denyhosts/contribs10/denyhosts.spec

#
# spec file for package denyhosts
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#


%if 0%{?suse_version} < 1120
%define python_sitelib  %{py_sitedir}
%endif

%if 0%{?suse_version} >= 1210
%bcond_without systemd
%else
%bcond_with systemd
%endif


Name:           denyhosts
Version:        3.1
Release:        lp152.1.1
Summary:        Utility to help system administrators thwart brute-force ssh hackers
License:        GPL-2.0-only
Group:          Productivity/Networking/Security
Url:            https://github.com/denyhosts/denyhosts
Source:         %{name}-%{version}.tar.gz
Source2:        denyhosts.init
Source3:        logrotate.denyhosts
Source4:        denyhosts-dh_reenable
Source5:        denyhosts.README
BuildRequires:  perl
BuildRequires:  python-devel
BuildRequires:  python-ipaddr
Requires:       python-ipaddr
Requires:       logrotate
Requires:       python
Requires:       rsyslog
%if %{with systemd}
BuildRequires:  systemd-rpm-macros
%{?systemd_requires}
%else
PreReq:         %insserv_prereq
%endif
%py_requires
%if 0%{?suse_version} > 1110
BuildArch:      noarch
%endif
BuildRoot:      %{_tmppath}/%{name}-%{version}-build


%description
DenyHosts is a python program that automatically blocks ssh attacks by adding
entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux 
administrators about offending hosts, attacked users and suspicious logins.

%prep
%setup -q

%build
export CFLAGS="%{optflags}"
python setup.py build

%install
python setup.py install \
        --root=%{buildroot} \
        --prefix=%{_prefix} \
    --install-scripts=%{_sbindir}

#remove bytecode (wrong mtime)
find %{buildroot}%{python_sitelib} -name "*.pyc" -delete

# create work directory
mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
# install denyhosts-reenable script
install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
# file containing blocked IP addresses - track it for the user 
# ('rpm -qf /etc/blacklist' should give a hint)
touch %{buildroot}%{_sysconfdir}/blacklist

# configuration file
sed -i "s|^#SECURE_LOG = /var/log/messages|SECURE_LOG = /var/log/messages|g; \
                s|^SECURE_LOG = /var/log/auth.log|#SECURE_LOG = /var/log/auth.log|g; \
                s|^IPTABLES = /sbin/iptables|IPTABLES = /usr/sbin/iptables|g;" \
                %{buildroot}%{_sysconfdir}/denyhosts.conf

# daemon-control-dist
sed -i "s|/usr/bin/env python|%{_bindir}/python|g" %{buildroot}%{_sbindir}/daemon-control-dist

# init script / systemd service
%if %{with systemd}
install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
%else
install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
%endif

# logfile handling
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
mkdir -p %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/denyhosts

# move the main app
mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts
sed -i "s|/usr/bin/denyhosts.py|/usr/sbin/denyhosts|g"  %{buildroot}%{_unitdir}/denyhosts.service

# fix wrong env-path
pushd %{buildroot} >/dev/null
for i in `find -name "*.py"`; do
        sed -i "s@\!.*/bin/env.*@\!%{_bindir}/python@g" $i
done
popd >/dev/null

# handle plugins
mkdir -p %{buildroot}%{_datadir}/%{name}
install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}

# move some files to the documentation directory
install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.txt  %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.md   %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/

%if %{with systemd}
%pre
%service_add_pre %{name}.service
%endif

%post
%if %{with systemd}
%service_add_post %{name}.service
%else
%{fillup_and_insserv -f denyhosts}
%endif

%preun
%if %{with systemd}
%service_del_preun %{name}.service
%else
%stop_on_removal denyhosts
%endif

%postun
%if %{with systemd}
%service_del_postun %{name}.service
%else
%insserv_cleanup
%endif


%files
%doc %{_defaultdocdir}/%{name}
%if 0%{?suse_version} > 1315
%license LICENSE.txt
%endif
%{_sbindir}/daemon-control-dist
%{_sbindir}/denyhosts
%{_sbindir}/rcdenyhosts
%{_sbindir}/dh_reenable
%{python_sitelib}/DenyHosts*
%{_mandir}/man8/denyhosts.8.gz
%dir %{_localstatedir}/lib/denyhosts
%{_datadir}/%{name}
%ghost %{_localstatedir}/log/denyhosts
%ghost %config(noreplace) %{_sysconfdir}/blacklist
%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
%config(noreplace) %{_sysconfdir}/denyhosts.conf
%if %{with systemd}
%{_unitdir}/denyhosts.service
%else
%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
%endif

