From cfc0b77c7d97613f6d7b64d451732ab60cc39086 Mon Sep 17 00:00:00 2001
From: Orion Poplawski
Date: Wed, 19 Mar 2014 21:59:36 -0600
Subject: [PATCH] Split into sub-packages for different components

Enable journal filter by default (bug #985567)
Enable firewalld action by default (bug #1046816)
---
 fail2ban.spec | 175 +++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 158 insertions(+), 17 deletions(-)

diff --git a/fail2ban.spec b/fail2ban.spec
index 16317b3..3272e19 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,7 +1,7 @@
-Summary: Ban IPs that make too many password failures
+Summary: Daemon to ban hosts that cause multiple authentication errors
 Name: fail2ban
 Version: 0.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -9,12 +9,34 @@ BuildRequires: python2-devel
 # For testcases
 BuildRequires: python-inotify
 BuildArch: noarch
-Requires: ed
-Requires: iptables
-Requires: gamin-python
-Requires: python-inotify
 %if 0%{?fedora} >= 19
 BuildRequires: systemd
+%endif
+# Default components
+Requires: %{name}-firewalld = %{version}-%{release}
+Requires: %{name}-sendmail = %{version}-%{release}
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-systemd = %{version}-%{release}
+
+%description
+Fail2Ban scans log files and bans IP addresses that makes too many password
+failures. It updates firewall rules to reject the IP address. These rules can
+be defined by the user. Fail2Ban can read multiple log files such as sshd or
+Apache web server ones.
+
+Fail2Ban is able to reduce the rate of incorrect authentications attempts
+however it cannot eliminate the risk that weak authentication presents.
+Configure services to use only two factor or public/private authentication
+mechanisms if you really want to protect services.
+
+This is a meta-package that will install the default configuration. Other
+sub-packages are available to install support for other actions and
+configurations.
+
+
+%package server
+Summary: Core server component for Fail2Ban
+%if 0%{?fedora} >= 19
 Requires: systemd-python
 Requires(post): systemd
 Requires(preun): systemd
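Review bot: The new `Requires: %{name}-systemd = %{version}-%{release}` and `Requires: %{name}-firewalld = %{version}-%{release}` on the meta-package are unconditional, while systemd support itself (`BuildRequires: systemd`, `Requires: systemd-python`) stays inside `%if 0%{?fedora} >= 19`. On targets that take the chkconfig branch, a default install would get the journal backend and the firewalld ban action as defaults without the components they depend on. A fail2ban that cannot read its log source or apply a ban tends to fail quietly, leaving the host unprotected. I would wrap the two lines in the same conditional, `%if 0%{?fedora} >= 19` / the two `Requires:` lines / `%endif`. That the drop-ins actually switch the defaults is inferred from the commit message, since their bodies are not part of this hunk.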
@@ -25,14 +47,90 @@ Requires(post): /sbin/chkconfig Requires(preun): /sbin/chkconfig Requires(preun): /sbin/service %endif +Requires: ipset +Requires: iptables + +%description server +This package contains the core server components for Fail2Ban with minimal +dependencies. You can install this directly if you want to have a small +installation and know what you are doing. + + +%package all +Summary: Install all Fail2Ban packages and dependencies +Requires: %{name}-firewalld = %{version}-%{release} +Requires: %{name}-hostsdeny = %{version}-%{release} +Requires: %{name}-mail = %{version}-%{release} +Requires: %{name}-sendmail = %{version}-%{release} +Requires: %{name}-server = %{version}-%{release} +Requires: %{name}-shorewall = %{version}-%{release} +Requires: %{name}-systemd = %{version}-%{release} +Requires: gamin-python +Requires: perl +Requires: python-inotify +Requires: /usr/bin/whois + +%description all +This package installs all of the Fail2Ban packages and dependencies. + + +%package firewalld +Summary: Firewalld support for Fail2Ban +Requires: %{name}-server = %{version}-%{release} +Requires: firewalld + +%description firewalld +This package enables support for manipulating firewalld rules. This is the +default firewall service in Fedora. -%description -Fail2ban scans log files like /var/log/pwdfail or -/var/log/apache/error_log and bans IP that makes too many password -failures. It updates firewall rules to reject the IP address. -To use the hostsdeny and shorewall actions you must install tcp_wrappers -and shorewall respectively. +%package hostsdeny +Summary: Hostsdeny (tcp_wrappers) support for Fail2Ban +Requires: %{name}-server = %{version}-%{release} +Requires: ed +Requires: tcp_wrappers + +%description hostsdeny +This package enables support for manipulating tcp_wrapper's /etc/hosts.deny +files. 
+ + +%package mail +Summary: Mail actions for Fail2Ban +Requires: %{name}-server = %{version}-%{release} +Requires: /usr/bin/mail + +%description mail +This package installs Fail2Ban's mail actions. These are an alternative +to the default sendmail actions. + + +%package sendmail +Summary: Sendmail actions for Fail2Ban +Requires: %{name}-server = %{version}-%{release} +Requires: /usr/sbin/sendmail + +%description sendmail +This package installs Fail2Ban's sendmail actions. This is the default +mail actions for Fail2Ban. + + +%package shorewall +Summary: Shorewall support for Fail2Ban +Requires: %{name}-server = %{version}-%{release} +Requires: shorewall + +%description shorewall +This package enables support for manipulating shoreall rules. + + +%package systemd +Summary: Systemd journal configuration for Fail2Ban +Requires: %{name}-server = %{version}-%{release} + +%description systemd +This package configures Fail2Ban to use the systemd journal for its log input +by default. %prep @@ -63,6 +161,20 @@ install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/ install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf +# Remove non-Linux actions +rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf +rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf +rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf +# firewalld configuration +cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf < %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <= 19 %systemd_post fail2ban.service %else /sbin/chkconfig --add %{name} %endif -%preun +%preun server %if 0%{?fedora} >= 19 %systemd_preun fail2ban.service %else 
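Review bot: `/usr/bin/whois` is required only by `%package all`, yet the `mail` and `sendmail` sub-packages are described as carrying the mail actions, and the globs used for them later in the patch (`mail-*.conf`, `sendmail-*.conf`) presumably include the `-whois` variants. A default install pulls `-sendmail` but not `-all`, so those actions could be present without the binary they call, and the ban notification would then lack its context or fail. Consider adding `Requires: /usr/bin/whois` to both sub-packages, or moving the whois actions into their own sub-package. Separately, the shorewall description reads "shoreall rules" and should read `shorewall rules`.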
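Review bot: The comment `# Remove non-Linux actions` does not match what the `rm` lines delete, because `ufw.conf` is removed as well and ufw is a Linux netfilter front end. State the real reason instead, for example `# Remove actions for firewalls this package does not support (ipfw, ipfilter, pf, ufw, OS X)`, so a later packager does not restore or drop files on the wrong premise. The two heredoc bodies written into `jail.d/` are not legible on this page, so the defaults they set are not covered by this note.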
@@ -88,13 +200,12 @@ fi %endif %if 0%{?fedora} >= 19 -%postun +%postun server %systemd_postun_with_restart fail2ban.service %endif -%files +%files server %doc README.md TODO ChangeLog COPYING doc/*.txt -#doc config/fail2ban.conf* %{_bindir}/fail2ban-server %{_bindir}/fail2ban-client %{_bindir}/fail2ban-regex @@ -108,13 +219,43 @@ fi %{_mandir}/man1/fail2ban*.1* %{_mandir}/man5/*.5* %config(noreplace) %{_sysconfdir}/fail2ban +%exclude %{_sysconfdir}/fail2ban/action.d/complain.conf +%exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-*.conf +%exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf +%exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf +%exclude %{_sysconfdir}/fail2ban/jail.d/*.conf %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban %config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf %dir %{_localstatedir}/lib/fail2ban/ %dir %{_localstatedir}/run/fail2ban/ +%files firewalld +%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-firewalld.conf + +%files hostsdeny +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf + +%files mail +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-*.conf + +%files sendmail +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf + +%files shorewall +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/shorewall.conf + +%files systemd +%config(noreplace) %{_sysconfdir}/fail2ban/jail.d/00-systemd.conf + %changelog +* Wed Mar 19 2014 Orion Poplawski - 0.9-3 +- Split into sub-packages for different components +- Enable journal filter by default (bug #985567) +- Enable firewalld action by default (bug #1046816) + * Tue Mar 18 2014 Orion Poplawski - 0.9-2 - Use Fedora paths - Start after firewalld (bug #1067147)
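Review bot: The `%exclude` globs `mail-*.conf` and `sendmail-*.conf` in `%files server` do not match a plain `mail.conf` or `sendmail.conf`. If upstream ships those files (I believe it does), they remain in `-server`, which carries no MTA dependency, and the split between core and mail actions is incomplete. Either add `%exclude %{_sysconfdir}/fail2ban/action.d/mail.conf` and the `sendmail.conf` equivalent, with matching entries under `%files mail` and `%files sendmail`, or add a comment saying they are deliberately kept in the core package. A one-line comment above the `jail.d/*.conf` exclude, such as `# jail.d drop-ins are owned by the -firewalld and -systemd sub-packages`, would also explain why `-server` ships that directory empty.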