You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
251 lines
8.2 KiB
251 lines
8.2 KiB
Summary: Ban IPs that make too many password failures
|
|
Name: fail2ban
|
|
Version: 0.8.10
|
|
Release: 2%{?dist}
|
|
License: GPLv2+
|
|
Group: System Environment/Daemons
|
|
URL: http://fail2ban.sourceforge.net/
|
|
Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
|
Source1: fail2ban-logrotate
|
|
Patch0: fail2ban-0.8.3-init.patch
|
|
Patch1: fail2ban-0.8.7.1-sshd.patch
|
|
# Upstream patch to fix hostsdeny permission issue
|
|
# https://github.com/fail2ban/fail2ban/issues/266
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=997863
|
|
Patch2: fail2ban-hostsdeny.patch
|
|
Patch6: fail2ban-log2syslog.patch
|
|
Patch8: fail2ban-notmp.patch
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
|
BuildRequires: python-devel >= 2.3
|
|
# For testcases
|
|
BuildRequires: python-inotify
|
|
BuildArch: noarch
|
|
Requires: ed
|
|
Requires: iptables
|
|
Requires: gamin-python
|
|
Requires: python-inotify
|
|
%if 0%{?fedora} >= 19
|
|
BuildRequires: systemd
|
|
Requires(post): systemd
|
|
Requires(preun): systemd
|
|
Requires(postun): systemd
|
|
%else
|
|
Requires: initscripts
|
|
Requires(post): /sbin/chkconfig
|
|
Requires(preun): /sbin/chkconfig
|
|
Requires(preun): /sbin/service
|
|
%endif
|
|
|
|
%description
|
|
Fail2ban scans log files like /var/log/pwdfail or
|
|
/var/log/apache/error_log and bans IP that makes too many password
|
|
failures. It updates firewall rules to reject the IP address.
|
|
|
|
To use the hostsdeny and shorewall actions you must install tcp_wrappers
|
|
and shorewall respectively.
|
|
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch0 -p1 -b .init
|
|
%patch1 -p1 -b .sshd
|
|
%patch2 -p1 -b .hostsdeny
|
|
%patch6 -p1 -b .log2syslog
|
|
%patch8 -p1 -b .notmp
|
|
|
|
%build
|
|
python setup.py build
|
|
|
|
%install
|
|
rm -rf %{buildroot}
|
|
python setup.py install -O1 --root %{buildroot}
|
|
%if 0%{?fedora} >= 19
|
|
mkdir -p %{buildroot}%{_unitdir}
|
|
cp -p files/fail2ban.service %{buildroot}%{_unitdir}/
|
|
%else
|
|
mkdir -p %{buildroot}%{_initddir}
|
|
install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
|
|
%endif
|
|
mkdir -p %{buildroot}%{_mandir}/man1
|
|
install -p -m 644 man/fail2ban*.1 %{buildroot}%{_mandir}/man1
|
|
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
|
|
install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
|
|
install -d -m 0755 %{buildroot}%{_localstatedir}/run/fail2ban/
|
|
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
|
|
mkdir -p %{buildroot}%{_sysconfdir}/tmpfiles.d
|
|
install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_sysconfdir}/tmpfiles.d/fail2ban.conf
|
|
# Remove installed doc, use doc macro instead
|
|
rm -r %{buildroot}%{_docdir}/%{name}
|
|
|
|
# Testcases need network access
|
|
#%check
|
|
#./fail2ban-testcases
|
|
|
|
%clean
|
|
rm -rf %{buildroot}
|
|
|
|
%post
|
|
%if 0%{?fedora} >= 19
|
|
%systemd_post fail2ban.service
|
|
%else
|
|
/sbin/chkconfig --add %{name}
|
|
%endif
|
|
|
|
%preun
|
|
%if 0%{?fedora} >= 19
|
|
%systemd_preun fail2ban.service
|
|
%else
|
|
if [ $1 = 0 ]; then
|
|
/sbin/service %{name} stop > /dev/null 2>&1
|
|
/sbin/chkconfig --del %{name}
|
|
fi
|
|
%endif
|
|
|
|
%if 0%{?fedora} >= 19
|
|
%postun
|
|
%systemd_postun_with_restart fail2ban.service
|
|
%endif
|
|
|
|
%files
|
|
%defattr(-,root,root,-)
|
|
%doc README.md TODO ChangeLog COPYING doc/*.txt
|
|
#doc config/fail2ban.conf*
|
|
%{_bindir}/fail2ban-server
|
|
%{_bindir}/fail2ban-client
|
|
%{_bindir}/fail2ban-regex
|
|
%{_datadir}/fail2ban
|
|
%if 0%{?fedora} >= 19
|
|
%{_unitdir}/fail2ban.service
|
|
%else
|
|
%{_initddir}/fail2ban
|
|
%endif
|
|
%{_mandir}/man1/fail2ban*.1*
|
|
%dir %{_sysconfdir}/fail2ban
|
|
%dir %{_sysconfdir}/fail2ban/action.d
|
|
%dir %{_sysconfdir}/fail2ban/filter.d
|
|
%config(noreplace) %{_sysconfdir}/fail2ban/fail2ban.conf
|
|
%config(noreplace) %{_sysconfdir}/fail2ban/jail.conf
|
|
%config(noreplace) %{_sysconfdir}/fail2ban/action.d/*.conf
|
|
%config(noreplace) %{_sysconfdir}/fail2ban/filter.d/*.conf
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
|
|
%dir %{_localstatedir}/run/fail2ban/
|
|
%config(noreplace) %{_sysconfdir}/tmpfiles.d/fail2ban.conf
|
|
%dir %{_localstatedir}/lib/fail2ban/
|
|
|
|
%changelog
|
|
* Fri Aug 16 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-2
|
|
- Add upstream patch to fix hostsdeny permission issue
|
|
|
|
* Wed Jun 12 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.10-1
|
|
- Update to 0.8.10 security release
|
|
- Use upstream provided systemd files
|
|
- Drop upstreamed patches, rebase log2syslog and notmp patches
|
|
|
|
