#
|
|
# spec file for package denyhosts
|
|
#
|
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
# Build-time switches and path overrides used further down in this spec.
%define release         12
%define _unitdir        /usr/lib/systemd/system/
%global with_systemd    1

Name:           denyhosts
Version:        3.1
Release:        %{release}%{?dist}
Summary:        Utility to help system administrators thwart brute-force ssh hackers
License:        GPL-2.0-only
Group:          Productivity/Networking/Security
Url:            https://github.com/denyhosts/denyhosts
# NOTE(review): the main source is a bare file name, so this spec records
# neither where the tarball was fetched from nor a digest for it. Verify the
# tarball against the upstream release before building.
Source:         %{name}-%{version}.tar.gz
Source2:        denyhosts.init
Source3:        logrotate.denyhosts
Source4:        denyhosts-dh_reenable
Source5:        denyhosts.README
BuildArch:      noarch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build

# Build dependencies
BuildRequires:  perl
BuildRequires:  python-devel
BuildRequires:  python-ipaddr
BuildRequires:  python-rpm-macros
#BuildRequires: systemd-rpm-macros
BuildRequires:  systemd

# Runtime dependencies. rsyslog is required because DenyHosts reads a plain
# text log file (see the changelog entry on missing systemd journal support).
Requires:       logrotate
Requires:       python
Requires:       python-ipaddr
Requires:       rsyslog
%{?systemd_requires}
|
|
|
|
|
|
%description
|
|
DenyHosts is a python program that automatically blocks ssh attacks by adding
|
|
entries to %{_sysconfdir}/hosts.deny. DenyHosts will also inform Linux
|
|
administrators about offending hosts, attacked users and suspicious logins.
|
|
|
|
%prep
# Unpack the main source tarball without listing its contents.
%setup -q

%build
# Hand the distribution's optimisation flags to the Python build step.
CFLAGS="%{optflags}" python setup.py build
|
|
|
|
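%install
# Stage the upstream install into the buildroot; scripts are placed in sbin
# rather than bin.
python setup.py install \
    --root=%{buildroot} \
    --prefix=%{_prefix} \
    --install-scripts=%{_sbindir}

# Remove bytecode (wrong mtime)
find %{buildroot}%{python_sitelib} -name "*.pyc" -delete

# Create the work directory
mkdir -p %{buildroot}%{_localstatedir}/lib/denyhosts
# Install the denyhosts-reenable script
install -D -m755 %{SOURCE4} %{buildroot}%{_sbindir}/dh_reenable
# File containing blocked IP addresses - track it for the user
# ('rpm -qf /etc/blacklist' should give a hint)
touch %{buildroot}%{_sysconfdir}/blacklist

# Configuration file: enable /var/log/messages as SECURE_LOG, disable the
# /var/log/auth.log entry and use the /usr/sbin path for iptables.
# NOTE(review): /var/log/messages is the location inherited from the openSUSE
# spec. On CentOS 7 the stock rsyslog rules write sshd (authpriv) messages to
# /var/log/secure, so confirm that the deployed SECURE_LOG names the file that
# sshd failures are really written to; otherwise failed logins go unseen.
sed -i \
    -e "s|^#SECURE_LOG = /var/log/messages|SECURE_LOG = /var/log/messages|g" \
    -e "s|^SECURE_LOG = /var/log/auth.log|#SECURE_LOG = /var/log/auth.log|g" \
    -e "s|^IPTABLES = /sbin/iptables|IPTABLES = /usr/sbin/iptables|g" \
    %{buildroot}%{_sysconfdir}/denyhosts.conf

# daemon-control-dist: use an absolute interpreter path instead of resolving
# python through env and the caller's PATH.
sed -i "s|/usr/bin/env python|%{_bindir}/python|g" %{buildroot}%{_sbindir}/daemon-control-dist

# init script / systemd service
%if %{with_systemd}
install -D -m644 denyhosts.service %{buildroot}%{_unitdir}/denyhosts.service
# Rewrite any /usr/bin/denyhosts.py reference in the unit to the renamed sbin
# binary. Kept inside this branch because the unit file only exists here.
sed -i "s|/usr/bin/denyhosts.py|/usr/sbin/denyhosts|g" %{buildroot}%{_unitdir}/denyhosts.service
ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rcdenyhosts
%else
install -D -m755 %{SOURCE2} %{buildroot}%{_sysconfdir}/init.d/denyhosts
ln -s %{_sysconfdir}/init.d/denyhosts %{buildroot}%{_sbindir}/rcdenyhosts
%endif

# logfile handling
install -D -m644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/denyhosts
mkdir -p %{buildroot}%{_localstatedir}/log
touch %{buildroot}%{_localstatedir}/log/denyhosts

# Move the main app to its final name
mv %{buildroot}%{_sbindir}/denyhosts.py %{buildroot}%{_sbindir}/denyhosts

# Fix wrong env-path: replace env-based interpreter lines in the staged *.py
# files with an absolute interpreter path. find hands the file names straight
# to sed, so names are never word-split by the shell. This runs after the
# rename above, so the main script itself is not matched by the name test.
find "%{buildroot}" -type f -name "*.py" \
    -exec sed -i "s@\!.*/bin/env.*@\!%{_bindir}/python@g" {} +

# Handle plugins
# NOTE(review): the brace pattern expands to "*.sh" and "*py" (no dot before
# py); "*.{sh,py}" was probably intended - confirm against the plugins directory.
mkdir -p %{buildroot}%{_datadir}/%{name}
install -m0755 plugins/*{.sh,py} %{buildroot}%{_datadir}/%{name}

# Move some files to the documentation directory
install -D -m644 %{SOURCE5} %{buildroot}%{_defaultdocdir}/%{name}/README.SUSE
install -m0644 plugins/README.contrib %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.txt %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.md %{buildroot}%{_defaultdocdir}/%{name}/
install -m0644 *.conf %{buildroot}%{_defaultdocdir}/%{name}/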
|
|
|
|
#% if %{with_systemd}
|
|
#% pre
|
|
#% service_add_pre %{name}.service
|
|
#% endif
|
|
|
|
#% post
|
|
#% if %{with_systemd}
|
|
#% service_add_post %{name}.service
|
|
#% else
|
|
#% {fillup_and_insserv -f denyhosts}
|
|
#% endif
|
|
|
|
#% preun
|
|
#% if %{with_systemd}
|
|
#% service_del_preun %{name}.service
|
|
#% else
|
|
#% stop_on_removal denyhosts
|
|
#% endif
|
|
|
|
#% postun
|
|
#% if %{with_systemd}
|
|
#% service_del_postun %{name}.service
|
|
#% else
|
|
#% insserv_cleanup
|
|
#% endif
|
|
|
|
|
|
%files
# Documentation and licence
%doc %{_defaultdocdir}/%{name}
%if 0%{?suse_version} > 1315
%license LICENSE.txt
%endif

# Programs, Python module, man page and plugin scripts
%{_sbindir}/daemon-control-dist
%{_sbindir}/denyhosts
%{_sbindir}/dh_reenable
%{_sbindir}/rcdenyhosts
%{python_sitelib}/DenyHosts*
%{_mandir}/man8/denyhosts.8.gz
%{_datadir}/%{name}

# Service integration
%if %{with_systemd}
%{_unitdir}/denyhosts.service
%else
%attr(755,root,root) %{_sysconfdir}/init.d/denyhosts
%endif

# Configuration
%config(noreplace) %{_sysconfdir}/denyhosts.conf
%config(noreplace) %{_sysconfdir}/logrotate.d/denyhosts

# Runtime state. The log and the blacklist are ghost entries: owned by the
# package but not shipped in the payload.
# NOTE(review): no explicit mode or owner is declared for the work directory,
# the log or the blacklist, so their permissions come from the build defaults
# and from whatever creates them at runtime. Confirm on an installed system
# that only root can write to them.
%dir %{_localstatedir}/lib/denyhosts
%ghost %{_localstatedir}/log/denyhosts
%ghost %config(noreplace) %{_sysconfdir}/blacklist
|
|
|
|
%changelog
|
|
* Thu Oct 09 2025 BogusDateBot
|
|
- Eliminated rpmbuild "bogus date" warnings due to inconsistent weekday,
|
|
by assuming the date is correct and changing the weekday.
|
|
|
|
* Sun Mar 14 2021 Jean-Philippe Pialasse <tests@pialasse.com> 3.1-11.sme
|
|
- First release for SME10 [SME: 11459]
|
|
imported from opensuse, reworked spec file to build it on CentOS 7 / SME 10
|
|
- remove systemd pre post scriptlet, do not have macros, and we use SME to register service
|
|
|
|
* Sat Aug 11 2018 javier@opensuse.org
|
|
- Update to 3.1
|
|
+ Fixes a bug when moving between Python 2 and Python 3
|
|
environments
|
|
+ A new check has been added to confirm IP addresses retrieved
|
|
from the security log are valid
|
|
+ DenyHosts will now (optionally) check for break-in attacks
|
|
against IMAP services such as Dovecot.
|
|
+ A new dependency has been added, the Python ipaddr library
|
|
is now a run-time requirement
|
|
* Mon Jul 2 2018 javier@opensuse.org
|
|
- Fix path to binary in service file
|
|
* Mon Mar 12 2018 lars@linux-schulserver.de
|
|
- update to 3.0
|
|
+ Initial translation of code from Python 2 to Python 3. DenyHosts
|
|
can now be run as either a Python 2 or a Python 3 program. The new
|
|
code has been tested with Python 2.7 and Python 3.4. If you require
|
|
an older version of Python, please continue to use DenyHosts 2.10
|
|
and let us know of your requirements.
|
|
+ Added patch from Fedora to fix initial sync issue and ensure info
|
|
logging stream is active. (Provided by Jason Tibbitts.)
|
|
+ Added "import logging" to denyhosts.py to avoid errors when setting
|
|
up logging. (See above change.)
|
|
+ Added option PF_TABLE_FILE to the configuration file. When this option
|
|
is enabled it causes DenyHosts to write blocked IP addresses to a text
|
|
file.
|
|
The default location is /etc/blacklist. This text file should correspond
|
|
to a PF firewall table.
|
|
+ At start-up, try to create the file specified by HOSTS_DENY. That
|
|
way we avoid errors later if the file does not exist. Can be a
|
|
problem on operating systems where /etc/hosts.deny does not exist
|
|
in the default configuration.
|
|
+ Added regex pattern to detect invalid user accounts. This blocks
|
|
connections from remote hosts who are attempting to login with
|
|
accounts not found on the local system. While these connections to
|
|
non-existent accounts are relatively harmless, they are usually used
|
|
as part of a brute force attack and filtering them before they
|
|
reach OpenSSH is a good idea.
|
|
+ Finally, Jan-Pascal has created a sync server for DenyHosts which
|
|
will allow DenyHosts services to coordinate lists of banned IP addresses.
|
|
The new sync server is open source (GPLv3) and can be set up on
|
|
private servers, networks and VPS. We plan to set up our own sync
|
|
server in the near future. When a sync server is created it will
|
|
be announced at http://denyhost.sourceforge.net/news.php
|
|
- require rsyslog to fix the not existing systemd journal support
|
|
(https://github.com/denyhosts/denyhosts/issues/14) - this resolves
|
|
boo#960856 until upstream implemented the feature
|
|
- use provided systemd service on newer distributions
|
|
- use upstream configuration file instead of own one
|
|
- removed ALL patches
|
|
* Wed Jan 5 2011 tejas.guruswamy@opensuse.org
|
|
- Make package noarch on > 11.2
|
|
- Run spec-cleaner
|
|
* Thu Apr 15 2010 lars@linux-schulserver.de
|
|
- fix dh_reenable as mentioned in bnc #596354
|
|
(thanks to Patrick Shanahan for the patch!)
|
|
* Sun Dec 28 2008 lars@linux-schulserver.de
|
|
- added some Debian patches
|
|
- enhanced init script
|
|
- adapted default denyhosts.conf (which is now located in /etc)
|
|
- added README.SuSE
|
|
- fix some rpmlint warnings
|
|
* Wed Dec 20 2006 lars@linux-schulserver.de
|
|
- initial package 2.6
|
|
Thanks to Craig Millar for the logrotate and initial init file.
|