From 625535d32aa615aeca780768857a555e5e6855d5 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Fri, 16 Aug 2013 09:12:13 -0600 Subject: [PATCH 01/18] Add upstream patch to fix hostsdeny permission issue --- fail2ban-hostsdeny.patch | 19 +++++++++++++++++++ fail2ban.spec | 11 ++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 fail2ban-hostsdeny.patch diff --git a/fail2ban-hostsdeny.patch b/fail2ban-hostsdeny.patch new file mode 100644 index 0000000..73a771f --- /dev/null +++ b/fail2ban-hostsdeny.patch @@ -0,0 +1,19 @@ +commit aebd24ec5485dacc5146728fa22387340b51099e +Author: Daniel Black +Date: Tue Jul 2 20:09:27 2013 +1000 + + BF: replace with ed so its cross platform, fixes permission problem gh-266, and Yaroslav doesn't revert to perl + +diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf +index 50a4545..36e3494 100644 +--- a/config/action.d/hostsdeny.conf ++++ b/config/action.d/hostsdeny.conf +@@ -39,7 +39,7 @@ actionban = IP= && + # Tags: See jail.conf(5) man page + # Values: CMD + # +-actionunban = IP= && sed /ALL:\ $IP/d > .new && mv .new ++actionunban = echo "/ALL: $/
d
w
q" | ed + + [Init] + diff --git a/fail2ban.spec b/fail2ban.spec index 40164e5..da3978f 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Ban IPs that make too many password failures Name: fail2ban Version: 0.8.10 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ @@ -9,6 +9,10 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-% Source1: fail2ban-logrotate Patch0: fail2ban-0.8.3-init.patch Patch1: fail2ban-0.8.7.1-sshd.patch +# Upstream patch to fix hostsdeny permission issue +# https://github.com/fail2ban/fail2ban/issues/266 +# https://bugzilla.redhat.com/show_bug.cgi?id=997863 +Patch2: fail2ban-hostsdeny.patch Patch6: fail2ban-log2syslog.patch Patch8: fail2ban-notmp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -16,6 +20,7 @@ BuildRequires: python-devel >= 2.3 # For testcases BuildRequires: python-inotify BuildArch: noarch +Requires: ed Requires: iptables Requires: gamin-python Requires: python-inotify @@ -44,6 +49,7 @@ and shorewall respectively. %setup -q %patch0 -p1 -b .init %patch1 -p1 -b .sshd +%patch2 -p1 -b .hostsdeny %patch6 -p1 -b .log2syslog %patch8 -p1 -b .notmp @@ -127,6 +133,9 @@ fi %dir %{_localstatedir}/lib/fail2ban/ %changelog +* Fri Aug 16 2013 Orion Poplawski - 0.8.10-2 +- Add upstream patch to fix hostsdeny permission issue + * Wed Jun 12 2013 Orion Poplawski - 0.8.10-1 - Update to 0.8.10 security release - Use upstream provided systemd files From 1a340b280d50208ac5913c47783eb9fe3eb9af80 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 28 Aug 2013 12:01:35 -0600 Subject: [PATCH 02/18] Add upstream patch to fix mailx argument ordering (bug #998020) --- fail2ban-mailx.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 10 +++++++- 2 files changed, 69 insertions(+), 1 deletion(-) create mode 100644 fail2ban-mailx.patch 
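Review bot: The new `actionunban` in hostsdeny.conf uses an ed search address, which selects only the first matching line, whereas the removed `sed ... /d` form deleted every match; a host that was written to the deny file twice would stay denied after one unban. ed is also expected to exit with an error when the pattern is not found, so unbanning an entry that was already removed by hand would now report a failed action. The banned address is placed into the ed regular expression unescaped (the placeholder tags seem to have been stripped from this rendering, leaving `/ALL: $/`), which matters if the value can ever be a hostname rather than a dotted address. A comment above the option would record the limits, for example `# Removes the first matching line only; ed fails if the entry is absent.`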
diff --git a/fail2ban-mailx.patch b/fail2ban-mailx.patch
new file mode 100644
index 0000000..9801c58
--- /dev/null
+++ b/fail2ban-mailx.patch
@@ -0,0 +1,60 @@ +diff -U0 fail2ban-0.8.10/ChangeLog.mailx fail2ban-0.8.10/ChangeLog +--- fail2ban-0.8.10/ChangeLog.mailx 2013-08-28 11:57:02.631137995 -0600 ++++ fail2ban-0.8.10/ChangeLog 2013-08-28 11:58:10.150945945 -0600 +@@ -23,0 +24,3 @@ ++ Rolf Fokkens ++ * action.d/dshield.conf and complain.conf -- reorder mailx arguements. ++ https://bugzilla.redhat.com/show_bug.cgi?id=998020 +diff -up fail2ban-0.8.10/config/action.d/complain.conf.mailx fail2ban-0.8.10/config/action.d/complain.conf +--- fail2ban-0.8.10/config/action.d/complain.conf.mailx 2013-06-12 11:21:12.000000000 -0600 ++++ fail2ban-0.8.10/config/action.d/complain.conf 2013-08-28 11:57:02.631137995 -0600 +@@ -58,7 +58,7 @@ actioncheck = + actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` + IP= + if [ ! 
-z "$ADDRESSES" ]; then +- (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES ++ (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES + fi + + # Option: actionunban +diff -up fail2ban-0.8.10/config/action.d/dshield.conf.mailx fail2ban-0.8.10/config/action.d/dshield.conf +--- fail2ban-0.8.10/config/action.d/dshield.conf.mailx 2013-06-12 11:21:12.000000000 -0600 ++++ fail2ban-0.8.10/config/action.d/dshield.conf 2013-08-28 11:57:02.632137993 -0600 +@@ -39,7 +39,7 @@ actionstart = + # Values: CMD + # + actionstop = if [ -f .buffer ]; then +- cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" ++ cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" + date +%%s > .lastsent + fi + rm -f .buffer .first +@@ -80,7 +80,7 @@ actionban = TZONE=`date +%%z | sed 's/\( + LASTREPORT=$(($NOW - `cat .lastsent`)) + LINES=$( wc -l .buffer | awk '{ print $1 }' ) + if [ $LINES -ge && $LASTREPORT -gt ] || [ $LOGAGE -gt ]; then +- cat .buffer | "FORMAT DSHIELD USERID TZ $TZONE Fail2Ban" ++ cat .buffer | "FORMAT DSHIELD USERID TZ $TZONE Fail2Ban" + rm -f .buffer .first + echo $NOW > .lastsent + fi +@@ -95,7 +95,7 @@ actionunban = if [ -f .first ]; + NOW=`date +%%s` + LOGAGE=$(($NOW - `cat .first`)) + if [ $LOGAGE -gt ]; then +- cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" ++ cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" + rm -f .buffer .first + echo $NOW > .lastsent + fi +diff -up fail2ban-0.8.10/THANKS.mailx fail2ban-0.8.10/THANKS +--- fail2ban-0.8.10/THANKS.mailx 2013-08-28 11:57:02.631137995 -0600 ++++ fail2ban-0.8.10/THANKS 2013-08-28 11:58:34.542879375 -0600 +@@ -38,6 +38,7 @@ Patrick Börjesson + Raphaël Marichez + René Berber + Robert Edeker ++Rolf Fokkens + Russell Odom + Sireyessire + silviogarbes 
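Review bot: `$ADDRESSES` is passed to the mail command unquoted on the changed complain.conf line, and its value is extracted from whois output, which the local administrator does not control. The character class in the perl one-liner (`[a-z0-9_\-\.+]+@`) accepts a local part that begins with `-`, so the mailer may read such a value as an option rather than a recipient. Quoting it as `"$ADDRESSES"` and dropping candidates with a leading `-` before the `join` would close that. The stray `[[` in `(\.[[a-z0-9\-]+)+` also widens the class to include `[` and looks like a typo worth reporting upstream. The mail command placeholder appears to have been stripped from this rendering, so the removed and added lines look identical here.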
diff --git a/fail2ban.spec b/fail2ban.spec index da3978f..977830f 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Ban IPs that make too many password failures Name: fail2ban Version: 0.8.10 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ @@ -13,6 +13,10 @@ Patch1: fail2ban-0.8.7.1-sshd.patch # https://github.com/fail2ban/fail2ban/issues/266 # https://bugzilla.redhat.com/show_bug.cgi?id=997863 Patch2: fail2ban-hostsdeny.patch +# Upstream patch to fix mailx argument ordering +# https://github.com/fail2ban/fail2ban/issues/328 +# https://bugzilla.redhat.com/show_bug.cgi?id=998020 +Patch3: fail2ban-mailx.patch Patch6: fail2ban-log2syslog.patch Patch8: fail2ban-notmp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -50,6 +54,7 @@ and shorewall respectively. %patch0 -p1 -b .init %patch1 -p1 -b .sshd %patch2 -p1 -b .hostsdeny +%patch3 -p1 -b .mailx %patch6 -p1 -b .log2syslog %patch8 -p1 -b .notmp @@ -133,6 +138,9 @@ fi %dir %{_localstatedir}/lib/fail2ban/ %changelog +* Wed Aug 28 2013 Orion Poplawski - 0.8.10-3 +- Add upstream patch to fix mailx argument ordering (bug #998020) + * Fri Aug 16 2013 Orion Poplawski - 0.8.10-2 - Add upstream patch to fix hostsdeny permission issue From 49aafa1d0e90f92241409b1d8b4f81c23e1c42e5 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Mon, 25 Nov 2013 18:37:59 +0100 Subject: [PATCH 03/18] Update to 0.8.11 (#1034355) - drop part of the fail2ban-0.8.3-init.patch (merged) - fail2ban-hostsdeny.patch has been merged - fail2ban-mailx.patch has been merged - fail2ban-notmp.patch has been merged 
Signed-off-by: Adam Tkac --- fail2ban-0.8.3-init.patch | 21 ++++--------- fail2ban-0.8.7.1-sshd.patch | 12 ++++---- fail2ban-hostsdeny.patch | 19 ------------ fail2ban-log2syslog.patch | 10 +++---- fail2ban-mailx.patch | 60 ------------------------------------- fail2ban-notmp.patch | 12 -------- fail2ban.spec | 23 ++++++-------- 7 files changed, 26 insertions(+), 131 deletions(-) delete mode 100644 fail2ban-hostsdeny.patch delete mode 100644 fail2ban-mailx.patch delete mode 100644 fail2ban-notmp.patch diff --git a/fail2ban-0.8.3-init.patch b/fail2ban-0.8.3-init.patch index 3ed8609..c40256a 100644 --- a/fail2ban-0.8.3-init.patch +++ b/fail2ban-0.8.3-init.patch @@ -1,20 +1,11 @@ ---- fail2ban-0.8.3/files/redhat-initd.init 2008-03-10 23:36:22.000000000 +0100 -+++ fail2ban-0.8.3/files/redhat-initd 2008-08-24 20:46:01.000000000 +0200 +diff -up fail2ban-0.8.11/files/redhat-initd.init fail2ban-0.8.11/files/redhat-initd +--- fail2ban-0.8.11/files/redhat-initd.init 2013-11-25 18:07:00.191938851 +0100 ++++ fail2ban-0.8.11/files/redhat-initd 2013-11-25 18:07:49.576801893 +0100 @@ -1,6 +1,6 @@ #!/bin/bash # -# chkconfig: 345 92 08 +# chkconfig: - 92 08 - # description: Fail2ban daemon - # http://fail2ban.sourceforge.net/wiki/index.php/Main_Page - # process name: fail2ban-server -@@ -27,8 +27,7 @@ - echo -n $"Starting fail2ban: " - getpid - if [ -z "$pid" ]; then -- rm -rf /var/run/fail2ban/fail2ban.sock # in case of unclean shutdown -- $FAIL2BAN start > /dev/null -+ $FAIL2BAN -x start > /dev/null - RETVAL=$? - fi - if [ $RETVAL -eq 0 ]; then + # processname: fail2ban-server + # config: /etc/fail2ban/fail2ban.conf + # pidfile: /var/run/fail2ban/fail2ban.pid diff --git a/fail2ban-0.8.7.1-sshd.patch b/fail2ban-0.8.7.1-sshd.patch index aa3773e..1d7fe5f 100644 --- a/fail2ban-0.8.7.1-sshd.patch +++ b/fail2ban-0.8.7.1-sshd.patch 
@@ -1,7 +1,7 @@ -diff -up fail2ban-0.8.7.1/config/jail.conf.sshd fail2ban-0.8.7.1/config/jail.conf ---- fail2ban-0.8.7.1/config/jail.conf.sshd 2012-07-31 19:45:04.000000000 -0600 -+++ fail2ban-0.8.7.1/config/jail.conf 2012-10-11 11:47:33.131451895 -0600 -@@ -62,11 +62,11 @@ usedns = warn +diff -up fail2ban-0.8.11/config/jail.conf.sshd fail2ban-0.8.11/config/jail.conf +--- fail2ban-0.8.11/config/jail.conf.sshd 2013-11-25 18:08:08.034123038 +0100 ++++ fail2ban-0.8.11/config/jail.conf 2013-11-25 18:16:28.107917373 +0100 +@@ -71,11 +71,11 @@ usedns = warn [ssh-iptables] @@ -9,9 +9,9 @@ diff -up fail2ban-0.8.7.1/config/jail.conf.sshd fail2ban-0.8.7.1/config/jail.con +enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] -- sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com] +- sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] -logpath = /var/log/sshd.log -+ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] ++ sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"] +logpath = /var/log/secure maxretry = 5 diff --git a/fail2ban-hostsdeny.patch b/fail2ban-hostsdeny.patch deleted file mode 100644 index 73a771f..0000000 --- a/fail2ban-hostsdeny.patch +++ /dev/null @@ -1,19 +0,0 @@ -commit aebd24ec5485dacc5146728fa22387340b51099e -Author: Daniel Black -Date: Tue Jul 2 20:09:27 2013 +1000 - - BF: replace with ed so its cross platform, fixes permission problem gh-266, and Yaroslav doesn't revert to perl - -diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf -index 50a4545..36e3494 100644 ---- a/config/action.d/hostsdeny.conf -+++ b/config/action.d/hostsdeny.conf -@@ -39,7 +39,7 @@ actionban = IP= && - # Tags: See jail.conf(5) man page - # Values: CMD - # --actionunban = IP= && sed /ALL:\ $IP/d > .new && mv .new -+actionunban = echo "/ALL: $/
d
w
q" | ed - - [Init] - diff --git a/fail2ban-log2syslog.patch b/fail2ban-log2syslog.patch index 49c220d..3646a8a 100644 --- a/fail2ban-log2syslog.patch +++ b/fail2ban-log2syslog.patch @@ -1,9 +1,9 @@ -diff -up fail2ban-0.8.10/config/fail2ban.conf.log2syslog fail2ban-0.8.10/config/fail2ban.conf ---- fail2ban-0.8.10/config/fail2ban.conf.log2syslog 2013-06-12 11:21:12.000000000 -0600 -+++ fail2ban-0.8.10/config/fail2ban.conf 2013-06-12 16:12:48.233512068 -0600 +diff -up fail2ban-0.8.11/config/fail2ban.conf.log2syslog fail2ban-0.8.11/config/fail2ban.conf +--- fail2ban-0.8.11/config/fail2ban.conf.log2syslog 2013-11-25 18:23:28.627391472 +0100 ++++ fail2ban-0.8.11/config/fail2ban.conf 2013-11-25 18:24:57.633978793 +0100 @@ -30,7 +30,7 @@ loglevel = 3 - # (e.g. /etc/logrotate.d/fail2ban on Debian systems) - # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log + # (e.g. /etc/logrotate.d/fail2ban on Debian systems) + # Values: [ STDOUT | STDERR | SYSLOG | FILE ] Default: STDERR # -logtarget = /var/log/fail2ban.log +logtarget = SYSLOG diff --git a/fail2ban-mailx.patch b/fail2ban-mailx.patch deleted file mode 100644 index 9801c58..0000000 --- a/fail2ban-mailx.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -diff -U0 fail2ban-0.8.10/ChangeLog.mailx fail2ban-0.8.10/ChangeLog ---- fail2ban-0.8.10/ChangeLog.mailx 2013-08-28 11:57:02.631137995 -0600 -+++ fail2ban-0.8.10/ChangeLog 2013-08-28 11:58:10.150945945 -0600 -@@ -23,0 +24,3 @@ -+ Rolf Fokkens -+ * action.d/dshield.conf and complain.conf -- reorder mailx arguements. -+ https://bugzilla.redhat.com/show_bug.cgi?id=998020 -diff -up fail2ban-0.8.10/config/action.d/complain.conf.mailx fail2ban-0.8.10/config/action.d/complain.conf ---- fail2ban-0.8.10/config/action.d/complain.conf.mailx 2013-06-12 11:21:12.000000000 -0600 -+++ fail2ban-0.8.10/config/action.d/complain.conf 2013-08-28 11:57:02.631137995 -0600 -@@ -58,7 +58,7 @@ actioncheck = - actionban = ADDRESSES=`whois | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` - IP= - if [ ! 
-z "$ADDRESSES" ]; then -- (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES -+ (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES - fi - - # Option: actionunban -diff -up fail2ban-0.8.10/config/action.d/dshield.conf.mailx fail2ban-0.8.10/config/action.d/dshield.conf ---- fail2ban-0.8.10/config/action.d/dshield.conf.mailx 2013-06-12 11:21:12.000000000 -0600 -+++ fail2ban-0.8.10/config/action.d/dshield.conf 2013-08-28 11:57:02.632137993 -0600 -@@ -39,7 +39,7 @@ actionstart = - # Values: CMD - # - actionstop = if [ -f .buffer ]; then -- cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" -+ cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" - date +%%s > .lastsent - fi - rm -f .buffer .first -@@ -80,7 +80,7 @@ actionban = TZONE=`date +%%z | sed 's/\( - LASTREPORT=$(($NOW - `cat .lastsent`)) - LINES=$( wc -l .buffer | awk '{ print $1 }' ) - if [ $LINES -ge && $LASTREPORT -gt ] || [ $LOGAGE -gt ]; then -- cat .buffer | "FORMAT DSHIELD USERID TZ $TZONE Fail2Ban" -+ cat .buffer | "FORMAT DSHIELD USERID TZ $TZONE Fail2Ban" - rm -f .buffer .first - echo $NOW > .lastsent - fi -@@ -95,7 +95,7 @@ actionunban = if [ -f .first ]; - NOW=`date +%%s` - LOGAGE=$(($NOW - `cat .first`)) - if [ $LOGAGE -gt ]; then -- cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" -+ cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" - rm -f .buffer .first - echo $NOW > .lastsent - fi -diff -up fail2ban-0.8.10/THANKS.mailx fail2ban-0.8.10/THANKS ---- fail2ban-0.8.10/THANKS.mailx 2013-08-28 11:57:02.631137995 -0600 -+++ fail2ban-0.8.10/THANKS 2013-08-28 11:58:34.542879375 -0600 -@@ -38,6 +38,7 @@ Patrick Börjesson - Raphaël Marichez - René Berber - Robert Edeker -+Rolf Fokkens - Russell Odom - Sireyessire - silviogarbes 
diff --git a/fail2ban-notmp.patch b/fail2ban-notmp.patch deleted file mode 100644 index 8799101..0000000 --- a/fail2ban-notmp.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up fail2ban-0.8.10/client/fail2banreader.py.notmp fail2ban-0.8.10/client/fail2banreader.py ---- fail2ban-0.8.10/client/fail2banreader.py.notmp 2013-06-12 11:21:12.000000000 -0600 -+++ fail2ban-0.8.10/client/fail2banreader.py 2013-06-12 16:17:43.820837700 -0600 -@@ -39,7 +39,7 @@ class Fail2banReader(ConfigReader): - ConfigReader.read(self, "fail2ban") - - def getEarlyOptions(self): -- opts = [["string", "socket", "/tmp/fail2ban.sock"], -+ opts = [["string", "socket", "/var/run/fail2ban/fail2ban.sock"], - ["string", "pidfile", "/var/run/fail2ban/fail2ban.pid"]] - return ConfigReader.getOptions(self, "Definition", opts) - diff --git a/fail2ban.spec b/fail2ban.spec index 977830f..0f34d7a 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Ban IPs that make too many password failures Name: fail2ban -Version: 0.8.10 -Release: 3%{?dist} +Version: 0.8.11 +Release: 1%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ @@ -9,16 +9,7 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-% Source1: fail2ban-logrotate Patch0: fail2ban-0.8.3-init.patch Patch1: fail2ban-0.8.7.1-sshd.patch -# Upstream patch to fix hostsdeny permission issue -# https://github.com/fail2ban/fail2ban/issues/266 -# https://bugzilla.redhat.com/show_bug.cgi?id=997863 -Patch2: fail2ban-hostsdeny.patch -# Upstream patch to fix mailx argument ordering -# https://github.com/fail2ban/fail2ban/issues/328 -# https://bugzilla.redhat.com/show_bug.cgi?id=998020 -Patch3: fail2ban-mailx.patch Patch6: fail2ban-log2syslog.patch -Patch8: fail2ban-notmp.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: python-devel >= 2.3 # For testcases 
@@ -53,10 +44,7 @@ and shorewall respectively. %setup -q %patch0 -p1 -b .init %patch1 -p1 -b .sshd -%patch2 -p1 -b .hostsdeny -%patch3 -p1 -b .mailx %patch6 -p1 -b .log2syslog -%patch8 -p1 -b .notmp %build python setup.py build @@ -138,6 +126,13 @@ fi %dir %{_localstatedir}/lib/fail2ban/ %changelog +* Mon Nov 25 2013 Adam Tkac - 0.8.11-1 +- update to 0.8.11 (#1034355) +- drop part of the fail2ban-0.8.3-init.patch (merged) +- fail2ban-hostsdeny.patch has been merged +- fail2ban-mailx.patch has been merged +- fail2ban-notmp.patch has been merged + * Wed Aug 28 2013 Orion Poplawski - 0.8.10-3 - Add upstream patch to fix mailx argument ordering (bug #998020) From 40572929e08ba2793b5b637a13c27860373841fb Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Mon, 25 Nov 2013 18:43:53 +0100 Subject: [PATCH 04/18] Upload 0.8.11 tar.gz Signed-off-by: Adam Tkac --- .gitignore | 1 + sources | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index fa2b88b..2d214e7 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban_0.8.7.1.orig.tar.gz /fail2ban_0.8.8.orig.tar.gz /fail2ban-0.8.10.tar.gz +/fail2ban-0.8.11.tar.gz diff --git a/sources b/sources index 72b95f0..0836756 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -48327ac0f5938dcc2f82c63728fc8918 fail2ban-0.8.10.tar.gz +2182a21c7efd885f373ffc941d11914d fail2ban-0.8.11.tar.gz From 594618426a28507baddee0313989d76b77d3b241 Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 3 Dec 2013 14:10:47 +0100 Subject: [PATCH 05/18] Include post-release patch for apache-auth filter Signed-off-by: Adam Tkac --- ...s-using-error-log-weren-t-matched-wh.patch | 99 +++++++++++++++++++ fail2ban.spec | 7 +- 2 files changed, 105 insertions(+), 1 deletion(-) create mode 100644 0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch 
diff --git a/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch b/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch
new file mode 100644
index 0000000..e30916c
--- /dev/null
+++ b/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch
@@ -0,0 +1,99 @@ +From 284f811c912af2f683c7eb150011337912516934 Mon Sep 17 00:00:00 2001 +From: Daniel Black +Date: Tue, 19 Nov 2013 10:27:55 +1100 +Subject: [PATCH] BF: apache filters using error log weren't matched when + referer existed in HTTP header + +--- + config/filter.d/apache-auth.conf | 26 ++++++++++++++------------ + config/filter.d/apache-noscript.conf | 4 ++-- + config/filter.d/apache-overflows.conf | 2 +- + testcases/files/logs/apache-auth | 3 +++ + 6 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf +index 3df91c1..f421348 100644 +--- a/config/filter.d/apache-auth.conf ++++ b/config/filter.d/apache-auth.conf +@@ -10,19 +10,19 @@ before = apache-common.conf + [Definition] + + +-failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$ +- ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$ +- ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$ +- ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$ ++failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ ++ ^%(_apache_error_client)s (AH01618: )?user .*? 
not found(: )?\S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ + ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ +- ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$ +- ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$ +- ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$ +- ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$ +- ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$ +- ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$ +- ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$ +- ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$ ++ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? 
received - user attempted time travel(, referer: \S+)?\s*$ + + ignoreregex = + +@@ -50,5 +50,7 @@ ignoreregex = + # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ + # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ + # ++# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c ++# + # Author: Cyril Jaquier + # Major edits by Daniel Black +diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf +index f3c6246..7ea257b 100644 +--- a/config/filter.d/apache-noscript.conf ++++ b/config/filter.d/apache-noscript.conf +@@ -9,8 +9,8 @@ before = apache-common.conf + + [Definition] + +-failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ +- ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ ++failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$ ++ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$ + + ignoreregex = + +diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf +index 9255152..74e44b8 100644 +--- a/config/filter.d/apache-overflows.conf ++++ b/config/filter.d/apache-overflows.conf +@@ -8,7 +8,7 @@ before = apache-common.conf + + [Definition] + +-failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)$ ++failregex = ^%(_apache_error_client)s 
((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$ + + ignoreregex = + +diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth +index d6c40ac..787d160 100644 +--- a/testcases/files/logs/apache-auth ++++ b/testcases/files/logs/apache-auth +@@ -115,3 +115,6 @@ + + # failJSON: { "time": "2013-06-01T02:17:42", "match": true , "host": "192.168.0.2" } + [Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found ++ ++# failJSON: { "time": "2013-11-18T22:39:33", "match": true , "host": "91.49.82.139" } ++[Mon Nov 18 22:39:33 2013] [error] [client 91.49.82.139] user gg not found: /, referer: http://sj.hopto.org/management.html +-- +1.8.3.1 + diff --git a/fail2ban.spec b/fail2ban.spec index 0f34d7a..73c695d 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Ban IPs that make too many password failures Name: fail2ban Version: 0.8.11 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Daemons URL: http://fail2ban.sourceforge.net/ @@ -10,6 +10,7 @@ Source1: fail2ban-logrotate Patch0: fail2ban-0.8.3-init.patch Patch1: fail2ban-0.8.7.1-sshd.patch Patch6: fail2ban-log2syslog.patch +Patch7: 0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: python-devel >= 2.3 # For testcases @@ -45,6 +46,7 @@ and shorewall respectively. %patch0 -p1 -b .init %patch1 -p1 -b .sshd %patch6 -p1 -b .log2syslog +%patch7 -p1 -b .apache-authfix %build python setup.py build 
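Review bot: The optional suffix `(, referer: \S+)?` added to the failregex lines in apache-auth.conf, apache-noscript.conf and apache-overflows.conf only matches a referer that contains no whitespace, and the Referer header is supplied by the client. If Apache writes the header to the error log verbatim (worth confirming against log_error_core, which the added comment cites), such a line matches none of the patterns and the failure goes uncounted. `(, referer: .*)?` would keep the match, and the host would still come from the `[client ...]` prefix at the start of the line, assuming `_apache_error_client` is anchored there as the `^` suggests. Separately, the new line in testcases/files/logs/apache-auth carries what looks like a real client address and hostname; a documentation-range address such as `192.0.2.1` with `example.com` would be safer to ship.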
@@ -126,6 +128,9 @@ fi %dir %{_localstatedir}/lib/fail2ban/ %changelog +* Tue Dec 03 2013 Adam Tkac - 0.8.11-2 +- include post-release patch for apache-auth filter + * Mon Nov 25 2013 Adam Tkac - 0.8.11-1 - update to 0.8.11 (#1034355) - drop part of the fail2ban-0.8.3-init.patch (merged) From f903335247ba0310992d454aac90c4c9fef67abe Mon Sep 17 00:00:00 2001 From: Adam Tkac Date: Tue, 3 Dec 2013 16:19:21 +0100 Subject: [PATCH 06/18] Fix firewalld support (#979622, comment 18) Signed-off-by: Adam Tkac --- fail2ban-0.8.11-singlejail.patch | 12 ++++++++++++ fail2ban.spec | 3 +++ 2 files changed, 15 insertions(+) create mode 100644 fail2ban-0.8.11-singlejail.patch diff --git a/fail2ban-0.8.11-singlejail.patch b/fail2ban-0.8.11-singlejail.patch new file mode 100644 index 0000000..9419c83 --- /dev/null +++ b/fail2ban-0.8.11-singlejail.patch @@ -0,0 +1,12 @@ +diff -up fail2ban-0.8.11/config/action.d/firewall-cmd-direct-new.conf.singlejail fail2ban-0.8.11/config/action.d/firewall-cmd-direct-new.conf +--- fail2ban-0.8.11/config/action.d/firewall-cmd-direct-new.conf.singlejail 2013-12-03 16:17:48.282238194 +0100 ++++ fail2ban-0.8.11/config/action.d/firewall-cmd-direct-new.conf 2013-12-03 16:17:57.421402502 +0100 +@@ -20,7 +20,7 @@ actionstop = firewall-cmd --direct --rem + firewall-cmd --direct --remove-rules ipv4 filter fail2ban- + firewall-cmd --direct --remove-chain ipv4 filter fail2ban- + +-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]' ++actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-$|fail2ban- ' + + actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j + diff --git a/fail2ban.spec b/fail2ban.spec index 73c695d..8769761 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
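Review bot: The new `actioncheck` pattern `'fail2ban-$|fail2ban- '` in firewall-cmd-direct-new.conf is anchored on the right only, so a chain whose name merely ends with this jail's chain name also satisfies the check, and the jail name is used inside the regular expression unescaped. The name tag appears to have been stripped from this rendering. Anchoring both sides, e.g. `grep -Eq '(^|[[:space:]])fail2ban-<name>([[:space:]]|$)'`, keeps the single-jail fix and avoids a check that passes while the jail's own chain is missing. A one-line comment saying why the end-of-line alternative is needed (presumably the last chain in the output has no trailing separator) would help the next maintainer.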
@@ -11,6 +11,7 @@ Patch0: fail2ban-0.8.3-init.patch Patch1: fail2ban-0.8.7.1-sshd.patch Patch6: fail2ban-log2syslog.patch Patch7: 0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch +Patch8: fail2ban-0.8.11-singlejail.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: python-devel >= 2.3 # For testcases @@ -47,6 +48,7 @@ and shorewall respectively. %patch1 -p1 -b .sshd %patch6 -p1 -b .log2syslog %patch7 -p1 -b .apache-authfix +%patch8 -p1 -b .singlejail %build python setup.py build @@ -130,6 +132,7 @@ fi %changelog * Tue Dec 03 2013 Adam Tkac - 0.8.11-2 - include post-release patch for apache-auth filter +- fix firewalld support (#979622, comment 18) * Mon Nov 25 2013 Adam Tkac - 0.8.11-1 - update to 0.8.11 (#1034355) From 1e5fef520eacf80463ffaf1feefa4ad70d7f6d5a Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 9 Mar 2016 12:02:13 -0700 Subject: [PATCH 07/18] Revert "Use python3 (bug #1282498)" This reverts commit 3454a2012a174aea6aa8ef1a64b9773f86ff0334. Conflicts: fail2ban.spec --- fail2ban.spec | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index d7024c0..ab85ba6 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -13,11 +13,9 @@ Patch0: fail2ban-test.patch # https://github.com/fail2ban/fail2ban/issues/1354 Patch1: fail2ban-mysql.patch -BuildRequires: python3-devel -# For 2to3 -BuildRequires: python2-tools +BuildRequires: python-devel # For testcases -BuildRequires: python3-inotify +BuildRequires: python-inotify BuildArch: noarch %if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: systemd @@ -48,7 +46,7 @@ configurations. %package server Summary: Core server component for Fail2Ban %if 0%{?fedora} || 0%{?rhel} >= 7 -Requires: python3-systemd +Requires: systemd-python Requires(post): systemd Requires(preun): systemd Requires(postun): systemd 
@@ -75,12 +73,10 @@ Requires: %{name}-mail = %{version}-%{release} Requires: %{name}-sendmail = %{version}-%{release} Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} -# Currently this breaks jails that don't log to the journal #Requires: %{name}-systemd = %{version}-%{release} -# No python3 support for gamin -#Requires: gamin-python +Requires: gamin-python Requires: perl -Requires: python3-inotify +Requires: python-inotify Requires: /usr/bin/whois %description all @@ -154,13 +150,12 @@ by default. sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf # Start after firewalld (https://bugzilla.redhat.com/show_bug.cgi?id=1067147) sed -i -e '/^After=/s/$/ firewalld.service/' files/fail2ban.service -2to3 --write --nobackups . %build -%py3_build +%py_build %install -%py3_install +%py_install %if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} @@ -205,7 +200,7 @@ rm -r %{buildroot}%{_docdir}/%{name} %check # Need a UTF-8 locale to work export LANG=en_US.UTF-8 -./fail2ban-testcases-all-python3 --no-network +./fail2ban-testcases-all --no-network %post server %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -237,7 +232,7 @@ fi %{_bindir}/fail2ban-client %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-testcases -%{python3_sitelib}/* +%{python_sitelib}/* %if 0%{?fedora} || 0%{?rhel} >= 7 %{_unitdir}/fail2ban.service %else @@ -284,9 +279,6 @@ fi - Update to 0.9.4 - Use mariadb log path by default -* Tue Feb 23 2016 Orion Poplawski - 0.9.3-3 -- Use python3 (bug #1282498) - * Wed Feb 03 2016 Fedora Release Engineering - 0.9.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild From cc9d6fbb2c266583fd251d86483d6382bb49ad7d Mon Sep 17 00:00:00 2001 
From: Orion Poplawski Date: Wed, 9 Mar 2016 14:27:16 -0700 Subject: [PATCH 08/18] No longer need to add After=firewalld.service (bug #1301910) Conflicts: fail2ban.spec --- fail2ban.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 946077a..90e01a5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.9.4 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -148,8 +148,6 @@ by default. %patch1 -p1 -b .mysql # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf -# Start after firewalld (https://bugzilla.redhat.com/show_bug.cgi?id=1067147) -sed -i -e '/^After=/s/$/ firewalld.service/' files/fail2ban.service %build %py_build @@ -275,6 +273,9 @@ fi %changelog +* Wed Mar 9 2016 Orion Poplawski - 0.9.4-3 +- No longer need to add After=firewalld.service (bug #1301910) + * Wed Mar 9 2016 Orion Poplawski - 0.9.4-2 - Fix mariadb/mysql log handling From 04c18b4f10ff4d616e344a27bde8029cdfca4faa Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Sun, 27 Mar 2016 11:28:56 -0600 Subject: [PATCH 09/18] Use %{_tmpfilesdir} for systemd tmpfile config --- fail2ban.spec | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 90e01a5..adbe7e6 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.9.4 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz 
@@ -169,8 +169,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/ install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ -mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d -install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf +mkdir -p %{buildroot}%{_tmpfilesdir} +install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf @@ -246,7 +246,7 @@ fi %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban -%config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf +%{_tmpfilesdir}/fail2ban.conf %dir %{_localstatedir}/lib/fail2ban/ %dir %{_localstatedir}/run/fail2ban/ @@ -273,6 +273,9 @@ fi %changelog +* Sun Mar 27 2016 Orion Poplawski - 0.9.4-4 +- Use %%{_tmpfilesdir} for systemd tmpfile config + * Wed Mar 9 2016 Orion Poplawski - 0.9.4-3 - No longer need to add After=firewalld.service (bug #1301910) From a0b29d90581cf0b1a3d72036c499b318553b81ef Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Sun, 25 Sep 2016 09:47:36 -0600 Subject: [PATCH 10/18] Update to 0.9.5 - Drop mysql patch applied upstream Conflicts: fail2ban.spec --- .gitignore | 1 + fail2ban-mysql.patch | 19 ------------------- fail2ban.spec | 12 ++++++------ sources | 2 +- 4 files changed, 8 insertions(+), 26 deletions(-) delete mode 100644 fail2ban-mysql.patch diff --git a/.gitignore b/.gitignore index fc9ed14..ffc3ada 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.9.2.tar.gz /fail2ban-0.9.3.tar.gz /fail2ban-0.9.4.tar.gz +/fail2ban-0.9.5.tar.gz 
diff --git a/fail2ban-mysql.patch b/fail2ban-mysql.patch deleted file mode 100644 index 4eb52a3..0000000 --- a/fail2ban-mysql.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/config/paths-fedora.conf b/config/paths-fedora.conf -index b3c978c..d13645b 100644 ---- a/config/paths-fedora.conf -+++ b/config/paths-fedora.conf -@@ -34,7 +34,8 @@ apache_access_log = /var/log/httpd/*access_log - - exim_main_log = /var/log/exim/main.log - --mysql_log = /var/lib/mysql/mysqld.log -+mysql_log = /var/log/mariadb/mariadb.log -+ /var/log/mysqld.log - - roundcube_errors_log = /var/log/roundcubemail/errors - -@@ -48,4 +49,3 @@ pureftpd_backend = systemd - wuftpd_backend = systemd - postfix_backend = systemd - dovecot_backend = systemd --mysql_backend = systemd diff --git a/fail2ban.spec b/fail2ban.spec index adbe7e6..ba82b17 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban -Version: 0.9.4 -Release: 4%{?dist} +Version: 0.9.5 +Release: 1%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -9,9 +9,6 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-% # Fix failing test # https://github.com/fail2ban/fail2ban/issues/1353 Patch0: fail2ban-test.patch -# Fix mysql log path -# https://github.com/fail2ban/fail2ban/issues/1354 -Patch1: fail2ban-mysql.patch BuildRequires: python-devel # For testcases @@ -145,7 +142,6 @@ by default. %prep %setup -q %patch0 -p1 -b .test -%patch1 -p1 -b .mysql # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -273,6 +269,10 @@ fi %changelog +* Sun Sep 25 2016 Orion Poplawski - 0.9.5-1 +- Update to 0.9.5 +- Drop mysql patch applied upstream + * Sun Mar 27 2016 Orion Poplawski - 0.9.4-4 - Use %%{_tmpfilesdir} for systemd tmpfile config 
diff --git a/sources b/sources
index 6113bd9..7cb27dc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2dc93dff03c4da9fb95d4695e07b65d8 fail2ban-0.9.4.tar.gz
+1b59fc84a40b790e3f959257d64ab313 fail2ban-0.9.5.tar.gz
From cca1cc057181b390e01e96fbf189f2ff26dd8fab Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Mon, 3 Oct 2016 12:14:07 -0600
Subject: [PATCH 11/18] Add patch to fix failing test
---
...e12f701807a8d89bfe57c9f7f492375a0a53.patch | 60 +++++++++++++++++++
fail2ban.spec | 7 +++
2 files changed, 67 insertions(+)
create mode 100644 c49fe12f701807a8d89bfe57c9f7f492375a0a53.patch
diff --git a/c49fe12f701807a8d89bfe57c9f7f492375a0a53.patch b/c49fe12f701807a8d89bfe57c9f7f492375a0a53.patch
new file mode 100644
index 0000000..848ef2a
--- /dev/null
+++ b/c49fe12f701807a8d89bfe57c9f7f492375a0a53.patch
@@ -0,0 +1,60 @@ +From c49fe12f701807a8d89bfe57c9f7f492375a0a53 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Mon, 15 Aug 2016 12:53:40 +0200 +Subject: [PATCH] fix fail2banregextestcase using setUpMyTime/tearDownMyTime: + always use correct static time as base-time (using mock up MyTime), correct + datetimes inside test + +--- + fail2ban/tests/fail2banregextestcase.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/fail2ban/tests/fail2banregextestcase.py b/fail2ban/tests/fail2banregextestcase.py +index 3321ffd..1119efd 100644 +--- a/fail2ban/tests/fail2banregextestcase.py ++++ b/fail2ban/tests/fail2banregextestcase.py +@@ -39,7 +39,7 @@ + + from ..client import fail2banregex + from ..client.fail2banregex import Fail2banRegex, get_opt_parser, output +-from .utils import LogCaptureTestCase, logSys ++from .utils import setUpMyTime, tearDownMyTime, LogCaptureTestCase, logSys + from .utils import CONFIG_DIR + + +@@ -70,10 +70,12 @@ class Fail2banRegexTest(LogCaptureTestCase): + def setUp(self): + """Call before every test case.""" + LogCaptureTestCase.setUp(self) ++ setUpMyTime() + + def tearDown(self): + """Call after every test case.""" + LogCaptureTestCase.tearDown(self) ++ tearDownMyTime() + + def testWrongRE(self): + (opts, args, fail2banRegex) = _Fail2banRegex( +@@ -159,8 +161,8 @@ def testVerbose(self): + self.assertTrue(fail2banRegex.start(opts, args)) + self.assertLogged('Lines: 13 lines, 0 ignored, 5 matched, 8 missed') + +- self.assertLogged('141.3.81.106 Fri Aug 14 11:53:59 2015') +- self.assertLogged('141.3.81.106 Fri Aug 14 11:54:59 2015') ++ self.assertLogged('141.3.81.106 Sun Aug 14 11:53:59 2005') ++ self.assertLogged('141.3.81.106 Sun Aug 14 11:54:59 2005') + + def testWronChar(self): + (opts, args, fail2banRegex) = _Fail2banRegex( +@@ -169,9 +171,8 @@ def testWronChar(self): + self.assertTrue(fail2banRegex.start(opts, args)) + self.assertLogged('Lines: 4 lines, 0 ignored, 2 matched, 2 missed') + +- 
self.assertLogged('Error decoding line'); +- self.assertLogged('Continuing to process line ignoring invalid characters:', '2015-01-14 20:00:58 user '); +- self.assertLogged('Continuing to process line ignoring invalid characters:', '2015-01-14 20:00:59 user '); ++ self.assertLogged('Error decoding line') ++ self.assertLogged('Continuing to process line ignoring invalid characters:') + + self.assertLogged('Nov 8 00:16:12 main sshd[32548]: input_userauth_request: invalid user llinco') + self.assertLogged('Nov 8 00:16:12 main sshd[32547]: pam_succeed_if(sshd:auth): error retrieving information about user llinco') diff --git a/fail2ban.spec b/fail2ban.spec index ba82b17..4522f9e 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -9,6 +9,9 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-% # Fix failing test # https://github.com/fail2ban/fail2ban/issues/1353 Patch0: fail2ban-test.patch +# Upstream patch to fix failing tests +# https://github.com/fail2ban/fail2ban/commit/c49fe12f701807a8d89bfe57c9f7f492375a0a53 +Patch1: https://github.com/fail2ban/fail2ban/commit/c49fe12f701807a8d89bfe57c9f7f492375a0a53.patch BuildRequires: python-devel # For testcases @@ -142,6 +145,7 @@ by default. %prep %setup -q %patch0 -p1 -b .test +%patch1 -p1 # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf @@ -269,6 +273,9 @@ fi %changelog +* Mon Oct 3 2016 Orion Poplawski - 0.9.5-1 +- Add patch to fix failing test + * Sun Sep 25 2016 Orion Poplawski - 0.9.5-1 - Update to 0.9.5 - Drop mysql patch applied upstream From 7a716eded05f657b4f077038c6c2e83b09fdb541 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Mon, 3 Oct 2016 13:32:37 -0600 Subject: [PATCH 12/18] Remove old patch --- ...s-using-error-log-weren-t-matched-wh.patch | 99 ------------------- 1 file changed, 99 deletions(-) delete mode 100644 0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch 
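Review bot: In `tearDown` the added `tearDownMyTime()` runs after `LogCaptureTestCase.tearDown(self)`, so cleanup is not the reverse of `setUp`, and the mocked time stays in place for later tests if the base teardown raises. Undo the time mock first, i.e. `tearDownMyTime()` followed by `LogCaptureTestCase.tearDown(self)`. A one-line comment such as `# restore real time before the log capture is torn down` would make the ordering intentional.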
diff --git a/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch b/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch
deleted file mode 100644
index e30916c..0000000
--- a/0001-BF-apache-filters-using-error-log-weren-t-matched-wh.patch
+++ /dev/null
@@ -1,99 +0,0 @@ -From 284f811c912af2f683c7eb150011337912516934 Mon Sep 17 00:00:00 2001 -From: Daniel Black -Date: Tue, 19 Nov 2013 10:27:55 +1100 -Subject: [PATCH] BF: apache filters using error log weren't matched when - referer existed in HTTP header - ---- - config/filter.d/apache-auth.conf | 26 ++++++++++++++------------ - config/filter.d/apache-noscript.conf | 4 ++-- - config/filter.d/apache-overflows.conf | 2 +- - testcases/files/logs/apache-auth | 3 +++ - 6 files changed, 22 insertions(+), 15 deletions(-) - -diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf -index 3df91c1..f421348 100644 ---- a/config/filter.d/apache-auth.conf -+++ b/config/filter.d/apache-auth.conf -@@ -10,19 +10,19 @@ before = apache-common.conf - [Definition] - - --failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*\s*$ -- ^%(_apache_error_client)s (AH01617: )?user .* authentication failure for "\S*": Password Mismatch$ -- ^%(_apache_error_client)s (AH01618: )?user .* not found(: )?\S*\s*$ -- ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*\s*$ -+failregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ -+ ^%(_apache_error_client)s (AH01618: )?user .*? 
not found(: )?\S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ - ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ -- ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*: password mismatch: \S*\s*$ -- ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*' in realm `.+' (not found|denied by provider): \S*\s*$ -- ^%(_apache_error_client)s (AH01631: )?user .*: authorization failure for "\S*":\s*$ -- ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+\s*$ -- ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*' but expected `.+'\s*$ -- ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*' received: \S*\s*$ -- ^%(_apache_error_client)s (AH01793: )?invalid qop `.*' received: \S*\s*$ -- ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .* received - user attempted time travel\s*$ -+ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? 
received - user attempted time travel(, referer: \S+)?\s*$ - - ignoreregex = - -@@ -50,5 +50,7 @@ ignoreregex = - # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ - # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ - # -+# referer is always in error log messages if it exists added as per the log_error_core function in server/log.c -+# - # Author: Cyril Jaquier - # Major edits by Daniel Black -diff --git a/config/filter.d/apache-noscript.conf b/config/filter.d/apache-noscript.conf -index f3c6246..7ea257b 100644 ---- a/config/filter.d/apache-noscript.conf -+++ b/config/filter.d/apache-noscript.conf -@@ -9,8 +9,8 @@ before = apache-common.conf - - [Definition] - --failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)\s*$ -- ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ -+failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(\.php|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$ -+ ^%(_apache_error_client)s script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$ - - ignoreregex = - -diff --git a/config/filter.d/apache-overflows.conf b/config/filter.d/apache-overflows.conf -index 9255152..74e44b8 100644 ---- a/config/filter.d/apache-overflows.conf -+++ b/config/filter.d/apache-overflows.conf -@@ -8,7 +8,7 @@ before = apache-common.conf - - [Definition] - --failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)$ -+failregex = ^%(_apache_error_client)s 
((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$ - - ignoreregex = - -diff --git a/testcases/files/logs/apache-auth b/testcases/files/logs/apache-auth -index d6c40ac..787d160 100644 ---- a/testcases/files/logs/apache-auth -+++ b/testcases/files/logs/apache-auth -@@ -115,3 +115,6 @@ - - # failJSON: { "time": "2013-06-01T02:17:42", "match": true , "host": "192.168.0.2" } - [Sat Jun 01 02:17:42 2013] [error] [client 192.168.0.2] user root not found -+ -+# failJSON: { "time": "2013-11-18T22:39:33", "match": true , "host": "91.49.82.139" } -+[Mon Nov 18 22:39:33 2013] [error] [client 91.49.82.139] user gg not found: /, referer: http://sj.hopto.org/management.html --- -1.8.3.1 - From 3250c55db619c1f1407cce9f637f79b397dbbf32 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 15 Feb 2017 11:18:40 -0700 Subject: [PATCH 13/18] Properly handle /run/fail2ban (bug #1422500) Conflicts: fail2ban.spec --- fail2ban.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index dbe0a24..c5645a1 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.9.6 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz 
@@ -181,6 +181,7 @@ install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban install -d -m 0755 %{buildroot}/run/fail2ban/ +install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf @@ -265,7 +266,8 @@ fi %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban %{_tmpfilesdir}/fail2ban.conf %dir %{_localstatedir}/lib/fail2ban/ -%ghost %dir /run/fail2ban/ +%dir /run/%{name}/ +%verify(not size mtime md5) /run/%{name}.pid %files all @@ -295,6 +297,9 @@ fi %changelog +* Wed Feb 15 2017 Orion Poplawski - 0.9.6-3 +- Properly handle /run/fail2ban (bug #1422500) + * Tue Jan 10 2017 Orion Poplawski - 0.9.6-2 - Add upstream patch to fix fail2ban-regex with journal From 7e05c26c478f18e1068e1c5763033370d921d662 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 15 Feb 2017 11:34:46 -0700 Subject: [PATCH 14/18] %ghost pid file and fix path --- fail2ban.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index c5645a1..56f8973 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -267,7 +267,7 @@ fi %{_tmpfilesdir}/fail2ban.conf %dir %{_localstatedir}/lib/fail2ban/ %dir /run/%{name}/ -%verify(not size mtime md5) /run/%{name}.pid +%ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid %files all From 4eae5e19dade1792f794dfc1fb7785d97502e68c Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Sat, 23 Nov 2019 16:15:18 -0700 Subject: [PATCH 15/18] Add extra blank line for EL6 %autosetup --- fail2ban.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/fail2ban.spec b/fail2ban.spec index 94f3407..29bdf66 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -155,6 +155,7 @@ by default. %prep %autosetup -p1 + # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf From bc30e2b939e7b2e5f6310f3088f5fbe56a2a20f7 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Mon, 20 Jan 2020 21:03:06 -0700 Subject: [PATCH 16/18] Move action.d/mail-whois-common.conf into fail2ban-server --- fail2ban.spec | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 8f3669b..e879428 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.10.5 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -265,7 +265,10 @@ fi %config(noreplace) %{_sysconfdir}/fail2ban %exclude %{_sysconfdir}/fail2ban/action.d/complain.conf %exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf -%exclude %{_sysconfdir}/fail2ban/action.d/mail-*.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf %exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf 
@@ -290,7 +293,10 @@ fi %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf -%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-*.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf %files sendmail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf @@ -303,6 +309,9 @@ fi %changelog +* Tue Jan 21 2020 Orion Poplawski - 0.10.5-2 +- Move action.d/mail-whois-common.conf into fail2ban-server + * Tue Jan 14 2020 Orion Poplawski - 0.10.5-1 - Update to 0.10.5 From 5f7bd2d63dfb9edf2adfa66cb0358b65b8a6a4f8 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 24 Jun 2020 10:22:41 -0500 Subject: [PATCH 17/18] In Fedora 32 and EL 8 nftables is the default firewall and does not accept : for port ranges, fixes RHBZ#1850164. --- fail2ban.spec | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fail2ban.spec b/fail2ban.spec index 22f73c2..a3af58a 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -185,6 +185,12 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3 # SELinux sources cp -p %SOURCE1 %SOURCE2 %SOURCE3 . +# In Fedora 32 and EL 8 nftables is the default firewall and does not accept ":" for port ranges. +# https://bugzilla.redhat.com/show_bug.cgi?id=1850164 +%if 0%{?fedora} >= 32 || 0%{?rhel} >= 8 +sed -i "s/port = 0:65535/port = 0-65535/" config/jail.conf +%endif + %build %py3_build From 9eab35adee855a036c52fa5682499464eb227592 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Mon, 27 Jul 2020 12:34:10 -0500 Subject: [PATCH 18/18] Add conditionals for EL 7 / Python 2. --- fail2ban.spec | 56 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 12 deletions(-) 
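Review bot: The added `sed` in `%prep` rewrites `port = 0:65535` for every jail in `config/jail.conf`, not only for jails that end up using an nftables action, and it succeeds silently if upstream changes the line so the pattern no longer matches. If I read it right, iptables-style actions expect `:` as the range separator, so a host that selects one of them could get failing ban commands after this rewrite; that is worth confirming before shipping. To catch drift, follow the substitution with a check that fails the build, e.g. `grep -q 'port = 0-65535' config/jail.conf`.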
diff --git a/fail2ban.spec b/fail2ban.spec index 7abe5b4..3a5e346 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -35,10 +35,16 @@ Patch8: https://github.com/fail2ban/fail2ban/commit/309c8dddd7adc2de140ed5a72088 BuildArch: noarch +%if 0%{?rhel} && 0%{?rhel} < 8 +BuildRequires: python2-devel +# For testcases +BuildRequires: python-inotify +%else BuildRequires: python3-devel BuildRequires: /usr/bin/2to3 # For testcases BuildRequires: python3-inotify +%endif BuildRequires: sqlite BuildRequires: systemd BuildRequires: selinux-policy-devel @@ -79,14 +85,20 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban +%if 0%{?rhel} && 0%{?rhel} < 8 +Requires: python2-systemd +%else Requires: python3-systemd +%endif Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Requires: ipset Requires: iptables +%if 0%{?fedora} Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif %description server This package contains the core server components for Fail2Ban with minimal @@ -104,10 +116,14 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} # Currently this breaks jails that don't log to the journal #Requires: %{name}-systemd = %{version}-%{release} -# No python3 support for gamin -#Requires: gamin-python Requires: perl-interpreter -Requires: python3-inotify +%if 0%{?rhel} && 0%{?rhel} < 8 +Requires: python-inotify +# No python3 support for gamin so epel only +Requires: gamin-python +%else +Requires: python2-inotify +%endif Requires: /usr/bin/whois %description all 
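Review bot: Wrapping the `%{name}-selinux` requirement in `%if 0%{?fedora}` also drops it on EL 8, so `fail2ban-server` can be installed there without its SELinux policy module. If the guard is only meant to keep the rich-dependency syntax away from EL 7, widen it to `%if 0%{?fedora} || 0%{?rhel} >= 8` and add a comment above it such as `# rich (boolean) dependencies are not understood by the EL 7 rpm`. The `%package server` section header is outside this hunk.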
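Review bot: In the `%else` branch of the requirements that precede `%description all`, the Python 3 builds now require `python2-inotify`, where the removed line required `python3-inotify`. That either pulls a Python 2 module into a Python 3 install or makes the metapackage uninstallable where no `python2-inotify` exists, and in both cases the inotify backend is missing for the interpreter fail2ban actually runs under. The branch should read `Requires: python3-inotify`. The section header for this subpackage is outside the hunk.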
@@ -186,29 +202,32 @@ by default. # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf +%if 0%{?fedora} || 0%{?rhel} >= 8 2to3 --write --nobackups . find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + +%endif # SELinux sources cp -p %SOURCE1 %SOURCE2 %SOURCE3 . -# In Fedora 32 and EL 8 nftables is the default firewall and does not accept ":" for port ranges. -# https://bugzilla.redhat.com/show_bug.cgi?id=1850164 -%if 0%{?fedora} >= 32 || 0%{?rhel} >= 8 -sed -i "s/port = 0:65535/port = 0-65535/" config/jail.conf -%endif - - %build +%if 0%{?rhel} && 0%{?rhel} < 8 +%py2_build +%else %py3_build +%endif make -f %SOURCE4 %install -%py3_install - +%if 0%{?rhel} && 0%{?rhel} < 8 +%py2_install # Make symbolic link relative +ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python +%else +%py3_install ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python +%endif mkdir -p %{buildroot}%{_unitdir} cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ @@ -261,7 +280,11 @@ install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{ %check +%if 0%{?rhel} && 0%{?rhel} < 8 +%python2 bin/fail2ban-testcases --verbosity=2 --no-network +%else %python3 bin/fail2ban-testcases --verbosity=2 --no-network +%endif %pre selinux @@ -302,8 +325,13 @@ fi %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server +%if 0%{?rhel} && 0%{?rhel} < 8 +%{python2_sitelib}/* +%exclude %{python2_sitelib}/fail2ban/tests +%else %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests +%endif %{_unitdir}/fail2ban.service %{_mandir}/man1/fail2ban.1* %{_mandir}/man1/fail2ban-client.1* @@ -338,7 +366,11 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* +%if 0%{?rhel} && 0%{?rhel} < 8 +%{python2_sitelib}/fail2ban/tests +%else %{python3_sitelib}/fail2ban/tests +%endif %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
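Review bot: This hunk deletes the `%if 0%{?fedora} >= 32 || 0%{?rhel} >= 8` block that rewrote `port = 0:65535` to `port = 0-65535` in `config/jail.conf`, although the commit subject only mentions EL 7 / Python 2 conditionals. If the removal is unintended (a rebase or cherry-pick artefact, say), the nftables port-range problem from RHBZ#1850164 comes back, and the affected jails would presumably fail to install their rules on Fedora 32 and EL 8. Either keep the block or record in the changelog what replaces it.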