Robert Frohl
5ef74a9805
fix build with gcc15 + sshguard-gcc15.patch OBS-URL: https://build.opensuse.org/package/show/security/sshguard?expand=0&rev=53
341 lines
13 KiB
Plaintext
341 lines
13 KiB
Plaintext
-------------------------------------------------------------------
|
|
Fri Feb 28 15:29:45 UTC 2025 - pgajdos@suse.com
|
|
|
|
- added patches
|
|
fix build with gcc15
|
|
+ sshguard-gcc15.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Oct 2 07:24:19 UTC 2023 - Andrea Manzini <andrea.manzini@suse.com>
|
|
|
|
- update to version 2.4.3:
|
|
* Add signature for BIND
|
|
* Add signature for Gitea
|
|
* Add signature for Microsoft SQL Server for Linux
|
|
* Add signature for OpenVPN Portshare
|
|
* Add signature for user-defined HTTP attacks
|
|
* Update signatures for Dovecot
|
|
* Update signatures for Postfix
|
|
* Fixed Fix memset off-by-one
|
|
* Fixed Resolve DNS names in capability mode using casper
|
|
|
|
- removed patch sshguard-overflow.patch as fixed in upstream
|
|
- clean up .spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Aug 30 15:19:17 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
|
|
|
- sshguard-overflow.patch: fixed 1 byte 0x00 overwrite in a memset
|
|
(bsc#1202944)
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 24 21:22:20 UTC 2022 - Joop Boonen <joop.boonen@opensuse.org>
|
|
|
|
- Corrected the BACKEND in /etc/sshguard.conf
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 20 14:57:19 UTC 2022 - Joop Boonen <joop.boonen@opensuse.org>
|
|
|
|
- Deleted the iptables entries from sshguard.service as firewalld is used
|
|
- Added BACKEND="/usr/libexec/sshg-fw-firewalld" in stead of
|
|
BACKEND="/usr/libexec/sshg-fw-iptables" as firewalld is used
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 23 15:32:07 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
|
|
|
|
- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
|
|
* harden_sshguard.service.patch
|
|
Modified:
|
|
* sshguard.service
|
|
|
|
-------------------------------------------------------------------
|
|
Sun May 16 12:39:45 UTC 2021 - Enrico Belleri <idesmi@protonmail.com>
|
|
|
|
- Changed 'BACKEND' to "/usr/libexec/sshg-fw-iptables" from incorrect syntax
|
|
|
|
-------------------------------------------------------------------
|
|
Wed May 12 00:04:22 UTC 2021 - Ferdinand Thiessen <rpm@fthiessen.de>
|
|
|
|
- Update to version 2.4.2
|
|
* Recognize rejections from Postfix's postscreen daemon
|
|
* The parser can now be changed using the 'PARSER' and
|
|
'POST_PARSER' options
|
|
* Remove some false positive attack signatures for SSH and Cyrus
|
|
* Adjust log verbosity of some log messages
|
|
* The *firewalld* backend now uses *firewall-cmd* instead of
|
|
'iptables' to flush block lists
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 26 18:03:00 UTC 2020 - Joop Boonen <joop.boonen@opensuse.org>
|
|
|
|
- Build version 2.4.1
|
|
* Recognize RFC 5424 syslog banners
|
|
* Recognize busybox syslog -S banners
|
|
* Recognize rsyslog banners
|
|
* Recognize web services TYPO3, Contao, and Joomla
|
|
* Update signatures for Dovecot
|
|
* Update signatures for OpenSSH
|
|
* Whitelist entire 127.0.0.0/8 and ::1 block
|
|
* Whitelist file allows inline comments
|
|
* Fix FILES and LOGREADER configuration file options
|
|
- boo#1124121
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Jun 11 09:27:06 UTC 2019 - Joop Boonen <joop.boonen@opensuse.org>
|
|
|
|
- Build version 2.4.0
|
|
* Match "Failed authentication attempt" for Gitea
|
|
* Log human-readable service names instead of service code
|
|
* Correctly terminate child processes when sshguard is killed
|
|
* No longer accept logs given via standard input
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 6 11:39:18 UTC 2019 - joop.boonen@opensuse.org
|
|
|
|
- Removed not needed files and service files
|
|
as sshguard can now parse journal files
|
|
- /etc/sysconfig/sshguard is not used any more
|
|
as sshguard uses it's own config file
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Feb 4 22:47:20 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
- Use noun phrase in summary.
|
|
- Join %service_* to reduce generated boilerplate.
