pool/fail2ban
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1217267 from security

Browse Source 
- update to 1.1.0:
  * circumvent SEGFAULT in a python's socket module by
    getaddrinfo with disabled IPv6 (gh-3438)
  * avoid sporadic error in pyinotify backend if pending file
    deleted in other thread, e. g. by flushing logs (gh-3635)
  * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode
    args by unban
  * `action.d/*ipset*`: make `maxelem` ipset option configurable
    through banaction arguments (gh-3564)
  * `filter.d/apache-common.conf` - accepts remote besides client
    (gh-3622)
  * `filter.d/mysqld-auth.conf` - matches also if no suffix in
    message (mariadb 10.3 log format, gh-3603)
  * `filter.d/nginx-*.conf` - nginx error-log filters extended
    with support of journal format (gh-3646)
  * `filter.d/postfix.conf`:
    - "rejected" rule extended to match "Access denied" too
    - avoid double counting ('lost connection after AUTH'
      together with message 'disconnect ...', gh-3505)
    - add Sender address rejected: Malformed DNS server reply
    - add to postfix syslog daemon format (gh-3690)
    - change journalmatch postfix, allow sub-units with
      postfix@-.service (gh-3692)
  * `filter.d/recidive.conf`: support for systemd-journal,
    conditional RE depending on logtype (for file or journal,
    gh-3693)
  * `filter.d/slapd.conf` - filter rewritten for single-line
    processing, matches errored result without `text=...`
    (gh-3604)
  * supports python 3.12 and 3.13 (gh-3487)

OBS-URL: https://build.opensuse.org/request/show/1217267
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=70
This commit is contained in:
Ana Guerrero 2024-10-23 19:11:23 +00:00 committed by Git OBS Bridge
commit 2e5142b6d5
7 changed files with 122 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fail2ban-1.0.2.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
size 583295

11
fail2ban-1.0.2.tar.gz.asc
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
e8+y9LLToHFjKeji436S6985hBQnEA==
=jGOy
-----END PGP SIGNATURE-----

3
fail2ban-1.1.0.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:474fcc25afdaf929c74329d1e4d24420caabeea1ef2e041a267ce19269570bae
size 603854

11
fail2ban-1.1.0.tar.gz.asc Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
=qvry
-----END PGP SIGNATURE-----

14
fail2ban-disable-iptables-w-option.patch
View File

@ -1,14 +0,0 @@
--- fail2ban-1.0.1/config/action.d/iptables.conf.orig 2022-10-12 11:35:25.789327341 +0200
+++ fail2ban-1.0.1/config/action.d/iptables.conf 2022-10-12 11:35:40.585449861 +0200
@@ -138,8 +138,10 @@
# running concurrently and causing irratic behavior. -w was introduced
# in iptables 1.4.20, so might be absent on older systems
# See https://github.com/fail2ban/fail2ban/issues/1122
+# The default option "-w" can be used for openSUSE versions 13.2+ and
+# for updated versions of openSUSE 13.1; SLE 12 supports this option.
# Values: STRING
-lockingopt = -w
+lockingopt =
# Option: iptables
# Notes.: Actual command to be executed, including common to all calls options

