From: Martin Jansa
Date: Wed, 23 Sep 2015 16:06:45 +0200
To: openembedded-devel@lists.openembedded.org
Cc: Koen Kooi
Subject: Re: [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
Message-ID: <20150923140645.GD2384@jama>
In-Reply-To: <1441301956-12792-1-git-send-email-koen@dominion.thruhere.net>

On Thu, Sep 03, 2015 at 07:39:16PM +0200, Koen Kooi wrote:
> SSHguard protects hosts from brute-force attacks against SSH and other
> services.
> 
> This recipe uses iptables as blocker backend and journald as log backend.
> 
> When it's working it will look like this in syslog:
> 
> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> 
> And the iptable rules:

Fails to build in world:
http://errors.yoctoproject.org/Errors/Details/18430/

Probably needs something like:
-#define _POSIX_SOURCE
+#define _POSIX_C_SOURCE 200112L
as other recipes failing with a similar error.

> 
> root@soekris:~# iptables -L sshguard --line-numbers
> Chain sshguard (1 references)
> num target prot opt source destination
> 1 DROP all -- hn.kd.ny.adsl anywhere
> 2 DROP all -- 61.182.15.194 anywhere
> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
> 
> Signed-off-by: Koen Kooi
> ---
> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
> .../sshguard/sshguard/sshguard-journalctl | 2 +
> .../sshguard/sshguard/sshguard.service | 12 ++++++
> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
> 4 files changed, 100 insertions(+)
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
> 
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
> new file mode 100644
> index 0000000..b683368
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
> @@ -0,0 +1,48 @@ > +#!/bin/sh > + > +# > +# Function that enables firewall > +# > +do_enable_firewall() > +{ > + # creating sshguard chain > + iptables -N sshguard 2> /dev/null > + ip6tables -N sshguard 2> /dev/null > + # block traffic from abusers > + iptables -I INPUT -j sshguard 2> /dev/null > + ip6tables -I INPUT -j sshguard 2> /dev/null > +} > +# > +# Function that disables firewall > +# > +do_disable_firewall() > +{ > + # flushes list of abusers > + iptables -F sshguard 2> /dev/null > + ip6tables -F sshguard 2> /dev/null > + # removes sshguard firewall rules > + iptables -D INPUT -j sshguard 2> /dev/null > + ip6tables -D INPUT -j sshguard 2> /dev/null > + # removing sshguard chain > + iptables -X sshguard 2> /dev/null > + ip6tables -X sshguard 2> /dev/null > +} > + > +case "$1" in > + enable) > + do_enable_firewall > + ;; > + disable) > + do_disable_firewall > + ;; > + restart) > + do_disable_firewall > + do_enable_firewall > + ;; > + *) > + exit 1 > + ;; > +esac > +=09 > +exit 0 > + > diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-j= ournalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-jour= nalctl > new file mode 100644 > index 0000000..e7c615b > --- /dev/null > +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalc= tl > @@ -0,0 +1,2 @@ > +#!/bin/sh > +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@" > diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.s= ervice b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service > new file mode 100644 > index 0000000..e2590fa > --- /dev/null > +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service 
> @@ -0,0 +1,12 @@ > +[Unit] > +Description=3DSSHGuard > +After=3Dnetwork.service > + > +[Service] > +PIDFile=3D/run/sshguard.pid > +ExecStartPre=3D/usr/lib/sshguard/firewall enable > +ExecStopPost=3D/usr/lib/sshguard/firewall disable > +ExecStart=3D/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid > + > +[Install] > +WantedBy=3Dmulti-user.target > diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/m= eta-networking/recipes-support/sshguard/sshguard_git.bb > new file mode 100644 > index 0000000..04435e8 > --- /dev/null > +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb 
> @@ -0,0 +1,38 @@ > +SUMMARY =3D "SSHguard protects hosts from brute-force attacks against SS= H and other services." > + > +LICENSE =3D "ISC" > +LIC_FILES_CHKSUM =3D "file://COPYING;md5=3D47a33fc98cd20713882c4d822a57b= f4d" > + > +PV =3D "1.6.1+git${SRCPV}" > + > +SRCREV =3D "019a0406811a536faf3f90cdd7a0a538ee24d789" > +SRC_URI =3D "git://bitbucket.org/sshguard/sshguard.git;protocol=3Dhttps;= branch=3D1.6 \ > + file://firewall \ > + file://sshguard.service \ > + file://sshguard-journalctl \ > + " > + > +S =3D "${WORKDIR}/git" > + > +DEPENDS =3D "flex-native" > + > +inherit autotools-brokensep systemd > + > +EXTRA_OECONF +=3D " --with-firewall=3Diptables \ > + --with-iptables=3D${sbindir}/iptables \ > + " > + > +do_install_append() { > + install -d ${D}${libdir}/sshguard > + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard > + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard > + > + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${= libdir}/sshguard/sshguard-journalctl > + > + install -d ${D}${systemd_unitdir}/system > + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/s= ystem > + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshgu= ard.service=20 > +} > + > +FILES_${PN} +=3D "${systemd_unitdir}" > +RDEPENDS_${PN} +=3D "iptables" > --=20 > 2.0.1 >=20 > --=20 > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel --=20 Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com --2iBwrppp/7QCDedR Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlYCsfQACgkQN1Ujt2V2gBynkQCfWrR5GwSeSn1SsUdYOPWEYjx9 DpMAn1gvHVJfBT5aQmrV2xpQhu8w5i93 =hFoF -----END PGP SIGNATURE----- --2iBwrppp/7QCDedR--
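Review bot: in the `firewall` hunk, `do_enable_firewall` runs `iptables -I INPUT -j sshguard` unconditionally and every error goes to `/dev/null`, so a second `enable` (for example after an `ExecStopPost` that never ran) leaves a duplicate jump rule that a single `disable` with `-D` does not remove, and a failed `-N`/`-I` (iptables binary missing, netfilter modules not loaded) still exits 0 and the service starts with no blocking in place. Suggest guarding the insert with `iptables -C INPUT -j sshguard 2>/dev/null || iptables -I INPUT -j sshguard` (and the same for ip6tables) and letting `enable` return non-zero when the chain cannot be created, so `ExecStartPre` fails the unit rather than letting it run unprotected. The `+=09` line before `exit 0` is a tab-only line and should be dropped.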
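Review bot: the `sshguard-journalctl` hunk pins the log source to `-t sshd`, so only sshd messages ever reach sshguard while the recipe's SUMMARY and the commit message promise protection for "SSH and other services"; either document that this packaging covers sshd only or allow the identifier list to be passed through the wrapper. Also, `-n100` replays the last 100 sshd lines on every start, so a plain restart re-counts old attempts right after `firewall disable` has flushed the chain and may re-block the same addresses from stale data; `-n0` (or dropping `-n`) avoids that, or say in the commit message that the replay is intended.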
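Review bot: in the `sshguard.service` hunk, `After=network.service` names a unit that does not exist unless something else in the image provides one, and ordering against a missing unit is silently ignored; the standard ordering point is `After=network.target`. `PIDFile=` only has an effect with `Type=forking`; with the default `Type=simple` the main PID systemd tracks is the wrapper shell, not sshguard, so either drop `PIDFile=` together with the `-i /run/sshguard.pid` argument or explain why it is kept. Consider adding `Restart=on-failure`: when sshguard dies, `ExecStopPost` flushes the chain and the host stays unguarded until someone restarts the unit by hand.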
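Review bot: the `sshguard_git.bb` hunk inherits `systemd` but never sets `SYSTEMD_SERVICE_${PN} = "sshguard.service"`, so the class does not enable the unit on install and the unit file is only shipped because of the manual `FILES_${PN} += "${systemd_unitdir}"`; add the variable and the FILES line can go. The wrapper also calls `journalctl` at runtime, so `RDEPENDS_${PN}` should name the systemd package next to `iptables`, or the unit and wrapper installs in `do_install_append` should be wrapped in `bb.utils.contains('DISTRO_FEATURES', 'systemd', ..., '', d)`, since a sysvinit image otherwise gets a unit it cannot use and a wrapper that pipes from a binary that is not there.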