From 8f487f616581747788ca42ab879ff9c67a49b374 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Mon, 17 Mar 2014 18:03:52 -0600 Subject: [PATCH] Update to 0.9 --- .gitignore | 1 + fail2ban-import.patch | 75 -------------- fail2ban-init.patch | 11 -- fail2ban-log2syslog.patch | 12 --- fail2ban-logfiles.patch | 211 -------------------------------------- fail2ban-logrotate | 9 -- fail2ban-utf8.patch | 18 ---- fail2ban.spec | 40 +++----- sources | 2 +- 9 files changed, 15 insertions(+), 364 deletions(-) delete mode 100644 fail2ban-import.patch delete mode 100644 fail2ban-init.patch delete mode 100644 fail2ban-log2syslog.patch delete mode 100644 fail2ban-logfiles.patch delete mode 100644 fail2ban-logrotate delete mode 100644 fail2ban-utf8.patch diff --git a/.gitignore b/.gitignore index f421bcf..8d98bf2 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.8.10.tar.gz /fail2ban-0.9-d529151.tar.xz /fail2ban-0.9-1f1a561.tar.xz +/fail2ban-0.9.tar.gz diff --git a/fail2ban-import.patch b/fail2ban-import.patch deleted file mode 100644 index c4a2836..0000000 --- a/fail2ban-import.patch +++ /dev/null @@ -1,75 +0,0 @@ -commit d561a4c2bbc336db70d5923cf630813bc51dc3ee -Author: Yaroslav Halchenko -Date: Mon Jan 28 09:54:08 2013 -0500 - - BF: do not rely on scripts being under /usr -- might differ eg on Fedora -- rely on import of common.version (Closes gh-112) - - This is also not ideal, since if there happens to be some systemwide common.version -- we are doomed - - but otherwise, we cannot keep extending comparison check to /bin, /sbin whatelse - -diff --git a/fail2ban-client b/fail2ban-client -index 1d8eb15..13d018e 100755 ---- a/fail2ban-client -+++ b/fail2ban-client -@@ -27,12 +27,13 @@ import getopt, time, shlex, socket - - # Inserts our own modules path first in the list - # fix for bug #343821 --if os.path.abspath(__file__).startswith('/usr/'): -- # makes sense to use system-wide library iff -client is also under /usr/ -+try: -+ from common.version import version -+except ImportError, e: - sys.path.insert(1, "/usr/share/fail2ban") -+ from common.version import version - --# Now we can import our modules --from common.version import version -+# Now we can import the rest of modules - from common.protocol import printFormatted - from client.csocket import CSocket - from client.configurator import Configurator -diff --git a/fail2ban-regex b/fail2ban-regex -index a42ed96..f9bc72c 100755 ---- a/fail2ban-regex -+++ b/fail2ban-regex -@@ -26,13 +26,14 @@ import getopt, sys, time, logging, os - - # Inserts our own modules path first in the list - # fix for bug #343821 --if os.path.abspath(__file__).startswith('/usr/'): -- # makes sense to use system-wide library iff -regex is also under /usr/ -- sys.path.insert(1, "/usr/share/fail2ban") -+try: -+ from common.version import version -+except ImportError, e: -+ sys.path.insert(1, "/usr/share/fail2ban") -+ from common.version import version - - from client.configparserinc import SafeConfigParserWithIncludes - from ConfigParser import NoOptionError, NoSectionError, MissingSectionHeaderError --from common.version import version - from server.filter import Filter - from server.failregex import RegexException - -diff --git a/fail2ban-server b/fail2ban-server -index bd86e6c..0f3410c 100755 ---- a/fail2ban-server -+++ b/fail2ban-server -@@ -26,11 +26,12 @@ import getopt, sys, logging, os - - # Inserts our own modules path first in the list - # fix for bug #343821 --if os.path.abspath(__file__).startswith('/usr/'): -- # makes sense to use system-wide library iff -server is also under /usr/ -+try: -+ from common.version import version -+except ImportError, e: - sys.path.insert(1, "/usr/share/fail2ban") -+ from common.version import version - --from common.version import version - from server.server import Server - - # Gets the instance of the logger. diff --git a/fail2ban-init.patch b/fail2ban-init.patch deleted file mode 100644 index 03b0016..0000000 --- a/fail2ban-init.