Define banaction_allports for firewalld, update banaction (bz#1775175)

Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
i9ce
Orion Poplawski 5 years ago
parent 965cbc4d23
commit b9fa37fab6

@ -0,0 +1,96 @@
From 9e1fa4ff73a1566ae0c381930b6eaae9880b0f29 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 17:38:30 -0600
Subject: [PATCH 1/7] Update sendmail-reject
Added loglines to show TLSMTA and MSA port IDs (RHEL/CentOS sendmail default for ports 465 and 587, respectively)
---
fail2ban/tests/files/logs/sendmail-reject | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index 44f8eb92f..a76cbf4b6 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -95,3 +95,8 @@ Nov 3 11:35:30 Microsoft sendmail[26254]: rA37ZTSC026255: from=<anton@domain.co
Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example.org [192.0.2.194] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
+
+# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
+Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
+# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
+Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
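Review bot: the two new samples carry what looks like a real hostname and public address (internettl.org, 104.152.52.29), while every other sample in this file uses documentation values (some-host-24.example.org, 192.0.2.x); substituting the same placeholders keeps the test corpus free of third-party identifiers. The failJSON `time` values are also given as 2019 where the rest of the file uses 2005; patch 5/7 corrects that later in the series, so the two commits would read better squashed.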
From ffd5d0db78af01afcdf7a2c615dc26b8558ad8f1 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 17:39:27 -0600
Subject: [PATCH 2/7] Update sendmail-reject.conf
On some distros (e.g., CentOS 7), sendmail default config labels port 465 as TLSMTA and port 587 as MSA. Update failregex to reflect. Relevant loglines included in https://github.com/fail2ban/fail2ban/commit/9e1fa4ff73a1566ae0c381930b6eaae9880b0f29
---
config/filter.d/sendmail-reject.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index 985eac8b1..dd58f3e75 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
mdre-normal =
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
mdre-aggressive = %(mdre-extra)s
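Review bot: `(?:TLS)?M(?:TA|SP|SA)` is wider than the commit message describes: it also accepts `TLSMSP` and `TLSMSA`, which the added samples do not exercise. If only `TLSMTA` and `MSA` are meant, `(?:TLSMTA|M(?:TA|SP|SA))` pins it down; if the looser form is intentional, a comment beside `mdre-extra` saying so would stop the next reader from tightening it. Note that `mdre-normal` stays empty, so this pattern only takes effect in `mode = extra` and `mode = aggressive`.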
From 76816285e886eee0a53ba5c64c50101fbd87a760 Mon Sep 17 00:00:00 2001
From: Amir Caspi <cepheid666@users.noreply.github.com>
Date: Fri, 29 Mar 2019 18:21:47 -0600
Subject: [PATCH 5/7] Update sendmail-reject
Fixing timestamps to 2005 (oops)
---
fail2ban/tests/files/logs/sendmail-reject | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fail2ban/tests/files/logs/sendmail-reject b/fail2ban/tests/files/logs/sendmail-reject
index a76cbf4b6..b6911c4df 100644
--- a/fail2ban/tests/files/logs/sendmail-reject
+++ b/fail2ban/tests/files/logs/sendmail-reject
@@ -96,7 +96,7 @@ Mar 6 16:55:28 s192-168-0-1 sm-mta[20949]: v26LtRA0020949: some-host-24.example
# failJSON: { "time": "2005-03-07T15:04:37", "match": true , "host": "192.0.2.195", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSP-mode, (may be forged)" }
Mar 7 15:04:37 s192-168-0-1 sm-mta[18624]: v27K4Vj8018624: some-host-24.example.org [192.0.2.195] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v4
-# failJSON: { "time": "2019-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
+# failJSON: { "time": "2005-03-29T22:33:47", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), TLSMTA-mode" }
Mar 29 22:33:47 kismet sm-mta[23221]: x2TMXH7Y023221: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
-# failJSON: { "time": "2019-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
+# failJSON: { "time": "2005-03-29T22:51:42", "match": true , "host": "104.152.52.29", "desc": "wrong resp. non RFC compiant (ddos prelude?), MSA-mode" }
Mar 29 22:51:42 kismet sm-mta[24202]: x2TMpAlI024202: internettl.org [104.152.52.29] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
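Review bot: only the failJSON `time` fields change here; the log lines themselves carry no year, so the test's assumed year is what makes them match, and 2005 is consistent with the neighbouring entries. As this is a fix-up of patch 1/7, squashing it into that commit would keep the series bisectable.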
From 6c7093c66dce9f695cde24149a78650868083617 Mon Sep 17 00:00:00 2001
From: "Sergey G. Brester" <github@sebres.de>
Date: Thu, 4 Apr 2019 02:28:50 +0200
Subject: [PATCH 6/7] minor amend, refolding branches (SP|SA -> S[PA])
---
config/filter.d/sendmail-reject.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/filter.d/sendmail-reject.conf b/config/filter.d/sendmail-reject.conf
index dd58f3e75..e6814a00c 100644
--- a/config/filter.d/sendmail-reject.conf
+++ b/config/filter.d/sendmail-reject.conf
@@ -32,7 +32,7 @@ cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IP
mdre-normal =
-mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|SP|SA)(?:-\w+)?$
+mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
mdre-aggressive = %(mdre-extra)s

@ -1,7 +1,7 @@
Summary: Daemon to ban hosts that cause multiple authentication errors Summary: Daemon to ban hosts that cause multiple authentication errors
Name: fail2ban Name: fail2ban
Version: 0.10.4 Version: 0.10.4
Release: 7%{?dist} Release: 8%{?dist}
License: GPLv2+ License: GPLv2+
URL: http://fail2ban.sourceforge.net/ URL: http://fail2ban.sourceforge.net/
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
@ -9,7 +9,10 @@ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%
# Give up being PartOf iptables and ipset for now # Give up being PartOf iptables and ipset for now
# https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
# https://bugzilla.redhat.com/show_bug.cgi?id=1573185 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
Patch2: fail2ban-partof.patch Patch0: fail2ban-partof.patch
# Update sendmail-reject with TLSMTA & MSA port IDs
# https://bugzilla.redhat.com/show_bug.cgi?id=1722625
Patch1: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2388.patch
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: /usr/bin/2to3 BuildRequires: /usr/bin/2to3
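Review bot: `Patch1` points at the PR's rolling patch URL (pull/2388.patch), which is re-rendered whenever the PR branch changes, so a later fetch may not match the file committed here; a URL pinned to a specific commit, or just the local file name, keeps the spec reproducible. The committed file also holds only patches 1, 2, 5 and 6 of the seven-patch series, so a comment noting that 3, 4 and 7 were dropped deliberately (and why) would avoid confusion when the patch is refreshed. Renumbering `Patch2` to `Patch0` is fine with `%autosetup`, but it only works because the explicit `%patch2` line is removed in the next hunk; the two changes must land together.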
@ -153,8 +156,7 @@ by default.
%prep %prep
%setup -q %autosetup -p1
%patch2 -p1 -b .partof
# Use Fedora paths # Use Fedora paths
sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
2to3 --write --nobackups . 2to3 --write --nobackups .
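Review bot: `%autosetup -p1` applies `Patch0` and `Patch1` in numeric order and drops the `-b .partof` backup suffix the old `%patch2` line produced; that is fine as long as nothing later in the spec (for example a `%files` glob) expected the `.partof` backup to exist, which is worth a quick check since the removed line was the only consumer of the old `Patch2` number.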
@ -195,7 +197,8 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
# the firewalld actions as the default actions. You can remove this package # the firewalld actions as the default actions. You can remove this package
# (along with the empty fail2ban meta-package) if you do not use firewalld # (along with the empty fail2ban meta-package) if you do not use firewalld
[DEFAULT] [DEFAULT]
banaction = firewallcmd-ipset banaction = firewallcmd-ipset[actiontype=<multiport>]
banaction_allports = firewallcmd-ipset[actiontype=<allports>]
EOF EOF
# systemd journal configuration # systemd journal configuration
cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
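Review bot: the new `banaction_allports` line closes the gap where a jail such as `recidive`, which sets `banaction = %(banaction_allports)s` in jail.conf, would otherwise inherit the iptables-allports default and bypass firewalld entirely; nothing in the generated 00-firewalld.conf says so, and a one-line comment above the two keys would help an admin reading the drop-in later. Making `banaction` explicitly `actiontype=<multiport>` is a no-op against the action's own default but documents the pairing with `<allports>`, which is good.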
@ -296,6 +299,10 @@ fi
%changelog %changelog
* Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
- Define banaction_allports for firewalld, update banaction (bz#1775175)
- Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
* Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7 * Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7
- Remove config files for other distros (bz#1533113) - Remove config files for other distros (bz#1533113)