155
fail2ban.changes
View File

@ -1,3 +1,56 @@
-------------------------------------------------------------------
Wed Oct 23 09:08:23 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 1.1.0:
* circumvent SEGFAULT in a python's socket module by
getaddrinfo with disabled IPv6 (gh-3438)
* avoid sporadic error in pyinotify backend if pending file
deleted in other thread, e. g. by flushing logs (gh-3635)
* `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode
args by unban
* `action.d/*ipset*`: make `maxelem` ipset option configurable
through banaction arguments (gh-3564)
* `filter.d/apache-common.conf` - accepts remote besides client
(gh-3622)
* `filter.d/mysqld-auth.conf` - matches also if no suffix in
message (mariadb 10.3 log format, gh-3603)
* `filter.d/nginx-*.conf` - nginx error-log filters extended
with support of journal format (gh-3646)
* `filter.d/postfix.conf`:
- "rejected" rule extended to match "Access denied" too
- avoid double counting ('lost connection after AUTH'
together with message 'disconnect ...', gh-3505)
- add Sender address rejected: Malformed DNS server reply
- add to postfix syslog daemon format (gh-3690)
- change journalmatch postfix, allow sub-units with
postfix@-.service (gh-3692)
* `filter.d/recidive.conf`: support for systemd-journal,
conditional RE depending on logtype (for file or journal,
gh-3693)
* `filter.d/slapd.conf` - filter rewritten for single-line
processing, matches errored result without `text=...`
(gh-3604)
* supports python 3.12 and 3.13 (gh-3487)
* bundling async modules removed in python 3.12+ (fallback to
local libraries pyasyncore/pyasynchat if import would miss
them, gh-3487)
* `fail2ban-client` extended (gh-2975):
- `fail2ban-client status --all [flavor]` - returns status
of fail2ban and all jails in usual form
- `fail2ban-client stats` - returns statistic in form of
table (jail, backend, found and banned counts)
- `fail2ban-client statistic` or `fail2ban-client
statistics` - same as `fail2ban-client stats` (aliases for
stats)
- `fail2ban-client status --all stats` - (undocumented,
flavor "stats") returns statistic of all jails in form of
python dict
* `fail2ban-regex` extended to load settings from jail (by
simple name it'd prefer jail to the filter now, gh-2655);
- drop fail2ban-disable-iptables-w-option.patch: only needed for
sle10 and older, which is no longer supported (is now python >=
3.5)
-------------------------------------------------------------------
Wed Sep 4 07:54:06 UTC 2024 - Marcus Meissner <meissner@suse.com>
@ -13,7 +66,7 @@ Mon Jun 5 16:36:47 UTC 2023 - Lars Vogdt <lars@linux-schulserver.de>
- use nagios-rpm-macros to define the libexecdir for SUSE distributions
correctly (defaut here is /usr/lib/nagios/plugins)
- move conditional for %%pre scripts, to avoid any dependency or other
- move conditional for %%pre scripts, to avoid any dependency or other
stuff getting in the way on old distributions
-------------------------------------------------------------------
@ -51,7 +104,7 @@ Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller <dmueller@suse.com>
-------------------------------------------------------------------
Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow
- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow
fail2ban run under under python 3.9+
- Shifted the order of the patches
@ -65,7 +118,7 @@ Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
-------------------------------------------------------------------
Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch
to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand
-------------------------------------------------------------------
@ -78,7 +131,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Update to 0.11.2
increased stability, filter and action updates
- New Features and Enhancements
* fail2ban-regex:
- speedup formatted output (bypass unneeded stats creation)
@ -89,7 +142,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
* new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689)
* new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855)
* new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723)
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured
* `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured
(gh#fail2ban/fail2ban#2631)
* `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778)
* introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex;
@ -98,7 +151,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814):
- filter gets mode in-operation, which gets activated if filter starts processing of new messages;
in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected
bypass of failure (previously exceeding `findtime`);
- better interaction with non-matching optional datepattern or invalid timestamps;
- implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages,
@ -119,9 +172,9 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
* no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified
per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357
* ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686)
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
* don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes),
so would bother the action interpolation
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
* fixed type conversion in config readers (take place after all interpolations get ready), that allows to
specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters.
* `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy
between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703)
@ -132,17 +185,17 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer <jweberhofer@weberhofer.at>
* `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836)
* `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line`
should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650)
* `filter.d/dovecot.conf`:
* `filter.d/dovecot.conf`:
- add managesieve and submission support (gh#fail2ban/fail2ban#2795);
- accept messages with more verbose logging (gh#fail2ban/fail2ban#2573);
* `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697)
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
* `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle
the match of username differently (gh#fail2ban/fail2ban#2693):
- `normal`: matches 401 with supplied username only
- `ddos`: matches 401 without supplied username only
- `aggressive`: matches 401 and any variant (with and without username)
