archive repository

Because pandoc is relatively small, we now create man page output on the
fly on building, which makes pandoc a required build time dependency.

.gitignore

@@ -16,3 +16,4 @@ tallow-*/
 tallow.service
 *~
 DEADJOE
+man/*.[0-9]

Makefile.am

@@ -25,18 +25,23 @@ EXTRA_DIST = \
 	data/tallow.service.in \
 	data/sshd.json \
 	man/tallow.conf.5.md \
+	man/tallow.patterns.5.md \
 	man/tallow.1.md
 
-dist_man_MANS = man/tallow.1 man/tallow.conf.5
-
 dist_doc_DATA = tallow.conf
 
 DISTCHECK_CONFIGURE_FLAGS = \
 	--with-systemdsystemunitdir=$(DESTDIR)$(SYSTEMDSYSTEMUNITDIR)
 
-docs: $(dist_man_MANS)
+man_MANS = man/tallow.1 man/tallow.conf.5 man/tallow.patterns.5
+clean-local:
+	rm -f $(man_MANS)
+
 man/%.5: man/%.5.md
-	ronn -r $< --pipe > $@
+	@mkdir -p $$(dirname $@)
+	pandoc -s -f markdown -t man $< --output $@
 
 man/%.1: man/%.1.md
-	ronn -r $< --pipe > $@
+	@mkdir -p $$(dirname $@)
+	pandoc -s -f markdown -t man $< --output $@
+

README.md

@@ -1,3 +1,10 @@
+## DISCONTINUATION OF PROJECT. 
+
+This project will no longer be maintained by Intel. 
+
+Intel will not provide or guarantee development of or support for this project, including but not limited to, maintenance, bug fixes, new releases or updates. Patches to this project are no longer accepted by Intel. If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the community, please create your own fork of the project.
+
+Contact: webadmin@linux.intel.com  
 
 tallow
 ======

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.64])
-AC_INIT([tallow], [20], [auke-jan.h.kok@intel.com])
+AC_INIT([tallow], [21], [auke-jan.h.kok@intel.com])
 AM_INIT_AUTOMAKE([foreign -Wall -Werror -Wno-portability silent-rules subdir-objects color-tests
 	no-dist-gzip dist-xz])
 AC_CONFIG_FILES([Makefile])
@@ -11,6 +11,11 @@ AC_CONFIG_FILES([Makefile])
 AC_PROG_CC
 AC_PROG_INSTALL
 
+AC_CHECK_PROG([PANDOC],[pandoc],yes)
+if test x"${PANDOC}" != x"yes" ; then
+    AC_MSG_ERROR([Pandoc is required to create manual pages.])
+fi
+
 PKG_CHECK_MODULES(PCRE, libpcre)
 PKG_CHECK_MODULES(JSON_C, json-c)
 PKG_CHECK_MODULES(LIBSYSTEMD, libsystemd,, [PKG_CHECK_MODULES(LIBSYSTEMD, libsystemd-journal)])