%changelog
* Sat Aug 11 2018 javier@opensuse.org
- Update to 3.1
  + Fixes a bug when moving between Python 2 and Python 3
    environments
  + A new check has been added to confirm IP addresses retrieved
    from the security log are valid
  + DenyHosts will now (optionally) check for break-in attacks
    against IMAP services such as Dovecot.
  + A new dependency has been added, the Python ipaddr library
    is now a run-time requirement
* Mon Jul  2 2018 javier@opensuse.org
- Fix path to binary in service file
* Mon Mar 12 2018 lars@linux-schulserver.de
- update to 3.0
  + Initial translation of code from Python 2 to Python 3. DenyHosts
    can now be run as either a Python 2 or a Python 3 program. The new
    code has been tested with Pyhton 2.7 and Python 3.4. If you require
    an older version of Python, please continue to use DenyHosts 2.10
    and let us know of your requirements.
  + Added patch from Fedora to fix initial sync issue and insure info
    logging stream is active. (Provided by Jason Tibbitts.)
  + Added "import logging" to denyhosts.py to avoid errors when setting
    up logging. (See above change.)
  + Added option PF_TABLE_FILE to the configuration file. When this option
    is enabled it causes DenyHosts to write blocked IP addresses to a text
    file.
    The default location is /etc/blacklist. This text file should correspond
    to a PF firewall table.
  + At start-up, try to create the file specified by HOSTS_DENY. That
    way we avoid errors later if the file does not exists. Can be a
    problem on operating systems where /etc/hosts.deny does not exist
    in the default configuration.
  + Added regex pattern to detect invalid user accounts. This blocks
    connections from remote hosts who are attempting to login with
    accounts not found on the local system. While these connections to
    non-existent accounts are relatively harmless, they are usually used
    as part of a brute force attack and filtering them before they
    reach OpenSSH is a good idea.
  + Finally, Jan-Pascal has created a sync server for DenyHosts which
    will allow DenyHosts services to coordinate lists of banned IP addresses.
    The new sync server is open source (GPLv3) and can be set up on
    private servers, networks and VPS. We plan to set up our own sync
    server in the near future. When a sync server is created it will
    be announced at http://denyhost.sourceforge.net/news.php
- require rsyslog to fix the not existing systemd journal support
  (https://github.com/denyhosts/denyhosts/issues/14) - this resolves
  boo#960856 until upstream implemented the feature
- use provided systemd service on newer distributions
- use upstream configuration file instead of own one
- removed ALL patches
* Wed Jan  5 2011 tejas.guruswamy@opensuse.org
- Make package noarch on > 11.2
- Run spec-cleaner
* Thu Apr 15 2010 lars@linux-schulserver.de
- fix dh_reenable as mentioned in bnc #596354
  (thanks to Patrick Shanahan for the patch!)
* Sun Dec 28 2008 lars@linux-schulserver.de
- added some Debian patches
- enhanced init script
- adapted default denyhosts.conf (which is now located in /etc)
- added README.SuSE
- fix some rpmlint warnings
* Wed Dec 20 2006 lars@linux-schulserver.de
- initial package 2.6
  Thanks to Craig Millar for the logrotate and initial init file.
1	jpp	1.1	#
2			# spec file for package denyhosts
3			#
4			# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
5			#
6			# All modifications and additions to the file contributed by third parties
7			# remain the property of their copyright owners, unless otherwise agreed
8			# upon. The license for this file, and modifications and additions to the
9			# file, is the same license as for the pristine package itself (unless the
10			# license for the pristine package is not an Open Source License, in which
11			# case the license is the MIT License). An "Open Source License" is a
12			# license that conforms to the Open Source Definition (Version 1.9)
13			# published by the Open Source Initiative.
14
15			# Please submit bugfixes or comments via http://bugs.opensuse.org/
16			#
17
18
19			%if 0%{?suse_version} < 1120
20			%define python_sitelib %{py_sitedir}
21			%endif
22
23			%if 0%{?suse_version} >= 1210
24			%bcond_without systemd
25			%else
26			%bcond_with systemd
27			%endif
28
