From 087a1f6b5fe5a5e1dc6ec95934f0931e32cf6b27 Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Wed, 31 Oct 2018 09:19:26 -0300 Subject: [PATCH 1/2] Fix #8864: Let users modify sshguard parameters and whitelist --- src/etc/inc/system.inc | 28 ++++- src/usr/local/www/system_advanced_admin.php | 114 ++++++++++++++++++++ 2 files changed, 140 insertions(+), 2 deletions(-) diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc index 16ae584e123..2abd91b67f7 100644 --- a/src/etc/inc/system.inc +++ b/src/etc/inc/system.inc @@ -1145,10 +1145,34 @@ EOD; $sighup = false; } + $sshguard_whitelist = array(); + if (!empty($config['system']['sshguard_whitelist'])) { + $sshguard_whitelist = explode(' ', + $config['system']['sshguard_whitelist']); + } + $sshguard_config = array(); $sshguard_config[] = 'BACKEND="/usr/local/libexec/sshg-fw-pf"' . "\n"; - /* XXX Add a GUI option to user to define it? */ - $sshguard_config[] = 'DETECTION_TIME=3600' . "\n"; + if (!empty($config['system']['sshguard_threshold'])) { + $sshguard_config[] = 'THRESHOLD=' . + $config['system']['sshguard_threshold'] . "\n"; + } + if (!empty($config['system']['sshguard_blocktime'])) { + $sshguard_config[] = 'BLOCK_TIME=' . + $config['system']['sshguard_blocktime'] . "\n"; + } + if (!empty($config['system']['sshguard_detection_time'])) { + $sshguard_config[] = 'DETECTION_TIME=' . + $config['system']['sshguard_detection_time'] . "\n"; + } + if (!empty($sshguard_whitelist)) { + @file_put_contents("/usr/local/etc/sshguard.whitelist", + implode(PHP_EOL, $sshguard_whitelist)); + $sshguard_config[] = + 'WHITELIST_FILE=/usr/local/etc/sshguard.whitelist' . "\n"; + } else { + unlink_if_exists("/usr/local/etc/sshguard.whitelist"); + } file_put_contents("/usr/local/etc/sshguard.conf", $sshguard_config); if (!$sighup) { diff --git a/src/usr/local/www/system_advanced_admin.php b/src/usr/local/www/system_advanced_admin.php index b2f35f7a69e..1ecf744344f 100644 --- a/src/usr/local/www/system_advanced_admin.php 
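Review bot: The three sshguard values are copied from config.xml into the `THRESHOLD=`, `BLOCK_TIME=` and `DETECTION_TIME=` lines with no numeric check, and since config.xml can be restored or edited outside the GUI the generator should not lean on form validation; casting before interpolating is cheap, e.g. `$sshguard_config[] = 'THRESHOLD=' . (int) $config['system']['sshguard_threshold'] . "\n";` (the file looks like it is consumed as shell-style `KEY=value` assignments, so keeping quotes and `;` out of it matters — confirm against the sshguard wrapper in use). The `@` on `file_put_contents()` for the whitelist hides a failed write while `WHITELIST_FILE=` is still emitted, so a stale or missing whitelist would be referenced silently; check the return value and either log the failure or omit the `WHITELIST_FILE` line when the write fails. The enclosing function starts before this hunk, so I cannot see what else feeds `$sshguard_config`.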
+++ b/src/usr/local/www/system_advanced_admin.php @@ -61,6 +61,10 @@ $pconfig['sshdkeyonly'] = $config['system']['ssh']['sshdkeyonly']; $pconfig['sshdagentforwarding'] = isset($config['system']['ssh']['sshdagentforwarding']); $pconfig['quietlogin'] = isset($config['system']['webgui']['quietlogin']); +$pconfig['sshguard_threshold'] = $config['system']['sshguard_threshold'] ?? ''; +$pconfig['sshguard_blocktime'] = $config['system']['sshguard_blocktime'] ?? ''; +$pconfig['sshguard_detection_time'] = $config['system']['sshguard_detection_time'] ?? ''; +$pconfig['sshguard_whitelist'] = $config['system']['sshguard_whitelist'] ?? ''; $a_cert =& $config['cert']; $certs_available = false; @@ -108,6 +112,26 @@ } } + $whitelist_addresses = array(); + for ($i = 0; isset($_POST['address' . $i]); $i++) { + /* Ignore blank fields */ + if (empty($_POST['address' . $i])) { + continue; + } + + $whitelist_address = $_POST['address' . $i] . '/' . + $_POST['address_subnet'. $i]; + + if (!is_subnet($whitelist_address)) { + $input_errors[] = sprintf(gettext( + "Invalid subnet '%s' added to Login Protection Whitelist"), + $whitelist_address); + break; + } + $whitelist_addresses[] = $whitelist_address; + } + $pconfig['sshguard_whitelist'] = implode(' ', $whitelist_addresses); + ob_flush(); flush(); 
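Review bot: The new validation block checks only the whitelist rows; `sshguard_threshold`, `sshguard_blocktime` and `sshguard_detection_time` reach `write_config()` unchecked, and the `min`/`step` attributes on the number inputs constrain the browser only. A server-side check in the same place should reject anything that is not a whole number of at least 10 (the minimum the placeholders and help text imply). `$_POST['address_subnet' . $i]` is also read without `isset`, so a row posted without its mask raises a PHP notice before `is_subnet()` rejects it; `($_POST['address_subnet' . $i] ?? '')` avoids that. On the first bad entry the loop `break`s and `$pconfig['sshguard_whitelist']` is rebuilt from the partial list, so every row after it vanishes from the redisplayed form; recording the error and continuing keeps the user's input intact.
```php
foreach (array('sshguard_threshold', 'sshguard_blocktime', 'sshguard_detection_time') as $field) {
    if (!empty($_POST[$field]) &&
        (!preg_match('/^[0-9]+$/', (string) $_POST[$field]) || intval($_POST[$field]) < 10)) {
        $input_errors[] = sprintf(gettext("Login Protection %s must be a whole number of at least 10"), $field);
    }
}
// … unchanged: whitelist address loop …
```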
@@ -299,11 +323,36 @@ } } + $restart_sshguard = false; + if (update_if_changed("login protection threshold", + $config['system']['sshguard_threshold'], + $pconfig['sshguard_threshold'])) { + $restart_sshguard = true; + } + if (update_if_changed("login protection blocktime", + $config['system']['sshguard_blocktime'], + $pconfig['sshguard_blocktime'])) { + $restart_sshguard = true; + } + if (update_if_changed("login protection detection_time", + $config['system']['sshguard_detection_time'], + $pconfig['sshguard_detection_time'])) { + $restart_sshguard = true; + } + if (update_if_changed("login protection whitelist", + $config['system']['sshguard_whitelist'], + $pconfig['sshguard_whitelist'])) { + $restart_sshguard = true; + } + write_config(); $changes_applied = true; $retval = 0; $retval |= filter_configure(); + if ($restart_sshguard) { + $retval |= system_syslogd_start(true); + } if ($restart_webgui) { $extra_save_msg = sprintf("
" . gettext("One moment...redirecting to %s in 20 seconds."), $url); @@ -542,6 +591,71 @@ ['min' => 1, 'max' => 65535, 'placeholder' => 22] ))->setHelp('Note: Leave this blank for the default of 22.'); +$form->add($section); +$section = new Form_Section('Login Protection'); + +$section->addinput(new form_input( + 'sshguard_threshold', + 'Threshold', + 'number', + $pconfig['sshguard_threshold'], + ['min' => 10, 'step' => 10, 'placeholder' => 30] +))->setHelp('Block attackers when their cumulative attack score exceeds '. + 'threshold. Most attacks have a score of 10.'); + +$section->addinput(new form_input( + 'sshguard_blocktime', + 'Blocktime', + 'number', + $pconfig['sshguard_blocktime'], + ['min' => 10, 'step' => 10, 'placeholder' => 120] +))->setHelp('Block attackers for initially blocktime seconds after exceeding '. + 'threshold. Subsequent blocks increase by a factor of 1.5.%s'. + 'Attacks are unblocked at random intervals, so actual block '. + 'times will be longer.', '
'); + +$section->addinput(new form_input( + 'sshguard_detection_time', + 'Detection time', + 'number', + $pconfig['sshguard_detection_time'], + ['min' => 10, 'step' => 10, 'placeholder' => 1800] +))->setHelp('Remember potential attackers for up to detection_time seconds '. + 'before resetting their score.'); + +$counter = 0; +$addresses = explode(' ', $pconfig['sshguard_whitelist']); + +while ($counter < count($addresses)) { + list($address, $address_subnet) = explode("/", $addresses[$counter]); + + $group = new Form_Group($counter == 0 ? 'Whitelist' : ''); + $group->addClass('repeatable'); + + $group->add(new Form_IpAddress( + 'address' . $counter, + 'Address', + $address, + 'BOTH' + ))->addMask('address_subnet' . $counter, $address_subnet)->setWidth(4); + + $group->add(new Form_Button( + 'deleterow' . $counter, + 'Delete', + null, + 'fa-trash' + ))->addClass('btn-warning'); + + $section->add($group); + $counter++; +} + +$section->addInput(new Form_Button( + 'addrow', + 'Add whitelist', + null, + 'fa-plus' +))->addClass('btn-success addbtn'); $form->add($section); $section = new Form_Section('Serial Communications'); From 1f7ea9ce2c18cc61060508fe0d27d089249be204 Mon Sep 17 00:00:00 2001 From: jim-p Date: Wed, 31 Oct 2018 12:59:03 -0400 Subject: [PATCH 2/2] Skip empty IPsec P1 during upgrade to 17.5. Fixes #9083 (cherry picked from commit 024e5de242661219bb8a62f183b1601cec44aa3c) --- src/etc/inc/upgrade_config.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/etc/inc/upgrade_config.inc b/src/etc/inc/upgrade_config.inc index f8e2500c1ab..0f227949224 100644 --- a/src/etc/inc/upgrade_config.inc +++ b/src/etc/inc/upgrade_config.inc 
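Review bot: `list($address, $address_subnet) = explode("/", $addresses[$counter]);` raises an undefined-offset notice for any entry without a `/`, including the single empty string that `explode(' ', '')` yields when no whitelist has been saved yet — the common case on first display; padding the pieces avoids it: `list($address, $address_subnet) = array_pad(explode('/', $addresses[$counter], 2), 2, '');`. The three new inputs are written as `addinput(new form_input(` while the rest of the section, and the `addInput(new Form_Button(` a few lines later, use `addInput`/`Form_Input`; PHP resolves these case-insensitively, but matching the file's casing keeps greps and future refactors reliable. The `min`/`step` attributes on the number fields only guide the browser, so the POST handler still needs its own range check before the values are saved.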
@@ -5489,9 +5489,13 @@ function upgrade_173_to_174() { */ function upgrade_174_to_175() { global $config; + init_config_arr(array('ipsec', 'phase1')); if (is_array($config['ipsec']['phase1'])) { $a_phase1 = &$config['ipsec']['phase1']; foreach($a_phase1 as &$phase1) { + if (empty($phase1)) { + continue; + } $item = array(); $item['encryption-algorithm'] = $phase1['encryption-algorithm']; $item['hash-algorithm'] = $phase1['hash-algorithm'];
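Review bot: With `init_config_arr(array('ipsec', 'phase1'))` added above it, the following `is_array($config['ipsec']['phase1'])` is always true, so either the `if` can go or the new call belongs inside it; harmless either way, but a one-line comment such as `/* older configs may lack phase1 or carry empty placeholder entries; see #9083 */` would tell the next reader why both guards exist. The `continue` leaves the empty entry in `$config['ipsec']['phase1']` rather than removing it, so later consumers of that array will still meet it — if keeping it is deliberate (for instance to preserve indexes), say so in the comment; if not, iterating with the key and `unset`-ting the entry would clean it up during the upgrade. The loop iterates `$a_phase1` by reference and the function continues past the hunk, so I cannot see whether `$phase1` is `unset()` after the loop.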