denyhosts/contribs10/denyhosts.spec

#
# spec file for package denyhosts
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%define release 11
%define _unitdir /usr/lib/systemd/system/
%global with_systemd     1

Name:           denyhosts
Version:        3.1
Release:        %{release}%{?dist}
Summary:        Utility to help system administrators thwart brute-force ssh hackers
License:        GPL-2.0-only
Group:          Productivity/Networking/Security
Url:            https://github.com/denyhosts/denyhosts
Source:         %{name}-%{version}.tar.gz
Source2:        denyhosts.init
Source3:        logrotate.denyhosts
Source4:        denyhosts-dh_reenable
Source5:        denyhosts.README
BuildRequires:  perl
BuildRequires:  python-devel
BuildRequires:  python-ipaddr
Requires:       python-ipaddr
Requires:       logrotate
Requires:       python
Requires:       rsyslog
BuildRequires:   python-rpm-macros
#BuildRequires:  systemd-rpm-macros
BuildRequires:  systemd
%{?systemd_requires}
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build


%description
DenyHosts is a python program that automatically blocks ssh attacks by adding
entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux 
administrators about offending hosts, attacked users and suspicious logins.

%prep
%setup -q

%build
export CFLAGS="%{optflags}"
python setup.py build

%install
python setup.py install \
        --root=%{buildroot} \
        --prefix=%{_prefix} \
    --install-scripts=%{_sbindir}

#remove bytecode (wrong mtime)
find %{buildroot}%{python_sitelib} -name "*.pyc" -delete

# create work directory
mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
# install denyhosts-reenable script
install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
# file containing blocked IP addresses - track it for the user 
# ('rpm -qf /etc/blacklist' should give a hint)
touch %{buildroot}%{_sysconfdir}/blacklist

# configuration file
sed -i "s|^#SECURE_LOG = /var/log/messages|SECURE_LOG = /var/log/messages|g; \
                s|^SECURE_LOG = /var/log/auth.log|#SECURE_LOG = /var/log/auth.log|g; \
                s|^IPTABLES = /sbin/iptables|IPTABLES = /usr/sbin/iptables|g;" \
                %{buildroot}%{_sysconfdir}/denyhosts.conf

# daemon-control-dist
sed -i "s|/usr/bin/env python|%{_bindir}/python|g" %{buildroot}%{_sbindir}/daemon-control-dist

# init script / systemd service
%if %{with_systemd}
install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
%else
install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
%endif

# logfile handling
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
mkdir -p %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/denyhosts

# move the main app
mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts
sed -i "s|/usr/bin/denyhosts.py|/usr/sbin/denyhosts|g"  %{buildroot}%{_unitdir}/denyhosts.service

# fix wrong env-path
pushd %{buildroot} >/dev/null
for i in `find -name "*.py"`; do
        sed -i "s@\!.*/bin/env.*@\!%{_bindir}/python@g" $i
done
popd >/dev/null

# handle plugins
mkdir -p %{buildroot}%{_datadir}/%{name}
install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}

# move some files to the documentation directory
install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.txt  %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.md   %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/

%if %{with_systemd}
%pre
%service_add_pre %{name}.service
%endif

%post
%if %{with_systemd}
%service_add_post %{name}.service
%else
%{fillup_and_insserv -f denyhosts}
%endif

%preun
%if %{with_systemd}
%service_del_preun %{name}.service
%else
%stop_on_removal denyhosts
%endif

%postun
%if %{with_systemd}
%service_del_postun %{name}.service
%else
%insserv_cleanup
%endif


%files
%doc %{_defaultdocdir}/%{name}
%if 0%{?suse_version} > 1315
%license LICENSE.txt
%endif
%{_sbindir}/daemon-control-dist
%{_sbindir}/denyhosts
%{_sbindir}/rcdenyhosts
%{_sbindir}/dh_reenable
%{python_sitelib}/DenyHosts*
%{_mandir}/man8/denyhosts.8.gz
%dir %{_localstatedir}/lib/denyhosts
%{_datadir}/%{name}
%ghost %{_localstatedir}/log/denyhosts
%ghost %config(noreplace) %{_sysconfdir}/blacklist
%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
%config(noreplace) %{_sysconfdir}/denyhosts.conf
%if %{with_systemd}
%{_unitdir}/denyhosts.service
%else
%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
%endif

