Merge branch 'f31' into epel7

Conflicts:
	fail2ban.spec
i9ce
Orion Poplawski 5 years ago
commit 8ebd1bd456

1
.gitignore vendored

@ -19,3 +19,4 @@ fail2ban-0.8.4.tar.bz2
/fail2ban-0.10.2.tar.gz
/fail2ban-0.10.3.1.tar.gz
/fail2ban-0.10.4.tar.gz
/fail2ban-0.10.5.tar.gz

@ -1,96 +0,0 @@
From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 17:38:30 -0600
Subject: [PATCH 1/7] Update sendmail-reject
Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively)
---
fail2ban/tests/files/logs/sendmail-reject | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index 44f8eb92f..a76cbf4b6 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<anton@domain.co
Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example.org [192.0.2.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
+
+# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
+Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
+# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
+Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
From ffd5d0db78af01afcdf7a2c615dc26b8558ad8f1 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 17:39:27 -0600
Subject: [PATCH 2/7] Update sendmail-reject.conf
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29
---
config/filter.d/sendmail-reject.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index 985eac8b1..dd58f3e75 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
mdre-normal =
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
mdre-aggressive = %(mdre-extra)s
From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 18:21:47 -0600
Subject: [PATCH 5/7] Update sendmail-reject
Fixing timestamps to 2005 (oops)
---
fail2ban/tests/files/logs/sendmail-reject | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index a76cbf4b6..b6911c4df 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
-# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
+# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
-# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
+# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Thu, 4 Apr 2019 02:28:50 +0200
Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA])
---
config/filter.d/sendmail-reject.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index dd58f3e75..e6814a00c 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
mdre-normal =
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
mdre-aggressive = %(mdre-extra)s

@ -0,0 +1,31 @@
From 8694c547285c4030d4bf7661981673038e6e9829 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 14 Jan 2020 11:51:27 +0100
Subject: [PATCH] increase test stack size to 128K (on some platforms min size
is greater then 32K), closes gh-2597
---
fail2ban/tests/fail2banclienttestcase.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/tests/fail2banclienttestcase.py b/fail2ban/tests/fail2banclienttestcase.py
index 29adb1220..5caa4dd90 100644
--- a/fail2ban/tests/fail2banclienttestcase.py
+++ b/fail2ban/tests/fail2banclienttestcase.py
@@ -469,14 +469,14 @@ def _testStartForeground(self, tmp, startparams, phase):
@with_foreground_server_thread(startextra={'f2b_local':(
"[Thread]",
- "stacksize = 32"
+ "stacksize = 128"
"",
)})
def testStartForeground(self, tmp, startparams):
# check thread options were set:
self.pruneLog()
self.execCmd(SUCCESS, startparams, "get", "thread")
- self.assertLogged("{'stacksize': 32}")
+ self.assertLogged("{'stacksize': 128}")
# several commands to server:
self.execCmd(SUCCESS, startparams, "ping")
self.execCmd(FAILED, startparams, "~~unknown~cmd~failed~~")

@ -0,0 +1,22 @@
From b158f83aa3795f387c8475ceb48df197a94a37e8 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Mon, 13 Jan 2020 12:37:19 +0100
Subject: [PATCH] testIPAddr_CompareDNS: add missing network constraint
(gh-2596)
---
fail2ban/tests/filtertestcase.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/fail2ban/tests/filtertestcase.py b/fail2ban/tests/filtertestcase.py
index d6ad82358..6ca8162bd 100644
--- a/fail2ban/tests/filtertestcase.py
+++ b/fail2ban/tests/filtertestcase.py
@@ -2064,6 +2064,7 @@ def testIPAddr_CIDR_Repr(self):
)
def testIPAddr_CompareDNS(self):
+ unittest.F2B.SkipIfNoNetwork()
ips = IPAddr('example.com')
self.assertTrue(IPAddr("93.184.216.34").isInNet(ips))
self.assertTrue(IPAddr("2606:2800:220:1:248:1893:25c8:1946").isInNet(ips))