man/tallow.1

@@ -1,40 +0,0 @@
-.\" generated with Ronn/v0.7.3
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
-.
-.TH "TALLOW" "1" "February 2020" "" ""
-.
-.SH "NAME"
-\fBtallow\fR
-.
-.SH "tallow"
-Reduce log clutter due to ssh login attempts\.
-.
-.SH "SYNOPSIS"
-\fB/usr/sbin/tallow\fR
-.
-.SH "DESCRIPTION"
-\fBtallow\fR is a daemon that watches the systemd journal for messages from the \fBsshd\fR service\. It parses the messages and looks for attempted random logins such as failed logins to the root account and failed logins to invalid user accounts, and various other obviously malicious login attempts that try things as forcing old protocols, or weak key systems\.
-.
-.P
-If such logins were detected, the offending IP address is stored in a list\. Items from this list are regularly purged, but if the amount of times that a specific IP address is seen exceeds a threshold, an ipset(1) entry is inserted in the \fBtallow\fR or \fBtallow6\fR ipset, and further packets from that ip address will be blocked by an \fBiptables(1)\fR or \fBip6tables(1)\fR rule that tallow creates at startup\. Additionally, certain types of login failure will trigger a short term ban of further packets from the offending IP address immediately\.
-.
-.P
-The system administrator needs to assure that the tallow and tallow6 ipsets are left alone and that the inserted iptables rules are properly matching on packets\.
-.
-.P
-Care should be taken to assure that legitimate users are not blocked inadvertently\. You may wish to list any valid IP address with the whitelist option in tallow\.conf(5)\. Multiple addresses can be whitelisted\.
-.
-.SH "OPTIONS"
-The \fBtallow\fR daemon itself has no runtime configuration\. All configuration is done through the tallow\.conf(5) config file\.
-.
-.SH "SIGNALS"
-The \fBUSR1\fR signal causes \fBtallow\fR to print out it\'s internal tracking table of IP addresses\. This requires that tallow is compiled with the \fB\-DDEBUG=1\fR symbol passed to the compiler\.
-.
-.SH "SEE ALSO"
-systemd\-journald(1), iptables(1), ipset(1), tallow\.conf(5), tallow\.patterns(5)
-.
-.SH "BUGS"
-\fBtallow\fR is \fBNOT A SECURITY SOLUTION\fR, nor does it protect against random password logins\. A attacker may still be able to logon to your systems if you allow password logins\.
-.
-.SH "AUTHOR"
-Auke Kok \fIauke\-jan\.h\.kok@intel\.com\fR

man/tallow.1.md

@@ -1,13 +1,15 @@
+% TALLOW(1)
+% Auke Kok `<auke-jan.h.kok@intel.com>`
 
-## tallow 
+# tallow
 
 Reduce log clutter due to ssh login attempts.
 
-## SYNOPSIS
+# SYNOPSIS
 
 `/usr/sbin/tallow`
 
-## DESCRIPTION
+# DESCRIPTION
 
 `tallow` is a daemon that watches the systemd journal for messages
 from the `sshd` service. It parses the messages and looks for
@@ -35,27 +37,23 @@ blocked inadvertently. You may wish to list any valid IP address
 with the whitelist option in tallow.conf(5). Multiple addresses can
 be whitelisted.
 
-## OPTIONS
+# OPTIONS
 
 The `tallow` daemon itself has no runtime configuration. All
 configuration is done through the tallow.conf(5) config file.
 
-## SIGNALS
+# SIGNALS
 
 The `USR1` signal causes `tallow` to print out it's internal tracking
 table of IP addresses. This requires that tallow is compiled with
 the `-DDEBUG=1` symbol passed to the compiler.
 
-## SEE ALSO
+# SEE ALSO
 
 systemd-journald(1), iptables(1), ipset(1), tallow.conf(5), tallow.patterns(5)
 
-## BUGS
+# BUGS
 
 `tallow` is `NOT A SECURITY SOLUTION`, nor does it protect against
 random password logins. A attacker may still be able to logon to your
 systems if you allow password logins.
-
-## AUTHOR
-
-Auke Kok <auke-jan.h.kok@intel.com>

