Fix several minor bugs, and move to using inotify instead of gamin.

14 years ago · af90cd27ed
parent 4e465e580b
commit af90cd27ed
5 changed files with 1612 additions and 9 deletions
--- a/fail2ban-0.8.4-examplemail.patch
+++ b/fail2ban-0.8.4-examplemail.patch
@ -0,0 +1,110 @@
+--- fail2ban-0.8.4/config/jail.conf.bak	2011-04-09 17:53:27.022210040 +0200
+++ fail2ban-0.8.4/config/jail.conf	2011-04-09 18:22:35.075335264 +0200
+@@ -45,7 +45,7 @@
+ enabled  = true
+ filter   = sshd
+ action   = iptables[name=SSH, port=ssh, protocol=tcp]
+-           sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
+           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]
+ logpath  = /var/log/secure
+ maxretry = 5
+ 
+@@ -54,7 +54,7 @@
+ enabled  = false
+ filter   = proftpd
+ action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
+-           sendmail-whois[name=ProFTPD, dest=you@mail.com]
+           sendmail-whois[name=ProFTPD, dest=you@example.com]
+ logpath  = /var/log/proftpd/proftpd.log
+ maxretry = 6
+ 
+@@ -66,7 +66,7 @@
+ filter   = sasl
+ backend  = polling
+ action   = iptables[name=sasl, port=smtp, protocol=tcp]
+-           sendmail-whois[name=sasl, dest=you@mail.com]
+           sendmail-whois[name=sasl, dest=you@example.com]
+ logpath  = /var/log/mail.log
+ 
+ # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
+@@ -77,7 +77,7 @@
+ enabled     = false
+ filter      = sshd
+ action      = hostsdeny
+-              sendmail-whois[name=SSH, dest=you@mail.com]
+              sendmail-whois[name=SSH, dest=you@example.com]
+ ignoreregex = for myuser from
+ logpath     = /var/log/sshd.log
+ 
+@@ -101,7 +101,7 @@
+ enabled  = false
+ filter   = postfix
+ action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
+-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
+ logpath  = /var/log/postfix.log
+ bantime  = 300
+ 
+@@ -112,7 +112,7 @@
+ 
+ enabled  = false
+ filter   = vsftpd
+-action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
+action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
+ logpath  = /var/log/vsftpd.log
+ maxretry = 5
+ bantime  = 1800
+@@ -124,7 +124,7 @@
+ enabled  = false
+ filter   = vsftpd
+ action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
+-           sendmail-whois[name=VSFTPD, dest=you@mail.com]
+           sendmail-whois[name=VSFTPD, dest=you@example.com]
+ logpath  = /var/log/vsftpd.log
+ maxretry = 5
+ bantime  = 1800
+@@ -137,7 +137,7 @@
+ enabled  = false
+ filter   = apache-badbots
+ action   = iptables-multiport[name=BadBots, port="http,https"]
+-           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
+           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
+ logpath  = /var/www/*/logs/access_log
+ bantime  = 172800
+ maxretry = 1
+@@ -149,7 +149,7 @@
+ enabled  = false
+ filter   = apache-noscript
+ action   = shorewall
+-           sendmail[name=Postfix, dest=you@mail.com]
+           sendmail[name=Postfix, dest=you@example.com]
+ logpath  = /var/log/apache2/error_log
+ 
+ # Ban attackers that try to use PHP's URL-fopen() functionality
+@@ -190,7 +190,7 @@
+ enabled  = false
+ filter   = sshd
+ action   = ipfw[localhost=192.168.0.1]
+-           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
+           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
+ logpath  = /var/log/auth.log
+ ignoreip = 168.192.0.1
+ 
+@@ -216,7 +216,7 @@
+ enabled  = false
+ filter   = named-refused
+ action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=you@example.com]
+ logpath  = /var/log/named/security.log
+ ignoreip = 168.192.0.1
+ 
+@@ -227,7 +227,7 @@
+ enabled  = false
+ filter   = named-refused
+ action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+-           sendmail-whois[name=Named, dest=you@mail.com]
