Split into sub-packages for different components

Enable journal filter by default (bug #985567) Enable firewalld action by default (bug #1046816)
11 years ago · cfc0b77c7d
parent 909f71303d
commit cfc0b77c7d
1 changed files with 158 additions and 17 deletions
--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -1,7 +1,7 @@
-Summary: Ban IPs that make too many password failures
+Summary: Daemon to ban hosts that cause multiple authentication errors
 Name: fail2ban
 Version: 0.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
@ -9,12 +9,34 @@ BuildRequires: python2-devel
 # For testcases
 BuildRequires: python-inotify
 BuildArch: noarch
-Requires: ed
-Requires: iptables
-Requires: gamin-python
-Requires: python-inotify
 %if 0%{?fedora} >= 19
 BuildRequires: systemd
+%endif
+# Default components
+Requires: %{name}-firewalld = %{version}-%{release}
+Requires: %{name}-sendmail = %{version}-%{release}
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-systemd = %{version}-%{release}
+
+%description
+Fail2Ban scans log files and bans IP addresses that makes too many password
+failures. It updates firewall rules to reject the IP address. These rules can
+be defined by the user. Fail2Ban can read multiple log files such as sshd or
+Apache web server ones.
+
+Fail2Ban is able to reduce the rate of incorrect authentications attempts
+however it cannot eliminate the risk that weak authentication presents.
+Configure services to use only two factor or public/private authentication
+mechanisms if you really want to protect services.
+
+This is a meta-package that will install the default configuration.  Other
+sub-packages are available to install support for other actions and
+configurations.
+
+
+%package server
+Summary: Core server component for Fail2Ban
+%if 0%{?fedora} >= 19
 Requires: systemd-python
 Requires(post): systemd
 Requires(preun): systemd
@ -25,14 +47,90 @@ Requires(post): /sbin/chkconfig
 Requires(preun): /sbin/chkconfig
 Requires(preun): /sbin/service
 %endif
+Requires: ipset
+Requires: iptables
+
+%description server
+This package contains the core server components for Fail2Ban with minimal
+dependencies.  You can install this directly if you want to have a small
+installation and know what you are doing.
+
+
+%package all
+Summary: Install all Fail2Ban packages and dependencies
+Requires: %{name}-firewalld = %{version}-%{release}
+Requires: %{name}-hostsdeny = %{version}-%{release}
+Requires: %{name}-mail = %{version}-%{release}
+Requires: %{name}-sendmail = %{version}-%{release}
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-shorewall = %{version}-%{release}
+Requires: %{name}-systemd = %{version}-%{release}
+Requires: gamin-python
+Requires: perl
+Requires: python-inotify
+Requires: /usr/bin/whois
+
+%description all
+This package installs all of the Fail2Ban packages and dependencies.
+
+
+%package firewalld
+Summary: Firewalld support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: firewalld
+
+%description firewalld
+This package enables support for manipulating firewalld rules.  This is the
+default firewall service in Fedora.

-%description
-Fail2ban scans log files like /var/log/pwdfail or
-/var/log/apache/error_log and bans IP that makes too many password
-failures. It updates firewall rules to reject the IP address.

-To use the hostsdeny and shorewall actions you must install tcp_wrappers
-and shorewall respectively.
+%package hostsdeny
+Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: ed
+Requires: tcp_wrappers
+
+%description hostsdeny
+This package enables support for manipulating tcp_wrapper's /etc/hosts.deny
+files.
+
+
+%package mail
+Summary: Mail actions for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: /usr/bin/mail
+
+%description mail
+This package installs Fail2Ban's mail actions.  These are an alternative
+to the default sendmail actions.
+
+
+%package sendmail
+Summary: Sendmail actions for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: /usr/sbin/sendmail
+
+%description sendmail
+This package installs Fail2Ban's sendmail actions.  This is the default
+mail actions for Fail2Ban.
+
+
+%package shorewall
+Summary: Shorewall support for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+Requires: shorewall
+
+%description shorewall
+This package enables support for manipulating shoreall rules.
+
+
+%package systemd
+Summary: Systemd journal configuration for Fail2Ban
+Requires: %{name}-server = %{version}-%{release}
+
+%description systemd
+This package configures Fail2Ban to use the systemd journal for its log input
+by default.


 %prep
@ -63,6 +161,20 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
+# Remove non-Linux actions
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
+rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
+# firewalld configuration
+cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
+[DEFAULT]
+banaction = firewallcmd-ipset
+EOF
+# systemd journal configuration
+cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
+[DEFAULT]
+backend=systemd
+EOF
 # Remove installed doc, use doc macro instead
 rm -r %{buildroot}%{_docdir}/%{name}

@ -70,14 +182,14 @@ rm -r %{buildroot}%{_docdir}/%{name}
 # Testcases still pulling in network tests, wants /dev/log
 #./fail2ban-testcases-all --no-network

-%post
+%post server
 %if 0%{?fedora} >= 19
 %systemd_post fail2ban.service
 %else
 /sbin/chkconfig --add %{name}
 %endif

-%preun
+%preun server
 %if 0%{?fedora} >= 19
 %systemd_preun fail2ban.service
 %else
@ -88,13 +200,12 @@ fi
 %endif

 %if 0%{?fedora} >= 19
-%postun
+%postun server
 %systemd_postun_with_restart fail2ban.service
 %endif

-%files
+%files server
 %doc README.md TODO ChangeLog COPYING doc/*.txt
-#doc config/fail2ban.conf*
 %{_bindir}/fail2ban-server
 %{_bindir}/fail2ban-client
 %{_bindir}/fail2ban-regex
@ -108,13 +219,43 @@ fi
 %{_mandir}/man1/fail2ban*.1*
 %{_mandir}/man5/*.5*
 %config(noreplace) %{_sysconfdir}/fail2ban
+%exclude %{_sysconfdir}/fail2ban/action.d/complain.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/mail-*.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
+%exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf
+%exclude %{_sysconfdir}/fail2ban/jail.d/*.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
 %config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf
 %dir %{_localstatedir}/lib/fail2ban/
 %dir %{_localstatedir}/run/fail2ban/

+%files firewalld
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-firewalld.conf
+
+%files hostsdeny
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf
+
+%files mail
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-*.conf
+
+%files sendmail
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf
+
+%files shorewall
+%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf
+
+%files systemd
+%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf
+

 %changelog
+* Wed Mar 19 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-3
+- Split into sub-packages for different components
+- Enable journal filter by default (bug #985567)
+- Enable firewalld action by default (bug #1046816)
+
 * Tue Mar 18 2014 Orion Poplawski <orion@cora.nwra.com> - 0.9-2
 - Use Fedora paths
 - Start after firewalld (bug #1067147)