authorKoen Kooi <koen@dominion.thruhere.net>2015-09-03 19:39:16 +0200
committerMartin Jansa <Martin.Jansa@gmail.com>2017-08-31 15:22:59 +0200
commit048ccb09d12047436a83b8576a5209073bf15af5 (patch)
tree1d3446d522da32e60b03a9b671e0c7d01023ad12
parent378728beaa5d2f90c85fd7f2a83f31125c583274 (diff)
sshguard 1.6.1+git: add recipe
SSHguard protects hosts from brute-force attacks against SSH and other services. This recipe uses iptables as blocker backend and journald as log backend. When it's working it will look like this in syslog: Sep 03 19:35:29 soekris sshguard[27044]: Started with danger threshold=40 ; minimum block=420 seconds Sep 03 19:35:29 soekris sshguard[27044]: Blocking 24.234.171.90:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). Sep 03 19:35:29 soekris sshguard[27044]: Blocking 61.182.15.194:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). Sep 03 19:35:29 soekris sshguard[27044]: Blocking 115.58.38.53:4 for >630secs: 40 danger in 4 attacks over 0 seconds (all: 40d in 1 abuses over 0s). And the iptable rules: root@soekris:~# iptables -L sshguard --line-numbers Chain sshguard (1 references) num target prot opt source destination 1 DROP all -- hn.kd.ny.adsl anywhere 2 DROP all -- 61.182.15.194 anywhere 3 DROP all -- wsip-24-234-171-90.lv.lv.cox.net anywhere Signed-off-by: Koen Kooi <koen@dominion.thruhere.net> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-networking/recipes-support/sshguard/sshguard/firewall48
-rw-r--r--meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl2
-rw-r--r--meta-networking/recipes-support/sshguard/sshguard/sshguard.service12
-rw-r--r--meta-networking/recipes-support/sshguard/sshguard_git.bb38
4 files changed, 100 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/sshguard/sshguard/firewall b/meta-networking/recipes-support/sshguard/sshguard/firewall
new file mode 100644
index 0000000000..b6833681ec
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/firewall
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#
+# Function that enables firewall
+#
+do_enable_firewall()
+{
+ # creating sshguard chain
+ iptables -N sshguard 2> /dev/null
+ ip6tables -N sshguard 2> /dev/null
+ # block traffic from abusers
+ iptables -I INPUT -j sshguard 2> /dev/null
+ ip6tables -I INPUT -j sshguard 2> /dev/null
+}
+#
+# Function that disables firewall
+#
+do_disable_firewall()
+{
+ # flushes list of abusers
+ iptables -F sshguard 2> /dev/null
+ ip6tables -F sshguard 2> /dev/null
+ # removes sshguard firewall rules
+ iptables -D INPUT -j sshguard 2> /dev/null
+ ip6tables -D INPUT -j sshguard 2> /dev/null
+ # removing sshguard chain
+ iptables -X sshguard 2> /dev/null
+ ip6tables -X sshguard 2> /dev/null
+}
+
+case "$1" in
+ enable)
+ do_enable_firewall
+ ;;
+ disable)
+ do_disable_firewall
+ ;;
+ restart)
+ do_disable_firewall
+ do_enable_firewall
+ ;;
+ *)
+ exit 1
+ ;;
+esac
+
+exit 0
+
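Review bot: do_enable_firewall silences every iptables/ip6tables error with `2> /dev/null` and the script always ends in `exit 0`, so the unit's ExecStartPre reports success even when the sshguard chain or the INPUT jump was never created (no iptables binary, no netfilter support, not root) and the daemon then runs without being able to block anyone. The `-I INPUT -j sshguard` has no existence check either, so whenever a preceding `disable` failed (also silently) each `restart` stacks another jump rule at the head of INPUT. I would probe with `iptables -C` (available in iptables 1.4.11 and later) before inserting and let a failed insert fail the script so systemd refuses to start sshguard unprotected; the chain creation can stay best-effort because it legitimately already exists on a restart.
```shell
do_enable_firewall()
{
    # creating sshguard chain (already present on a restart, so ignore failure)
    iptables -N sshguard 2> /dev/null
    ip6tables -N sshguard 2> /dev/null
    # block traffic from abusers; -C avoids stacking a duplicate jump,
    # and a failed insert must fail the unit instead of starting sshguard unprotected
    iptables -C INPUT -j sshguard 2> /dev/null || iptables -I INPUT -j sshguard || exit 1
    ip6tables -C INPUT -j sshguard 2> /dev/null || ip6tables -I INPUT -j sshguard || exit 1
}
# … unchanged: do_disable_firewall and the case dispatch …
```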
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
new file mode 100644
index 0000000000..e7c615b95c
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard-journalctl
@@ -0,0 +1,2 @@
+#!/bin/sh
+/bin/journalctl -fb -t sshd -n100 | /usr/sbin/sshguard -l- "$@"
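Review bot: The log source is hard-wired to the `sshd` syslog identifier via `-t sshd`, so on an image whose SSH server is dropbear (a common choice on OpenEmbedded targets) the pipe carries nothing and sshguard never sees a failed login, while the unit still reports as running; this deserves a comment and, if the parser handles it, a second `-t` for that daemon. Note also that `-n100` replays up to 100 earlier sshd lines of the current boot on every start, so old attempts are re-scored and re-blocked after each restart, which is presumably intended since the firewall script flushes the chain on stop but is worth stating. Suggested header comment: `# Feed only OpenSSH ("sshd") journal entries of this boot to sshguard, replaying the last 100 on start; adjust -t if the image runs a different SSH daemon`.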
diff --git a/meta-networking/recipes-support/sshguard/sshguard/sshguard.service b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
new file mode 100644
index 0000000000..e2590fadda
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard/sshguard.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SSHGuard
+After=network.service
+
+[Service]
+PIDFile=/run/sshguard.pid
+ExecStartPre=/usr/lib/sshguard/firewall enable
+ExecStopPost=/usr/lib/sshguard/firewall disable
+ExecStart=/usr/lib/sshguard/sshguard-journalctl -i /run/sshguard.pid
+
+[Install]
+WantedBy=multi-user.target
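Review bot: `After=network.service` orders against a unit name that is not a standard systemd unit; an unknown name in After= is silently ignored, so the ordering is most likely a no-op and the conventional line is `After=network.target`. `PIDFile=` is only honoured for `Type=forking`; with the default simple type the main PID is the shell running the journalctl|sshguard pipeline, which is fine under the default control-group kill mode but means the `-i /run/sshguard.pid` argument on ExecStart does nothing for systemd. Since ExecStopPost tears the chain down when the pipeline dies, consider `Restart=on-failure` so a crash does not leave the host without brute-force protection until someone notices.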
diff --git a/meta-networking/recipes-support/sshguard/sshguard_git.bb b/meta-networking/recipes-support/sshguard/sshguard_git.bb
new file mode 100644
index 0000000000..04435e82fa
--- /dev/null
+++ b/meta-networking/recipes-support/sshguard/sshguard_git.bb
@@ -0,0 +1,38 @@
+SUMMARY = "SSHguard protects hosts from brute-force attacks against SSH and other services."
+
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://COPYING;md5=47a33fc98cd20713882c4d822a57bf4d"
+
+PV = "1.6.1+git${SRCPV}"
+
+SRCREV = "019a0406811a536faf3f90cdd7a0a538ee24d789"
+SRC_URI = "git://bitbucket.org/sshguard/sshguard.git;protocol=https;branch=1.6 \
+ file://firewall \
+ file://sshguard.service \
+ file://sshguard-journalctl \
+ "
+
+S = "${WORKDIR}/git"
+
+DEPENDS = "flex-native"
+
+inherit autotools-brokensep systemd
+
+EXTRA_OECONF += " --with-firewall=iptables \
+ --with-iptables=${sbindir}/iptables \
+ "
+
+do_install_append() {
+ install -d ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/firewall ${D}${libdir}/sshguard
+ install -m 0755 ${WORKDIR}/sshguard-journalctl ${D}${libdir}/sshguard
+
+ sed -i -e s:/bin:${base_bindir}:g -e s:/usr/sbin:${sbindir}:g ${D}${libdir}/sshguard/sshguard-journalctl
+
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/sshguard.service ${D}${systemd_unitdir}/system
+ sed -i -e s:/usr/lib:${libdir}:g ${D}${systemd_unitdir}/system/sshguard.service
+}
+
+FILES_${PN} += "${systemd_unitdir}"
+RDEPENDS_${PN} += "iptables"
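Review bot: The recipe inherits `systemd` and installs sshguard.service but never sets `SYSTEMD_SERVICE_${PN}`, so systemd.bbclass has nothing to enable and the unit ships disabled; the host gets no brute-force protection until an administrator runs `systemctl enable sshguard` by hand (unless a bbappend sets it elsewhere). Add `SYSTEMD_SERVICE_${PN} = "sshguard.service"` next to the FILES line, after which `FILES_${PN} += "${systemd_unitdir}"` becomes redundant because the class packages the unit itself. The wrapper installed in do_install_append calls journalctl, so `RDEPENDS_${PN}` should also name the package that provides it (systemd) alongside iptables, or the recipe should be made conditional on `systemd` in DISTRO_FEATURES, since without journald the log backend cannot work at all.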