29
30			Name: denyhosts
31			Version: 3.1
32			Release: lp152.1.1
33			Summary: Utility to help system administrators thwart brute-force ssh hackers
34			License: GPL-2.0-only
35			Group: Productivity/Networking/Security
36			Url: https://github.com/denyhosts/denyhosts
37			Source: %{name}-%{version}.tar.gz
38			Source2: denyhosts.init
39			Source3: logrotate.denyhosts
40			Source4: denyhosts-dh_reenable
41			Source5: denyhosts.README
42			BuildRequires: perl
43			BuildRequires: python-devel
44			BuildRequires: python-ipaddr
45			Requires: python-ipaddr
46			Requires: logrotate
47			Requires: python
48			Requires: rsyslog
49			%if %{with systemd}
50			BuildRequires: systemd-rpm-macros
51			%{?systemd_requires}
52			%else
53			PreReq: %insserv_prereq
54			%endif
55			%py_requires
56			%if 0%{?suse_version} > 1110
57			BuildArch: noarch
58			%endif
59			BuildRoot: %{_tmppath}/%{name}-%{version}-build
60
61
62			%description
63			DenyHosts is a python program that automatically blocks ssh attacks by adding
64			entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux
65			administrators about offending hosts, attacked users and suspicious logins.
66
67			%prep
68			%setup -q
69
70			%build
71			export CFLAGS="%{optflags}"
72			python setup.py build
73
74			%install
75			python setup.py install \
76			--root=%{buildroot} \
77			--prefix=%{_prefix} \
78			--install-scripts=%{_sbindir}
79
80			#remove bytecode (wrong mtime)
81			find %{buildroot}%{python_sitelib} -name "*.pyc" -delete
82
83			# create work directory
84			mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
85			# install denyhosts-reenable script
86			install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
87			# file containing blocked IP addresses - track it for the user
88			# ('rpm -qf /etc/blacklist' should give a hint)
89			touch %{buildroot}%{_sysconfdir}/blacklist
90
91			# configuration file
92			sed -i "s\|^#SECURE_LOG = /var/log/messages\|SECURE_LOG = /var/log/messages\|g; \
93			s\|^SECURE_LOG = /var/log/auth.log\|#SECURE_LOG = /var/log/auth.log\|g; \
94			s\|^IPTABLES = /sbin/iptables\|IPTABLES = /usr/sbin/iptables\|g;" \
95			%{buildroot}%{_sysconfdir}/denyhosts.conf
96
97			# daemon-control-dist
98			sed -i "s\|/usr/bin/env python\|%{_bindir}/python\|g" %{buildroot}%{_sbindir}/daemon-control-dist
99
100			# init script / systemd service
101			%if %{with systemd}
102			install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
103			ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
104			%else
105			install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
106			ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
107			%endif
108
109			# logfile handling
110			install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
111			mkdir -p %{buildroot}%{_localstatedir}/log
112			touch %{buildroot}%{_localstatedir}/log/denyhosts
113
114			# move the main app
115			mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts
116			sed -i "s\|/usr/bin/denyhosts.py\|/usr/sbin/denyhosts\|g" %{buildroot}%{_unitdir}/denyhosts.service
117
118			# fix wrong env-path
119			pushd %{buildroot} >/dev/null
120			for i in `find -name "*.py"`; do
121			sed -i "s@\!./bin/env.@\!%{_bindir}/python@g" $i
122			done
123			popd >/dev/null
124
125			# handle plugins
126			mkdir -p %{buildroot}%{_datadir}/%{name}
127			install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}
128
129			# move some files to the documentation directory
130			install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
131			install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
132			install -m0644 *.txt %{buildroot}%{_defaultdocdir}/%{name}/
133			install -m0644 *.md %{buildroot}%{_defaultdocdir}/%{name}/
134			install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/
135
136			%if %{with systemd}
137			%pre
138			%service_add_pre %{name}.service
139			%endif
140
141			%post
142			%if %{with systemd}
143			%service_add_post %{name}.service
144			%else
145			%{fillup_and_insserv -f denyhosts}
146			%endif
147
148			%preun
149			%if %{with systemd}
150			%service_del_preun %{name}.service
151			%else
152			%stop_on_removal denyhosts
153			%endif
154
155			%postun
156			%if %{with systemd}
157			%service_del_postun %{name}.service
158			%else
159			%insserv_cleanup
160			%endif
161
162
163			%files