+           sendmail-whois[name=Named, dest=you@example.com]
+ logpath  = /var/log/named/security.log
+ ignoreip = 168.192.0.1
+ 
--- a/fail2ban-0.8.4-notmp.patch
+++ b/fail2ban-0.8.4-notmp.patch
@ -0,0 +1,101 @@
+diff -rud fail2ban-0.8.4.org/ChangeLog fail2ban-0.8.4/ChangeLog
+--- fail2ban-0.8.4.org/ChangeLog	2009-09-07 21:11:29.000000000 +0200
+++ fail2ban-0.8.4/ChangeLog	2011-04-09 17:56:51.029085738 +0200
+@@ -353,7 +353,7 @@
+   Thanks to Tom Pike
+ - fail2ban.conf modified for readability. Thanks to Iain Lea
+ - Added an initd script for Gentoo
+-- Changed default PID lock file location from /tmp to /var/run
+- Changed default PID lock file location from /var/lib/fail2ban to /var/run
+ 
+ ver. 0.4.0 (2005/04/24) - stable
+ ----------
+diff -rud fail2ban-0.8.4.org/client/fail2banreader.py fail2ban-0.8.4/client/fail2banreader.py
+--- fail2ban-0.8.4.org/client/fail2banreader.py	2008-02-27 22:44:56.000000000 +0100
+++ fail2ban-0.8.4/client/fail2banreader.py	2011-04-09 17:56:51.027086612 +0200
+@@ -39,7 +39,7 @@
+ 		ConfigReader.read(self, "fail2ban")
+ 	
+ 	def getEarlyOptions(self):
+-		opts = [["string", "socket", "/tmp/fail2ban.sock"]]
+		opts = [["string", "socket", "/var/lib/fail2ban/fail2ban.sock"]]
+ 		return ConfigReader.getOptions(self, "Definition", opts)
+ 	
+ 	def getOptions(self):
+diff -rud fail2ban-0.8.4.org/config/action.d/dshield.conf fail2ban-0.8.4/config/action.d/dshield.conf
+--- fail2ban-0.8.4.org/config/action.d/dshield.conf	2008-07-14 19:13:47.000000000 +0200
+++ fail2ban-0.8.4/config/action.d/dshield.conf	2011-04-09 17:56:51.031085423 +0200
+@@ -204,7 +204,7 @@
+ 
+ # Option:  tmpfile
+ # Notes.:  Base name of temporary files used for buffering
+-# Values:  [ STRING ]  Default: /tmp/fail2ban-dshield
+# Values:  [ STRING ]  Default: /var/lib/fail2ban/fail2ban-dshield
+ #
+-tmpfile = /tmp/fail2ban-dshield
+tmpfile = /var/lib/fail2ban/fail2ban-dshield
+ 
+diff -rud fail2ban-0.8.4.org/config/action.d/mail-buffered.conf fail2ban-0.8.4/config/action.d/mail-buffered.conf
+--- fail2ban-0.8.4.org/config/action.d/mail-buffered.conf	2008-07-16 23:11:43.000000000 +0200
+++ fail2ban-0.8.4/config/action.d/mail-buffered.conf	2011-04-09 17:56:51.031085423 +0200
+@@ -81,7 +81,7 @@
+ 
+ # Default temporary file
+ #
+-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/lib/fail2ban/fail2ban-mail.txt
+ 
+ # Destination/Addressee of the mail
+ #
+diff -rud fail2ban-0.8.4.org/config/action.d/mynetwatchman.conf fail2ban-0.8.4/config/action.d/mynetwatchman.conf
+--- fail2ban-0.8.4.org/config/action.d/mynetwatchman.conf	2008-07-14 19:14:13.000000000 +0200
+++ fail2ban-0.8.4/config/action.d/mynetwatchman.conf	2011-04-09 17:56:51.030086280 +0200
+@@ -139,6 +139,6 @@
+ 
+ # Option:  tmpfile
+ # Notes.:  Base name of temporary files
+-# Values:  [ STRING ]  Default: /tmp/fail2ban-mynetwatchman
+# Values:  [ STRING ]  Default: /var/lib/fail2ban/fail2ban-mynetwatchman
+ #
+-tmpfile = /tmp/fail2ban-mynetwatchman
+tmpfile = /var/lib/fail2ban/fail2ban-mynetwatchman
+diff -rud fail2ban-0.8.4.org/config/action.d/sendmail-buffered.conf fail2ban-0.8.4/config/action.d/sendmail-buffered.conf
+--- fail2ban-0.8.4.org/config/action.d/sendmail-buffered.conf	2008-07-16 23:11:43.000000000 +0200
+++ fail2ban-0.8.4/config/action.d/sendmail-buffered.conf	2011-04-09 17:56:51.029085738 +0200
+@@ -101,5 +101,5 @@
+ 
+ # Default temporary file
+ #
+-tmpfile = /tmp/fail2ban-mail.txt
+tmpfile = /var/lib/fail2ban/fail2ban-mail.txt
+ 
+diff -rud fail2ban-0.8.4.org/files/nagios/f2ban.txt fail2ban-0.8.4/files/nagios/f2ban.txt
+--- fail2ban-0.8.4.org/files/nagios/f2ban.txt	2009-01-27 23:53:40.000000000 +0100
+++ fail2ban-0.8.4/files/nagios/f2ban.txt	2011-04-09 17:56:51.027086612 +0200
+@@ -6,7 +6,7 @@
+ /etc/init.d/fail2ban stop
