From 1b961970e45412d6c6f7d063d5f331e8f0f6eb5b023b317ae5fc7175ac9bf877 Mon Sep 17 00:00:00 2001
From: Johannes Weberhofer
Date: Wed, 1 Jul 2015 19:56:17 +0000
Subject: [PATCH] Accepting request 314731 from home:weberho:branches:security
Major update to version 0.9.2
OBS-URL: https://build.opensuse.org/request/show/314731
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=59
---
 0.8.14.tar.gz | 3 -
 fail2ban-0.9.2.tar.gz | 3 +
 fail2ban-exclude-dev-log-tests.patch | 58 ++++++
 fail2ban-issue_906-strptime.patch | 12 --
 fail2ban-opensuse-locations.patch | 270 +++------------------------
 fail2ban-opensuse-service.patch | 18 ++
 fail2ban-rpmlintrc | 3 +
 fail2ban.changes | 71 +++++++
 fail2ban.init | 114 -----------
 fail2ban.service | 15 --
 fail2ban.spec | 221 ++++++++++++++--------
 paths-opensuse.conf | 36 ++++
 12 files changed, 352 insertions(+), 472 deletions(-)
 delete mode 100644 0.8.14.tar.gz
 create mode 100644 fail2ban-0.9.2.tar.gz
 create mode 100644 fail2ban-exclude-dev-log-tests.patch
 delete mode 100644 fail2ban-issue_906-strptime.patch
 create mode 100644 fail2ban-opensuse-service.patch
 create mode 100644 fail2ban-rpmlintrc
 delete mode 100644 fail2ban.init
 delete mode 100644 fail2ban.service
 create mode 100644 paths-opensuse.conf
diff --git a/0.8.14.tar.gz b/0.8.14.tar.gz
deleted file mode 100644
index 9bdd071..0000000
--- a/0.8.14.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2d579d9f403eb95064781ffb28aca2b258ca55d7a2ba056a8fa2b3e6b79721f2
-size 228121
diff --git a/fail2ban-0.9.2.tar.gz b/fail2ban-0.9.2.tar.gz
new file mode 100644
index 0000000..522ae5c
--- /dev/null
+++ b/fail2ban-0.9.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:476687098303bdee8d6b69e05f190ab150e39e64d56ce158d29bbc5924b06f89
+size 314902
diff --git a/fail2ban-exclude-dev-log-tests.patch b/fail2ban-exclude-dev-log-tests.patch
new file mode 100644
index 0000000..0555634
--- /dev/null
+++ b/fail2ban-exclude-dev-log-tests.patch 
@@ -0,0 +1,58 @@ +diff -ur fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py fail2ban-0.9.2/fail2ban/tests/servertestcase.py +--- fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py 2015-04-29 05:52:48.000000000 +0200 ++++ fail2ban-0.9.2/fail2ban/tests/servertestcase.py 2015-05-08 15:57:57.021437562 +0200 +@@ -778,32 +778,32 @@ + self.setGetTest("logtarget", "STDOUT") + self.setGetTest("logtarget", "STDERR") + +- def testLogTargetSYSLOG(self): +- if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): +- raise unittest.SkipTest("'/dev/log' not present") +- elif not os.path.exists("/dev/log"): +- return +- self.assertTrue(self.server.getSyslogSocket(), "auto") +- self.setGetTest("logtarget", "SYSLOG") +- self.assertTrue(self.server.getSyslogSocket(), "/dev/log") ++# def testLogTargetSYSLOG(self): ++# if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): ++# raise unittest.SkipTest("'/dev/log' not present") ++# elif not os.path.exists("/dev/log"): ++# return ++# self.assertTrue(self.server.getSyslogSocket(), "auto") ++# self.setGetTest("logtarget", "SYSLOG") ++# self.assertTrue(self.server.getSyslogSocket(), "/dev/log") + + def testSyslogSocket(self): + self.setGetTest("syslogsocket", "/dev/log/NEW/PATH") + +- def testSyslogSocketNOK(self): +- self.setGetTest("syslogsocket", "/this/path/should/not/exist") +- self.setGetTestNOK("logtarget", "SYSLOG") +- # set back for other tests +- self.setGetTest("syslogsocket", "/dev/log") +- self.setGetTest("logtarget", "SYSLOG", +- **{True: {}, # should work on Linux +- False: dict( # expect to fail otherwise +- outCode=1, +- outValue=Exception('Failed to change log target'), +- repr_=True # Exceptions are not comparable apparently +- ) +- }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] +- ) ++# def testSyslogSocketNOK(self): ++# self.setGetTest("syslogsocket", "/this/path/should/not/exist") ++# self.setGetTestNOK("logtarget", "SYSLOG") ++# # set back for other tests ++# 
self.setGetTest("syslogsocket", "/dev/log") ++# self.setGetTest("logtarget", "SYSLOG", ++# **{True: {}, # should work on Linux ++# False: dict( # expect to fail otherwise ++# outCode=1, ++# outValue=Exception('Failed to change log target'), ++# repr_=True # Exceptions are not comparable apparently ++# ) ++# }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] ++# ) + + def testLogLevel(self): + self.setGetTest("loglevel", "HEAVYDEBUG") diff --git a/fail2ban-issue_906-strptime.patch b/fail2ban-issue_906-strptime.patch deleted file mode 100644 index baee8b4..0000000 --- a/fail2ban-issue_906-strptime.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -ur fail2ban-0.8.14.orig/common/__init__.py fail2ban-0.8.14/common/__init__.py ---- fail2ban-0.8.14.orig/common/__init__.py 2014-08-19 22:23:33.000000000 +0200 -+++ fail2ban-0.8.14/common/__init__.py 2015-01-21 21:51:13.425141175 +0100 -@@ -28,3 +28,7 @@ - - # Custom debug level - logging.HEAVYDEBUG = 5 -+ -+from time import strptime -+# strptime thread safety hack-around - http://bugs.python.org/issue7980 -+strptime("2012", "%Y") - diff --git a/fail2ban-opensuse-locations.patch b/fail2ban-opensuse-locations.patch index 532ef37..7358b72 100644 --- a/fail2ban-opensuse-locations.patch +++ b/fail2ban-opensuse-locations.patch 
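Review bot: In fail2ban-exclude-dev-log-tests.patch, `testLogTargetSYSLOG` and `testSyslogSocketNOK` are disabled by commenting them out, which drops all coverage of the SYSLOG log target on the affected builds and leaves dead code in the test module that the new tests subpackage ships. `testLogTargetSYSLOG` already raises `unittest.SkipTest` when `/dev/log` is missing, so the build-server failure is presumably a different condition; a skip guard for that condition would keep both tests reported as skipped instead of silently gone. At minimum the patch should open with a header line such as `# Disabled: syslog socket is not usable in the OBS build environment before openSUSE 13.3`, so the reason is recorded in the patch file and not only in fail2ban.changes.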
@@ -1,256 +1,30 @@ -diff -ur fail2ban-0.8.14.orig/config/jail.conf fail2ban-0.8.14/config/jail.conf ---- fail2ban-0.8.14.orig/config/jail.conf 2014-08-19 22:23:33.000000000 +0200 -+++ fail2ban-0.8.14/config/jail.conf 2014-08-20 17:39:21.428256837 +0200 -@@ -80,7 +80,7 @@ - enabled = false - filter = pam-generic - action = iptables-allports[name=pam,protocol=all] --logpath = /var/log/secure -+logpath = /var/log/messages +diff -ur fail2ban-0.9.2-orig/config/jail.conf fail2ban-0.9.2/config/jail.conf +--- fail2ban-0.9.2-orig/config/jail.conf 2015-04-29 05:52:48.000000000 +0200 ++++ fail2ban-0.9.2/config/jail.conf 2015-05-08 17:03:32.377375630 +0200 +@@ -344,7 +344,7 @@ + [roundcube-auth] + + port = http,https +-logpath = /var/log/roundcube/userlogins ++logpath = /srv/www/roundcubemail/logs/errors - [xinetd-fail] -@@ -97,7 +97,7 @@ - filter = sshd - action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 5 + [openwebmail] +@@ -617,7 +617,7 @@ + # filter = named-refused + # port = domain,953 + # protocol = udp +-# logpath = /var/log/named/security.log ++# logpath = /var/lib/named/log/security.log + # IMPORTANT: see filter.d/named-refused for instructions to enable logging + # This jail blocks TCP traffic for DNS requests. 
+@@ -625,7 +625,7 @@ + [named-refused] -@@ -106,7 +106,7 @@ - enabled = false - filter = sshd-ddos - action = iptables[name=SSHDDOS, port=ssh, protocol=tcp] --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 2 - - -@@ -135,7 +135,7 @@ - filter = gssftpd - action = iptables[name=GSSFTPd, port=ftp, protocol=tcp] - sendmail-whois[name=GSSFTPd, dest=you@example.com] --logpath = /var/log/daemon.log -+logpath = /var/log/messages - maxretry = 6 - - -@@ -144,7 +144,7 @@ - enabled = false - filter = pure-ftpd - action = iptables[name=pureftpd, port=ftp, protocol=tcp] --logpath = /var/log/pureftpd.log -+logpath = /var/log/messages - maxretry = 6 - - -@@ -153,7 +153,7 @@ - enabled = false - filter = wuftpd - action = iptables[name=wuftpd, port=ftp, protocol=tcp] --logpath = /var/log/daemon.log -+logpath = /var/log/messages - maxretry = 6 - - -@@ -162,7 +162,7 @@ - enabled = false - filter = sendmail-auth - action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] --logpath = /var/log/mail.log -+logpath = /var/log/mail - - - [sendmail-reject] -@@ -170,7 +170,7 @@ - enabled = false - filter = sendmail-reject - action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] --logpath = /var/log/mail.log -+logpath = /var/log/mail - - - # This jail forces the backend to "polling". 
-@@ -181,7 +181,7 @@ - backend = polling - action = iptables[name=sasl, port=smtp, protocol=tcp] - sendmail-whois[name=sasl, dest=you@example.com] --logpath = /var/log/mail.log -+logpath = /var/log/mail - - - # ASSP SMTP Proxy Jail -@@ -202,7 +202,7 @@ - action = hostsdeny[daemon_list=sshd] - sendmail-whois[name=SSH, dest=you@example.com] - ignoreregex = for myuser from --logpath = /var/log/sshd.log -+logpath = /var/log/messages - - - # Here we use blackhole routes for not requiring any additional kernel support -@@ -212,7 +212,7 @@ - enabled = false - filter = sshd - action = route --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 5 - - -@@ -226,7 +226,7 @@ - enabled = false - filter = sshd - action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 5 - - -@@ -235,7 +235,7 @@ - enabled = false - filter = sshd - action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 5 - - -@@ -329,7 +329,7 @@ - enabled = false - filter = cyrus-imap - action = iptables-multiport[name=cyrus-imap,port="143,993"] --logpath = /var/log/mail*log -+logpath = /var/log/mail - - - [courierlogin] -@@ -337,7 +337,7 @@ - enabled = false - filter = courierlogin - action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"] --logpath = /var/log/mail*log -+logpath = /var/log/mail - - - [couriersmtp] -@@ -345,7 +345,7 @@ - enabled = false - filter = couriersmtp - action = iptables-multiport[name=couriersmtp,port="25,465,587"] --logpath = /var/log/mail*log -+logpath = /var/log/mail - - - [qmail-rbl] -@@ -361,7 +361,7 @@ - enabled = false - filter = sieve - action = iptables-multiport[name=sieve,port="25,465,587"] --logpath = /var/log/mail*log -+logpath = /var/log/mail - - - # Do not ban anybody. Just report information about the remote host. 
-@@ -396,7 +396,8 @@ - filter = apache-badbots - action = iptables-multiport[name=BadBots, port="http,https"] - sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] --logpath = /var/www/*/logs/access_log -+logpath = /var/log/apache/access_log -+ /var/log/apache2/*/access_log - bantime = 172800 - maxretry = 1 - -@@ -466,7 +467,7 @@ - enabled = false - action = iptables-multiport[name=php-url-open, port="http,https"] - filter = php-url-fopen --logpath = /var/www/*/logs/access_log -+logpath = /var/log/apache/access_log - maxretry = 1 - - -@@ -500,7 +501,7 @@ - filter = sshd - action = ipfw[localhost=192.168.0.1] - sendmail-whois[name="SSH,IPFW", dest=you@example.com] --logpath = /var/log/auth.log -+logpath = /var/log/messages - ignoreip = 168.192.0.1 - - -@@ -531,7 +532,7 @@ - filter = named-refused - action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] - sendmail-whois[name=Named, dest=you@example.com] + port = domain,953 -logpath = /var/log/named/security.log +logpath = /var/lib/named/log/security.log - ignoreip = 168.192.0.1 - - -@@ -601,7 +602,7 @@ - filter = mysqld-auth - action = iptables[name=mysql, port=3306, protocol=tcp] - sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] --logpath = /var/log/mysqld.log -+logpath = /var/log/mysql/mysqld.log - maxretry = 5 - - -@@ -610,7 +611,7 @@ - enabled = false - filter = mysqld-auth - action = iptables[name=mysql, port=3306, protocol=tcp] --logpath = /var/log/daemon.log -+logpath = /var/log/mysql/mysqld.log - maxretry = 5 - - -@@ -637,7 +638,7 @@ - enabled = false - filter = sshd - action = pf --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 5 - - -@@ -723,7 +724,7 @@ - enabled = false - filter = dovecot - action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp] --logpath = /var/log/mail.log -+logpath = /var/log/mail - - - [dovecot-auth] -@@ -731,7 +732,7 @@ - enabled = false - filter = dovecot - 
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp] --logpath = /var/log/secure -+logpath = /var/log/mail - - - [solid-pop3d] -@@ -739,7 +740,7 @@ - enabled = false - filter = solid-pop3d - action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp] --logpath = /var/log/mail.log -+logpath = /var/log/mail - - - [selinux-ssh] -@@ -761,7 +762,7 @@ - action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] - blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s] --logpath = /var/log/sshd.log -+logpath = /var/log/messages - maxretry = 20 + [nsd] diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch new file mode 100644 index 0000000..d9276aa --- /dev/null +++ b/fail2ban-opensuse-service.patch @@ -0,0 +1,18 @@ +diff -ur fail2ban-0.9.2-orig/files/fail2ban.service fail2ban-0.9.2/files/fail2ban.service +--- fail2ban-0.9.2-orig/files/fail2ban.service 2015-04-29 05:52:48.000000000 +0200 ++++ fail2ban-0.9.2/files/fail2ban.service 2015-05-07 10:52:04.187045581 +0200 +@@ -1,11 +1,12 @@ + [Unit] + Description=Fail2Ban Service + Documentation=man:fail2ban(1) +-After=network.target iptables.service firewalld.service ++After=network.target SuSEfirewall2.service + + [Service] + Type=forking +-ExecStart=/usr/bin/fail2ban-client -x start ++EnvironmentFile=-/etc/sysconfig/fail2ban ++ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start + ExecStop=/usr/bin/fail2ban-client stop + ExecReload=/usr/bin/fail2ban-client reload + PIDFile=/var/run/fail2ban/fail2ban.pid diff --git a/fail2ban-rpmlintrc b/fail2ban-rpmlintrc new file mode 100644 index 0000000..8995e09 --- /dev/null +++ b/fail2ban-rpmlintrc @@ -0,0 +1,3 @@ +addFilter("W: htaccess-file .*tests.*") +addFilter("W: hidden-file-or-dir .*tests.*") +addFilter("W: no-manual-page-for-binary fail2ban-testcases") 
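Review bot: In fail2ban-opensuse-service.patch the rewritten `After=` line removes `iptables.service` and `firewalld.service` and orders fail2ban only against `SuSEfirewall2.service`. systemd ignores `After=` entries for units that are not installed, so deleting the upstream names gains nothing, while a host that runs one of those firewalls instead of SuSEfirewall2 loses the ordering: fail2ban may start first and a later ruleset load can discard the ban chains it inserted (the spec's own SuSEfirewall2-fail2ban description notes that the firewall does a table flush). Keeping the upstream entries and adding the SUSE one covers all three: `After=network.target iptables.service firewalld.service SuSEfirewall2.service`.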
diff --git a/fail2ban.changes b/fail2ban.changes
index a1081b9..687e007 100644
--- a/fail2ban.changes
+++ b/fail2ban.changes
@@ -1,3 +1,74 @@ +------------------------------------------------------------------- +Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at + +- Removed "backend" setting from paths-opensuse.conf + +------------------------------------------------------------------- +Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at + +- Update to version 0.9.2 (requested in boo#917818) + + Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog + + Here are some notes to be read when updating existing installations: + + The default log-backend for openssue 13.2+ is now systemd + + * jail.conf was heavily refactored and now is similar to how it looked on + Debian systems: + - default action could be configured once for all jails + - jails definitions only provide customizations (port, logpath) + - no need to specify 'filter' if name matches jail name + + * Added fail2ban persistent database + - default location at /var/lib/fail2ban/fail2ban.sqlite3 + - allows active bans to be reinstated on restart + - log files read from last position after restart + + * Added systemd journal backend + - Dependency on python-systemd + - New "journalmatch" option added to filter configs files + - New "systemd-journal" option added to fail2ban-regex + + * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. + Enhanced existing date/time have been updated patterns to support these. + ISO8601 now defaults to localtime unless specified otherwise. Some filters + have been change as required to capture these elements in the right + timezone correctly. + + * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. + + * Optionally can read log files starting from "head" or "tail". See "logpath" + option in jail.conf(5) man page. + + * Can now set log encoding for files per jail.Default uses systemd locale. 
+ + * iptables-common.conf replaced iptables-blocktype.conf + (iptables-blocktype.local should still be read) and now also provides + defaults for the chain, port, protocol and name tags + +- Require whois + +- Whereever possible, path-definitions have been moved paths-opensuse.conf + which has been submittet upstream + +- Use default fail2ban.service including fail2ban-opensuse-service.patch + +- Use default suse-initd from upstream + +- Run test-cases during build + +- run fdupes + +- Tests have been moved to a seperate page + +- Added rpmlintrc file to ignore some hidden files in the test package + +- Must build arch-depended packages for SLES 11 + +- Removed two tests which can't run on the build server with openSUSE + before 13.3: fail2ban-exclude-dev-log-tests.patch + ------------------------------------------------------------------- Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com diff --git a/fail2ban.init b/fail2ban.init deleted file mode 100644 index 7e81f57..0000000 --- a/fail2ban.init +++ /dev/null 
@@ -1,114 +0,0 @@ -#!/bin/sh -# -### BEGIN INIT INFO -# Provides: fail2ban -# Required-Start: $remote_fs $local_fs -# Should-Start: $syslog $time $network iptables -# Required-Stop: $remote_fs $local_fs -# Should-Stop: $syslog $time $network iptables -# Default-Start: 3 5 -# Default-Stop: 0 1 2 6 -# Pidfile: /var/run/fail2ban/fail2ban.pid -# Short-Description: Bans IPs with too many authentication failures -# Description: Start fail2ban to scan logfiles and ban IP addresses -# which make too many logfiles failures, and/or sent e-mails about -### END INIT INFO - -# Check for missing binaries (stale symlinks should not happen) -FAIL2BAN_CLI=/usr/bin/fail2ban-client -test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed"; - if [ "$1" = "stop" ]; then exit 0; - else exit 5; fi; } -FAIL2BAN_SRV=/usr/bin/fail2ban-server -test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed"; - if [ "$1" = "stop" ]; then exit 0; - else exit 5; fi; } - -FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban" -FAIL2BAN_SOCKET_DIR="/var/run/fail2ban" -FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock" -FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid" - -if [ -e $FAIL2BAN_CONFIG ]; then - . $FAIL2BAN_CONFIG -fi - -. /etc/rc.status -rc_reset - -case "$1" in - start) - echo -n "Starting fail2ban " - - if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then - mkdir -p $FAIL2BAN_SOCKET_DIR - fi - - if [ -e $FAIL2BAN_SOCKET ]; then - if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then - rm $FAIL2BAN_SOCKET - fi - fi - $FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1 - - rc_status -v - ;; - stop) - echo -n "Shutting down fail2ban " - ## Stop daemon with built-in functionality 'stop' - /sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1 - - if [ -f $FAIL2BAN_SOCKET ] - then - echo "$FAIL2BAN_SOCKET not removed .. removing .." - rm $FAIL2BAN_SOCKET - fi - if [ -f $FAIL2BAN_PID ] - then - echo "$FAIL2BAN_PID not removed .. removing .." 
- rm $FAIL2BAN_PID - fi - - - rc_status -v - ;; - try-restart|condrestart) - $0 status - if test $? = 0; then - $0 restart - else - rc_reset # Not running is not a failure. - fi - rc_status - ;; - restart) - $0 stop - i=60 - while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do - sleep 1 - i=$[$i-1] - echo -n "." - done - $0 start - - rc_status - ;; - reload|force-reload) - echo -n "Reload service Fail2ban " - /sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1 - - rc_status -v - ;; - status) - echo -n "Checking for service fail2ban " - /sbin/checkproc $FAIL2BAN_SRV - - rc_status -v - ;; - *) - echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}" - exit 1 - ;; -esac -rc_exit - diff --git a/fail2ban.service b/fail2ban.service deleted file mode 100644 index 3c4b18a..0000000 --- a/fail2ban.service +++ /dev/null @@ -1,15 +0,0 @@ -[Unit] -Description=Bans IPs with too many authentication failures -After=network.target SuSEfirewall2.service - -[Service] -Type=forking -EnvironmentFile=-/etc/sysconfig/fail2ban -PIDFile=/run/fail2ban/fail2ban.pid -ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start -ExecReload=/usr/bin/fail2ban-client reload -ExecStop=/usr/bin/fail2ban-client stop - -[Install] -WantedBy=multi-user.target - diff --git a/fail2ban.spec b/fail2ban.spec index 37c72e4..8109e6d 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -17,44 +17,56 @@ Name: fail2ban -Version: 0.8.14 +Version: 0.9.2 Release: 0 -Url: http://www.fail2ban.org/ Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ Group: Productivity/Networking/Security - -Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz -%if 0%{?suse_version} < 1230 -# the init-script requires lsof -Requires: lsof -Source1: %{name}.init -%endif +Url: http://www.fail2ban.org/ +Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source2: %{name}.sysconfig Source3: %{name}.logrotate -Source4: %{name}.service Source5: %{name}.tmpfiles Source6: sfw-fail2ban.conf Source7: f2b-restart.conf +# Path definitions have been submitted to upstream +Source8: paths-opensuse.conf +# ignore some rpm-lint messages +Source200: %{name}-rpmlintrc # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles Patch100: fail2ban-opensuse-locations.patch -# PATCH-FIX-UPSTREAM fail2ban-issue_906-strptime.patch bnc#914075, gh#fail2ban/fail2ban#906 jweberhofer@weberhofer.at -- Fix strptime thread safety issue -Patch101: fail2ban-issue_906-strptime.patch -BuildRoot: %{_tmppath}/%{name}-%{version}-build -BuildArch: noarch -%if 0%{?suse_version} >= 1230 -%{?systemd_requires} -BuildRequires: systemd -%endif +# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file +Patch101: fail2ban-opensuse-service.patch +BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python-devel +# timezone package is required to run the tests +BuildRequires: timezone Requires: cron Requires: ed Requires: iptables Requires: logrotate Requires: python >= 2.5 +Requires: whois +BuildRoot: %{_tmppath}/%{name}-%{version}-build +%if 0%{?suse_version} < 1321 +# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that 
can't work on opensuse < 13.3 +Patch102: fail2ban-exclude-dev-log-tests.patch +%endif +%if 0%{?suse_version} != 1110 +BuildArch: noarch +%endif +%if 0%{?suse_version} < 1230 +# the init-script requires lsof +Requires: lsof Requires: syslog -%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 +%else +BuildRequires: systemd +Requires: systemd +%{?systemd_requires} +%endif +%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +BuildRequires: python-pyinotify Requires: python-pyinotify %endif %if 0%{?suse_version} >= 1220 
@@ -62,29 +74,35 @@ Requires: python-gamin %endif %description -Fail2ban scans log files like /var/log/messages and bans IP addresses -that makes too many password failures. It updates firewall rules to -reject the IP address, can send e-mails, or set host.deny entries. -These rules can be defined by the user. Fail2Ban can read multiple log -files such as sshd or Apache web server ones. +Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP +addresses that makes too many password failures. It updates firewall rules to +reject the IP address, can send e-mails, or set host.deny entries. These rules +can be defined by the user. Fail2Ban can read multiple log files such as sshd +or Apache web server ones. + +%package tests +Summary: Test-cases for fail2ban +Group: System/Monitoring + +%description tests +This package contains fail2ban's testcases %package -n SuSEfirewall2-fail2ban Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd Group: Productivity/Networking/Security -BuildArch: noarch -Recommends: packageand(SuSEfirewall2:fail2ban) Requires: SuSEfirewall2 Requires: fail2ban +Recommends: packageand(SuSEfirewall2:fail2ban) %description -n SuSEfirewall2-fail2ban -This package ships systemd files which will cause fail2ban to be ordered -in relation to SuSEfirewall2 such that the two can be run concurrently -within reason, i.e. SFW will always run first because it does a table flush. +This package ships systemd files which will cause fail2ban to be ordered in +relation to SuSEfirewall2 such that the two can be run concurrently within +reason, i.e. SFW will always run first because it does a table flush. 
%package -n nagios-plugins-fail2ban +%define nagios_plugindir %{_libexecdir}/nagios/plugins Summary: Check fail2ban server and how many IPs are currently banned Group: System/Monitoring -%define nagios_plugindir %{_prefix}/lib/nagios/plugins %description -n nagios-plugins-fail2ban This plugin checks if the fail2ban server is running and how many IPs are 
@@ -96,54 +114,91 @@ How to use Just have to run the following command: $ ./check_fail2ban --help - %prep -%setup +%setup -q +install -m644 %{SOURCE8} config/paths-opensuse.conf + +# Use openSUSE paths +sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf + %patch100 -p1 %patch101 -p1 +%if 0%{?suse_version} < 1321 +%patch102 -p1 +%endif + +rm config/paths-debian.conf \ + config/paths-fedora.conf \ + config/paths-freebsd.conf \ + config/paths-osx.conf # correct doc-path -sed -i -e 's|%{_prefix}/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py +sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py %build -export CFLAGS="$RPM_OPT_FLAGS" +export CFLAGS="%{optflags}" python setup.py build -gzip man/*.1 +gzip man/*.{1,5} %install python setup.py install \ - --root=$RPM_BUILD_ROOT \ + --root=%{buildroot} \ --prefix=%{_prefix} -install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1 -for i in fail2ban-client fail2ban-regex fail2ban-server; do - install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1 -done -install -d -m755 $RPM_BUILD_ROOT/%{_initrddir} -install -d -m755 $RPM_BUILD_ROOT/%{_sbindir} -%if 0%{?suse_version} < 1230 -install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_initrddir}/%{name} -ln -sf %{_initrddir}/%{name} ${RPM_BUILD_ROOT}%{_sbindir}/rc%{name} -%endif -install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates -install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name} -install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d -install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/fail2ban +install -d -m 755 %{buildroot}%{_mandir}/man{1,5} +install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1 +install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5 + +install -d -m 755 %{buildroot}%{_initrddir} +install -d -m 755 %{buildroot}%{_sbindir} %if 0%{?suse_version} >= 1230 -install -d -m755 $RPM_BUILD_ROOT/%{_unitdir} -install -m644 %{SOURCE4} 
$RPM_BUILD_ROOT/%{_unitdir}/%{name}.service -install -d -m755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/ -install -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf +install -d -m 755 %{buildroot}%{_unitdir} +install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service + +install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/ +install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf + +sed -i -e 's/^backend = auto/backend = systemd/' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf +%else + +install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name} +ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} +install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name} %endif + +install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ + +install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates +install -p -m 644 %{SOURCE2} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} + +install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban + %if 0%{?_unitdir:1} -install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \ - "%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf" -install -Dm0644 "%_sourcedir/f2b-restart.conf" \ - "%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf" +install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \ + "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf" +install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \ + "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf" +%endif +install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_fail2ban + +# install docs using the macro +rm -r %{buildroot}%{_docdir}/%{name} + +# remove duplicates +%fdupes -s %{buildroot}%{python_sitelib} + +%check +#stat /dev/log +#python -c "import platform; print(platform.system())" +# tests require python-pyinotify to be installed, 
so don't run them on older versions +%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +# Need a UTF-8 locale to work +export LANG=en_US.UTF-8 +./fail2ban-testcases-all --no-network %endif -install -Dm755 files/nagios/check_fail2ban %{buildroot}/%{nagios_plugindir}/check_fail2ban %pre %if 0%{?suse_version} >= 1230 @@ -151,9 +206,9 @@ install -Dm755 files/nagios/check_fail2ban %{buildroot}/%{nagios_plugindir}/chec %endif %post -%{fillup_only} +%fillup_only %if 0%{?suse_version} >= 1230 -systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf +systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf %service_add_post %{name}.service %endif 
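Review bot: The `sed -i -e 's/^backend = auto/backend = systemd/'` added to `%install` in fail2ban.spec has nothing to match, because the `paths-opensuse.conf` created by this commit contains no `backend` line (the newest fail2ban.changes entry says it was removed) and `sed` exits 0 when no substitution is made. Builds for suse_version >= 1230 therefore keep whatever backend the upstream configuration sets, while the changelog tells administrators the default is now systemd; on a host that logs only to the journal the jails would then watch `/var/log/messages` and `/var/log/mail`, which may not be written, and failed logins would not lead to bans. Either drop the dead `sed` and correct the changelog, or set the backend explicitly and fail the build when the edit did not apply, e.g. `grep -q '^backend = systemd' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf`. If systemd is the intended backend, the python-systemd dependency named in the changelog also needs a matching `Requires:`, which does not appear in the visible hunks.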
@@ -174,46 +229,52 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf %if 0%{?_unitdir:1} %post -n SuSEfirewall2-fail2ban -%_bindir/systemctl daemon-reload >/dev/null 2>&1 || : +%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %postun -n SuSEfirewall2-fail2ban -%_bindir/systemctl daemon-reload >/dev/null 2>&1 || : +%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %endif %files %defattr(-, root, root) -%dir %{_sysconfdir}/%{name} -%dir %{_sysconfdir}/%{name}/action.d -%dir %{_sysconfdir}/%{name}/filter.d -%config(noreplace) %{_sysconfdir}/%{name}/*.conf -%config(noreplace) %{_sysconfdir}/%{name}/action.d/*.conf -%config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf +%config(noreplace) %{_sysconfdir}/%{name} %config %{_sysconfdir}/logrotate.d/fail2ban +%dir %{_localstatedir}/lib/fail2ban/ %if 0%{?suse_version} >= 1230 %{_unitdir}/%{name}.service -%{_prefix}/lib/tmpfiles.d/%{name}.conf +%{_libexecdir}/tmpfiles.d/%{name}.conf %else -%{_initrddir}/%{name} +%{_initddir}/%{name} %{_sbindir}/rc%{name} -%dir %ghost /var/run/%{name} +%dir %ghost %{_localstatedir}/run/%{name} %endif -%{_bindir}/%{name}* -%{_datadir}/%{name} -/var/adm/fillup-templates/sysconfig.%{name} -%doc %{_mandir}/man1/* -%doc COPYING ChangeLog DEVELOP README.md TODO files/cacti +%{_bindir}/fail2ban-server +%{_bindir}/fail2ban-client +%{_bindir}/fail2ban-regex +%{python_sitelib}/%{name} +%exclude %{python_sitelib}/%{name}/tests +%{python_sitelib}/%{name}-* +%{_localstatedir}/adm/fillup-templates/sysconfig.%{name} +%{_mandir}/man1/* +%{_mandir}/man5/* +%doc README.md TODO ChangeLog COPYING doc/*.txt %if 0%{?_unitdir:1} %files -n SuSEfirewall2-fail2ban %defattr(-,root,root) -%_unitdir/SuSEfirewall2.service.d -%_unitdir/fail2ban.service.d +%{_unitdir}/SuSEfirewall2.service.d +%{_unitdir}/fail2ban.service.d %endif +%files tests +%defattr(-,root,root) +%{_bindir}/fail2ban-testcases +%{python_sitelib}/%{name}/tests + %files -n nagios-plugins-fail2ban %defattr(-,root,root) %doc 
files/nagios/README COPYING -%dir %{_prefix}/lib/nagios +%dir %{_libexecdir}/nagios %dir %{nagios_plugindir} %{nagios_plugindir}/check_fail2ban diff --git a/paths-opensuse.conf b/paths-opensuse.conf new file mode 100644 index 0000000..29e543a --- /dev/null +++ b/paths-opensuse.conf @@ -0,0 +1,36 @@ +# openSUSE log-file locations + +[INCLUDES] + +before = paths-common.conf + +after = paths-overrides.local + + +[DEFAULT] + +syslog_local0 = /var/log/messages + +syslog_mail = /var/log/mail + +syslog_mail_warn = %(syslog_mail)s + +syslog_authpriv = %(syslog_local0)s + +syslog_user = %(syslog_local0)s + +syslog_ftp = %(syslog_local0)s + +syslog_daemon = %(syslog_local0)s + +apache_error_log = /var/log/apache2/*error_log + +apache_access_log = /var/log/apache2/*access_log + +pureftpd_log = %(syslog_local0)s + +exim_main_log = /var/log/exim/main.log + +mysql_log = /var/log/mysql/mysqld.log + +solidpop3d_log = %(syslog_mail)s