164			%doc %{_defaultdocdir}/%{name}
165			%if 0%{?suse_version} > 1315
166			%license LICENSE.txt
167			%endif
168			%{_sbindir}/daemon-control-dist
169			%{_sbindir}/denyhosts
170			%{_sbindir}/rcdenyhosts
171			%{_sbindir}/dh_reenable
172			%{python_sitelib}/DenyHosts*
173			%{_mandir}/man8/denyhosts.8.gz
174			%dir %{_localstatedir}/lib/denyhosts
175			%{_datadir}/%{name}
176			%ghost %{_localstatedir}/log/denyhosts
177			%ghost %config(noreplace) %{_sysconfdir}/blacklist
178			%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
179			%config(noreplace) %{_sysconfdir}/denyhosts.conf
180			%if %{with systemd}
181			%{_unitdir}/denyhosts.service
182			%else
183			%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
184			%endif
185
186			%changelog
187			* Sat Aug 11 2018 javier@opensuse.org
188			- Update to 3.1
189			+ Fixes a bug when moving between Python 2 and Python 3
190			environments
191			+ A new check has been added to confirm IP addresses retrieved
192			from the security log are valid
193			+ DenyHosts will now (optionally) check for break-in attacks
194			against IMAP services such as Dovecot.
195			+ A new dependency has been added, the Python ipaddr library
196			is now a run-time requirement
197			* Mon Jul 2 2018 javier@opensuse.org
198			- Fix path to binary in service file
199			* Mon Mar 12 2018 lars@linux-schulserver.de
200			- update to 3.0
201			+ Initial translation of code from Python 2 to Python 3. DenyHosts
202			can now be run as either a Python 2 or a Python 3 program. The new
203			code has been tested with Pyhton 2.7 and Python 3.4. If you require
204			an older version of Python, please continue to use DenyHosts 2.10
205			and let us know of your requirements.
206			+ Added patch from Fedora to fix initial sync issue and insure info
207			logging stream is active. (Provided by Jason Tibbitts.)
208			+ Added "import logging" to denyhosts.py to avoid errors when setting
209			up logging. (See above change.)
210			+ Added option PF_TABLE_FILE to the configuration file. When this option
211			is enabled it causes DenyHosts to write blocked IP addresses to a text
212			file.
213			The default location is /etc/blacklist. This text file should correspond
214			to a PF firewall table.
215			+ At start-up, try to create the file specified by HOSTS_DENY. That
216			way we avoid errors later if the file does not exists. Can be a
217			problem on operating systems where /etc/hosts.deny does not exist
218			in the default configuration.
219			+ Added regex pattern to detect invalid user accounts. This blocks
220			connections from remote hosts who are attempting to login with
221			accounts not found on the local system. While these connections to
222			non-existent accounts are relatively harmless, they are usually used
223			as part of a brute force attack and filtering them before they
224			reach OpenSSH is a good idea.
225			+ Finally, Jan-Pascal has created a sync server for DenyHosts which
226			will allow DenyHosts services to coordinate lists of banned IP addresses.
227			The new sync server is open source (GPLv3) and can be set up on
228			private servers, networks and VPS. We plan to set up our own sync
229			server in the near future. When a sync server is created it will
230			be announced at http://denyhost.sourceforge.net/news.php
231			- require rsyslog to fix the not existing systemd journal support
232			(https://github.com/denyhosts/denyhosts/issues/14) - this resolves
233			boo#960856 until upstream implemented the feature
234			- use provided systemd service on newer distributions
235			- use upstream configuration file instead of own one
236			- removed ALL patches
237			* Wed Jan 5 2011 tejas.guruswamy@opensuse.org
238			- Make package noarch on > 11.2
239			- Run spec-cleaner
240			* Thu Apr 15 2010 lars@linux-schulserver.de
241			- fix dh_reenable as mentioned in bnc #596354
242			(thanks to Patrick Shanahan for the patch!)
243			* Sun Dec 28 2008 lars@linux-schulserver.de
244			- added some Debian patches
245			- enhanced init script
246			- adapted default denyhosts.conf (which is now located in /etc)
247			- added README.SuSE
248			- fix some rpmlint warnings
249			* Wed Dec 20 2006 lars@linux-schulserver.de
250			- initial package 2.6
251			Thanks to Craig Millar for the logrotate and initial init file.