* `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749)
- Rebased patches
- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch
@ -165,7 +218,7 @@ Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
* Introduced new action command `actionprolong` to prolong ban-time
(e. g. set new timeout if expected);
* algorithm of restore current bans after restart changed:
update the restored ban-time (and therefore
update the restored ban-time (and therefore
end of ban) of the ticket with ban-time of jail (as maximum),
for all tickets with ban-time greater (or persistent)
* added new setup-option `--without-tests` to skip building
@ -215,7 +268,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
* https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog
- Fixes
* `filter.d/dovecot.conf`:
* `filter.d/dovecot.conf`:
- failregex enhancement to catch sql password mismatch errors (gh-2153);
- disconnected with "proxy dest auth failed" (gh-2184);
* `filter.d/freeswitch.conf`:
@ -229,7 +282,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
* `filter.d/domino-smtp.conf`:
- recognizes failures logged using another format (something like session-id, IP enclosed in square brackets);
- failregex extended to catch connections rejected for policy reasons (gh-2228);
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
* `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected
and don't allowed in command-actions), see gh-2114;
* decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171):
- fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly
@ -238,14 +291,14 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de
- database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database;
additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137);
- logging in fail2ban is process-wide exception-safe now.
* repaired start-time of initial seek to time (as well as other log-parsing related data),
* repaired start-time of initial seek to time (as well as other log-parsing related data),
if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173)
* systemd: fixed type error on option `journalflags`: an integer is required (gh-2125);
- New Features
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
* new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`,
`ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example;
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
* `ignorecommand` extended to use actions-similar replacement (capable to interpolate
all possible tags like `<ip-host>`, `<family>`, `<fid>`, `F-USER` etc.)
- Enhancements
@ -332,23 +385,23 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
- Incompatibility:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
- Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
* `action.d/pf.conf`:
- fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
- extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
@ -375,14 +428,14 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
- `datetime` - add date-time to the message (default on, ignored if `format` specified);
- `format` - specify own format how it will be logged, for example for short-log into STDOUT:
`fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
if repair fails - recreate new database (gh-1465, gh-2004).
-------------------------------------------------------------------
Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com
- Replace references to /var/adm/fillup-templates with new
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
-------------------------------------------------------------------
@ -393,9 +446,9 @@ Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at
- Removed 607568f.patch and 1783.patch
- New features:
- New features:
* IPv6 support
- IP addresses are now handled as objects rather than strings capable for
- IP addresses are now handled as objects rather than strings capable for
handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific actions
additionally
@ -451,32 +504,32 @@ Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at
Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP"
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no
action as a result"
- Update to 0.9.7
* Fixed a systemd-journal handling in fail2ban-regex
* Fixed a systemd-journal handling in fail2ban-regex
(gh#fail2ban/fail2ban#1657)
* filter.d/sshd.conf
- Fixed non-anchored part of failregex (misleading match of colon inside
IPv6 address instead of `: ` in the reason-part by missing space,
IPv6 address instead of `: ` in the reason-part by missing space,
gh#fail2ban/fail2ban#1658)
(0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479)
* config/pathes-freebsd.conf
- Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667)
* filter.d/exim.conf
- optional part `(...)` after host-name before `[IP]`
- optional part `(...)` after host-name before `[IP]`
(gh#fail2ban/fail2ban#1751)
- new reason "Unrouteable address" for "rejected RCPT" regex
- new reason "Unrouteable address" for "rejected RCPT" regex
(gh#fail2ban/fail2ban#1762)
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
- match of complex time like `D=2m42s` in regex "no MAIL in SMTP
connection" (gh#fail2ban/fail2ban#1766)
* filter.d/sshd.conf
- new aggressive rules (gh#fail2ban/fail2ban#864):
- Connection reset by peer (multi-line rule during authorization process)
- No supported authentication methods available
- single line and multi-line expression optimized, added optional prefixes
and suffix (logged from several ssh versions), according
and suffix (logged from several ssh versions), according
to gh#fail2ban/fail2ban#1206;
- fixed expression received disconnect auth fail (optional space after port
part, gh#fail2ban/fail2ban#1652)
@ -499,7 +552,7 @@ Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at
-------------------------------------------------------------------
Sun Mar 5 12:56:10 UTC 2017 - wagner-thomas@gmx.at
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban
-------------------------------------------------------------------
Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de
@ -582,7 +635,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
- Update to version 0.9.5
New Features
* New Actions: action.d/firewallcmd-rich-rules and
* New Actions: action.d/firewallcmd-rich-rules and
action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367)
* New filter: slapd - ban hosts, that were failed to connect with invalid