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up fail2ban-0.9-1f1a561/files/redhat-initd.init fail2ban-0.9-1f1a561/files/redhat-initd ---- fail2ban-0.9-1f1a561/files/redhat-initd.init 2013-09-24 16:57:09.515712728 -0600 -+++ fail2ban-0.9-1f1a561/files/redhat-initd 2013-09-24 16:57:52.435590284 -0600 -@@ -1,6 +1,6 @@ - #!/bin/bash - # --# chkconfig: 345 92 08 -+# chkconfig: - 92 08 - # processname: fail2ban-server - # config: /etc/fail2ban/fail2ban.conf - # pidfile: /var/run/fail2ban/fail2ban.pid diff --git a/fail2ban-log2syslog.patch b/fail2ban-log2syslog.patch deleted file mode 100644 index 49c220d..0000000 --- a/fail2ban-log2syslog.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up fail2ban-0.8.10/config/fail2ban.conf.log2syslog fail2ban-0.8.10/config/fail2ban.conf ---- fail2ban-0.8.10/config/fail2ban.conf.log2syslog 2013-06-12 11:21:12.000000000 -0600 -+++ fail2ban-0.8.10/config/fail2ban.conf 2013-06-12 16:12:48.233512068 -0600 -@@ -30,7 +30,7 @@ loglevel = 3 - # (e.g. /etc/logrotate.d/fail2ban on Debian systems) - # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log - # --logtarget = /var/log/fail2ban.log -+logtarget = SYSLOG - - # Option: socket - # Notes.: Set the socket file. This is used to communicate with the daemon. Do diff --git a/fail2ban-logfiles.patch b/fail2ban-logfiles.patch deleted file mode 100644 index a6082da..0000000 --- a/fail2ban-logfiles.patch +++ /dev/null @@ -1,211 +0,0 @@ -diff -up fail2ban-0.9-1f1a561/config/jail.conf.logfiles fail2ban-0.9-1f1a561/config/jail.conf ---- fail2ban-0.9-1f1a561/config/jail.conf.logfiles 2013-09-08 05:02:35.000000000 -0600 -+++ fail2ban-0.9-1f1a561/config/jail.conf 2013-09-24 17:01:40.264930006 -0600 -@@ -152,20 +152,18 @@ action = %(action_)s - [sshd] - - port = ssh --logpath = /var/log/auth.log -- /var/log/sshd.log -+logpath = /var/log/secure - - [sshd-ddos] - - port = ssh --logpath = /var/log/auth.log -- /var/log/sshd.log -+logpath = /var/log/secure - - [dropbear] - - port = ssh - filter = sshd --logpath = /var/log/dropbear -+logpath = /var/log/secure - - - # Generic filter for PAM. Has to be used with action which bans all -@@ -175,12 +173,12 @@ logpath = /var/log/dropbear - - # pam-generic filter can be customized to monitor specific subset of 'tty's - banaction = iptables-allports --logpath = /var/log/auth.log -+logpath = /var/log/secure - - [xinetd-fail] - - banaction = iptables-multiport-log --logpath = /var/log/daemon.log -+logpath = /var/log/messages - maxretry = 2 - - # .. custom jails -@@ -194,7 +192,7 @@ filter = sshd - action = hostsdeny[daemon_list=sshd] - sendmail-whois[name=SSH, dest=you@example.com] - ignoreregex = for myuser from --logpath = /var/log/sshd.log -+logpath = /var/log/secure - - # Here we use blackhole routes for not requiring any additional kernel support - # to store large volumes of banned IPs -@@ -203,7 +201,7 @@ logpath = /var/log/sshd.log - - filter = sshd - action = route --logpath = /var/log/sshd.log -+logpath = /var/log/secure - - # Here we use a combination of Netfilter/Iptables and IPsets - # for storing large volumes of banned IPs -@@ -214,13 +212,13 @@ logpath = /var/log/sshd.log - - filter = sshd - action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] --logpath = /var/log/sshd.log -+logpath = /var/log/secure - - [sshd-iptables-ipset6] - - filter = sshd - action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] --logpath = /var/log/sshd.log -+logpath = /var/log/secure - - # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" - # option is overridden in this jail. Moreover, the action "mail-whois" defines -@@ -231,7 +229,7 @@ logpath = /var/log/sshd.log - filter = sshd - action = ipfw[localhost=192.168.0.1] - sendmail-whois[name="SSH,IPFW", dest=you@example.com] --logpath = /var/log/auth.log -+logpath = /var/log/secure - - # bsd-ipfw is ipfw used by BSD. It uses ipfw tables. - # table number must be unique. -@@ -243,14 +241,14 @@ logpath = /var/log/auth.log - - filter = sshd - action = bsd-ipfw[port=ssh,table=1] --logpath = /var/log/auth.log -+logpath = /var/log/secure - - # PF is a BSD based firewall - [ssh-pf] - - filter = sshd - action = pf --logpath = /var/log/sshd.log -+logpath = /var/log/secure - maxretry= 5 - - # -@@ -260,7 +258,7 @@ maxretry= 5 - [apache-auth] - - port = http,https --logpath = /var/log/apache*/*error.log -+logpath = /var/log/httpd/*error_log - - # Ban hosts which agent identifies spammer robots crawling the web - # for email addresses. The mail outputs are buffered. -@@ -268,21 +266,20 @@ logpath = /var/log/apache*/*error.log - [apache-badbots] - - port = http,https --logpath = /var/log/apache*/*access.log -- /var/www/*/logs/access_log -+logpath = /var/log/httpd/*access_log - bantime = 172800 - maxretry = 1 - - [apache-noscript] - - port = http,https --logpath = /var/log/apache*/*error.log -+logpath = /var/log/httpd/*error_log - maxretry = 6 - - [apache-overflows] - - port = http,https --logpath = /var/log/apache*/*error.log -+logpath = /var/log/httpd/*error_log - maxretry = 2 - - # Ban attackers that try to use PHP's URL-fopen() functionality -@@ -292,7 +289,7 @@ maxretry = 2 - [php-url-fopen] - - port = http,https --logpath = /var/www/*/logs/access_log -+logpath = /var/log/httpd/*access_log - - [suhosin] - -@@ -325,7 +322,7 @@ logpath = /var/log/sogo/sogo.log - - filter = apache-auth - action = hostsdeny --logpath = /var/log/apache*/*error.log -+logpath = /var/log/httpd/*error_log - maxretry = 6 - - [3proxy] -@@ -347,7 +344,7 @@ logpath = /var/log/proftpd/proftpd.log - [pure-ftpd] - - port = ftp,ftp-data,ftps,ftps-data --logpath = /var/log/auth.log -+logpath = /var/log/secure - maxretry = 6 - - [vsftpd] -@@ -355,7 +352,7 @@ maxretry = 6 - port = ftp,ftp-data,ftps,ftps-data - logpath = /var/log/vsftpd.log - # or overwrite it in jails.local to be --# logpath = /var/log/auth.log -+# logpath = /var/log/secure - # if you want to rely on PAM failed login attempts - # vsftpd's failregex should match both of those formats - -@@ -390,12 +387,12 @@ logpath = /root/path/to/assp/logs/maill - [courier-smtp] - - port = smtp,ssmtp,submission --logpath = /var/log/mail.log -+logpath = /var/log/maillog - - [postfix] - - port = smtp,ssmtp,submission --logpath = /var/log/mail.log -+logpath = /var/log/maillog - - # The hosts.deny path can be defined with the "file" argument if it is - # not in /etc. -@@ -427,7 +424,7 @@ logpath = /var/log/exim/mainlog - [courier-auth] - - port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s --logpath = /var/log/mail.log -+logpath = /var/log/maillog - - - [sasl] -@@ -436,12 +433,12 @@ port = smtp,ssmtp,submission,imap2,i - # You might consider monitoring /var/log/mail.warn instead if you are - # running postfix since it would provide the same log lines at the - # "warn" level but overall at the smaller filesize. --logpath = /var/log/mail.log -+logpath = /var/log/maillog - - [dovecot] - - port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s --logpath = /var/log/mail.log -+logpath = /var/log/maillog - - [perdition] - diff --git a/fail2ban-logrotate b/fail2ban-logrotate deleted file mode 100644 