authorBen Woods <woodsb02@FreeBSD.org>2017-07-24 10:56:16 +0000
committerBen Woods <woodsb02@FreeBSD.org>2017-07-24 10:56:16 +0000
commit98b51fd000fd2e88e46ec238464c7663344ff4f7 (patch)
treef198c6b6b918718285cbd94d60dfc009183344c6 /security/sshguard
parent97ef4d0df50803eb2dd6d7e5f65ef1bdce5ac8e5 (diff)
security/sshguard: Fix rc script, add UPDATING entry
sshguard usually looks at sshguard.conf for a list of files to monitor, but lets you override it via the command line using -l arguments. This change fixes an issue with the previous rc script which was *always* setting the '-l' arguments even if sshguard_watch_logs wasn't set in rc.conf. This change also sets the defaults in the config file to match the former defaults in the rc script, and adds an UPDATING entry to warn of the change from default configuration via rc.conf to the config file. PR: 220906 Submitted by: Dan McGregor (maintainer) Reported by: chris@cretaforce.gr
Notes
Notes: svn path=/head/; revision=446517
Diffstat (limited to 'security/sshguard')
-rw-r--r--security/sshguard/Makefile2
-rw-r--r--security/sshguard/files/patch-examples-sshguard.conf.sample2
-rw-r--r--security/sshguard/files/sshguard.in46
3 files changed, 33 insertions, 17 deletions
diff --git a/security/sshguard/Makefile b/security/sshguard/Makefile
index 0ffc54e8b405..df17ee6dd507 100644
--- a/security/sshguard/Makefile
+++ b/security/sshguard/Makefile
@@ -3,6 +3,7 @@
PORTNAME= sshguard
PORTVERSION= 2.0.0
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= SF/sshguard/sshguard/${PORTVERSION}
@@ -21,6 +22,7 @@ SUB_FILES= pkg-message
post-patch:
@${REINPLACE_CMD} -e 's|%PREFIX%|${PREFIX}|' ${WRKSRC}/doc/sshguard.8.rst
+ @${REINPLACE_CMD} -e 's|/usr/local|${PREFIX}|' ${WRKSRC}/examples/sshguard.conf.sample
post-install:
${INSTALL} -d ${STAGEDIR}${PREFIX}/etc
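Review bot: The added substitution `s|/usr/local|${PREFIX}|` has no `g` flag, so only the first `/usr/local` on each line of sshguard.conf.sample is rewritten; the sample's contents are not visible here, so whether any line carries two such paths is unverified. `s|/usr/local|${PREFIX}|g` would cover that case. The line above uses a dedicated `%PREFIX%` placeholder, which avoids matching a literal path, so a short comment saying why the sample needs the bare-path form would help. The post-install target continues past the hunk.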
diff --git a/security/sshguard/files/patch-examples-sshguard.conf.sample b/security/sshguard/files/patch-examples-sshguard.conf.sample
index 65428e87047f..314631c06043 100644
--- a/security/sshguard/files/patch-examples-sshguard.conf.sample
+++ b/security/sshguard/files/patch-examples-sshguard.conf.sample
@@ -14,7 +14,7 @@ index d881e51..87b7acc 100644
# Space-separated list of log files to monitor. Ignored if LOGREADER is set.
# (optional, no default)
-#FILES="/var/log/auth.log /var/log/authlog /var/log/maillog"
-+#FILES="/var/log/auth.log /var/log/maillog"
++FILES="/var/log/auth.log /var/log/maillog"
# Shell command that provides logs on standard output. Takes precedence over
# FILES. (optional, no default)
diff --git a/security/sshguard/files/sshguard.in b/security/sshguard/files/sshguard.in
index 71431e95a202..fb81d592b030 100644
--- a/security/sshguard/files/sshguard.in
+++ b/security/sshguard/files/sshguard.in
@@ -40,24 +40,21 @@
# sshguard_pidfile (str): Path to PID file.
# Set to "/var/run/sshguard.pid" by default
# sshguard_watch_logs (str): Colon splitted list of logs to watch.
-# Set to "/var/log/auth.log:/var/log/maillog"
-# by default.
+# Unset by default. Overrides the configuration file.
# The following options directly maps to their command line options,
-# please read manual page sshguard(8) for detailed information:
+# and override the configuration file, so most are unset by default.
+# Please read manual page sshguard(8) for detailed information:
# sshguard_blacklist (str): [thr:]/path/to/blacklist.
# Set to "30:/var/db/sshguard/blacklist.db"
# by default.
-# sshguard_danger_thresh (int): Danger threshold. Set to "30" by default.
+# sshguard_danger_thresh (int): Danger threshold.
# sshguard_release_interval (int):
# Minimum interval an address remains
-# blocked. Set to "120" by default.
+# blocked.
# sshguard_reset_interval (int):
# Interval before a suspected attack is
# forgotten and danger is reset to 0.
-# Set to "1800" by default.
# sshguard_whitelistfile (str): Path to the whitelist.
-# Set to "%%PREFIX%%/etc/sshguard.whitelist"
-# by default.
# sshguard_flags (str): Set additional command line arguments.
#
@@ -71,11 +68,11 @@ load_rc_config sshguard
: ${sshguard_enable:=NO}
: ${sshguard_blacklist=30:/var/db/sshguard/blacklist.db}
-: ${sshguard_danger_thresh=30}
-: ${sshguard_release_interval=120}
-: ${sshguard_reset_interval=1800}
-: ${sshguard_whitelistfile="%%PREFIX%%/etc/sshguard.whitelist"}
-: ${sshguard_watch_logs=/var/log/auth.log:/var/log/maillog}
+: ${sshguard_danger_thresh=}
+: ${sshguard_release_interval=}
+: ${sshguard_reset_interval=}
+: ${sshguard_whitelistfile=}
+: ${sshguard_watch_logs=}
pidfile=${sshguard_pidfile:="/var/run/sshguard.pid"}
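Review bot: Emptying the defaults for `sshguard_whitelistfile` and `sshguard_watch_logs` means an upgraded host gets neither `-w` nor `-l` from the rc script unless rc.conf sets them, and this commit only patches the `.sample` config, not an already installed sshguard.conf. If that installed file has no whitelist or log-file entry, the existing `%%PREFIX%%/etc/sshguard.whitelist` would presumably stop being applied and no logs would be watched, with no message at start-up. A comment above these lines such as `# Empty: nothing is passed on the command line; the value comes from sshguard.conf.` would make the fallback explicit. A warning from sshguard_prestart when `sshguard_watch_logs` is empty and the config file sets no log source is also worth considering.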
@@ -83,7 +80,7 @@ command=/usr/sbin/daemon
actual_command="%%PREFIX%%/sbin/sshguard"
procname="%%PREFIX%%/libexec/sshg-blocker"
start_precmd=sshguard_prestart
-command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} -a ${sshguard_danger_thresh} -p ${sshguard_release_interval} -s ${sshguard_reset_interval} -w ${sshguard_whitelistfile} -i ${pidfile}"
+command_args="-c ${actual_command} \${sshguard_flags} \${sshguard_blacklist_params} \${sshguard_watch_params} \${sshguard_danger_params} \${sshguard_release_params} \${sshguard_reset_params} \${sshguard_whitelist_params} -i ${pidfile}"
sshguard_prestart()
{
@@ -96,9 +93,26 @@ sshguard_prestart()
sshguard_blacklist_params="-b ${sshguard_blacklist}"
fi
- [ -e ${sshguard_whitelistfile} ] || touch ${sshguard_whitelistfile}
+ if [ ! -z ${sshguard_whitelistfile} ]; then
+ [ -e "${sshguard_whitelistfile}" ] || touch ${sshguard_whitelistfile}
+ sshguard_whitelist_params="-w ${sshguard_whitelistfile}"
+ fi
+
+ if [ ! -z ${sshguard_danger_thresh} ]; then
+ sshguard_danger_params="-a ${sshguard_danger_thresh}"
+ fi
+
+ if [ ! -z ${sshguard_release_interval} ]; then
+ sshguard_release_params="-p ${sshguard_release_interval}"
+ fi
- sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+ if [ ! -z ${sshguard_reset_interval} ]; then
+ sshguard_reset_params="-s ${sshguard_reset_interval}"
+ fi
+
+ if [ ! -z "${sshguard_watch_logs}" ]; then
+ sshguard_watch_params=$(echo ${sshguard_watch_logs} | tr : \\\n | sed -e s/^/-l\ /g | tr \\\n \ )
+ fi
}
run_rc_command "$1"
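Review bot: Four of the new emptiness tests expand their variable unquoted (`[ ! -z ${sshguard_whitelistfile} ]` and the danger, release and reset equivalents), while the `sshguard_watch_logs` test at the end of the hunk is quoted. An empty value only works because `[ ! -z ]` is parsed as a negated one-argument test, and a value containing whitespace makes `[` report an error, so the option is silently dropped. Use `if [ -n "${sshguard_whitelistfile}" ]; then` for each of them, and quote the touch operand to match the `-e` test beside it: `touch "${sshguard_whitelistfile}"`. sshguard_prestart begins before this hunk.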