security/sshguard: Fix rc script, add UPDATING entry

sshguard usually looks at sshguard.conf for a list of files to monitor,
but lets you override it via the command line using -l arguments.

This change fixes an issue with the previous rc script which was
*always* setting the '-l' arguments even if sshguard_watch_logs wasn't
set in rc.conf.

This change also sets the defaults in the config file to match the
former defaults in the rc script, and adds an UPDATING entry to warn
of the change from default configuration via rc.conf the config file.

PR:		220906
Submitted by:	Dan McGregor (maintainer)
Reported by:	chris@cretaforce.gr

UPDATING

@@ -5,6 +5,23 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20170721:
+  AFFECTS: users of security/sshguard*
+  AUTHOR: dan.mcgregir@usask.ca
+
+  security/sshguard was updated to 2.0.0, and security/sshguard-pf,
+  security/sshguard-ipfw, and security/sshguard-null have been merged into
+  security/sshguard.
+
+  Configuration of the service is now handled in ${PREFIX}/etc/sshguard.conf.
+  Please select the desired backend, -null is selected by default.
+
+  In order to upgrade from 1.7.1 change the origin to security/sshguard
+
+  # pkg set -o security/sshguard-ipfw:security/sshguard
+  # pkg set -o security/sshguard-null:security/sshguard
+  # pkg set -o security/sshguard-pf:security/sshguard
+
 20170717:
   AFFECTS: users of devel/p5-Log-Any and devel/p5-Log-Any-Adapter-Syslog
   AUTHOR: eugen@FreeBSD.org

security/sshguard/Makefile

@@ -3,6 +3,7 @@
 
 PORTNAME=	sshguard
 PORTVERSION=	2.0.0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	SF/sshguard/sshguard/${PORTVERSION}
 
@@ -21,6 +22,7 @@ SUB_FILES=	pkg-message
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|%PREFIX%|${PREFIX}|' ${WRKSRC}/doc/sshguard.8.rst
+	@${REINPLACE_CMD} -e 's|/usr/local|${PREFIX}|' ${WRKSRC}/examples/sshguard.conf.sample
 
 post-install:
 	${INSTALL} -d ${STAGEDIR}${PREFIX}/etc

security/sshguard/files/patch-examples-sshguard.conf.sample

@@ -14,7 +14,7 @@ index d881e51..87b7acc 100644
  # Space-separated list of log files to monitor. Ignored if LOGREADER is set.
  # (optional, no default)
 -#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
-+#FILES="/var/log/auth.log /var/log/maillog"
++FILES="/var/log/auth.log /var/log/maillog"
  
  # Shell command that provides logs on standard output. Takes precedence over
  # FILES. (optional, no default)

security/sshguard/files/sshguard.in

@@ -40,24 +40,21 @@
 # sshguard_pidfile (str):	Path to PID file.
 #				Set to "/var/run/sshguard.pid" by default
 # sshguard_watch_logs (str):	Colon splitted list of logs to watch.
-#				Set to "/var/log/auth.log:/var/log/maillog"
-#				by default.
+#				Unset by default. Overrides the configuration file.
 # The following options directly maps to their command line options,
-# please read manual page sshguard(8) for detailed information:
+# and override the configuration file, so most are unset by default.
+# Please read manual page sshguard(8) for detailed information:
 # sshguard_blacklist (str):	[thr:]/path/to/blacklist.
 #				Set to "30:/var/db/sshguard/blacklist.db"
 #				by default.
-# sshguard_danger_thresh (int):	Danger threshold.  Set to "30" by default.
+# sshguard_danger_thresh (int):	Danger threshold.
 # sshguard_release_interval (int):
 #				Minimum interval an address remains
-#				blocked.  Set to "120" by default.
+#				blocked.
 # sshguard_reset_interval (int):
 #				Interval before a suspected attack is
 #				forgotten and danger is reset to 0.
-#				Set to "1800" by default.
 # sshguard_whitelistfile (str):	Path to the whitelist.
-#				Set to "%%PREFIX%%/etc/sshguard.whitelist"
-#				by default.
 # sshguard_flags (str):		Set additional command line arguments.
 #
 
@@ -71,11 +68,11 @@ load_rc_config sshguard
 
 : ${sshguard_enable:=NO}
 : ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
-: ${sshguard_danger_thresh=30}
-: ${sshguard_release_interval=120}
-: ${sshguard_reset_interval=1800}
-: ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
-: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
+: ${sshguard_danger_thresh=}
+: ${sshguard_release_interval=}
+: ${sshguard_reset_interval=}
+: ${sshguard_whitelistfile=}
+: ${sshguard_watch_logs=}
 
 pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
 
@@ -83,7 +80,7 @@ command=/usr/sbin/daemon
 actual_command="%%PREFIX%%/sbin/sshguard"
 procname="%%PREFIX%%/libexec/sshg-blocker"
 start_precmd=sshguard_prestart
-command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
+command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} \${sshguard_danger_params} \${sshguard_release_params} \${sshguard_reset_params} \${sshguard_whitelist_params} -i ${pidfile}"
 
 sshguard_prestart()
 {
@@ -96,9 +93,26 @@ sshguard_prestart()
 	    sshguard_blacklist_params="-b ${sshguard_blacklist}"
 	fi
 
-	[ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
+	if [ ! -z ${sshguard_whitelistfile} ]; then
+		[ -e "${sshguard_whitelistfile}" ] || touch ${sshguard_whitelistfile}
+		sshguard_whitelist_params="-w ${sshguard_whitelistfile}"
+	fi
 
-	sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+	if [ ! -z ${sshguard_danger_thresh} ]; then
+		sshguard_danger_params="-a ${sshguard_danger_thresh}"
+	fi
+
+	if [ ! -z ${sshguard_release_interval} ]; then
+		sshguard_release_params="-p ${sshguard_release_interval}"
+	fi
+
+	if [ ! -z ${sshguard_reset_interval} ]; then
+		sshguard_reset_params="-s ${sshguard_reset_interval}"
+	fi
+
+	if [ ! -z "${sshguard_watch_logs}" ]; then
+		sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+	fi
 }
 
 run_rc_command "$1"