index 4d7a6c9..0000000 --- a/fail2ban-logrotate +++ /dev/null @@ -1,9 +0,0 @@ -/var/log/fail2ban.log { - missingok - notifempty - size 30k - create 0600 root root - postrotate - /usr/bin/fail2ban-client set logtarget SYSLOG 2> /dev/null || true - endscript -} diff --git a/fail2ban-utf8.patch b/fail2ban-utf8.patch deleted file mode 100644 index d0013e7..0000000 --- a/fail2ban-utf8.patch +++ /dev/null @@ -1,18 +0,0 @@ -commit f8983872ad4297ddb3017f4818edd08892dd2129 -Author: Yaroslav Halchenko -Date: Fri Feb 1 16:07:00 2013 -0500 - - BF: return str(host) to avoid spurious characters in the logs (Close gh-113) - - thanks to opoplawski@github - -diff --git a/server/failregex.py b/server/failregex.py -index 8ce9597..b194d47 100644 ---- a/server/failregex.py -+++ b/server/failregex.py -@@ -130,4 +130,4 @@ class FailRegex(Regex): - s = self._matchCache.string - r = self._matchCache.re - raise RegexException("No 'host' found in '%s' using '%s'" % (s, r)) -- return host -+ return str(host) diff --git a/fail2ban.spec b/fail2ban.spec index 3ad6df0..04ce99a 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,19 +1,13 @@ Summary: Ban IPs that make too many password failures Name: fail2ban Version: 0.9 -Release: 0.3.git1f1a561%{?dist} +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ -#Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz -Source0: %{name}-%{version}-1f1a561.tar.xz -Source1: fail2ban-logrotate -Patch0: fail2ban-init.patch -# Fix logfile paths in jail.conf -Patch1: fail2ban-logfiles.patch -Patch6: fail2ban-log2syslog.patch +Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root -BuildRequires: python-devel >= 2.3 +BuildRequires: python-devel # For testcases BuildRequires: python-inotify BuildArch: noarch @@ -44,10 +38,7 @@ and shorewall respectively. %prep -%setup -q -n %{name}-%{version}-1f1a561 -%patch0 -p1 -b .init -%patch1 -p1 -b .logfiles -%patch6 -p1 -b .log2syslog +%setup -q %build python setup.py build @@ -66,7 +57,7 @@ mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d -install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban +install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/ install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d @@ -75,11 +66,9 @@ install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfi rm -r %{buildroot}%{_docdir}/%{name} # Testcases need network access -#%check -#./fail2ban-testcases +%check +./fail2ban-testcases-all --no-network -%clean -rm -rf %{buildroot} %post %if 0%{?fedora} >= 19 @@ -119,20 +108,17 @@ fi %endif %{_mandir}/man1/fail2ban*.1* %{_mandir}/man5/*.5* -%dir %{_sysconfdir}/fail2ban -%dir %{_sysconfdir}/fail2ban/action.d -%dir %{_sysconfdir}/fail2ban/filter.d -%dir %{_sysconfdir}/fail2ban/jail.d -%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf -%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf -%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf -%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf +%config(noreplace) %{_sysconfdir}/fail2ban %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban -%dir %{_localstatedir}/run/fail2ban/ %config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf %dir %{_localstatedir}/lib/fail2ban/ +%dir %{_localstatedir}/run/fail2ban/ + %changelog +* Mon Mar 17 2014 Orion Poplawski - 0.9-1 +- Update to 0.9 + * Tue Sep 24 2013 Orion Poplawski - 0.9-0.3.git1f1a561 - Update to current 0.9 git branch - Rebase init patch, drop jail.d and notmp patch applied upstream diff --git a/sources b/sources index 9e9d22b..78e6b89 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -6c8a581bc46712be597f3a949d036217 fail2ban-0.9-1f1a561.tar.xz +02de1ff774f3c16d23450a3ad1c43137 fail2ban-0.9.tar.gz