6tables -I INPUT -j sshguard 2> /dev/null
>> +}
>> +#
>> +# Function that disables firewall
>> +#
>> +do_disable_firewall()
>> +{
>> + # flushes list of abusers
>> + iptables -F sshguard 2> /dev/null
>> + ip6tables -F sshguard 2> /dev/null
>> + # removes sshguard firewall rules
>> + iptables -D INPUT -j sshguard 2> /dev/null
>> + ip6tables -D INPUT -j sshguard 2> /dev/null
>> + # removing sshguard chain
>> + iptables -X sshguard 2> /dev/null
>> + ip6tables -X sshguard 2> /dev/null
>> +}
>> +
>> +case "$1" in
>> + enable)
>> + do_enable_firewall
>> + ;;
>> + disable)
>> + do_disable_firewall
>> + ;;
>> + restart)
>> + do_disable_firewall
>> + do_enable_firewall
>> + ;;
>> + *)
>> + exit 1
>> + ;;
>> +esac
>> +
>> +exit 0
>> +
>> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
>> new file mode 100644
>> index 0000000..e7c615b
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
>> @@ -0,0 +1,2 @@
>> +#!/bin/sh
>> +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
>> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
>> new file mode 100644
>> index 0000000..e2590fa
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
>> @@ -0,0 +1,12 @@
>> +[Unit]
>> +Description=SSHGuard
>> +After=network.service
>> +
>> +[Service]
>> +PIDFile=/run/sshguard.pid
>> +ExecStartPre=/usr/lib/sshguard/firewall enable
>> +ExecStopPost=/usr/lib/sshguard/firewall disable
>> +ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
>> +
>> +[Install]
>> +WantedBy=multi-user.target
>> diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
>> new file mode 100644
>> index 0000000..04435e8
>> --- /dev/null
>> +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
>> @@ -0,0 +1,38 @@
>> +SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
>> +
>> +LICENSE = "ISC"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
>> +
>> +PV = "1.6.1+git${SRCPV}"
>> +
>> +SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
>> +SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
>> + file://firewall \
>> + file://sshguard.service \
>> + file://sshguard-journalctl \
>> + "
>> +
>> +S = "${WORKDIR}/git"
>> +
>> +DEPENDS = "flex-native"
>> +
>> +inherit autotools-brokensep systemd
>> +
>> +EXTRA_OECONF += " --with-firewall=iptables \
>> + --with-iptables=${sbindir}/iptables \
>> + "
>> +
>> +do_install_append() {
>> + install -d ${D}${libdir}/sshguard
>> + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
>> + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
>> +
>> + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
>> +
>> + install -d ${D}${systemd_unitdir}/system
>> + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
>> + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
>> +}
>> +
>> +FILES_${PN} += "${systemd_unitdir}"
>> +RDEPENDS_${PN} += "iptables"
>> --
>> 2.0.1
>>
> --
> -Joe MacDonald.
> :wq
* Re: [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
2015-09-11 18:20 ` Koen Kooi
@ 2015-09-11 18:57 ` Joe MacDonald
0 siblings, 0 replies; 5+ messages in thread
From: Joe MacDonald @ 2015-09-11 18:57 UTC (permalink / raw)
To: Koen Kooi; +Cc: openembedded-devel
[Re: [oe] [meta-networking][PATCH] sshguard 1.6.1+git: add recipe] On 15.09.11 (Fri 20:20) Koen Kooi wrote:
>
> > On 11 Sep 2015, at 19:46, Joe MacDonald <Joe_MacDonald@mentor.com> wrote:
> >
> > I had the following build failure when I merged this:
> >
> > sshguard_whitelist.c:350:87: error: dereferencing pointer to incomplete type 'struct addrinfo'
> > for (numaddresses = 0, addriter = hostaddrs; addriter != NULL; addriter = addriter->ai_next, ++numaddresses) {
> >
> >
> > I put the contents of the logfile here:
> >
> > http://pastebin.com/g1dCJcGY
> >
> > Can you take a look at this?
>
> Certainly, thanks for the report! I’ll be away for the next 2 weeks, so don’t hold your breath :)
No problem, thanks for the quick follow-up!
Thanks,
-J.
>
> >
> > Thanks,
> > -J.
> >
> > [[oe] [meta-networking][PATCH] sshguard 1.6.1+git: add recipe] On 15.09.03 (Thu 19:39) Koen Kooi wrote:
> >
> >> SSHguard protects hosts from brute-force attacks against SSH and other
> >> services.
> >>
> >> This recipe uses iptables as blocker backend and journald as log backend.