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Jan 24 08:19:29 UTC 2019 - liedke@rz.uni-mannheim.de
|
|
|
|
- Build version 2.3.1
|
|
* Fix OpenSSH "Did not receive identification string"
|
|
* Fix syslog banner detection on macOS
|
|
|
|
- Build version 2.3.0
|
|
* Add signatures for Courier IMAP/POP and OpenVPN
|
|
* Add signatures for TLS failures against Cyrus IMAP
|
|
* Match more attacks against SSHD, Cockpit, and Dovecot
|
|
* Update SSH invalid user signature for macOS
|
|
* Add to and remove from ipfw table quietly
|
|
* Reduce "Connection closed... [preauth]" score to 2
|
|
* Switch ipsets to hash:net
|
|
* Don't recreate existing ipsets
|
|
* Match more log banners (Fix greedy SYSLOG_BANNER)
|
|
|
|
- Build version 2.2.0
|
|
* Add '--disable-maintainer-mode' in configure for package maintainers
|
|
* BusyBox log banner detection
|
|
* Match Exim "auth mechanism not supported"
|
|
* Match Exim "auth when not advertised"
|
|
* Match Postfix greylist early retry
|
|
* OpenSMTPD monitoring support
|
|
* Recognize IPv6 addresses with interface name
|
|
* Ignore CR in addition to LF
|
|
* Only log attacks if not already blocked or whitelisted
|
|
* Use correct signal names in driver shell script
|
|
|
|
- Build version 2.1.0
|
|
* Add nftables backend
|
|
* Add monitoring support for new service: Cockpit, Linux server dashboard
|
|
* Match "maximum authentication attempts" for SSH
|
|
* Match Debian-style "Failed password for invalid user" for SSH
|
|
* Add monitoring support for new service: Common webserver probes, in
|
|
Common Log Format
|
|
* Match 'Disconnecting invalid user' for SSH
|
|
* Add monitoring support for new service: WordPress, in Common Log Format
|
|
* Add monitoring support for new service: SSHGuard
|
|
* Firewall backends now support blocking subnets.
|
|
* Add new IPV6_SUBNET and IPV4_SUBNET configuration options. Defaults
|
|
to traditional single-address blocking.
|
|
* Add monitoring support for new service: OpenSMTPD
|
|
* Log whitelist matches with higher priority
|
|
* Match port number in "invalid user" attack
|
|
* FirewallD backend reloads firewall configuration less often.
|
|
|
|
- Build version 2.0.0
|
|
* Add firewalld backend
|
|
* Add ipset backend
|
|
* Annotate logs using -a flag to sshg-parser
|
|
* Match "no matching cipher" for SSH
|
|
* Preliminary support for Capsicum and pledge()
|
|
* Resurrect ipfilter backend
|
|
* Support reading from os_log on macOS 10.12 and systemd journal
|
|
* Add warning when reading from standard input
|
|
* Build and install all backends by default
|
|
* Improve log messages and tweak logging priorities
|
|
* Runtime flags now configurable in the configuration file
|
|
* SSHGuard requires a configuration file to start
|
|
* Remove process validation (-f option)
|
|
* Fix ipfw backend on FreeBSD 11
|
|
* Fix initial block time
|
|
* Update Dovecot pattern for macOS
|
|
* Use standard score for Sendmail auth attack
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 8 18:28:49 UTC 2018 - joop.boonen@opensuse.org
|
|
|
|
- Corrected the service scripts, start after network.target
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Nov 23 13:44:30 UTC 2017 - rbrown@suse.com
|
|
|
|
- Replace references to /var/adm/fillup-templates with new
|
|
%_fillupdir macro (boo#1069468)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 1 08:15:47 UTC 2017 - joop.boonen@opensuse.org
|
|
|
|
- Add a systemd journal tail so sshguard can parse this file
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Dec 29 12:27:02 UTC 2016 - joop.boonen@opensuse.org
|
|
|
|
- Build version 1.7.1
|
|
- Add sample Mac OS X 10.12 style launchd.plist
|
|
- Allow multiple forward slashes in process name
|
|
- Log released addresses only when debugging
|
|
- Process validation (``-f`` option) is deprecated
|
|
- Adjust TIMESTAMP_ISO8601 for Mac OS X 10.12
|
|
- Fix build error in hosts backend
|
|
- Fix empty functions in firewall scripts causing errors with Bash
|
|
- Flush stdout after every line in sshg-parser
|
|
- Add *sshg-logtail*
|
|
- Add *sshg-parser*
|
|
- Control firewall using *sshg-fw*
|
|
- Match "no matching key exchange method" for SSH
|
|
- Hosts backend is deprecated
|
|
- Logsuck (``-l`` option) is deprecated, use *sshg-logtail* instead
|
|
- Process validation (``-f`` option) is deprecated
|
|
- Remove external hooks (``-e`` option)
|
|
- Remove support for genfilt and ipfilter backends
|
|
- Accept socklog messages without a timestamp
|
|
- Fix excessive logging causing endless looping in logsuck
|
|