credentials: error code 49 (gh#fail2ban/fail2ban#1478)
@ -594,7 +647,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
- (journal_mode = MEMORY) use memory for the transaction logging
- (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362)
* Added additional regex filter for dovecot ldap authentication
* Added additional regex filter for dovecot ldap authentication
failures (gh#fail2ban/fail2ban#1370)
* filter.d/exim*conf
- Added additional regexes (gh#fail2ban/fail2ban#1371)
@ -619,7 +672,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at
(gh#fail2ban/fail2ban#1405)
- All optional spaces normalized in common.conf, test covered now
- Generic __prefix_line extended with optional brackets for the date ambit
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
(gh#fail2ban/fail2ban#1421), added new parameter __date_ambit
* gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon,
not argument of fail2ban (see gh#fail2ban/fail2ban#1434)
@ -654,7 +707,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
New Features:
* New interpolation feature for definition config readers - `<known/parameter>`
(means last known init definition of filters or actions with name `parameter`).
This interpolation makes possible to extend a parameters of stock filter or
This interpolation makes possible to extend a parameters of stock filter or
action directly in jail inside jail.local file, without creating a separately
filter.d/*.local file.
As extension to interpolation `%(known/parameter)s`, that does not works for
@ -695,7 +748,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
* Add *_backend options for services to allow distros to set the default
backend per service, set default to systemd for Fedora as appropriate
* Performance improvements while monitoring large number of files (gh-1265).
Use associative array (dict) for monitored log files to speed up lookup
Use associative array (dict) for monitored log files to speed up lookup
operations. Thanks @kshetragia
* Specified that fail2ban is PartOf iptables.service firewalld.service in
.service file -- would reload fail2ban if those services are restarted
@ -762,7 +815,7 @@ Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at
openSUSE.
- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for
older releases.
older releases.
- Update to version 0.9.3
@ -980,7 +1033,7 @@ Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
user"
- filter dovecot - lip= was optional and extended TLS errors can occur.
Thanks Noel Butler.
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed
upstream
- split out nagios-plugins-fail2ban package
@ -1044,17 +1097,17 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
* Filter improvements:
- apache-noscript now includes php cgi scripts
- exim-spam filter to match spamassassin log entry for option SAdevnull.
- Added to sshd filter expression for
- Added to sshd filter expression for
"Received disconnect from : 3: Auth fail"
- Improved ACL-handling for Asterisk
- Added improper command pipelining to postfix filter.
* General fixes:
- Added lots of jail.conf entries for missing filters that creaped in
- Added lots of jail.conf entries for missing filters that creaped in
over the last year.
- synchat changed to use push method which verifies whether all data was
send. This ensures that all data is sent before closing the connection.
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
- Fixed python 2.4 compatibility (as sub-second in date patterns weren't
2.4 compatible)
- Complain/email actions fixed to only include relevant IPs to reporting
@ -1064,7 +1117,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
- Kernel syslog expression can have leading spaces
- allow for ",milliseconds" in the custom date format of proftpd.log
- recidive jail to block all protocols
- smtps not a IANA standard so may be missing from /etc/services. Due to
- smtps not a IANA standard so may be missing from /etc/services. Due to
(still) common use 465 has been used as the explicit port number
- Filter dovecot reordered session and TLS items in regex with wider scope
for session characters
@ -1081,7 +1134,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
- Fixed formating of github references in changelog
- reformatted spec-file
-------------------------------------------------------------------
Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at
@ -1127,7 +1180,7 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at
* files/suse-initd -- update to the copy from stock SUSE
* Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227,
gh#fail2ban/fail2ban#230.
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
* Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes
gh#fail2ban/fail2ban#244.
------------------------------------------------------------------
@ -1173,7 +1226,7 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at
* [945ad3d9] Fix dates on email actions to work in different locals. Closes
gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea.
blotus
* [96eb8986] ' and " should also be escaped in action tags Closes
* [96eb8986] ' and " should also be escaped in action tags Closes
gh#fail2ban/fail2ban#109
Christoph Theis, Nick Hilliard, Daniel Black
* [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD
@ -1265,7 +1318,7 @@ would be at a significant security risk.
custom action files) since its value could contain arbitrary
symbols. Thanks for discovery go to the NBS System security
team
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
* [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes.
Close gh#fail2ban/fail2ban#83
* [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3
* [37a2e59] store IP as a base, non-unicode str to avoid spurious messages
@ -1274,7 +1327,7 @@ would be at a significant security risk.
- New features:
David Engeset
* [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching
the log file to take 'banip' or 'unbanip' in effect.
the log file to take 'banip' or 'unbanip' in effect.
Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86
- Enhancements:
@ -1384,7 +1437,7 @@ Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at
-------------------------------------------------------------------
Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de
- Adding to fail2ban.init remove of pid and sock files on stop
- Adding to fail2ban.init remove of pid and sock files on stop
in case not removed before (prevents start fail)
-------------------------------------------------------------------