> >>
> >> When it's working it will look like this in syslog:
> >>
> >> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
> >> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> >> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> >> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> >>
> >> And the iptable rules:
> >>
> >> root@soekris:~# iptables -L sshguard --line-numbers
> >> Chain sshguard (1 references)
> >> num target prot opt source destination
> >> 1 DROP all -- hn.kd.ny.adsl anywhere
> >> 2 DROP all -- 61.182.15.194 anywhere
> >> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
> >>
> >> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> >> ---
> >> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
> >> .../sshguard/sshguard/sshguard-journalctl | 2 +
> >> .../sshguard/sshguard/sshguard.service | 12 ++++++
> >> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
> >> 4 files changed, 100 insertions(+)
> >> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
> >> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> >> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> >> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
> >>
> >> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
> >> new file mode 100644
> >> index 0000000..b683368
> >> --- /dev/null
> >> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
> >> @@ -0,0 +1,48 @@
> >> +#!/bin/sh
> >> +
> >> +#
> >> +# Function that enables firewall
> >> +#
> >> +do_enable_firewall()
> >> +{
> >> + # creating sshguard chain
> >> + iptables -N sshguard 2> /dev/null
> >> + ip6tables -N sshguard 2> /dev/null
> >> + # block traffic from abusers
> >> + iptables -I INPUT -j sshguard 2> /dev/null
> >> + ip6tables -I INPUT -j sshguard 2> /dev/null
> >> +}
> >> +#
> >> +# Function that disables firewall
> >> +#
> >> +do_disable_firewall()
> >> +{
> >> + # flushes list of abusers
> >> + iptables -F sshguard 2> /dev/null
> >> + ip6tables -F sshguard 2> /dev/null
> >> + # removes sshguard firewall rules
> >> + iptables -D INPUT -j sshguard 2> /dev/null
> >> + ip6tables -D INPUT -j sshguard 2> /dev/null
> >> + # removing sshguard chain
> >> + iptables -X sshguard 2> /dev/null
> >> + ip6tables -X sshguard 2> /dev/null
> >> +}
> >> +
> >> +case "$1" in
> >> + enable)
> >> + do_enable_firewall
> >> + ;;
> >> + disable)
> >> + do_disable_firewall
> >> + ;;
> >> + restart)
> >> + do_disable_firewall
> >> + do_enable_firewall
> >> + ;;
> >> + *)
> >> + exit 1
> >> + ;;
> >> +esac
> >> +
> >> +exit 0
> >> +
> >> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> >> new file mode 100644
> >> index 0000000..e7c615b
> >> --- /dev/null
> >> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> >> @@ -0,0 +1,2 @@
> >> +#!/bin/sh
> >> +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
> >> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> >> new file mode 100644
> >> index 0000000..e2590fa
> >> --- /dev/null
> >> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> >> @@ -0,0 +1,12 @@
> >> +[Unit]
> >> +Description=SSHGuard
> >> +After=network.service
> >> +
> >> +[Service]
> >> +PIDFile=/run/sshguard.pid
> >> +ExecStartPre=/usr/lib/sshguard/firewall enable
> >> +ExecStopPost=/usr/lib/sshguard/firewall disable
> >> +ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
> >> +
> >> +[Install]
> >> +WantedBy=multi-user.target
> >> diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> >> new file mode 100644
> >> index 0000000..04435e8
> >> --- /dev/null
> >> +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> >> @@ -0,0 +1,38 @@
> >> +SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
> >> +
> >> +LICENSE = "ISC"
> >> +LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
> >> +
> >> +PV = "1.6.1+git${SRCPV}"
> >> +
> >> +SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
> >> +SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
> >> + file://firewall \
> >> + file://sshguard.service \
> >> + file://sshguard-journalctl \
> >> + "
> >> +
> >> +S = "${WORKDIR}/git"
> >> +
> >> +DEPENDS = "flex-native"
> >> +
> >> +inherit autotools-brokensep systemd
> >> +
> >> +EXTRA_OECONF += " --with-firewall=iptables \
> >> + --with-iptables=${sbindir}/iptables \
> >> + "
> >> +
> >> +do_install_append() {
> >> + install -d ${D}${libdir}/sshguard
> >> + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
> >> + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
> >> +
> >> + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
> >> +
> >> + install -d ${D}${systemd_unitdir}/system
> >> + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
> >> + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
> >> +}
> >> +
> >> +FILES_${PN} += "${systemd_unitdir}"
> >> +RDEPENDS_${PN} += "iptables"
> >> --
> >> 2.0.1
> >>
> > --
> > -Joe MacDonald.
