[oe] [meta-networking][PATCH] sshguard 1.6.1+git: add recipe
Martin Jansa
martin.jansa at gmail.com
Wed Sep 23 14:06:45 UTC 2015
On Thu, Sep 03, 2015 at 07:39:16PM +0200, Koen Kooi wrote:
> SSHguard protects hosts from brute-force attacks against SSH and other
> services.
>
> This recipe uses iptables as blocker backend and journald as log backend.
>
> When it's working it will look like this in syslog:
>
> Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
> Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s).
>
> And the iptable rules:
Fails to build in world:
http://errors.yoctoproject.org/Errors/Details/18430/
Probably needs something like:
-#define _POSIX_SOURCE
+#define _POSIX_C_SOURCE 200112L
as was done for other recipes that failed with a similar error.
>
> root at soekris:~# iptables -L sshguard --line-numbers
> Chain sshguard (1 references)
> num target prot opt source destination
> 1 DROP all -- hn.kd.ny.adsl anywhere
> 2 DROP all -- 61.182.15.194 anywhere
> 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere
>
> Signed-off-by: Koen Kooi <koen at dominion.thruhere.net>
> ---
> .../recipes-support/sshguard/sshguard/firewall | 48 ++++++++++++++++++++++
> .../sshguard/sshguard/sshguard-journalctl | 2 +
> .../sshguard/sshguard/sshguard.service | 12 ++++++
> .../recipes-support/sshguard/sshguard_git.bb | 38 +++++++++++++++++
> 4 files changed, 100 insertions(+)
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/firewall
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> create mode 100644 meta-networking/recipes-support/sshguard/sshguard_git.bb
>
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
> new file mode 100644
> index 0000000..b683368
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
> @@ -0,0 +1,48 @@
> +#!/bin/sh
> +
> +#
> +# Function that enables firewall
> +#
> +do_enable_firewall()
> +{
> + # creating sshguard chain
> + iptables -N sshguard 2> /dev/null
> + ip6tables -N sshguard 2> /dev/null
> + # block traffic from abusers
> + iptables -I INPUT -j sshguard 2> /dev/null
> + ip6tables -I INPUT -j sshguard 2> /dev/null
> +}
> +#
> +# Function that disables firewall
> +#
> +do_disable_firewall()
> +{
> + # flushes list of abusers
> + iptables -F sshguard 2> /dev/null
> + ip6tables -F sshguard 2> /dev/null
> + # removes sshguard firewall rules
> + iptables -D INPUT -j sshguard 2> /dev/null
> + ip6tables -D INPUT -j sshguard 2> /dev/null
> + # removing sshguard chain
> + iptables -X sshguard 2> /dev/null
> + ip6tables -X sshguard 2> /dev/null
> +}
> +
> +case "$1" in
> + enable)
> + do_enable_firewall
> + ;;
> + disable)
> + do_disable_firewall
> + ;;
> + restart)
> + do_disable_firewall
> + do_enable_firewall
> + ;;
> + *)
> + exit 1
> + ;;
> +esac
> +
> +exit 0
> +
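Review bot: do_enable_firewall inserts a fresh `-j sshguard` jump into INPUT unconditionally, so if the chain survived an earlier unclean stop (the `2> /dev/null` on `-N` hides that it already exists) every start stacks another jump while do_disable_firewall's single `-D` removes only one. Guarding the insert, `iptables -C INPUT -j sshguard 2> /dev/null || iptables -I INPUT -j sshguard` (and the same for ip6tables), keeps the ruleset idempotent across restarts. The script also discards every error and always exits 0, so ExecStartPre can never fail the service when iptables is missing, unprivileged or lacking kernel support; sshguard would then run with blocking silently broken, so at least the exit status of the `-I` calls should be propagated instead of the unconditional `exit 0`.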
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> new file mode 100644
> index 0000000..e7c615b
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
> @@ -0,0 +1,2 @@
> +#!/bin/sh
> +/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
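Review bot: the log feed is hard-wired to `-t sshd`, so on an image whose SSH daemon logs under a different syslog identifier (OE images frequently ship dropbear rather than openssh) journalctl emits nothing and the service stays active while protecting nothing. Either document the assumption in the wrapper, e.g. `# only messages tagged sshd are fed; add -t entries for dropbear or other daemons`, or pass further `-t` options for the daemons this sshguard release can parse. Note also that `-n100` replays the last 100 lines on every start, so earlier attacks are re-scored and re-blocked after a restart; that is presumably intended but deserves a comment since it is what makes the quoted "Blocking" lines appear immediately at startup.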
> diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> new file mode 100644
> index 0000000..e2590fa
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
> @@ -0,0 +1,12 @@
> +[Unit]
> +Description=SSHGuard
> +After=network.service
> +
> +[Service]
> +PIDFile=/run/sshguard.pid
> +ExecStartPre=/usr/lib/sshguard/firewall enable
> +ExecStopPost=/usr/lib/sshguard/firewall disable
> +ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
> +
> +[Install]
> +WantedBy=multi-user.target
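Review bot: the unit fails open: ExecStopPost flushes and deletes the sshguard chain on every stop, including a crash of the journalctl/sshguard pipeline, and there is no `Restart=`, so a dead sshguard leaves the host with every block dropped and nothing watching the log. Adding `Restart=on-failure` (with a `RestartSec=`) keeps protection in place, and ExecStopPost then only runs the teardown on a deliberate stop. Separately, `After=network.service` names a unit that does not exist on a stock systemd, so the ordering is a no-op; since the firewall hooks only need iptables rather than networking, `After=network.target` is the conventional replacement. `PIDFile=` with the default `Type=simple` appears to have no effect here because the main PID is the shell wrapper, so it can be dropped unless `Type=forking` is intended.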
> diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> new file mode 100644
> index 0000000..04435e8
> --- /dev/null
> +++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
> @@ -0,0 +1,38 @@
> +SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
> +
> +LICENSE = "ISC"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
> +
> +PV = "1.6.1+git${SRCPV}"
> +
> +SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
> +SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
> + file://firewall \
> + file://sshguard.service \
> + file://sshguard-journalctl \
> + "
> +
> +S = "${WORKDIR}/git"
> +
> +DEPENDS = "flex-native"
> +
> +inherit autotools-brokensep systemd
> +
> +EXTRA_OECONF += " --with-firewall=iptables \
> + --with-iptables=${sbindir}/iptables \
> + "
> +
> +do_install_append() {
> + install -d ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
> + install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
> +
> + sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
> +
> + install -d ${D}${systemd_unitdir}/system
> + install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
> + sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
> +}
> +
> +FILES_${PN} += "${systemd_unitdir}"
> +RDEPENDS_${PN} += "iptables"
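Review bot: the recipe inherits `systemd` but never sets `SYSTEMD_SERVICE_${PN}`, so unless I am misreading systemd.bbclass the unit is merely packaged through the `FILES_${PN}` line and is never enabled, meaning the blocker does not start at boot. Adding `SYSTEMD_SERVICE_${PN} = "sshguard.service"` next to `FILES_${PN}` fixes that. The firewall helper also calls ip6tables; if that binary is shipped in a separate package in this layer it needs to be listed in RDEPENDS alongside `iptables`, otherwise IPv6 abusers are never blocked and the script hides the failure.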
> --
> 2.0.1
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa at gmail.com