%changelog
* Sun Mar 14 2021 Jean-Philippe Pialasse <tests@pialasse.com> 3.1-11.sme
- First release for SME10 [SME: 11459]
  imported from opensuse, reworked spec file to build it on CentOS 7 / SME 10

* Sat Aug 11 2018 javier@opensuse.org
- Update to 3.1
  + Fixes a bug when moving between Python 2 and Python 3
    environments
  + A new check has been added to confirm IP addresses retrieved
    from the security log are valid
  + DenyHosts will now (optionally) check for break-in attacks
    against IMAP services such as Dovecot.
  + A new dependency has been added, the Python ipaddr library
    is now a run-time requirement
* Mon Jul  2 2018 javier@opensuse.org
- Fix path to binary in service file
* Mon Mar 12 2018 lars@linux-schulserver.de
- update to 3.0
  + Initial translation of code from Python 2 to Python 3. DenyHosts
    can now be run as either a Python 2 or a Python 3 program. The new
    code has been tested with Pyhton 2.7 and Python 3.4. If you require
    an older version of Python, please continue to use DenyHosts 2.10
    and let us know of your requirements.
  + Added patch from Fedora to fix initial sync issue and insure info
    logging stream is active. (Provided by Jason Tibbitts.)
  + Added "import logging" to denyhosts.py to avoid errors when setting
    up logging. (See above change.)
  + Added option PF_TABLE_FILE to the configuration file. When this option
    is enabled it causes DenyHosts to write blocked IP addresses to a text
    file.
    The default location is /etc/blacklist. This text file should correspond
    to a PF firewall table.
  + At start-up, try to create the file specified by HOSTS_DENY. That
    way we avoid errors later if the file does not exists. Can be a
    problem on operating systems where /etc/hosts.deny does not exist
    in the default configuration.
  + Added regex pattern to detect invalid user accounts. This blocks
    connections from remote hosts who are attempting to login with
    accounts not found on the local system. While these connections to
    non-existent accounts are relatively harmless, they are usually used
    as part of a brute force attack and filtering them before they
    reach OpenSSH is a good idea.
  + Finally, Jan-Pascal has created a sync server for DenyHosts which
    will allow DenyHosts services to coordinate lists of banned IP addresses.
    The new sync server is open source (GPLv3) and can be set up on
    private servers, networks and VPS. We plan to set up our own sync
    server in the near future. When a sync server is created it will
    be announced at http://denyhost.sourceforge.net/news.php
- require rsyslog to fix the not existing systemd journal support
  (https://github.com/denyhosts/denyhosts/issues/14) - this resolves
  boo#960856 until upstream implemented the feature
- use provided systemd service on newer distributions
- use upstream configuration file instead of own one
- removed ALL patches
* Wed Jan  5 2011 tejas.guruswamy@opensuse.org
- Make package noarch on > 11.2
- Run spec-cleaner
* Thu Apr 15 2010 lars@linux-schulserver.de
- fix dh_reenable as mentioned in bnc #596354
  (thanks to Patrick Shanahan for the patch!)
* Sun Dec 28 2008 lars@linux-schulserver.de
- added some Debian patches
- enhanced init script
- adapted default denyhosts.conf (which is now located in /etc)
- added README.SuSE
- fix some rpmlint warnings
* Wed Dec 20 2006 lars@linux-schulserver.de
- initial package 2.6
  Thanks to Craig Millar for the logrotate and initial init file.
1	jpp	1.1	#
2			# spec file for package denyhosts
3			#
4			# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
5			#
6			# All modifications and additions to the file contributed by third parties
7			# remain the property of their copyright owners, unless otherwise agreed
8			# upon. The license for this file, and modifications and additions to the
9			# file, is the same license as for the pristine package itself (unless the
10			# license for the pristine package is not an Open Source License, in which
11			# case the license is the MIT License). An "Open Source License" is a
12			# license that conforms to the Open Source Definition (Version 1.9)
13			# published by the Open Source Initiative.
14
15			# Please submit bugfixes or comments via http://bugs.opensuse.org/
16			#
17	jpp	1.2	%define release 11
18			%define _unitdir /usr/lib/systemd/system/
19			%global with_systemd 1
20	jpp	1.1
21			Name: denyhosts