* Fri Mar 15 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-4
|
|
- Use systemd init for Fedora 19+ (bug #883158)
|
|
|
|
* Thu Feb 14 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-3
|
|
- Add patch from upstream to fix module imports (Bug #892365)
|
|
- Add patch from upstream to UTF-8 characters in syslog (Bug #905097)
|
|
- Drop Requires: tcp_wrappers and shorewall (Bug #781341)
|
|
|
|
* Fri Jan 18 2013 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-2
|
|
- Add patch to prevent sshd blocks of successful logins for systems that use
|
|
sssd or ldap
|
|
|
|
* Mon Dec 17 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.8-1
|
|
- Update to 0.8.8 (CVE-2012-5642 Bug #887914)
|
|
|
|
* Thu Oct 11 2012 Orion Poplawski <orion@cora.nwra.com> - 0.8.7.1-1
|
|
- Update to 0.8.7.1
|
|
- Drop fd_cloexec, pyinotify, and examplemail patches fixed upstream
|
|
- Rebase sshd and notmp patches
|
|
- Use _initddir macro
|
|
|
|
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-29
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
|
|
|
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.8.4-28
|
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
|
|
|
|
* Sat Apr 9 2011 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-27
|
|
- Move tmp files to /var/lib (suggested by Phil Anderson).
|
|
- Enable inotify support (by Jonathan Underwood).
|
|
- Fixes RH bugs #669966, #669965, #551895, #552947, #658849, #656584.
|
|
|
|
* Sun Feb 14 2010 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-24
|
|
- Patch by Jonathan G. Underwood <jonathan.underwood@gmail.com> to
|
|
cloexec another fd leak.
|
|
|
|
* Fri Sep 11 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.4-23
|
|
- update to 0.8.4.
|
|
|
|
* Wed Sep 2 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-22
|
|
- Update to a newer svn snapshot to fix python 2.6 issue.
|
|
|
|
* Thu Aug 27 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-21
|
|
- Log to syslog (RH bug #491983). Also deals with RH bug #515116.
|
|
- Check inodes of log files (RH bug #503852).
|
|
|
|
* Sat Feb 14 2009 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-18
|
|
- Fix CVE-2009-0362 (Fedora bugs #485461, #485464, #485465, #485466).
|
|
|
|
* Mon Dec 01 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 0.8.3-17
|
|
- Rebuild for Python 2.6
|
|
|
|
* Sun Aug 24 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.3-16
|
|
- Update to 0.8.3.
|
|
|
|
* Wed May 21 2008 Tom "spot" Callaway <tcallawa@redhat.com> - 0.8.2-15
|
|
- fix license tag
|
|
|
|
* Thu Mar 27 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-14
|
|
- Close on exec fixes by Jonathan Underwood.
|
|
|
|
* Sun Mar 16 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-13
|
|
- Add %%{_localstatedir}/run/fail2ban (David Rees).
|
|
|
|
* Fri Mar 14 2008 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.2-12
|
|
- Update to 0.8.2.
|
|
|
|
* Thu Jan 31 2008 Jonathan G. Underwood <jonathan.underwood@gmail.com> - 0.8.1-11
|
|
- Move socket file from /tmp to /var/run to prevent SElinux from stopping
|
|
fail2ban from starting (BZ #429281)
|
|
- Change logic in init file to start with -x to remove the socket file in case
|
|
of unclean shutdown
|
|
|
|
* Wed Aug 15 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.1-10
|
|
- Update to 0.8.1.
|
|
- Remove patch fixing CVE-2007-4321 (upstream).
|
|
- Remove AllowUsers patch (upstream).
|
|
- Add dependency to gamin-python.
|
|
|
|
* Thu Jun 21 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-9
|
|
- Fix remote log injection (no CVE assignment yet).
|
|
|
|
* Sun Jun 3 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-8
|
|
- Also trigger on non-AllowUsers failures (Jonathan Underwood
|
|
<jonathan.underwood@gmail.com>).
|
|
|
|
* Wed May 23 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-7
|
|
- logrotate should restart fail2ban (Zing <zing@fastmail.fm>).
|
|
- send mail to root; logrotate (Jonathan Underwood
|
|
<jonathan.underwood@gmail.com>)
|
|
|
|
* Sat May 19 2007 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.8.0-4
|
|
- Update to 0.8.0.
|
|
- enable ssh by default, fix log file for ssh scanning, adjust python
|
|
dependency (Jonathan Underwood <jonathan.underwood@gmail.com>)
|
|
|
|
* Sat Dec 30 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-3
|
|
- Remove forgotten condrestart.
|
|
|
|
* Fri Dec 29 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-2
|
|
- Move /usr/lib/fail2ban to %%{_datadir}/fail2ban.
|
|
- Don't default chkconfig to enabled.
|
|
- Add dependencies on service/chkconfig.
|
|
- Use example iptables/ssh config as default config.
|
|
|
|
* Mon Dec 25 2006 Axel Thimm <Axel.Thimm@ATrpms.net> - 0.6.2-1
|
|
- Initial build.
|