diff --git a/fail2ban-1.0.2.tar.gz b/fail2ban-1.0.2.tar.gz
deleted file mode 100644
index 2644181..0000000
--- a/fail2ban-1.0.2.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
-size 583295
diff --git a/fail2ban-1.0.2.tar.gz.asc b/fail2ban-1.0.2.tar.gz.asc
deleted file mode 100644
index d2165cb..0000000
--- a/fail2ban-1.0.2.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
-iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
-EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
-aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
-dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
-Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
-e8+y9LLToHFjKeji436S6985hBQnEA==
-=jGOy
------END PGP SIGNATURE-----
diff --git a/fail2ban-1.1.0.tar.gz b/fail2ban-1.1.0.tar.gz
new file mode 100644
index 0000000..f8d532a
--- /dev/null
+++ b/fail2ban-1.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:474fcc25afdaf929c74329d1e4d24420caabeea1ef2e041a267ce19269570bae
+size 603854
diff --git a/fail2ban-1.1.0.tar.gz.asc b/fail2ban-1.1.0.tar.gz.asc
new file mode 100644
index 0000000..01765cf
--- /dev/null
+++ b/fail2ban-1.1.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----
diff --git a/fail2ban-disable-iptables-w-option.patch b/fail2ban-disable-iptables-w-option.patch
deleted file mode 100644
index 19c65d5..0000000
--- a/fail2ban-disable-iptables-w-option.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- fail2ban-1.0.1/config/action.d/iptables.conf.orig 2022-10-12 11:35:25.789327341 +0200
-+++ fail2ban-1.0.1/config/action.d/iptables.conf 2022-10-12 11:35:40.585449861 +0200
-@@ -138,8 +138,10 @@
- # running concurrently and causing irratic behavior. -w was introduced
- # in iptables 1.4.20, so might be absent on older systems
- # See https://github.com/fail2ban/fail2ban/issues/1122
-+# The default option "-w" can be used for openSUSE versions 13.2+ and
-+# for updated versions of openSUSE 13.1; SLE 12 supports this option.
- # Values: STRING
--lockingopt = -w
-+lockingopt =
-
- # Option: iptables
- # Notes.: Actual command to be executed, including common to all calls options
diff --git a/fail2ban.changes b/fail2ban.changes
index 6f0e5a2..0f97379 100644
--- a/fail2ban.changes
+++ b/fail2ban.changes
@@ -1,3 +1,56 @@ +------------------------------------------------------------------- +Wed Oct 23 09:08:23 UTC 2024 - Dirk Müller + +- update to 1.1.0: + * circumvent SEGFAULT in a python's socket module by + getaddrinfo with disabled IPv6 (gh-3438) + * avoid sporadic error in pyinotify backend if pending file + deleted in other thread, e. g. by flushing logs (gh-3635) + * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode + args by unban + * `action.d/*ipset*`: make `maxelem` ipset option configurable + through banaction arguments (gh-3564) + * `filter.d/apache-common.conf` - accepts remote besides client + (gh-3622) + * `filter.d/mysqld-auth.conf` - matches also if no suffix in + message (mariadb 10.3 log format, gh-3603) + * `filter.d/nginx-*.conf` - nginx error-log filters extended + with support of journal format (gh-3646) + * `filter.d/postfix.conf`: + - "rejected" rule extended to match "Access denied" too + - avoid double counting ('lost connection after AUTH' + together with message 'disconnect ...', gh-3505) + - add Sender address rejected: Malformed DNS server reply + - add to postfix syslog daemon format (gh-3690) + - change journalmatch postfix, allow sub-units with + postfix@-.service (gh-3692) + * `filter.d/recidive.conf`: support for systemd-journal, + conditional RE depending on logtype (for file or journal, + gh-3693) + * `filter.d/slapd.conf` - filter rewritten for single-line + processing, matches errored result without `text=...` + (gh-3604) + * supports python 3.12 and 3.13 (gh-3487) + * bundling async modules removed in python 3.12+ (fallback to + local libraries pyasyncore/pyasynchat if import would miss + them, gh-3487) + * `fail2ban-client` extended (gh-2975): + - `fail2ban-client status --all [flavor]` - returns status + of fail2ban and all jails in usual form + - `fail2ban-client stats` - returns statistic in form of + table (jail, backend, found and banned counts) + - `fail2ban-client statistic` or `fail2ban-client + 
statistics` - same as `fail2ban-client stats` (aliases for + stats) + - `fail2ban-client status --all stats` - (undocumented, + flavor "stats") returns statistic of all jails in form of + python dict + * `fail2ban-regex` extended to load settings from jail (by + simple name it'd prefer jail to the filter now, gh-2655); +- drop fail2ban-disable-iptables-w-option.patch: only needed for + sle10 and older, which is no longer supported (is now python >= + 3.5) + ------------------------------------------------------------------- Wed Sep 4 07:54:06 UTC 2024 - Marcus Meissner @@ -13,7 +66,7 @@ Mon Jun 5 16:36:47 UTC 2023 - Lars Vogdt - use nagios-rpm-macros to define the libexecdir for SUSE distributions correctly (defaut here is /usr/lib/nagios/plugins) -- move conditional for %%pre scripts, to avoid any dependency or other +- move conditional for %%pre scripts, to avoid any dependency or other stuff getting in the way on old distributions ------------------------------------------------------------------- @@ -51,7 +104,7 @@ Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller ------------------------------------------------------------------- Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer -- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow +- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow fail2ban run under under python 3.9+ - Shifted the order of the patches @@ -65,7 +118,7 @@ Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz ------------------------------------------------------------------- Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer -- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch +- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand ------------------------------------------------------------------- 
@@ -78,7 +131,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer - Update to 0.11.2 increased stability, filter and action updates - + - New Features and Enhancements * fail2ban-regex: - speedup formatted output (bypass unneeded stats creation) @@ -89,7 +142,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689) * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855) * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723) - * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured + * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured (gh#fail2ban/fail2ban#2631) * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778) * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; @@ -98,7 +151,7 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814): - filter gets mode in-operation, which gets activated if filter starts processing of new messages; in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much - from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected + from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected bypass of failure (previously exceeding `findtime`); - better interaction with non-matching optional datepattern or invalid timestamps; - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages, 
@@ -119,9 +172,9 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer * no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357 * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686) - * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), + * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), so would bother the action interpolation - * fixed type conversion in config readers (take place after all interpolations get ready), that allows to + * fixed type conversion in config readers (take place after all interpolations get ready), that allows to specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters. * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703) 
@@ -132,17 +185,17 @@ Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836) * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650) - * `filter.d/dovecot.conf`: + * `filter.d/dovecot.conf`: - add managesieve and submission support (gh#fail2ban/fail2ban#2795); - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573); * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697) - * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle + * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle the match of username differently (gh#fail2ban/fail2ban#2693): - `normal`: matches 401 with supplied username only - `ddos`: matches 401 without supplied username only - `aggressive`: matches 401 and any variant (with and without username) * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749) - + - Rebased patches - Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch @@ -165,7 +218,7 @@ Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin * Introduced new action command `actionprolong` to prolong ban-time (e. g. set new timeout if expected); * algorithm of restore current bans after restart changed: - update the restored ban-time (and therefore + update the restored ban-time (and therefore end of ban) of the ticket with ban-time of jail (as maximum), for all tickets with ban-time greater (or persistent) * added new setup-option `--without-tests` to skip building 
@@ -215,7 +268,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog - Fixes - * `filter.d/dovecot.conf`: + * `filter.d/dovecot.conf`: - failregex enhancement to catch sql password mismatch errors (gh-2153); - disconnected with "proxy dest auth failed" (gh-2184); * `filter.d/freeswitch.conf`: @@ -229,7 +282,7 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de * `filter.d/domino-smtp.conf`: - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets); - failregex extended to catch connections rejected for policy reasons (gh-2228); - * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected + * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions), see gh-2114; * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171): - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly 
@@ -238,14 +291,14 @@ Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database; additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137); - logging in fail2ban is process-wide exception-safe now. - * repaired start-time of initial seek to time (as well as other log-parsing related data), + * repaired start-time of initial seek to time (as well as other log-parsing related data), if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173) * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125); - New Features - * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, + * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example; - * `ignorecommand` extended to use actions-similar replacement (capable to interpolate + * `ignorecommand` extended to use actions-similar replacement (capable to interpolate all possible tags like ``, ``, ``, `F-USER` etc.) - Enhancements 
@@ -332,23 +385,23 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at - Incompatibility: * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors, - just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. + just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. - Fixes - * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid + * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876) * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639) - * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely + * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942. * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955. 
- * `action.d/pf.conf`: + * `action.d/pf.conf`: - fixed syntax error in achnor definition (documentation, see gh-1919); - enclose ports in braces for multiport jails (see gh-1925); * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990) * `filter.d/sshd.conf`: - extended failregex for modes "extra"/"aggressive": now finds all possible (also future) - forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", + forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944); - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263); @@ -375,14 +428,14 @@ Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at - `datetime` - add date-time to the message (default on, ignored if `format` specified); - `format` - specify own format how it will be logged, for example for short-log into STDOUT: `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`; - * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with + * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 'database disk image is malformed'). Fail2ban will create a backup, try to repair the database, if repair fails - recreate new database (gh-1465, gh-2004). ------------------------------------------------------------------- Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com -- Replace references to /var/adm/fillup-templates with new +- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468) ------------------------------------------------------------------- 
@@ -393,9 +446,9 @@ Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at - Removed 607568f.patch and 1783.patch -- New features: +- New features: * IPv6 support - - IP addresses are now handled as objects rather than strings capable for + - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally 
@@ -451,32 +504,32 @@ Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at - added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP" - this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no + this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no action as a result" - Update to 0.9.7 - * Fixed a systemd-journal handling in fail2ban-regex + * Fixed a systemd-journal handling in fail2ban-regex (gh#fail2ban/fail2ban#1657) * filter.d/sshd.conf - Fixed non-anchored part of failregex (misleading match of colon inside - IPv6 address instead of `: ` in the reason-part by missing space, + IPv6 address instead of `: ` in the reason-part by missing space, gh#fail2ban/fail2ban#1658) (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479) * config/pathes-freebsd.conf - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667) * filter.d/exim.conf - - optional part `(...)` after host-name before `[IP]` + - optional part `(...)` after host-name before `[IP]` (gh#fail2ban/fail2ban#1751) - - new reason "Unrouteable address" for "rejected RCPT" regex + - new reason "Unrouteable address" for "rejected RCPT" regex (gh#fail2ban/fail2ban#1762) - - match of complex time like `D=2m42s` in regex "no MAIL in SMTP + - match of complex time like `D=2m42s` in regex "no MAIL in SMTP connection" (gh#fail2ban/fail2ban#1766) * filter.d/sshd.conf - new aggressive rules (gh#fail2ban/fail2ban#864): - Connection reset by peer (multi-line rule during authorization process) - No supported authentication methods available - single line and multi-line expression optimized, added optional prefixes - and suffix (logged from several ssh versions), according + and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206; - fixed expression received disconnect auth fail (optional space after port part, gh#fail2ban/fail2ban#1652) 
@@ -499,7 +552,7 @@ Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at ------------------------------------------------------------------- Sun Mar 5 12:56:10 UTC 2017 - wagner-thomas@gmx.at -- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban +- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban ------------------------------------------------------------------- Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de @@ -582,7 +635,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at - Update to version 0.9.5 New Features - * New Actions: action.d/firewallcmd-rich-rules and + * New Actions: action.d/firewallcmd-rich-rules and action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367) * New filter: slapd - ban hosts, that were failed to connect with invalid credentials: error code 49 (gh#fail2ban/fail2ban#1478) @@ -594,7 +647,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at - (journal_mode = MEMORY) use memory for the transaction logging - (temp_store = MEMORY) temporary tables and indices are kept in memory * journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362) - * Added additional regex filter for dovecot ldap authentication + * Added additional regex filter for dovecot ldap authentication failures (gh#fail2ban/fail2ban#1370) * filter.d/exim*conf - Added additional regexes (gh#fail2ban/fail2ban#1371) @@ -619,7 +672,7 @@ Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at (gh#fail2ban/fail2ban#1405) - All optional spaces normalized in common.conf, test covered now - Generic __prefix_line extended with optional brackets for the date ambit - (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit + (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit * gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, not argument of fail2ban (see gh#fail2ban/fail2ban#1434) 
@@ -654,7 +707,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at New Features: * New interpolation feature for definition config readers - `` (means last known init definition of filters or actions with name `parameter`). - This interpolation makes possible to extend a parameters of stock filter or + This interpolation makes possible to extend a parameters of stock filter or action directly in jail inside jail.local file, without creating a separately filter.d/*.local file. As extension to interpolation `%(known/parameter)s`, that does not works for @@ -695,7 +748,7 @@ Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at * Add *_backend options for services to allow distros to set the default backend per service, set default to systemd for Fedora as appropriate * Performance improvements while monitoring large number of files (gh-1265). - Use associative array (dict) for monitored log files to speed up lookup + Use associative array (dict) for monitored log files to speed up lookup operations. Thanks @kshetragia * Specified that fail2ban is PartOf iptables.service firewalld.service in .service file -- would reload fail2ban if those services are restarted @@ -762,7 +815,7 @@ Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at openSUSE. - fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for - older releases. + older releases. - Update to version 0.9.3 @@ -980,7 +1033,7 @@ Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de user" - filter dovecot - lip= was optional and extended TLS errors can occur. Thanks Noel Butler. -- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed +- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed upstream - split out nagios-plugins-fail2ban package 
@@ -1044,17 +1097,17 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at * Filter improvements: - apache-noscript now includes php cgi scripts - exim-spam filter to match spamassassin log entry for option SAdevnull. - - Added to sshd filter expression for + - Added to sshd filter expression for "Received disconnect from : 3: Auth fail" - Improved ACL-handling for Asterisk - Added improper command pipelining to postfix filter. * General fixes: - - Added lots of jail.conf entries for missing filters that creaped in + - Added lots of jail.conf entries for missing filters that creaped in over the last year. - synchat changed to use push method which verifies whether all data was send. This ensures that all data is sent before closing the connection. - - Fixed python 2.4 compatibility (as sub-second in date patterns weren't + - Fixed python 2.4 compatibility (as sub-second in date patterns weren't 2.4 compatible) - Complain/email actions fixed to only include relevant IPs to reporting @@ -1064,7 +1117,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at - Kernel syslog expression can have leading spaces - allow for ",milliseconds" in the custom date format of proftpd.log - recidive jail to block all protocols - - smtps not a IANA standard so may be missing from /etc/services. Due to + - smtps not a IANA standard so may be missing from /etc/services. Due to (still) common use 465 has been used as the explicit port number - Filter dovecot reordered session and TLS items in regex with wider scope for session characters @@ -1081,7 +1134,7 @@ Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at - Fixed formating of github references in changelog - reformatted spec-file - + ------------------------------------------------------------------- Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at 
@@ -1127,7 +1180,7 @@ Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at * files/suse-initd -- update to the copy from stock SUSE * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, gh#fail2ban/fail2ban#230. - * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes gh#fail2ban/fail2ban#244. ------------------------------------------------------------------ @@ -1173,7 +1226,7 @@ Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at * [945ad3d9] Fix dates on email actions to work in different locals. Closes gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. blotus - * [96eb8986] ' and " should also be escaped in action tags Closes + * [96eb8986] ' and " should also be escaped in action tags Closes gh#fail2ban/fail2ban#109 Christoph Theis, Nick Hilliard, Daniel Black * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD @@ -1265,7 +1318,7 @@ would be at a significant security risk. custom action files) since its value could contain arbitrary symbols. Thanks for discovery go to the NBS System security team - * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. Close gh#fail2ban/fail2ban#83 * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages @@ -1274,7 +1327,7 @@ would be at a significant security risk. - New features: David Engeset * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching - the log file to take 'banip' or 'unbanip' in effect. + the log file to take 'banip' or 'unbanip' in effect. Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 - Enhancements: 
@@ -1384,7 +1437,7 @@ Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at ------------------------------------------------------------------- Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de -- Adding to fail2ban.init remove of pid and sock files on stop +- Adding to fail2ban.init remove of pid and sock files on stop in case not removed before (prevents start fail) ------------------------------------------------------------------- diff --git a/fail2ban.spec b/fail2ban.spec index 6200663..e03e67f 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -22,7 +22,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: fail2ban -Version: 1.0.2 +Version: 1.1.0 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0-or-later @@ -42,8 +42,6 @@ Source200: fail2ban.keyring Patch100: %{name}-opensuse-locations.patch # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file Patch101: %{name}-opensuse-service.patch -# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases -Patch200: %{name}-disable-iptables-w-option.patch # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor Patch201: %{name}-0.10.4-env-script-interpreter.patch # PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions @@ -62,11 +60,9 @@ Requires: cron Requires: ed Requires: iptables Requires: logrotate -Requires: python3 >= 3.2 +Requires: python3 >= 3.5 Requires: whois -%if 0%{?suse_version} != 1110 BuildArch: noarch -%endif %if 0%{?suse_version} >= 1230 # systemd BuildRequires: python3-systemd 
@@ -79,7 +75,7 @@ Requires: systemd > 204 Requires: lsof Requires: syslog %endif -%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +%if 0%{?suse_version} >= 1500 BuildRequires: python3-pyinotify >= 0.8.3 Requires: python3-pyinotify >= 0.8.3 %endif @@ -134,9 +130,6 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf %patch -P 100 -p1 %patch -P 101 -p1 -%if 0%{?suse_version} < 1310 -%patch -P 200 -p1 -%endif %patch -P 201 -p1 %if !0%{?suse_version} > 1500 %patch -P 300 -p1 @@ -160,7 +153,6 @@ sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf %build export CFLAGS="%{optflags}" -./fail2ban-2to3 python3 setup.py build gzip man/*.{1,5} @@ -229,10 +221,8 @@ rm -r %{buildroot}%{_docdir}/%{name} %fdupes -s %{buildroot}%{python3_sitelib} %check -#stat /dev/log -#python -c "import platform; print(platform.system())" # tests require python-pyinotify to be installed, so don't run them on older versions -%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +%if 0%{?suse_version} >= 1500 # Need a UTF-8 locale to work export LANG=en_US.UTF-8 ./fail2ban-testcases-all --no-network || true
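Review bot: The `%if !0%{?suse_version} > 1500` guard left as context at the end of the `%prep` hunk (`@@ -134,9 +130,6 @@`) appears to be always false: in RPM expressions the unary `!` is applied to the number before the comparison, so it reduces to `0 > 1500` (or `1 > 1500` when the macro is unset) and `%patch -P 300 -p1` would never be applied. Since this change already cleans up the neighbouring version conditionals, the guard could be written as `%if 0%{?suse_version} <= 1500`, assuming the intent is the "only for older distributions" wording in the spec's patch comment. The matching `%endif` lies outside the hunk, so confirm the block's extent before changing it.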
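Review bot: The `%check` step (`@@ -229,10 +221,8 @@`) still ends with `./fail2ban-testcases-all --no-network || true`, so a failing test suite cannot fail the build, and this hunk narrows the condition so that line only runs on `suse_version >= 1500`. For an update that changes filter regexes and Python-version handling, regressions would go unnoticed at package build time. Consider dropping the `|| true` so the line reads `./fail2ban-testcases-all --no-network`, or, if specific tests are known to fail in the build environment, add a comment above it such as `# test failures tolerated: <reason>`. The closing `%endif` of this block is outside the hunk.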