#
# spec file for package denyhosts
#
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via http://bugs.opensuse.org/
#

%define release 11
%define _unitdir /usr/lib/systemd/system/
%global with_systemd 1

Name:           denyhosts
Version:        3.1
Release:        %{release}%{?dist}
Summary:        Utility to help system administrators thwart brute-force ssh hackers
License:        GPL-2.0-only
Group:          Productivity/Networking/Security
Url:            https://github.com/denyhosts/denyhosts
Source:         %{name}-%{version}.tar.gz
Source2:        denyhosts.init
Source3:        logrotate.denyhosts
Source4:        denyhosts-dh_reenable
Source5:        denyhosts.README
BuildRequires:  perl
BuildRequires:  python-devel
BuildRequires:  python-ipaddr
Requires:       python-ipaddr
Requires:       logrotate
Requires:       python
Requires:       rsyslog
BuildRequires:  python-rpm-macros
#BuildRequires:  systemd-rpm-macros
BuildRequires:  systemd
%{?systemd_requires}
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

%description
DenyHosts is a python program that automatically blocks ssh attacks by adding
entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux
administrators about offending hosts, attacked users and suspicious logins.

%prep
%setup -q

%build
export CFLAGS="%{optflags}"
python setup.py build

%install
python setup.py install \
    --root=%{buildroot} \
    --prefix=%{_prefix} \
    --install-scripts=%{_sbindir}
#remove bytecode (wrong mtime)
find %{buildroot}%{python_sitelib} -name "*.pyc" -delete
# create work directory
mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
# install denyhosts-reenable script
install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
# file containing blocked IP addresses - track it for the user
# ('rpm -qf /etc/blacklist' should give a hint)
touch %{buildroot}%{_sysconfdir}/blacklist
# configuration file
sed -i "s|^#SECURE_LOG = /var/log/messages|SECURE_LOG = /var/log/messages|g; \
        s|^SECURE_LOG = /var/log/auth.log|#SECURE_LOG = /var/log/auth.log|g; \
        s|^IPTABLES = /sbin/iptables|IPTABLES = /usr/sbin/iptables|g;" \
    %{buildroot}%{_sysconfdir}/denyhosts.conf
# daemon-control-dist
sed -i "s|/usr/bin/env python|%{_bindir}/python|g" %{buildroot}%{_sbindir}/daemon-control-dist
# init script / systemd service
%if %{with_systemd}
install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
%else
install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
%endif
# logfile handling
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
mkdir -p %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/denyhosts
# move the main app
mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts
sed -i "s|/usr/bin/denyhosts.py|/usr/sbin/denyhosts|g" %{buildroot}%{_unitdir}/denyhosts.service
# fix wrong env-path
pushd %{buildroot} >/dev/null
for i in `find -name "*.py"`; do
    sed -i "s@\!.*/bin/env.*@\!%{_bindir}/python@g" $i
done
popd >/dev/null
# handle plugins
mkdir -p %{buildroot}%{_datadir}/%{name}
install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}
# move some files to the documentation directory
install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.txt %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.md %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/

%if %{with_systemd}
%pre
%service_add_pre %{name}.service
%endif

%post
%if %{with_systemd}
%service_add_post %{name}.service
%else
%{fillup_and_insserv -f denyhosts}
%endif

%preun
%if %{with_systemd}
%service_del_preun %{name}.service
%else
%stop_on_removal denyhosts
%endif

%postun
%if %{with_systemd}
%service_del_postun %{name}.service
%else
%insserv_cleanup
%endif

%files
%doc %{_defaultdocdir}/%{name}
%if 0%{?suse_version} > 1315
%license LICENSE.txt
%endif
%{_sbindir}/daemon-control-dist
%{_sbindir}/denyhosts
%{_sbindir}/rcdenyhosts
%{_sbindir}/dh_reenable
%{python_sitelib}/DenyHosts*
%{_mandir}/man8/denyhosts.8.gz
%dir %{_localstatedir}/lib/denyhosts
%{_datadir}/%{name}
%ghost %{_localstatedir}/log/denyhosts
%ghost %config(noreplace) %{_sysconfdir}/blacklist
%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts
%config(noreplace) %{_sysconfdir}/denyhosts.conf
%if %{with_systemd}
%{_unitdir}/denyhosts.service
%else
%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
%endif

%changelog
* Sun Mar 14 2021 Jean-Philippe Pialasse 3.1-11.sme
- First release for SME10 [SME: 11459]
  imported from opensuse, reworked spec file to build it on CentOS 7 / SME 10

* Sat Aug 11 2018 javier@opensuse.org
- Update to 3.1
  + Fixes a bug when moving between Python 2 and Python 3 environments
  + A new check has been added to confirm IP addresses retrieved from
    the security log are valid
  + DenyHosts will now (optionally) check for break-in attacks against
    IMAP services such as Dovecot.
  + A new dependency has been added, the Python ipaddr library is now
    a run-time requirement

* Mon Jul 2 2018 javier@opensuse.org
- Fix path to binary in service file

* Mon Mar 12 2018 lars@linux-schulserver.de
- update to 3.0
  + Initial translation of code from Python 2 to Python 3.
    DenyHosts can now be run as either a Python 2 or a Python 3 program.
    The new code has been tested with Python 2.7 and Python 3.4.
    If you require an older version of Python, please continue to use
    DenyHosts 2.10 and let us know of your requirements.
  + Added patch from Fedora to fix initial sync issue and insure
    info logging stream is active. (Provided by Jason Tibbitts.)
  + Added "import logging" to denyhosts.py to avoid errors when
    setting up logging. (See above change.)
  + Added option PF_TABLE_FILE to the configuration file.
    When this option is enabled it causes DenyHosts to write
    blocked IP addresses to a text file. The default location
    is /etc/blacklist. This text file should correspond to a PF
    firewall table.
  + At start-up, try to create the file specified by HOSTS_DENY.
    That way we avoid errors later if the file does not exist.
    Can be a problem on operating systems where /etc/hosts.deny
    does not exist in the default configuration.
  + Added regex pattern to detect invalid user accounts. This
    blocks connections from remote hosts who are attempting to
    login with accounts not found on the local system.
    While these connections to non-existent accounts are relatively
    harmless, they are usually used as part of a brute force attack
    and filtering them before they reach OpenSSH is a good idea.
  + Finally, Jan-Pascal has created a sync server for DenyHosts which
    will allow DenyHosts services to coordinate lists of banned
    IP addresses. The new sync server is open source (GPLv3) and
    can be set up on private servers, networks and VPS. We plan
    to set up our own sync server in the near future. When a sync
    server is created it will be announced at
    http://denyhost.sourceforge.net/news.php
- require rsyslog to fix the not existing systemd journal support
  (https://github.com/denyhosts/denyhosts/issues/14) - this resolves
  boo#960856 until upstream implemented the feature
- use provided systemd service on newer distributions
- use upstream configuration file instead of own one
- removed ALL patches

* Wed Jan 5 2011 tejas.guruswamy@opensuse.org
- Make package noarch on > 11.2
- Run spec-cleaner

* Thu Apr 15 2010 lars@linux-schulserver.de
- fix dh_reenable as mentioned in bnc #596354
  (thanks to Patrick Shanahan for the patch!)

* Sun Dec 28 2008 lars@linux-schulserver.de
- added some Debian patches
- enhanced init script
- adapted default denyhosts.conf (which is now located in /etc)
- added README.SuSE
- fix some rpmlint warnings

* Wed Dec 20 2006 lars@linux-schulserver.de
- initial package 2.6
  Thanks to Craig Millar for the logrotate and initial init file.