1 |
jpp |
1.1 |
# |
2 |
|
|
# spec file for package denyhosts |
3 |
|
|
# |
4 |
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. |
5 |
|
|
# |
6 |
|
|
# All modifications and additions to the file contributed by third parties |
7 |
|
|
# remain the property of their copyright owners, unless otherwise agreed |
8 |
|
|
# upon. The license for this file, and modifications and additions to the |
9 |
|
|
# file, is the same license as for the pristine package itself (unless the |
10 |
|
|
# license for the pristine package is not an Open Source License, in which |
11 |
|
|
# case the license is the MIT License). An "Open Source License" is a |
12 |
|
|
# license that conforms to the Open Source Definition (Version 1.9) |
13 |
|
|
# published by the Open Source Initiative. |
14 |
|
|
|
15 |
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/ |
16 |
|
|
# |
17 |
|
|
|
18 |
|
|
|
19 |
|
|
%if 0%{?suse_version} < 1120 |
20 |
|
|
%define python_sitelib %{py_sitedir} |
21 |
|
|
%endif |
22 |
|
|
|
23 |
|
|
%if 0%{?suse_version} >= 1210 |
24 |
|
|
%bcond_without systemd |
25 |
|
|
%else |
26 |
|
|
%bcond_with systemd |
27 |
|
|
%endif |
28 |
|
|
|
29 |
|
|
|
30 |
|
|
Name: denyhosts |
31 |
|
|
Version: 3.1 |
32 |
|
|
Release: lp152.1.1 |
33 |
|
|
Summary: Utility to help system administrators thwart brute-force ssh hackers |
34 |
|
|
License: GPL-2.0-only |
35 |
|
|
Group: Productivity/Networking/Security |
36 |
|
|
Url: https://github.com/denyhosts/denyhosts |
37 |
|
|
Source: %{name}-%{version}.tar.gz |
38 |
|
|
Source2: denyhosts.init |
39 |
|
|
Source3: logrotate.denyhosts |
40 |
|
|
Source4: denyhosts-dh_reenable |
41 |
|
|
Source5: denyhosts.README |
42 |
|
|
BuildRequires: perl |
43 |
|
|
BuildRequires: python-devel |
44 |
|
|
BuildRequires: python-ipaddr |
45 |
|
|
Requires: python-ipaddr |
46 |
|
|
Requires: logrotate |
47 |
|
|
Requires: python |
48 |
|
|
Requires: rsyslog |
49 |
|
|
%if %{with systemd} |
50 |
|
|
BuildRequires: systemd-rpm-macros |
51 |
|
|
%{?systemd_requires} |
52 |
|
|
%else |
53 |
|
|
PreReq: %insserv_prereq |
54 |
|
|
%endif |
55 |
|
|
%py_requires |
56 |
|
|
%if 0%{?suse_version} > 1110 |
57 |
|
|
BuildArch: noarch |
58 |
|
|
%endif |
59 |
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build |
60 |
|
|
|
61 |
|
|
|
62 |
|
|
%description |
63 |
|
|
DenyHosts is a python program that automatically blocks ssh attacks by adding |
64 |
|
|
entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux |
65 |
|
|
administrators about offending hosts, attacked users and suspicious logins. |
66 |
|
|
|
67 |
|
|
%prep |
68 |
|
|
%setup -q |
69 |
|
|
|
70 |
|
|
%build |
71 |
|
|
export CFLAGS="%{optflags}" |
72 |
|
|
python setup.py build |
73 |
|
|
|
74 |
|
|
%install |
75 |
|
|
python setup.py install \ |
76 |
|
|
--root=%{buildroot} \ |
77 |
|
|
--prefix=%{_prefix} \ |
78 |
|
|
--install-scripts=%{_sbindir} |
79 |
|
|
|
80 |
|
|
#remove bytecode (wrong mtime) |
81 |
|
|
find %{buildroot}%{python_sitelib} -name "*.pyc" -delete |
82 |
|
|
|
83 |
|
|
# create work directory |
84 |
|
|
mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts |
85 |
|
|
# install denyhosts-reenable script |
86 |
|
|
install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable |
87 |
|
|
# file containing blocked IP addresses - track it for the user |
88 |
|
|
# ('rpm -qf /etc/blacklist' should give a hint) |
89 |
|
|
touch %{buildroot}%{_sysconfdir}/blacklist |
90 |
|
|
|
91 |
|
|
# configuration file |
92 |
|
|
sed -i "s|^#SECURE_LOG = /var/log/messages|SECURE_LOG = /var/log/messages|g; \ |
93 |
|
|
s|^SECURE_LOG = /var/log/auth.log|#SECURE_LOG = /var/log/auth.log|g; \ |
94 |
|
|
s|^IPTABLES = /sbin/iptables|IPTABLES = /usr/sbin/iptables|g;" \ |
95 |
|
|
