authortron <tron@pkgsrc.org>2014-07-26 19:57:44 +0000
committertron <tron@pkgsrc.org>2014-07-26 19:57:44 +0000
commit2cb749215b0fa67d212b9624f49db7f2719d95db (patch)
tree80e8cc79abd9a8efe24a64a14dc9bb7af03c24db /security/sshguard
parent0b94d74314691950edebede82b130df59fbdbc3c (diff)
downloadpkgsrc-2cb749215b0fa67d212b9624f49db7f2719d95db.tar.gz
Add new "sshguard" package:
Sshguard is a small program that monitors services running on your machine from the log files. When it detects that someone is doing something bad to a service, sshguard blocks the IP address of the bad guy with a firewall rule. Sshguard was started in 2006 to mitigate the growing brute force attacks against SSH servers. Because of the generality of its infrastructure, however, it was soon extended to monitor and protect more and more services.
Diffstat (limited to 'security/sshguard')
-rw-r--r--security/sshguard/DESCR8
-rw-r--r--security/sshguard/Makefile25
-rw-r--r--security/sshguard/PLIST3
-rw-r--r--security/sshguard/distinfo6
-rw-r--r--security/sshguard/files/sshguard.sh59
-rw-r--r--security/sshguard/options.mk55
-rw-r--r--security/sshguard/patches/patch-man_sshguard.842
7 files changed, 198 insertions, 0 deletions
diff --git a/security/sshguard/DESCR b/security/sshguard/DESCR
new file mode 100644
index 00000000000..a80493c7321
--- /dev/null
+++ b/security/sshguard/DESCR
@@ -0,0 +1,8 @@
+Sshguard is a small program that monitors services running on your
+machine from the log files. When it detects that someone is doing
+something bad to a service, sshguard blocks the IP address of the bad
+guy with a firewall rule.
+
+Sshguard was started in 2006 to mitigate the growing brute force
+attacks to SSH servers. Because of the generality of its infrastructure,
+however, it was soon extended to monitor and protect more and more services.
diff --git a/security/sshguard/Makefile b/security/sshguard/Makefile
new file mode 100644
index 00000000000..6f04503515d
--- /dev/null
+++ b/security/sshguard/Makefile
@@ -0,0 +1,25 @@
+# $NetBSD: Makefile,v 1.1 2014/07/26 19:57:44 tron Exp $
+
+DISTNAME= sshguard-1.5
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=sshguard/}
+EXTRACT_SUFX= .tar.bz2
+
+MAINTAINER= tron@NetBSD.org
+HOMEPAGE= http://www.sshguard.net/
+COMMENT= Protect networked hosts from brute force attacks
+LICENSE= modified-bsd
+
+GNU_CONFIGURE= yes
+
+RCD_SCRIPTS= sshguard
+
+.include "options.mk"
+
+# Claiming to be an X/Open applications hides inet_pton(3) under NetBSD
+# which this application needs.
+.if ${OPSYS} == "NetBSD"
+BUILDLINK_TRANSFORM+= rm:-D_XOPEN_SOURCE
+.endif
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/sshguard/PLIST b/security/sshguard/PLIST
new file mode 100644
index 00000000000..241d05674fe
--- /dev/null
+++ b/security/sshguard/PLIST
@@ -0,0 +1,3 @@
+@comment $NetBSD: PLIST,v 1.1 2014/07/26 19:57:44 tron Exp $
+man/man8/sshguard.8
+sbin/sshguard
diff --git a/security/sshguard/distinfo b/security/sshguard/distinfo
new file mode 100644
index 00000000000..ef2d14d3cde
--- /dev/null
+++ b/security/sshguard/distinfo
@@ -0,0 +1,6 @@
+$NetBSD: distinfo,v 1.1 2014/07/26 19:57:44 tron Exp $
+
+SHA1 (sshguard-1.5.tar.bz2) = f8f713bfb3f5c9877b34f6821426a22a7eec8df3
+RMD160 (sshguard-1.5.tar.bz2) = 7b4625b3b2e0cf974bc935d868b89bd0d8c189e8
+Size (sshguard-1.5.tar.bz2) = 303767 bytes
+SHA1 (patch-man_sshguard.8) = f907d23f5fe3db16dd44128c821f2fe6f94fcb03
diff --git a/security/sshguard/files/sshguard.sh b/security/sshguard/files/sshguard.sh
new file mode 100644
index 00000000000..34dcc3428fe
--- /dev/null
+++ b/security/sshguard/files/sshguard.sh
@@ -0,0 +1,59 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: sshguard.sh,v 1.1 2014/07/26 19:57:44 tron Exp $
+#
+# PROVIDE: sshguard
+# REQUIRE: DAEMON
+
+if [ -f /etc/rc.subr ]
+then
+ . /etc/rc.subr
+fi
+
+name=sshguard
+rcvar=$name
+command="@PREFIX@/sbin/${name}"
+pidfile="@VARBASE@/run/${name}.pid"
+sshguard_flags="-f 100:@VARBASE@/run/sshd.pid -l /var/log/authlog"
+command_args="-i $pidfile"
+start_cmd=sshguard_start
+
+sshguard_start()
+{
+ @ECHO@ "Starting ${name}."
+ nohup ${command} ${sshguard_flags} ${command_args} </dev/null >/dev/null 2>&1 &
+}
+
+if [ -f /etc/rc.subr -a -f /etc/rc.conf -a -f /etc/rc.d/DAEMON ]
+then
+ load_rc_config $name
+ run_rc_command "$1"
+else
+ case ${1:-start} in
+ start)
+ sshguard_start
+ ;;
+ stop)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "Stopping ${name}."
+ kill -TERM ${pid}
+ else
+ @ECHO@ "${name} not running?"
+ fi
+ ;;
+ restart)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ if [ -f ${pidfile} ]; then
+ pid=`@HEAD@ -1 ${pidfile}`
+ @ECHO@ "${name} is running as pid ${pid}."
+ else
+ @ECHO@ "${name} is not running."
+ fi
+ ;;
+ esac
+fi
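Review bot: `sshguard_flags` hardcodes `-l /var/log/authlog` while the neighbouring `pidfile` and the `-f 100:@VARBASE@/run/sshd.pid` argument on the same line go through `@VARBASE@`, so on an installation where VARBASE is not `/var` the daemon is pointed at a log that does not exist and silently watches nothing; the line should read `sshguard_flags="-f 100:@VARBASE@/run/sshd.pid -l @VARBASE@/log/authlog"`. In the non-rc.subr fallback, the `stop)` branch sends `kill -TERM` to whatever PID the pidfile holds without verifying that the process is still sshguard, so a stale pidfile left by a crash can signal an unrelated process that has since reused the number; the rc.subr path does not have this problem because `check_pidfile` compares the process against `${command}`, and the fallback could do the same with a `ps -o comm= -p "${pid}"` check before the kill. Quoting `"${pidfile}"` in the `[ -f ... ]` tests is harmless to add and is the usual rc idiom.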
diff --git a/security/sshguard/options.mk b/security/sshguard/options.mk
new file mode 100644
index 00000000000..1f0411cef25
--- /dev/null
+++ b/security/sshguard/options.mk
@@ -0,0 +1,55 @@
+# $NetBSD: options.mk,v 1.1 2014/07/26 19:57:44 tron Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.sshguard
+PKG_OPTIONS_REQUIRED_GROUPS= firewall
+PKG_OPTIONS_GROUP.firewall= sshguard-aix sshguard-hosts sshguard-ipfilter \
+ sshguard-ipfw sshguard-iptables sshguard-null \
+ sshguard-pf
+
+.include "../../mk/bsd.prefs.mk"
+
+# Pick an appropriate default firewall depending on the platform. We however
+# don't restrict the firewall types. You can e.g. use "iptables" under NetBSD
+# to remotely manage a Linux firewall.
+.if ${OPSYS} == "AIX"
+PKG_SUGGESTED_OPTIONS= sshguard-aix
+.elif ${OPSYS} == "Darwin"
+PKG_SUGGESTED_OPTIONS= sshguard-ipfw
+.elif ${OPSYS} == "DragonFly"
+PKG_SUGGESTED_OPTIONS= sshguard-pf
+.elif ${OPSYS} == "Linux"
+PKG_SUGGESTED_OPTIONS= sshguard-iptables
+.elif ${OPSYS} == "FreeBSD"
+PKG_SUGGESTED_OPTIONS= sshguard-ipfw
+.elif ${OPSYS} == "NetBSD"
+PKG_SUGGESTED_OPTIONS= sshguard-ipfilter
+.elif ${OPSYS} == "OpenBSD"
+PKG_SUGGESTED_OPTIONS= sshguard-pf
+.elif ${OPSYS} == "SunOS"
+PKG_SUGGESTED_OPTIONS= sshguard-ipfilter
+.else
+PKG_SUGGESTED_OPTIONS= sshguard-hosts
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+# Pick the desire firewall backend
+.if !empty(PKG_OPTIONS:Msshguard-aix)
+CONFIGURE_ARGS+= --with-firewall=aix
+.elif !empty(PKG_OPTIONS:Msshguard-hosts)
+CONFIGURE_ARGS+= --with-firewall=hosts
+.elif !empty(PKG_OPTIONS:Msshguard-ipfilter)
+CONFIGURE_ARGS+= --with-firewall=ipfilter
+# Set correct location of IPFilter configuration file under NetBSD.
+. if ${OPSYS} == "NetbSD"
+CONFIGURE_ARGS+= --with-ipfilterconf=/etc/ipf.conf
+. endif
+.elif !empty(PKG_OPTIONS:Msshguard-ipfw)
+CONFIGURE_ARGS+= --with-firewall=ipfw
+.elif !empty(PKG_OPTIONS:Msshguard-iptables)
+CONFIGURE_ARGS+= --with-firewall=iptables
+.elif !empty(PKG_OPTIONS:Msshguard-null)
+CONFIGURE_ARGS+= --with-firewall=null
+.elif !empty(PKG_OPTIONS:Msshguard-pf)
+CONFIGURE_ARGS+= --with-firewall=pf
+.endif
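Review bot: The `. if ${OPSYS} == "NetbSD"` test inside the `sshguard-ipfilter` branch misspells the platform (the same file compares against `"NetBSD"` in the PKG_SUGGESTED_OPTIONS chain, as does the Makefile), so the branch can never match and `--with-ipfilterconf=/etc/ipf.conf` is never passed to configure on NetBSD; it should read `. if ${OPSYS} == "NetBSD"`. The NetBSD build therefore gets whatever ipfilter configuration path sshguard's configure defaults to, which is presumably not what the comment on the preceding line intends; worth confirming against the configure output once fixed. The comment `# Pick the desire firewall backend` also wants `desired`.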
diff --git a/security/sshguard/patches/patch-man_sshguard.8 b/security/sshguard/patches/patch-man_sshguard.8
new file mode 100644
index 00000000000..b6db497e939
--- /dev/null
+++ b/security/sshguard/patches/patch-man_sshguard.8
@@ -0,0 +1,42 @@
+$NetBSD: patch-man_sshguard.8,v 1.1 2014/07/26 19:57:44 tron Exp $
+
+Patches by wizd(8). Without these changes NetBSD's man(1) refuses to
+render this manual page.
+
+--- man/sshguard.8.orig 2011-02-09 12:01:47.000000000 +0000
++++ man/sshguard.8 2014-07-23 23:37:05.000000000 +0100
+@@ -15,6 +15,7 @@
+ .\"
+ .Dd Mar 31, 2010
+ .Dt SSHGUARD 8
++.Os
+ .Sh NAME
+ .Nm sshguard
+ .Nd monitors daemon activity
+@@ -55,7 +56,7 @@
+ .Pp
+ .Nm
+ supports the following firewalls:
+-.Bl -tag -width
++.Bl -tag -width 20n
+ .It AIX native firewall
+ for IBM AIX operating systems
+ .It netfilter/iptables
+@@ -204,7 +205,7 @@
+ .Fl w
+ command-line option. This option can add explicit addresses, host names and
+ address blocks:
+-.Bl -tag -width
++.Bl -tag -width 30n
+ .It addresses
+ specify the numeric IPv4 or IPv6 address directly, like:
+ .Dl -w 192.168.1.10
+@@ -292,7 +293,7 @@
+ policy (all of their log messages are accepted by default).
+ .Pp
+ PIDs are checked with the following policy:
+-.Bl -enum -width
++.Bl -enum
+ .It
+ the logging service is searched in the list of services configured for
+ validation. If not found, the entry is accepted.