author | Ben Woods <woodsb02@FreeBSD.org> | 2017-07-24 10:56:16 +0000 |
---|---|---|
committer | Ben Woods <woodsb02@FreeBSD.org> | 2017-07-24 10:56:16 +0000 |
commit | 98b51fd000fd2e88e46ec238464c7663344ff4f7 (patch) | |
tree | f198c6b6b918718285cbd94d60dfc009183344c6 | |
parent | 97ef4d0df50803eb2dd6d7e5f65ef1bdce5ac8e5 (diff) |
Notes
-rw-r--r-- | UPDATING | 17 | ||||
-rw-r--r-- | security/sshguard/Makefile | 2 | ||||
-rw-r--r-- | security/sshguard/files/patch-examples-sshguard.conf.sample | 2 | ||||
-rw-r--r-- | security/sshguard/files/sshguard.in | 46 |
4 files changed, 50 insertions, 17 deletions
@@ -5,6 +5,23 @@ they are unavoidable. You should get into the habit of checking this file for changes each time you update your ports collection, before attempting any port upgrades. +20170721: + AFFECTS: users of security/sshguard* + AUTHOR: dan.mcgregir@usask.ca + + security/sshguard was updated to 2.0.0, and security/sshguard-pf, + security/sshguard-ipfw, and security/sshguard-null have been merged into + security/sshguard. + + Configuration of the service is now handled in ${PREFIX}/etc/sshguard.conf. + Please select the desired backend, -null is selected by default. + + In order to upgrade from 1.7.1 change the origin to security/sshguard + + # pkg set -o security/sshguard-ipfw:security/sshguard + # pkg set -o security/sshguard-null:security/sshguard + # pkg set -o security/sshguard-pf:security/sshguard + 20170717: AFFECTS: users of devel/p5-Log-Any and devel/p5-Log-Any-Adapter-Syslog AUTHOR: eugen@FreeBSD.org diff --git a/security/sshguard/Makefile b/security/sshguard/Makefile index 0ffc54e8b405..df17ee6dd507 100644 --- a/security/sshguard/Makefile +++ b/security/sshguard/Makefile @@ -3,6 +3,7 @@ PORTNAME= sshguard PORTVERSION= 2.0.0 +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION} @@ -21,6 +22,7 @@ SUB_FILES= pkg-message post-patch: @${REINPLACE_CMD} -e 's|%PREFIX%|${PREFIX}|' ${WRKSRC}/doc/sshguard.8.rst + @${REINPLACE_CMD} -e 's|/usr/local|${PREFIX}|' ${WRKSRC}/examples/sshguard.conf.sample post-install: ${INSTALL} -d ${STAGEDIR}${PREFIX}/etc diff --git a/security/sshguard/files/patch-examples-sshguard.conf.sample b/security/sshguard/files/patch-examples-sshguard.conf.sample index 65428e87047f..314631c06043 100644 --- a/security/sshguard/files/patch-examples-sshguard.conf.sample +++ b/security/sshguard/files/patch-examples-sshguard.conf.sample 
@@ -14,7 +14,7 @@ index d881e51..87b7acc 100644
 # Space-separated list of log files to monitor. Ignored if LOGREADER is set.
 # (optional, no default)
 -#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
-+#FILES="/var/log/auth.log /var/log/maillog"
++FILES="/var/log/auth.log /var/log/maillog"
 
 # Shell command that provides logs on standard output. Takes precedence over
 # FILES. (optional, no default)
diff --git a/security/sshguard/files/sshguard.in b/security/sshguard/files/sshguard.in
index 71431e95a202..fb81d592b030 100644
--- a/security/sshguard/files/sshguard.in
+++ b/security/sshguard/files/sshguard.in
@@ -40,24 +40,21 @@
 # sshguard_pidfile (str): Path to PID file.
 # Set to "/var/run/sshguard.pid" by default
 # sshguard_watch_logs (str): Colon splitted list of logs to watch.
-# Set to "/var/log/auth.log:/var/log/maillog"
-# by default.
+# Unset by default. Overrides the configuration file.
 # The following options directly maps to their command line options,
-# please read manual page sshguard(8) for detailed information:
+# and override the configuration file, so most are unset by default.
+# Please read manual page sshguard(8) for detailed information:
 # sshguard_blacklist (str): [thr:]/path/to/blacklist.
 # Set to "30:/var/db/sshguard/blacklist.db"
 # by default.
-# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default.
+# sshguard_danger_thresh (int): Danger threshold.
 # sshguard_release_interval (int):
 # Minimum interval an address remains
-# blocked. Set to "120" by default.
+# blocked.
 # sshguard_reset_interval (int):
 # Interval before a suspected attack is
 # forgotten and danger is reset to 0.
-# Set to "1800" by default.
 # sshguard_whitelistfile (str): Path to the whitelist.
-# Set to "%%PREFIX%%/etc/sshguard.whitelist"
-# by default.
 # sshguard_flags (str): Set additional command line arguments.
 #
 
@@ -71,11 +68,11 @@ load_rc_config sshguard
 
 : ${sshguard_enable:=NO}
 : ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
-: ${sshguard_danger_thresh=30}
-: ${sshguard_release_interval=120}
-: ${sshguard_reset_interval=1800}
-: ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
-: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
+: ${sshguard_danger_thresh=}
+: ${sshguard_release_interval=}
+: ${sshguard_reset_interval=}
+: ${sshguard_whitelistfile=}
+: ${sshguard_watch_logs=}
 
 pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
 
@@ -83,7 +80,7 @@ command=/usr/sbin/daemon
 actual_command="%%PREFIX%%/sbin/sshguard"
 procname="%%PREFIX%%/libexec/sshg-blocker"
 start_precmd=sshguard_prestart
-command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
+command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} \${sshguard_danger_params} \${sshguard_release_params} \${sshguard_reset_params} \${sshguard_whitelist_params} -i ${pidfile}"
 
 sshguard_prestart()
 {
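Review bot: With `: ${sshguard_whitelistfile=}` now empty, `-w` is only passed when rc.conf sets it, so a host that relied on the old default `%%PREFIX%%/etc/sshguard.whitelist` stops applying that whitelist after the upgrade unless sshguard.conf names the file; the sample config is only partly visible on this page, so this is worth confirming. The three thresholds change in the same silent way, while `sshguard_blacklist` keeps its default and so appears to keep overriding whatever blacklist setting the configuration file carries. I would add a comment above the defaults such as `# Empty = take the value from sshguard.conf; sshguard_blacklist is the exception and still overrides it.` and mention the whitelist path in the UPDATING entry, since a whitelist that quietly stops being read can lock an administrator out.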
@@ -96,9 +93,26 @@ sshguard_prestart()
 sshguard_blacklist_params="-b ${sshguard_blacklist}"
 fi
 
- [ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
+ if [ ! -z ${sshguard_whitelistfile} ]; then
+ [ -e "${sshguard_whitelistfile}" ] || touch ${sshguard_whitelistfile}
+ sshguard_whitelist_params="-w ${sshguard_whitelistfile}"
+ fi
+
+ if [ ! -z ${sshguard_danger_thresh} ]; then
+ sshguard_danger_params="-a ${sshguard_danger_thresh}"
+ fi
+
+ if [ ! -z ${sshguard_release_interval} ]; then
+ sshguard_release_params="-p ${sshguard_release_interval}"
+ fi
 
- sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+ if [ ! -z ${sshguard_reset_interval} ]; then
+ sshguard_reset_params="-s ${sshguard_reset_interval}"
+ fi
+
+ if [ ! -z "${sshguard_watch_logs}" ]; then
+ sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+ fi
 }
 
 run_rc_command "$1" |
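Review bot: Four of the five new guards test an unquoted expansion, e.g. `if [ ! -z ${sshguard_whitelistfile} ]; then`; an empty value only works because `[ ! -z ]` happens to evaluate false, and a value containing whitespace makes `[` fail with a syntax error, so the option is dropped with nothing but a test error on stderr. The `sshguard_watch_logs` guard in the same hunk is already quoted, so the others should match it: `if [ -n "${sshguard_whitelistfile}" ]; then`, and likewise for `sshguard_danger_thresh`, `sshguard_release_interval` and `sshguard_reset_interval`. The `touch ${sshguard_whitelistfile}` on the following line should be `touch "${sshguard_whitelistfile}"`, since it runs during service start and the `-e` test beside it is quoted. sshguard_prestart begins above this hunk, so whether the new `*_params` variables are cleared before these guards run cannot be seen here.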