22			Version: 3.1
23	jpp	1.2	Release: %{release}%{?dist}
24	jpp	1.1	Summary: Utility to help system administrators thwart brute-force ssh hackers
25			License: GPL-2.0-only
26			Group: Productivity/Networking/Security
27			Url: https://github.com/denyhosts/denyhosts
28			Source: %{name}-%{version}.tar.gz
29			Source2: denyhosts.init
30			Source3: logrotate.denyhosts
31			Source4: denyhosts-dh_reenable
32			Source5: denyhosts.README
33			BuildRequires: perl
34			BuildRequires: python-devel
35			BuildRequires: python-ipaddr
36			Requires: python-ipaddr
37			Requires: logrotate
38			Requires: python
39			Requires: rsyslog
40	jpp	1.2	BuildRequires: python-rpm-macros
41			#BuildRequires: systemd-rpm-macros
42			BuildRequires: systemd
43	jpp	1.1	%{?systemd_requires}
44			BuildArch: noarch
45			BuildRoot: %{_tmppath}/%{name}-%{version}-build
46
47
48			%description
49			DenyHosts is a python program that automatically blocks ssh attacks by adding
50			entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux
51			administrators about offending hosts, attacked users and suspicious logins.
52
53			%prep
54			%setup -q
55
56			%build
57			export CFLAGS="%{optflags}"
58			python setup.py build
59
60			%install
61			python setup.py install \
62			--root=%{buildroot} \
63			--prefix=%{_prefix} \
64			--install-scripts=%{_sbindir}
65
66			#remove bytecode (wrong mtime)
67			find %{buildroot}%{python_sitelib} -name "*.pyc" -delete
68
69			# create work directory
70			mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
71			# install denyhosts-reenable script
72			install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
73			# file containing blocked IP addresses - track it for the user
74			# ('rpm -qf /etc/blacklist' should give a hint)
75			touch %{buildroot}%{_sysconfdir}/blacklist
76
77			# configuration file
78			sed -i "s\|^#SECURE_LOG = /var/log/messages\|SECURE_LOG = /var/log/messages\|g; \
79			s\|^SECURE_LOG = /var/log/auth.log\|#SECURE_LOG = /var/log/auth.log\|g; \
80			s\|^IPTABLES = /sbin/iptables\|IPTABLES = /usr/sbin/iptables\|g;" \
81			%{buildroot}%{_sysconfdir}/denyhosts.conf
82
83			# daemon-control-dist
84			sed -i "s\|/usr/bin/env python\|%{_bindir}/python\|g" %{buildroot}%{_sbindir}/daemon-control-dist
85
86			# init script / systemd service
87	jpp	1.2	%if %{with_systemd}
88	jpp	1.1	install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
89			ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
90			%else
91			install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
92			ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
93			%endif
94
95			# logfile handling
96			install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
97			mkdir -p %{buildroot}%{_localstatedir}/log
98			touch %{buildroot}%{_localstatedir}/log/denyhosts
99
100			# move the main app
101			mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts
102			sed -i "s\|/usr/bin/denyhosts.py\|/usr/sbin/denyhosts\|g" %{buildroot}%{_unitdir}/denyhosts.service
103
104			# fix wrong env-path
105			pushd %{buildroot} >/dev/null
106			for i in `find -name "*.py"`; do
107			sed -i "s@\!./bin/env.@\!%{_bindir}/python@g" $i
108			done
109			popd >/dev/null
110
111			# handle plugins
112			mkdir -p %{buildroot}%{_datadir}/%{name}
113			install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}
114
115			# move some files to the documentation directory
116			install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
117			install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
118			install -m0644 *.txt %{buildroot}%{_defaultdocdir}/%{name}/
119			install -m0644 *.md %{buildroot}%{_defaultdocdir}/%{name}/
120			install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/
121
122	jpp	1.2	%if %{with_systemd}
123	jpp	1.1	%pre
124			%service_add_pre %{name}.service
125			%endif
126
127			%post
128	jpp	1.2	%if %{with_systemd}
129	jpp	1.1	%service_add_post %{name}.service
130			%else
131			%{fillup_and_insserv -f denyhosts}
132			%endif
133
134			%preun
135	jpp	1.2	%if %{with_systemd}
136	jpp	1.1	%service_del_preun %{name}.service
137			%else
138			%stop_on_removal denyhosts
139			%endif
140
141			%postun
142	jpp	1.2	%if %{with_systemd}
143	jpp	1.1	%service_del_postun %{name}.service
144			%else
145			%insserv_cleanup
146			%endif
147
148
149			%files
150			%doc %{_defaultdocdir}/%{name}
151			%if 0%{?suse_version} > 1315
152			%license LICENSE.txt
153			%endif