%{buildroot}%{_sysconfdir}/denyhosts.conf |
96 |
|
|
|
97 |
|
|
# daemon-control-dist |
98 |
|
|
sed -i "s|/usr/bin/env python|%{_bindir}/python|g" %{buildroot}%{_sbindir}/daemon-control-dist |
99 |
|
|
|
100 |
|
|
# init script / systemd service |
101 |
|
|
%if %{with systemd} |
102 |
|
|
install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service |
103 |
|
|
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts |
104 |
|
|
%else |
105 |
|
|
install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts |
106 |
|
|
ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts |
107 |
|
|
%endif |
108 |
|
|
|
109 |
|
|
# logfile handling |
110 |
|
|
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts |
111 |
|
|
mkdir -p %{buildroot}%{_localstatedir}/log |
112 |
|
|
touch %{buildroot}%{_localstatedir}/log/denyhosts |
113 |
|
|
|
114 |
|
|
# move the main app |
115 |
|
|
mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts |
116 |
|
|
sed -i "s|/usr/bin/denyhosts.py|/usr/sbin/denyhosts|g" %{buildroot}%{_unitdir}/denyhosts.service |
117 |
|
|
|
118 |
|
|
# fix wrong env-path |
119 |
|
|
pushd %{buildroot} >/dev/null |
120 |
|
|
for i in `find -name "*.py"`; do |
121 |
|
|
sed -i "s@\!.*/bin/env.*@\!%{_bindir}/python@g" $i |
122 |
|
|
done |
123 |
|
|
popd >/dev/null |
124 |
|
|
|
125 |
|
|
# handle plugins |
126 |
|
|
mkdir -p %{buildroot}%{_datadir}/%{name} |
127 |
|
|
install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name} |
128 |
|
|
|
129 |
|
|
# move some files to the documentation directory |
130 |
|
|
install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE |
131 |
|
|
install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/ |
132 |
|
|
install -m0644 *.txt %{buildroot}%{_defaultdocdir}/%{name}/ |
133 |
|
|
install -m0644 *.md %{buildroot}%{_defaultdocdir}/%{name}/ |
134 |
|
|
install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/ |
135 |
|
|
|
136 |
|
|
%if %{with systemd} |
137 |
|
|
%pre |
138 |
|
|
%service_add_pre %{name}.service |
139 |
|
|
%endif |
140 |
|
|
|
141 |
|
|
%post |
142 |
|
|
%if %{with systemd} |
143 |
|
|
%service_add_post %{name}.service |
144 |
|
|
%else |
145 |
|
|
%{fillup_and_insserv -f denyhosts} |
146 |
|
|
%endif |
147 |
|
|
|
148 |
|
|
%preun |
149 |
|
|
%if %{with systemd} |
150 |
|
|
%service_del_preun %{name}.service |
151 |
|
|
%else |
152 |
|
|
%stop_on_removal denyhosts |
153 |
|
|
%endif |
154 |
|
|
|
155 |
|
|
%postun |
156 |
|
|
%if %{with systemd} |
157 |
|
|
%service_del_postun %{name}.service |
158 |
|
|
%else |
159 |
|
|
%insserv_cleanup |
160 |
|
|
%endif |
161 |
|
|
|
162 |
|
|
|
163 |
|
|
%files |
164 |
|
|
%doc %{_defaultdocdir}/%{name} |
165 |
|
|
%if 0%{?suse_version} > 1315 |
166 |
|
|
%license LICENSE.txt |
167 |
|
|
%endif |
168 |
|
|
%{_sbindir}/daemon-control-dist |
169 |
|
|
%{_sbindir}/denyhosts |
170 |
|
|
%{_sbindir}/rcdenyhosts |
171 |
|
|
%{_sbindir}/dh_reenable |
172 |
|
|
%{python_sitelib}/DenyHosts* |
173 |
|
|
%{_mandir}/man8/denyhosts.8.gz |
174 |
|
|
%dir %{_localstatedir}/lib/denyhosts |
175 |
|
|
%{_datadir}/%{name} |
176 |
|
|
%ghost %{_localstatedir}/log/denyhosts |
177 |
|
|
%ghost %config(noreplace) %{_sysconfdir}/blacklist |
178 |
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts |
179 |
|
|
%config(noreplace) %{_sysconfdir}/denyhosts.conf |
180 |
|
|
%if %{with systemd} |
181 |
|
|
%{_unitdir}/denyhosts.service |
182 |
|
|
%else |
183 |
|
|
%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts |
184 |
|
|
%endif |
185 |
|
|
|
186 |
|
|
%changelog |
187 |
|
|
* Sat Aug 11 2018 javier@opensuse.org |
188 |
|
|
- Update to 3.1 |
189 |
|
|
+ Fixes a bug when moving between Python 2 and Python 3 |
190 |
|
|
environments |
191 |
|
|
+ A new check has been added to confirm IP addresses retrieved |