> > :wq
>
--
-Joe MacDonald.
:wq
* Re: [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
2015-09-03 17:39 [meta-networking][PATCH] sshguard 1.6.1+git: add recipe Koen Kooi
2015-09-11 17:46 ` Joe MacDonald
@ 2015-09-23 14:06 ` Martin Jansa
1 sibling, 0 replies; 5+ messages in thread
From: Martin Jansa @ 2015-09-23 14:06 UTC (permalink / raw)
To: openembedded-devel; +Cc: Koen Kooi
On Thu, Sep 03, 2015 at 07:39:16PM +0200, Koen Kooi wrote:
> SSHguard protects hosts from brute-force attacks against SSH and other
> services.
>
> This recipe uses iptables as blocker backend and journald as log backend.
>
> When it's working it will look like this in syslog:
>
> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>
> And the iptable rules:
Fails to build in world:
http://errors.yoctoproject.org/Errors/Details/18430/
Probably needs something like:
-#define _POSIX_SOURCE
+#define _POSIX_C_SOURCE 200112L
as with other recipes failing with a similar error.
>
> root@soekris:~# iptables -L sshguard --line-numbers
> Chain sshguard (1 references)
> num target prot opt source destination
> 1 DROP all -- hn.kd.ny.adsl anywhere
> 2 DROP all -- 61.182.15.194 anywhere
> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
>
> Signed-off-by: Koen Kooi <koen@dominion.thruhere.net>
> ---
> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
> .../sshguard/sshguard/sshguard-journalctl | 2 +
> .../sshguard/sshguard/sshguard.service | 12 ++++++
> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
> 4 files changed, 100 insertions(+)
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
>
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
> new file mode 100644
> index 0000000..b683368
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
> @@ -0,0 +1,48 @@
> +#!/bin/sh
> +
> +#
> +# Function that enables firewall
> +#
> +do_enable_firewall()
> +{
> + # creating sshguard chain
> + iptables -N sshguard 2> /dev/null
> + ip6tables -N sshguard 2> /dev/null
> + # block traffic from abusers
> + iptables -I INPUT -j sshguard 2> /dev/null
> + ip6tables -I INPUT -j sshguard 2> /dev/null
> +}
> +#
> +# Function that disables firewall
> +#
> +do_disable_firewall()
> +{
> + # flushes list of abusers
> + iptables -F sshguard 2> /dev/null
> + ip6tables -F sshguard 2> /dev/null
> + # removes sshguard firewall rules
> + iptables -D INPUT -j sshguard 2> /dev/null
> + ip6tables -D INPUT -j sshguard 2> /dev/null
> + # removing sshguard chain
> + iptables -X sshguard 2> /dev/null
> + ip6tables -X sshguard 2> /dev/null
> +}
> +
> +case "$1" in
> + enable)
> + do_enable_firewall
> + ;;
> + disable)
> + do_disable_firewall
> + ;;
> + restart)
> + do_disable_firewall
> + do_enable_firewall
> + ;;
> + *)
> + exit 1
> + ;;
> +esac
> +
> +exit 0
> +
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> new file mode 100644
> index 0000000..e7c615b
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> @@ -0,0 +1,2 @@
> +#!/bin/sh
> +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> new file mode 100644
> index 0000000..e2590fa
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=SSHGuard
> +After=network.service
> +
> +[Service]
> +PIDFile=/run/sshguard.pid
> +ExecStartPre=/usr/lib/sshguard/firewall enable
> +ExecStopPost=/usr/lib/sshguard/firewall disable
> +ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
> +
> +[Install]
> +WantedBy=multi-user.target
> diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> new file mode 100644
> index 0000000..04435e8
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> @@ -0,0 +1,38 @@
> +SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
> +
> +LICENSE = "ISC"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
> +
> +PV = "1.6.1+git${SRCPV}"
> +
> +SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
> +SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
> + file://firewall \
> + file://sshguard.service \
> + file://sshguard-journalctl \
> + "
> +
> +S = "${WORKDIR}/git"
> +
> +DEPENDS = "flex-native"
> +
> +inherit autotools-brokensep systemd
> +
> +EXTRA_OECONF += " --with-firewall=iptables \
> + --with-iptables=${sbindir}/iptables \
> + "
> +
> +do_install_append() {
> + install -d ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
> +
> + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
> +
> + install -d ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
> + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
> +}
> +
> +FILES_${PN} += "${systemd_unitdir}"
> +RDEPENDS_${PN} += "iptables"
> --
> 2.0.1
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com