man/tallow.conf.5

@@ -1,80 +0,0 @@
-.\" generated with Ronn/v0.7.3
-.\" http://github.com/rtomayko/ronn/tree/0.7.3
-.
-.TH "TALLOW" "5" "February 2020" "" ""
-.
-.SH "NAME"
-\fBtallow\fR
-.
-.SH "tallow\.conf"
-The tallow configuration file
-.
-.SH "NAME"
-tallow\.conf \- Tallow daemon configuration file
-.
-.SH "SYNOPSIS"
-\fB/etc/tallow\.conf\fR
-.
-.SH "DESCRIPTION"
-This file is read on startup by the tallow(1) daemon, and can be used to provide options to the tallow daemon\. If not present, tallow will operate with built\-in defaults\.
-.
-.SH "OPTIONS"
-\fBfwcmd_path\fR=\fB<string>\fR Specifies the location of the ipset(1) firewall\-cmd(1) programs\. By default, tallow will look in "/usr/sbin" for them\.
-.
-.P
-\fBipt_path\fR=\fB<string>\fR Specifies the location of the ipset(1) program and iptables(1) or ip6tables(1) programs\. By default, tallow will look in "/usr/sbin" for them\.
-.
-.P
-\fBexpires\fR=\fB<int>\fR The number of seconds that IP addresses are blocked for\. Note that due to the implementation, IP addresses may be blocked for much longer than this period\. If IP addresses are seen, but not blocked within this period, they are also removed from the watch list\. Defaults to 3600s\.
-.
-.P
-\fBwhitelist\fR=\fB<ip address|pattern>\fR Specify an IP address or \fBpattern\fR that should never be blocked\. Multiple IP addresses can be included by repeating the \fBwhitelist\fR option several times\. By default, 127\.0\.0\.1, 192\.168\., and 10\. are whitelisted\. If you create a manual whitelist, you must include these entries if you want to continue them to be whitelisted as well, otherwise they will be omitted from the whitelist\.
-.
-.P
-If the last character of the listed ip adress is a \fB\.\fR or a \fB:\fR, then the matching is only performed on the leftmost characters of an IP address against the whitelist entry\. For instance, if you whitelist \fB10\.\fR then all IP addresses in the \fB10/8\fR subnet mask will match this whitelist entry and never be blocked\.
-.
-.P
-\fBipv6\fR=\fB<0|1>\fR Enable or disable ipv6 (ip6tables) support\. Ipv6 is disabled automatically on systems that do not appear to have ipv6 support and enabled when ipv6 is present\. Use this option to explicitly disable ipv6 support if your system does not have ipv6 or is missing ip6tables\. Even with ipv6 disabled, tallow will track and log ipv6 addresses\.
-.
-.P
-\fBnocreate\fR=\fB<0|1>\fR Disable the creation of firewall rules and ipset sets\. By default, tallow will create new firewall\-cmd(1) or iptables(1) and ip6tables(1) rules when needed automatically\. If set to \fB1\fR, \fBtallow(1)\fR will not create any new firewall DROP rules or ipset sets that are needed work\. You should create them manually before tallow starts up and remove them afterwards using the sets of commands below\.
-.
-.P
-Use the following commands if you\'re using iptables(1):
-.
-.IP "" 4
-.
-.nf
-
-  ipset create tallow hash:ip family inet timeout 3600
-  iptables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow src \-j DROP
-
-  ipset create tallow6 hash:ip family inet6 timeout 3600
-  ip6tables \-t filter \-I INPUT 1 \-m set \-\-match\-set tallow6 src \-j DROP
-.
-.fi
-.
-.IP "" 0
-.
-.P
-Use the following commands if you\'re using firewalld(1):
-.
-.IP "" 4
-.
-.nf
-
-  firewall\-cmd \-\-permanent \-\-new\-ipset=tallow \-\-type=hash:ip \-\-family=inet \-\-option=timeout=3600
-  firewall\-cmd \-\-permanent \-\-direct \-\-add\-rule ipv4 filter INPUT 1 \-m set \-\-match\-set tallow src \-j DROP
-
-  firewall\-cmd \-\-permanent \-\-new\-ipset=tallow6 \-\-type=hash:ip \-\-family=inet6 \-\-option=timeout=3600
-  firewall\-cmd \-\-permanent \-\-direct \-\-add\-rule ipv6 filter INPUT 1 \-m set \-\-match\-set tallow6 src \-j DROP
-.
-.fi
-.
-.IP "" 0
-.
-.SH "SEE ALSO"
-tallow(1), tallow\.patterns(5)
-.
-.SH "AUTHOR"
-Auke Kok \fIauke\-jan\.h\.kok@intel\.com\fR

man/tallow.conf.5.md

@@ -1,23 +1,25 @@
+% TALLOW.CONF(5)
+% Auke Kok `<auke-jan.h.kok@intel.com>`
 
-## tallow.conf
+# tallow.conf
 
 The tallow configuration file
 
-## NAME
+# NAME
 
 tallow.conf - Tallow daemon configuration file
 
-## SYNOPSIS
+# SYNOPSIS
 
 `/etc/tallow.conf`
 
-## DESCRIPTION
+# DESCRIPTION
 
 This file is read on startup by the tallow(1) daemon, and can
 be used to provide options to the tallow daemon. If not present,
 tallow will operate with built-in defaults.
 