- Fix undefined assignment of initial inode number
|
|
- Match Postfix pre-authentication disconnects
|
|
- Fix bashisms in iptables backend
|
|
- Fix size argument in inet_ntop() call
|
|
- Remove excessive logging when polling from files
|
|
- Keep looking for unreadable files while polling
|
|
- Update Dovecot signature for POP3
|
|
- Match "Connection reset" message for SSH
|
|
- Resurrect PID file option by popular demand
|
|
- Adjust default abuse threshold
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Feb 19 13:18:55 UTC 2016 - joop.boonen@opensuse.org
|
|
|
|
- Added a corrected attack treshold value (40 default)
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 18 10:07:08 UTC 2016 - eshmarnev@suse.com
|
|
|
|
- Build version 1.6.3
|
|
- Disable blacklisting by default
|
|
- Implement logging as wrappers around syslog(2)
|
|
- Improve log and error messages
|
|
- Match sendmail authentication failures
|
|
- Remove PID file option
|
|
- Remove SIGTSTP and SIGCONT handler
|
|
- Remove reverse mapping attack signature
|
|
- Remove safe_fgets() and exit on interrupt
|
|
- Terminate state entries for hosts blocked with pf
|
|
- Update and shorten command-line usage
|
|
- Use 'configure' to set feature-test macros
|
|
- Updated patch file for new version of sshguard
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Jan 11 15:14:38 UTC 2016 - joop.boonen@opensuse.org
|
|
|
|
- Added ip6tables support handles via init and service files
|
|
|
|
-------------------------------------------------------------------
|
|
Fri Oct 16 12:15:24 UTC 2015 - joop.boonen@opensuse.org
|
|
|
|
- Corrected a iptables error, that prevented sshguard
|
|
from functioning correctly
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 15 13:51:15 UTC 2015 - joop.boonen@opensuse.org
|
|
|
|
- Moved blacklist.db to /var/lib/sshguard/db/blacklist.db analog
|
|
most SUSE packages
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Oct 15 07:52:48 UTC 2015 - joop.boonen@opensuse.org
|
|
|
|
- Corrected the blacklist as it's auto generated
|
|
- Improved sysconfig
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 14 11:56:49 UTC 2015 - joop.boonen@opensuse.org
|
|
|
|
- Build version 1.6.2
|
|
+ Make '-w' option backwards-compatible for iptables (James Harris)
|
|
+ Remove support for ip6fw and 'ipfw-range' option
|
|
+ Rewrite ipfw backend using command framework
|
|
- The white and black list now initially reside in files
|
|
/etc/sshguard/whitelist|blacklist
|
|
|
|
-------------------------------------------------------------------
|
|
Mon Sep 28 13:48:45 UTC 2015 - joop.boonen@opensuse.org
|
|
|
|
- Build version 1.6.1
|
|
- Added sshguard-gcc5.patch so it also builds via gcc5
|
|
- Created a sshguard.service file so it'll run on systemd
|
|
systems
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 27 13:45:46 UTC 2013 - joop.boonen@opensuse.org
|
|
|
|
- Reformated the spec file to the openSUSE standard
|
|
so it can be submitted to Factory
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Feb 19 11:42:03 UTC 2011 - lars@linux-schulserver.de
|
|
|
|
- update to 1.5:
|
|
+ logsucker: sshguard polls multiple log files at once
|
|
+ recognize syslog's "last message repeated N times" contextually
|
|
and per-source
|
|
+ attackers now gauged with attack *dangerousness* instead of
|
|
count (adjust your -a !)
|
|
+ improve IPv6 support
|
|
+ add detection for: Exim, vsftpd, Sendmail, Cucipop
|
|
+ improve logging granularity and descriptiveness
|
|
+ add -i command line option for saving PID file as an aid for
|
|
startup scripts
|
|
+ update some attack signatures
|
|
- cleanup specfile via spec-cleaner
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 1 06:53:29 UTC 2010 - wr@rosenauer.org
|
|
|
|
- fix typo in macro
|
|
- revert a bit of cleanup to make it backwards compatible
|
|
(%_initddir)
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 2 12:30:46 UTC 2010 - prusnak@opensuse.org
|
|
|
|
- cleanup spec file
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Sep 29 13:13:03 CEST 2010 - wr@rosenauer.org
|
|
|
|
- update to version 1.5rc4
|
|
|
|
-------------------------------------------------------------------
|
|
Sun Apr 4 20:43:08 CEST 2010 - wr@rosenauer.org
|
|
|
|
- update to version 1.5rc1
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Feb 11 14:54:46 CET 2010 - wr@rosenauer.org
|
|
|
|
- added init script and sysconfig
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Feb 10 10:33:49 CET 2010 - wr@rosenauer.org
|
|
|
|
- initial openSUSE package
|
|
|