192 |
|
|
from the security log are valid |
193 |
|
|
+ DenyHosts will now (optionally) check for break-in attacks |
194 |
|
|
against IMAP services such as Dovecot. |
195 |
|
|
+ A new dependency has been added, the Python ipaddr library |
196 |
|
|
is now a run-time requirement |
197 |
|
|
* Mon Jul 2 2018 javier@opensuse.org |
198 |
|
|
- Fix path to binary in service file |
199 |
|
|
* Mon Mar 12 2018 lars@linux-schulserver.de |
200 |
|
|
- update to 3.0 |
201 |
|
|
+ Initial translation of code from Python 2 to Python 3. DenyHosts |
202 |
|
|
can now be run as either a Python 2 or a Python 3 program. The new |
203 |
|
|
code has been tested with Pyhton 2.7 and Python 3.4. If you require |
204 |
|
|
an older version of Python, please continue to use DenyHosts 2.10 |
205 |
|
|
and let us know of your requirements. |
206 |
|
|
+ Added patch from Fedora to fix initial sync issue and insure info |
207 |
|
|
logging stream is active. (Provided by Jason Tibbitts.) |
208 |
|
|
+ Added "import logging" to denyhosts.py to avoid errors when setting |
209 |
|
|
up logging. (See above change.) |
210 |
|
|
+ Added option PF_TABLE_FILE to the configuration file. When this option |
211 |
|
|
is enabled it causes DenyHosts to write blocked IP addresses to a text |
212 |
|
|
file. |
213 |
|
|
The default location is /etc/blacklist. This text file should correspond |
214 |
|
|
to a PF firewall table. |
215 |
|
|
+ At start-up, try to create the file specified by HOSTS_DENY. That |
216 |
|
|
way we avoid errors later if the file does not exists. Can be a |
217 |
|
|
problem on operating systems where /etc/hosts.deny does not exist |
218 |
|
|
in the default configuration. |
219 |
|
|
+ Added regex pattern to detect invalid user accounts. This blocks |
220 |
|
|
connections from remote hosts who are attempting to login with |
221 |
|
|
accounts not found on the local system. While these connections to |
222 |
|
|
non-existent accounts are relatively harmless, they are usually used |
223 |
|
|
as part of a brute force attack and filtering them before they |
224 |
|
|
reach OpenSSH is a good idea. |
225 |
|
|
+ Finally, Jan-Pascal has created a sync server for DenyHosts which |
226 |
|
|
will allow DenyHosts services to coordinate lists of banned IP addresses. |
227 |
|
|
The new sync server is open source (GPLv3) and can be set up on |
228 |
|
|
private servers, networks and VPS. We plan to set up our own sync |
229 |
|
|
server in the near future. When a sync server is created it will |
230 |
|
|
be announced at http://denyhost.sourceforge.net/news.php |
231 |
|
|
- require rsyslog to fix the not existing systemd journal support |
232 |
|
|
(https://github.com/denyhosts/denyhosts/issues/14) - this resolves |
233 |
|
|
boo#960856 until upstream implemented the feature |
234 |
|
|
- use provided systemd service on newer distributions |
235 |
|
|
- use upstream configuration file instead of own one |
236 |
|
|
- removed ALL patches |
237 |
|
|
* Wed Jan 5 2011 tejas.guruswamy@opensuse.org |
238 |
|
|
- Make package noarch on > 11.2 |
239 |
|
|
- Run spec-cleaner |
240 |
|
|
* Thu Apr 15 2010 lars@linux-schulserver.de |
241 |
|
|
- fix dh_reenable as mentioned in bnc #596354 |
242 |
|
|
(thanks to Patrick Shanahan for the patch!) |
243 |
|
|
* Sun Dec 28 2008 lars@linux-schulserver.de |
244 |
|
|
- added some Debian patches |
245 |
|
|
- enhanced init script |
246 |
|
|
- adapted default denyhosts.conf (which is now located in /etc) |
247 |
|
|
- added README.SuSE |
248 |
|
|
- fix some rpmlint warnings |
249 |
|
|
* Wed Dec 20 2006 lars@linux-schulserver.de |
250 |
|
|
- initial package 2.6 |
251 |
|
|
Thanks to Craig Millar for the logrotate and initial init file. |