18
fail2ban.spec
View File

@ -22,7 +22,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: fail2ban
Version: 1.0.2
Version: 1.1.0
Release: 0
Summary: Bans IP addresses that make too many authentication failures
License: GPL-2.0-or-later
@ -42,8 +42,6 @@ Source200: fail2ban.keyring
Patch100: %{name}-opensuse-locations.patch
# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
Patch101: %{name}-opensuse-service.patch
# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
Patch200: %{name}-disable-iptables-w-option.patch
# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
Patch201: %{name}-0.10.4-env-script-interpreter.patch
# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
@ -62,11 +60,9 @@ Requires: cron
Requires: ed
Requires: iptables
Requires: logrotate
Requires: python3 >= 3.2
Requires: python3 >= 3.5
Requires: whois
%if 0%{?suse_version} != 1110
BuildArch: noarch
%endif
%if 0%{?suse_version} >= 1230
# systemd
BuildRequires: python3-systemd
@ -79,7 +75,7 @@ Requires: systemd > 204
Requires: lsof
Requires: syslog
%endif
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
%if 0%{?suse_version} >= 1500
BuildRequires: python3-pyinotify >= 0.8.3
Requires: python3-pyinotify >= 0.8.3
%endif
@ -134,9 +130,6 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
%patch -P 100 -p1
%patch -P 101 -p1
%if 0%{?suse_version} < 1310
%patch -P 200 -p1
%endif
%patch -P 201 -p1
%if !0%{?suse_version} > 1500
%patch -P 300 -p1
@ -160,7 +153,6 @@ sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
%build
export CFLAGS="%{optflags}"
./fail2ban-2to3
python3 setup.py build
gzip man/*.{1,5}
@ -229,10 +221,8 @@ rm -r %{buildroot}%{_docdir}/%{name}
%fdupes -s %{buildroot}%{python3_sitelib}
%check
#stat /dev/log
#python -c "import platform; print(platform.system())"
# tests require python-pyinotify to be installed, so don't run them on older versions
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
%if 0%{?suse_version} >= 1500
# Need a UTF-8 locale to work
export LANG=en_US.UTF-8
./fail2ban-testcases-all --no-network || true