-## OPTIONS
+# OPTIONS
 
 `fwcmd_path`=`<string>`
 Specifies the location of the ipset(1) firewall-cmd(1) programs. By
@@ -79,16 +81,12 @@ Use the following commands if you're using firewalld(1):
 ```
   firewall-cmd --permanent --new-ipset=tallow --type=hash:ip --family=inet --option=timeout=3600
   firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -m set --match-set tallow src -j DROP
-  
+
   firewall-cmd --permanent --new-ipset=tallow6 --type=hash:ip --family=inet6 --option=timeout=3600
   firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -m set --match-set tallow6 src -j DROP
-  
+
   ```
 
-## SEE ALSO
+# SEE ALSO
 
 tallow(1), tallow.patterns(5)
-
-## AUTHOR
-
-Auke Kok <auke-jan.h.kok@intel.com>

man/tallow.patterns.5.md

@@ -1,9 +1,12 @@
-## tallow.patterns
+% TALLOW.PATTERNS(5)
+% Auke Kok `<auke-jan.h.kok@intel.com>`
+
+# tallow.patterns
 
 Tallow pattern matching configuration files.
 
 
-## SYNOPSIS
+# SYNOPSIS
 
 tallow(1) uses regular expressions to match journal entries and extract an IP
 address from them. JSON files are used to configure the patterns and banning
@@ -13,7 +16,7 @@ thresholds used by tallow(1).
 `/usr/share/tallow/*.json`
 
 
-## DESCRIPTION
+# DESCRIPTION
 
 tallow(1) uses regular expressions to match journal entries and extract an IP
 address from them. JSON files are used to configure the patterns and banning
@@ -28,12 +31,12 @@ files under `/etc/tallow`. The default JSON files can be overridden by creating
 the same file under `/etc/tallow`.
 
 
-## FILE FORMAT 
+# FILE FORMAT
 
 Pattern configuration files use the JavaScript Object Notation (JSON) format.
 
 The JSON must be two levels deep and all properties are required. The root
-object is an array containing objects with a `filter` key and an `items` key. 
+object is an array containing objects with a `filter` key and an `items` key.
 
 * `filter` is a string that defines a field for filtering the journal file.
   This helps make sure patterns are only matched to a subset of journal
@@ -50,7 +53,7 @@ object is an array containing objects with a `filter` key and an `items` key.
      of an originating IP address each time a journal entry matches
      the `pattern`. If the combined score is > 1.0, tallow bans the originating
      IP for the default time of 1 hour. The `ban` element value above is not
-     used for bans made due to `score`. 
+     used for bans made due to `score`.
 
    * `pattern` is a string that defines a Perl Compatible Regular Expressions
      (PCRE) to match against the filtered journal entries. The PCRE should
@@ -58,11 +61,10 @@ object is an array containing objects with a `filter` key and an `items` key.
      See systemd.journal-fields(7) for valid journal fields.
 
 
-
-## EXAMPLES
+# EXAMPLES
 
 1. The JSON below is a snippet from one of the default pattern configuration
-   files for blocking certain failed `sshd` connections. 
+   files for blocking certain failed `sshd` connections.
 
    The first pattern will ban an IP address after it fails to login 6 times
    causing it to reach a total score > 1.0.
@@ -119,16 +121,14 @@ object is an array containing objects with a `filter` key and an `items` key.
    ]
    ```
 
-## SEE ALSO
+
+# SEE ALSO
 
 tallow(1), tallow.conf(5)
 
-## BUGS
+
+# BUGS
 
 `tallow` is `NOT A SECURITY SOLUTION`, nor does it protect against random
 password logins. An attacker may still be able to logon to your systems if you
 allow password logins.
-
-## AUTHOR
-
-Auke Kok <auke-jan.h.kok@intel.com>