154			%{_sbindir}/daemon-control-dist
155			%{_sbindir}/denyhosts
156			%{_sbindir}/rcdenyhosts
157			%{_sbindir}/dh_reenable
158			%{python_sitelib}/DenyHosts*
159			%{_mandir}/man8/denyhosts.8.gz
160			%dir %{_localstatedir}/lib/denyhosts
161			%{_datadir}/%{name}
162			%ghost %{_localstatedir}/log/denyhosts
163			%ghost %config(noreplace) %{_sysconfdir}/blacklist
164			%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
165			%config(noreplace) %{_sysconfdir}/denyhosts.conf
166	jpp	1.2	%if %{with_systemd}
167	jpp	1.1	%{_unitdir}/denyhosts.service
168			%else
169			%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
170			%endif
171
172			%changelog
173	jpp	1.2	* Sun Mar 14 2021 Jean-Philippe Pialasse <tests@pialasse.com> 3.1-11.sme
174			- First release for SME10 [SME: 11459]
175			imported from opensuse, reworked spec file to build it on CentOS 7 / SME 10
176
177	jpp	1.1	* Sat Aug 11 2018 javier@opensuse.org
178			- Update to 3.1
179			+ Fixes a bug when moving between Python 2 and Python 3
180			environments
181			+ A new check has been added to confirm IP addresses retrieved
182			from the security log are valid
183			+ DenyHosts will now (optionally) check for break-in attacks
184			against IMAP services such as Dovecot.
185			+ A new dependency has been added, the Python ipaddr library
186			is now a run-time requirement
187			* Mon Jul 2 2018 javier@opensuse.org
188			- Fix path to binary in service file
189			* Mon Mar 12 2018 lars@linux-schulserver.de
190			- update to 3.0
191			+ Initial translation of code from Python 2 to Python 3. DenyHosts
192			can now be run as either a Python 2 or a Python 3 program. The new
193			code has been tested with Pyhton 2.7 and Python 3.4. If you require
194			an older version of Python, please continue to use DenyHosts 2.10
195			and let us know of your requirements.
196			+ Added patch from Fedora to fix initial sync issue and insure info
197			logging stream is active. (Provided by Jason Tibbitts.)
198			+ Added "import logging" to denyhosts.py to avoid errors when setting
199			up logging. (See above change.)
200			+ Added option PF_TABLE_FILE to the configuration file. When this option
201			is enabled it causes DenyHosts to write blocked IP addresses to a text
202			file.
203			The default location is /etc/blacklist. This text file should correspond
204			to a PF firewall table.
205			+ At start-up, try to create the file specified by HOSTS_DENY. That
206			way we avoid errors later if the file does not exists. Can be a
207			problem on operating systems where /etc/hosts.deny does not exist
208			in the default configuration.
209			+ Added regex pattern to detect invalid user accounts. This blocks
210			connections from remote hosts who are attempting to login with
211			accounts not found on the local system. While these connections to
212			non-existent accounts are relatively harmless, they are usually used
213			as part of a brute force attack and filtering them before they
214			reach OpenSSH is a good idea.
215			+ Finally, Jan-Pascal has created a sync server for DenyHosts which
216			will allow DenyHosts services to coordinate lists of banned IP addresses.
217			The new sync server is open source (GPLv3) and can be set up on
218			private servers, networks and VPS. We plan to set up our own sync
219			server in the near future. When a sync server is created it will
220			be announced at http://denyhost.sourceforge.net/news.php
221			- require rsyslog to fix the not existing systemd journal support
222			(https://github.com/denyhosts/denyhosts/issues/14) - this resolves
223			boo#960856 until upstream implemented the feature
224			- use provided systemd service on newer distributions
225			- use upstream configuration file instead of own one
226			- removed ALL patches
227			* Wed Jan 5 2011 tejas.guruswamy@opensuse.org
228			- Make package noarch on > 11.2
229			- Run spec-cleaner
230			* Thu Apr 15 2010 lars@linux-schulserver.de
231			- fix dh_reenable as mentioned in bnc #596354
232			(thanks to Patrick Shanahan for the patch!)
233			* Sun Dec 28 2008 lars@linux-schulserver.de
234			- added some Debian patches
235			- enhanced init script
236			- adapted default denyhosts.conf (which is now located in /etc)
237			- added README.SuSE
238			- fix some rpmlint warnings
239			* Wed Dec 20 2006 lars@linux-schulserver.de
240			- initial package 2.6
241			Thanks to Craig Millar for the logrotate and initial init file.