@ -0,0 +1,25 @@
From ec37b1942c4da76f7a0f71efe81bea6835466648 Mon Sep 17 00:00:00 2001
From: sebres <serg.brester@sebres.de>
Date: Tue, 14 Jan 2020 11:39:13 +0100
Subject: [PATCH] action.d/nginx-block-map.conf: fixed backslash substitution
(different echo behavior in some shells, gh-2596)
---
config/action.d/nginx-block-map.conf | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/action.d/nginx-block-map.conf b/config/action.d/nginx-block-map.conf
index 0b6aa0ad7..ee702907e 100644
--- a/config/action.d/nginx-block-map.conf
+++ b/config/action.d/nginx-block-map.conf
@@ -103,6 +103,8 @@ actionstop = %(actionflush)s
actioncheck =
-actionban = echo "\\\\<fid> 1;" >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+_echo_blck_row = printf '\%%s 1;\n' "<fid>"
-actionunban = id=$(echo "<fid>" | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^\\\\$id 1;$/d" %(blck_lst_file)s; %(blck_lst_reload)s
+actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
+
+actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s

@ -1,11 +1,11 @@
diff -up fail2ban-0.10.3.1/files/fail2ban.service.in.partof fail2ban-0.10.3.1/files/fail2ban.service.in
--- fail2ban-0.10.3.1/files/fail2ban.service.in.partof 2018-06-19 12:10:15.401391081 -0600
+++ fail2ban-0.10.3.1/files/fail2ban.service.in 2018-06-19 12:10:38.892291609 -0600
diff -up fail2ban-0.10.5/files/fail2ban.service.in.partof fail2ban-0.10.5/files/fail2ban.service.in
--- fail2ban-0.10.5/files/fail2ban.service.in.partof 2020-01-10 05:34:46.000000000 -0700
+++ fail2ban-0.10.5/files/fail2ban.service.in 2020-01-11 16:13:53.372316861 -0700
@@ -2,7 +2,7 @@
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+PartOf=firewalld.service
[Service]

@ -1,18 +1,20 @@
Summary: Daemon to ban hosts that cause multiple authentication errors
Name: fail2ban
Version: 0.10.4
Version: 0.10.5
Release: 1%{?dist}
License: GPLv2+
URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
#Source0: https://github.com/sebres/%{name}/archive/f2b-perfom-prepare-716-cs.tar.gz#/%{name}-test.tar.gz
# Give up being PartOf iptables and ipset for now
# https://bugzilla.redhat.com/show_bug.cgi?id=1379141
# https://bugzilla.redhat.com/show_bug.cgi?id=1573185
Patch0: fail2ban-partof.patch
# Update sendmail-reject with TLSMTA & MSA port IDs
# https://bugzilla.redhat.com/show_bug.cgi?id=1722625
Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch
# Fix nginx-block-map
Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
# testIPAddr_CompareDNS: add missing network constraint
Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
# FIx test thread stack size on aarch64
Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch
BuildRequires: python-devel
# For testcases
@ -214,7 +216,9 @@ rm -r %{buildroot}%{_docdir}/%{name}
%check
# Need a UTF-8 locale to work
export LANG=en_US.UTF-8
./fail2ban-testcases-all --no-network
# testSampleRegexsSSHD fails for some reason when run alongside all other tests
%python2 bin/fail2ban-testcases --no-network testSampleRegexsSSHD
%python2 bin/fail2ban-testcases --no-network -i testSampleRegexsSSHD
%post server
%if 0%{?fedora} || 0%{?rhel} >= 7
@ -302,6 +306,9 @@ fi
%changelog
* Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-1
- Update to 0.10.5
* Sat Nov 23 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-1
- Update to 0.10.4
- Define banaction_allports for firewalld, update banaction (bz#1775175)

@ -1 +1 @@
SHA512 (fail2ban-0.10.4.tar.gz) = 3f4af84b7e3332b887240c927c1f706d2b3020217df2a68c64897619d54eb6dfa972992e3153f4ea150d025e2c8a2b537da47cf71a6dfee1df3c8d029a6d5f42
SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6

Loading…
Cancel
Save