+ 
+ 2.) delete the socket if avalible
+-rm /tmp/fail2ban.sock
+rm /var/lib/fail2ban/fail2ban.sock
+ 
+ 3.) start the Service 
+ /etc/init.d/fail2ban start
+diff -rud fail2ban-0.8.4.org/testcases/actiontestcase.py fail2ban-0.8.4/testcases/actiontestcase.py
+--- fail2ban-0.8.4.org/testcases/actiontestcase.py	2008-02-27 22:44:54.000000000 +0100
+++ fail2ban-0.8.4/testcases/actiontestcase.py	2011-04-09 17:56:51.027086612 +0200
+@@ -38,10 +38,10 @@
+ 		self.__action.execActionStop()
+ 	
+ 	def testExecuteActionBan(self):
+-		self.__action.setActionStart("touch /tmp/fail2ban.test")
+-		self.__action.setActionStop("rm -f /tmp/fail2ban.test")
+		self.__action.setActionStart("touch /var/lib/fail2ban/fail2ban.test")
+		self.__action.setActionStop("rm -f /var/lib/fail2ban/fail2ban.test")
+ 		self.__action.setActionBan("echo -n")
+-		self.__action.setActionCheck("[ -e /tmp/fail2ban.test ]")
+		self.__action.setActionCheck("[ -e /var/lib/fail2ban/fail2ban.test ]")
+ 		
+ 		self.assertTrue(self.__action.execActionBan(None))
+ 		
+\ No newline at end of file
--- a/fail2ban-tmpfiles.conf
+++ b/fail2ban-tmpfiles.conf
@ -0,0 +1 @@
+D /var/run/fail2ban 0755 root root -
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -4,21 +4,27 @@
 Summary: Ban IPs that make too many password failures
 Name: fail2ban
 Version: 0.8.4
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://fail2ban.sourceforge.net/
 Source0: http://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.bz2
 Source1: fail2ban-logrotate
+Source2: fail2ban-tmpfiles.conf
 Patch0: fail2ban-0.8.3-init.patch
 Patch1: fail2ban-0.8.1-sshd.patch
 Patch3: fail2ban-0.8.2-fd_cloexec.patch
 Patch6: fail2ban-0.8.3-log2syslog.patch
 Patch7: asyncserver.start_selinux.patch
+Patch8: fail2ban-0.8.4-notmp.patch
+Patch9: pyinotify.patch
+Patch10: fail2ban-0.8.4-examplemail.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildRequires: python-devel >= 2.3
 BuildArch: noarch
 Requires: iptables, tcp_wrappers, shorewall, gamin-python
+Requires: python-inotify
+Requires: initscripts
 Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
@ -35,6 +41,9 @@ failures. It updates firewall rules to reject the IP address.
 %patch3 -p1 -b .fd_cloexec
 %patch6 -p1 -b .log2syslog
 %patch7 -p1 -b .fd_cloexec2
+%patch8 -p1 -b .notmp
+%patch9 -p1 -b .inotify
+%patch10 -p1 -b .mail

 %build
 python setup.py build
@ -48,8 +57,10 @@ mkdir -p %{buildroot}%{_mandir}/man1
 install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
 install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
-mkdir -p %{buildroot}%{_localstatedir}/run/fail2ban
-chmod 0755 %{buildroot}%{_localstatedir}/run/fail2ban
+install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
+mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf

 %clean
 rm -rf %{buildroot}
@ -81,14 +92,15 @@ fi
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
 %config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
-%dir %{_localstatedir}/run/fail2ban
+%dir %{_localstatedir}/run/fail2ban/
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf
+%dir %{_localstatedir}/lib/fail2ban/

 %changelog
-* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-26
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
-
-* Wed Aug 11 2010 David Malcolm <dmalcolm@redhat.com> - 0.8.4-25
- recompiling .py files against Python 2.7 (rhbz#623295)
+* Sat Apr  9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27
+- Move tmp files to /var/lib (suggested by Phil Anderson).
+- Enable inotify support (by Jonathan Underwood).
+- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.

 * Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24
 - Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to
--- a/pyinotify.patch
+++ b/pyinotify.patch