authorRenato Botelho <renato@netgate.com>2018-08-30 14:51:10 -0300
committerRenato Botelho <renato@netgate.com>2018-08-30 14:51:10 -0300
commitb89270b73ed38daab2f0fe7f93b13d2811203485 (patch)
tree55d19c1fa3bc7b9f4b06896ab0428be236c481a1
parent880107d21f5e69201ba810d553d948ca9009f70d (diff)
downloadpfsense-b89270b73ed38daab2f0fe7f93b13d2811203485.zip
pfsense-b89270b73ed38daab2f0fe7f93b13d2811203485.tar.gz
Fix #7694: Replace sshlockout_pf by sshguard
-rw-r--r--src/conf.default/config.xml2
-rw-r--r--src/etc/inc/filter.inc8
-rw-r--r--src/etc/inc/globals.inc2
-rw-r--r--src/etc/inc/service-utils.inc4
-rw-r--r--src/etc/inc/system.inc10
-rw-r--r--src/etc/inc/upgrade_config.inc23
-rw-r--r--src/usr/local/www/diag_tables.php2
-rw-r--r--src/usr/local/www/guiconfig.inc2
-rw-r--r--src/usr/local/www/system_advanced_firewall.php2
9 files changed, 41 insertions, 14 deletions
diff --git a/src/conf.default/config.xml b/src/conf.default/config.xml
index bcb5ed1..b10a927 100644
--- a/src/conf.default/config.xml
+++ b/src/conf.default/config.xml
@@ -178,7 +178,7 @@
<month>*</month>
<wday>*</wday>
<who>root</who>
- <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
+ <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard</command>
</item>
<item>
<minute>*/60</minute>
diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc
index eb42dd5..b7d9c3a 100644
--- a/src/etc/inc/filter.inc
+++ b/src/etc/inc/filter.inc
@@ -750,7 +750,7 @@ function filter_generate_aliases() {
}
$aliases .= "\n#SSH Lockout Table\n";
- $aliases .= "table <sshlockout> persist\n";
+ $aliases .= "table <sshguard> persist\n";
$aliases .= "table <webConfiguratorlockout> persist\n";
$aliases .= "#Snort tables\n";
@@ -3335,9 +3335,9 @@ EOD;
$ipfrules .= "\n# SSH lockout\n";
if (is_array($config['system']['ssh']) && !empty($config['system']['ssh']['port'])) {
- $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port ";
+ $ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port ";
$ipfrules .= $config['system']['ssh']['port'];
- $ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
+ $ipfrules .= " tracker {$increment_tracker($tracker)} label \"sshguard\"\n";
} else {
if ($config['system']['ssh']['port'] <> "") {
$sshport = $config['system']['ssh']['port'];
@@ -3345,7 +3345,7 @@ EOD;
$sshport = 22;
}
if ($sshport) {
- $ipfrules .= "block in {$log['block']} quick proto tcp from <sshlockout> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshlockout\"\n";
+ $ipfrules .= "block in {$log['block']} quick proto tcp from <sshguard> to (self) port {$sshport} tracker {$increment_tracker($tracker)} label \"sshguard\"\n";
}
}
diff --git a/src/etc/inc/globals.inc b/src/etc/inc/globals.inc
index 70ba85b..cac2639 100644
--- a/src/etc/inc/globals.inc
+++ b/src/etc/inc/globals.inc
@@ -69,7 +69,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "18.7",
+ "latest_config" => "18.8",
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
"wan_interface_name" => "wan",
diff --git a/src/etc/inc/service-utils.inc b/src/etc/inc/service-utils.inc
index 544b8e1..59515dc 100644
--- a/src/etc/inc/service-utils.inc
+++ b/src/etc/inc/service-utils.inc
@@ -738,8 +738,8 @@ function service_control_stop($name, $extras) {
sigkillbypid("{$g['varrun_path']}/syslog.pid", "KILL");
usleep(100000);
}
- /* Make sure sshlockout_pf stops as well */
- sigkillbyname("sshlockout_pf", "TERM");
+ /* Make sure sshguard stops as well */
+ sigkillbyname("sshguard", "TERM");
break;
default:
stop_service($name);
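Review bot: `sigkillbyname("sshguard", "TERM")` signals by process name only, and with this commit's BACKEND pointing at `/usr/local/libexec/sshg-fw-pf` the running sshguard looks like a front-end that hands work to separate `sshg-*` helper processes; if that is the layout, the TERM reaches only the process named `sshguard` and the helpers live on until they see EOF on the pipe from the syslogd killed just above. That is probably adequate on this stop path, since closing the pipe should end them, but it is worth confirming rather than relying on it, or also terminating the helper names here, e.g. `sigkillbyname("sshg-blocker", "TERM");` after the existing call. The `service_control_stop` switch begins and continues outside the hunk.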
diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 031f13e..792dfba 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -1059,7 +1059,7 @@ local4.* {$log_directive}{$g['varlog_path']}/portalauth.log
local5.* {$log_directive}{$g['varlog_path']}/nginx.log
local7.* {$log_directive}{$g['varlog_path']}/dhcpd.log
*.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info {$log_directive}{$g['varlog_path']}/system.log
-auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15
+auth.info;authpriv.info |exec /usr/local/sbin/sshguard
*.emerg *
EOD;
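Review bot: The new syslog action `|exec /usr/local/sbin/sshguard` passes no arguments, whereas the line it replaces ran `sshlockout_pf 15`; whatever that `15` governed (presumably a failed-attempt threshold) is no longer expressed on this line and is only carried by /usr/local/etc/sshguard.conf, which the next hunk writes with BACKEND and DETECTION_TIME but no THRESHOLD. A comment line above the action, e.g. `# sshguard: threshold and block time come from /usr/local/etc/sshguard.conf, not from here`, would stop the next reader from hunting for the lost argument; since this is inside a heredoc it is emitted into syslog.conf, which ignores `#` lines. The heredoc and its enclosing function begin and end outside the hunk.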
@@ -1141,8 +1141,14 @@ EOD;
$sighup = false;
}
+ $sshguard_config = array();
+ $sshguard_config[] = 'BACKEND="/usr/local/libexec/sshg-fw-pf"' . "\n";
+ /* XXX Add a GUI option to user to define it? */
+ $sshguard_config[] = 'DETECTION_TIME=3600' . "\n";
+ file_put_contents("/usr/local/etc/sshguard.conf", $sshguard_config);
+
if (!$sighup) {
- sigkillbyname("sshlockout_pf", "TERM");
+ sigkillbyname("sshguard", "TERM");
if (isvalidpid("{$g['varrun_path']}/syslog.pid")) {
sigkillbypid("{$g['varrun_path']}/syslog.pid", "TERM");
usleep(100000); // syslogd often doesn't respond to a TERM quickly enough for the starting of syslogd below to be successful
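Review bot: The return value of `file_put_contents("/usr/local/etc/sshguard.conf", $sshguard_config)` is not checked, so a failed write leaves whatever that file previously held (possibly nothing, in which case sshguard has no BACKEND) and the syslogd restart below then starts sshguard against it; suggest `if (file_put_contents("/usr/local/etc/sshguard.conf", $sshguard_config) === false) { log_error(gettext("Failed to write sshguard configuration")); }` using the file's usual logging helper. Only BACKEND and DETECTION_TIME are written, so the attack threshold and the block duration fall back to sshguard's compiled-in defaults, and the lockout policy is split between those invisible defaults and the 3600-second expiretable cron job this commit keeps; writing `THRESHOLD=` and `BLOCK_TIME=` explicitly would make the policy readable in one place and let the XXX about a GUI option cover all three. Note also that the config file is regenerated on every call but sshguard is only restarted on the `!$sighup` path shown here, so once DETECTION_TIME becomes user-configurable a change will not take effect on the SIGHUP path; that else branch and the enclosing function are outside the hunk.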
diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc
index 79535b2..fb86785 100644
--- a/src/etc/inc/upgrade_config.inc
+++ b/src/etc/inc/upgrade_config.inc
@@ -463,7 +463,7 @@ function upgrade_025_to_026() {
$cron_item['month'] = "*";
$cron_item['wday'] = "*";
$cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout";
+ $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard";
$config['cron']['item'][] = $cron_item;
@@ -5898,6 +5898,27 @@ function upgrade_186_to_187() {
}
}
+function upgrade_187_to_188() {
+ global $config;
+
+ $old_cmd = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout";
+ $new_cmd = "/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshguard";
+ if (!is_array($config['cron'])) {
+ $config['cron'] = array();
+ }
+ if (!is_array($config['cron']['item'])) {
+ $config['cron']['item'] = array();
+ }
+ if (is_array($config['cron']['item'])) {
+ foreach ($config['cron']['item'] as $idx => $entry) {
+ if ($entry['command'] == $old_cmd) {
+ $config['cron']['item'][$idx]['command'] = $new_cmd;
+ break;
+ }
+ }
+ }
+}
+
/*
* Special function that is called independent of current config version. It's
* a workaround to have config_upgrade running on older versions after next
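Review bot: The migration at `if ($entry['command'] == $old_cmd)` only rewrites a cron entry whose command matches the stock string exactly and stops at the first hit, so an entry a user has edited (for instance a different `-t` value) or a duplicated entry keeps pointing expiretable at the `sshlockout` table, which no longer exists after this commit. The `is_array` guard on the line before the loop is also redundant, since the preceding block just forced `$config['cron']['item']` to an array. Matching any expiretable job whose final argument is `sshlockout`, rewriting just the table name, and dropping the `break` migrates all of them, after which `$old_cmd` and `$new_cmd` are no longer needed; the comparison should be strict in any case.
```php
	foreach ($config['cron']['item'] as $idx => $entry) {
		/* Migrate every expiretable job on the old table, including user-edited ones */
		if (isset($entry['command']) &&
		    preg_match('/\/expiretable\s.*\ssshlockout$/', $entry['command'])) {
			$config['cron']['item'][$idx]['command'] =
			    preg_replace('/\ssshlockout$/', ' sshguard', $entry['command']);
		}
	}
```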
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index df64488..af83215 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
@@ -34,7 +34,7 @@ require_once("guiconfig.inc");
exec("/sbin/pfctl -sT", $tables);
// Set default table
-$tablename = "sshlockout";
+$tablename = "sshguard";
if ($_REQUEST['type'] && in_array($_REQUEST['type'], $tables)) {
$tablename = $_REQUEST['type'];
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc
index 834abc6..cfab41f 100644
--- a/src/usr/local/www/guiconfig.inc
+++ b/src/usr/local/www/guiconfig.inc
@@ -87,7 +87,7 @@ $reserved_table_names = array(
"bogonsv6",
"negate_networks",
"snort2c",
- "sshlockout",
+ "sshguard",
"tonatsubnets",
"virusprot",
"vpn_networks",
diff --git a/src/usr/local/www/system_advanced_firewall.php b/src/usr/local/www/system_advanced_firewall.php
index c8a3750..88fdc0f 100644
--- a/src/usr/local/www/system_advanced_firewall.php
+++ b/src/usr/local/www/system_advanced_firewall.php
@@ -498,7 +498,7 @@ $section->addInput(new Form_Input(
$pconfig['maximumtableentries'],
['placeholder' => pfsense_default_table_entries_size()]
))->setHelp('Maximum number of table entries for systems such as aliases, '.
- 'sshlockout, snort, etc, combined.%1$sNote: Leave this blank for the '.
+ 'sshguard, snort, etc, combined.%1$sNote: Leave this blank for the '.
'default. On this system the default size is: %2$d',
'<br/>',
pfsense_default_table_entries_size());