From 2ecebbda26499effdba58652955295817c9cca32d4f69d64fde78f0c83aaebcf Mon Sep 17 00:00:00 2001
From: Johannes Weberhofer
Date: Mon, 12 Aug 2019 10:37:17 +0000
Subject: [PATCH] Accepting request 722640 from home:weberho:branches:security
- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpreter
- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2 will be removed from Factory (see sr#713247):
* fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
* fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for older distributions
* Removed installation recommendation of the SuSEfirewall2-fail2ban package for all distributions as it is deprecated.
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file location (boo#1145181, gh#fail2ban/fail2ban#2474)
OBS-URL: https://build.opensuse.org/request/show/722640
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=96
---
 fail2ban-0.10.4-env-script-interpreter.patch | 9 +++++
 ...an-0.10.4-upstream-pid-file-location.patch | 19 ++++++++++
 fail2ban-opensuse-service-sfw.patch | 14 ++++++++
 fail2ban-opensuse-service.patch | 16 +++------
 fail2ban.changes | 14 ++++++++
 fail2ban.spec | 36 ++++++++++++++-----
 6 files changed, 87 insertions(+), 21 deletions(-)
 create mode 100644 fail2ban-0.10.4-env-script-interpreter.patch
 create mode 100644 fail2ban-0.10.4-upstream-pid-file-location.patch
 create mode 100644 fail2ban-opensuse-service-sfw.patch
diff --git a/fail2ban-0.10.4-env-script-interpreter.patch b/fail2ban-0.10.4-env-script-interpreter.patch
new file mode 100644
index 0000000..f186716
--- /dev/null
+++ b/fail2ban-0.10.4-env-script-interpreter.patch
@@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot 2018-10-04 11:26:22.000000000 +0200
++++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot 2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
++#!/usr/bin/python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on
diff --git a/fail2ban-0.10.4-upstream-pid-file-location.patch b/fail2ban-0.10.4-upstream-pid-file-location.patch
new file mode 100644
index 0000000..4791b66
--- /dev/null
+++ b/fail2ban-0.10.4-upstream-pid-file-location.patch
@@ -0,0 +1,19 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:18:27.754395688 +0200
++++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:18:49.150908423 +0200
+@@ -7,13 +7,13 @@
+ [Service]
+ Type=simple
+ EnvironmentFile=-/etc/sysconfig/fail2ban
+-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
++ExecStartPre=/bin/mkdir -p /run/fail2ban
+ ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+ # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+ ExecStop=/usr/bin/fail2ban-client stop
+ ExecReload=/usr/bin/fail2ban-client reload
+-PIDFile=/var/run/fail2ban/fail2ban.pid
++PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255
+ 
diff --git a/fail2ban-opensuse-service-sfw.patch b/fail2ban-opensuse-service-sfw.patch
new file mode 100644
index 0000000..ac90524
--- /dev/null
+++ b/fail2ban-opensuse-service-sfw.patch
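Review bot: The new shebang `#!/usr/bin/python` in the embedded apache-fakegooglebot hunk hard-codes an unversioned interpreter path, which is not guaranteed to be the Python that fail2ban itself is installed for. Dropping the `env` lookup is reasonable for a script the daemon runs as an ignorecommand, but upstream's `fail2ban-python` name exists so the script runs under the same interpreter as the server. I would set the path from the build instead of a static patch, e.g. `sed -i -e '1s|^#!.*|#!%{__python}|' config/filter.d/ignorecommands/apache-fakegooglebot` in %prep. If `/usr/bin/python` is missing or is a different major version on a target release, the command presumably fails and the filter no longer excludes genuine Googlebot addresses, so this deserves a check on each build target.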
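Review bot: `ExecStartPre=/bin/mkdir -p /run/fail2ban` leaves the owner and mode of the runtime directory to the service's umask, and this directory holds the PID file and, with fail2ban's default settings, the control socket. Since the line is being changed anyway, I would let systemd create it with `RuntimeDirectory=fail2ban` and `RuntimeDirectoryMode=0755`, which keeps today's effective mode but makes it explicit, on releases whose systemd supports these options. The `pidfile` and `socket` paths in the packaged fail2ban configuration should point at /run as well; that file is not part of this hunk, so I cannot confirm it from here.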
@@ -0,0 +1,14 @@ +diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in +--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:27:18.175106400 +0200 ++++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:28:42.045116215 +0200 +@@ -1,8 +1,8 @@ + [Unit] + Description=Fail2Ban Service + Documentation=man:fail2ban(1) +-After=network.target iptables.service firewalld.service ip6tables.service ipset.service +-PartOf=iptables.service firewalld.service ip6tables.service ipset.service ++After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service ++PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service + + [Service] + Type=simple diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch index b3f68a1..e99bf14 100644 --- a/fail2ban-opensuse-service.patch +++ b/fail2ban-opensuse-service.patch @@ -1,15 +1,7 @@ -Index: files/fail2ban.service.in -=================================================================== ---- files/fail2ban.service.in.orig -+++ files/fail2ban.service.in -@@ -1,17 +1,18 @@ - [Unit] - Description=Fail2Ban Service - Documentation=man:fail2ban(1) --After=network.target iptables.service firewalld.service ip6tables.service ipset.service --PartOf=iptables.service firewalld.service ip6tables.service ipset.service -+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service -+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service +diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in +--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2018-10-04 11:26:22.000000000 +0200 ++++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:17:34.929129813 +0200 +@@ -6,12 +6,13 @@ [Service] Type=simple 
diff --git a/fail2ban.changes b/fail2ban.changes index 4274770..83dd4e0 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer + +- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor +- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2 + will be removed from Factory (see sr#713247): + * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service + * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for + older distributions + * Removed installation recommendation of the fail2ban-SuSEfirewall2 + package for all distributions as it is deprecated. +- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file + location (boo#1145181, gh#fail2ban/fail2ban#2474) + ------------------------------------------------------------------- Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger diff --git a/fail2ban.spec b/fail2ban.spec index bcfdf77..2f052ac 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -16,19 +16,18 @@ # +%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} - %define _fillupdir /var/adm/fillup-templates + %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif - -%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} Name: fail2ban Version: 0.10.4 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0-or-later Group: Productivity/Networking/Security -Url: http://www.fail2ban.org/ +URL: http://www.fail2ban.org/ Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc Source2: %{name}.sysconfig 
@@ -46,6 +45,12 @@ Patch100: %{name}-opensuse-locations.patch Patch101: %{name}-opensuse-service.patch # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases Patch200: %{name}-disable-iptables-w-option.patch +# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor +Patch201: %{name}-0.10.4-env-script-interpreter.patch +# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberhofer@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474) +Patch202: %{name}-0.10.4-upstream-pid-file-location.patch +# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions +Patch300: fail2ban-opensuse-service-sfw.patch BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python-devel @@ -57,7 +62,6 @@ Requires: iptables Requires: logrotate Requires: python >= 2.6 Requires: whois -BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} != 1110 BuildArch: noarch %endif 
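Review bot: The tag on the Patch202 comment reads `PATH-FIX-UPSTREAM`, while the other patch comments in this block use the `PATCH-FIX-…` form, so any tooling keyed on the tag would likely miss this entry. I would write `# PATCH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 …`. Two smaller consistency points in the same hunk: `interpretor` in the Patch201 comment should be `interpreter`, and Patch300 spells out `fail2ban-opensuse-service-sfw.patch` where the neighbouring entries use `%{name}-`.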
@@ -88,17 +92,18 @@ reject the IP address, can send e-mails, or set host.deny entries. These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones. +%if !0%{?suse_version} > 1500 %package -n SuSEfirewall2-%{name} Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd Group: Productivity/Networking/Security Requires: SuSEfirewall2 Requires: fail2ban -Recommends: packageand(SuSEfirewall2:fail2ban) %description -n SuSEfirewall2-%{name} This package ships systemd files which will cause fail2ban to be ordered in relation to SuSEfirewall2 such that the two can be run concurrently within reason, i.e. SFW will always run first because it does a table flush. +%endif %package -n monitoring-plugins-%{name} %define nagios_plugindir %{_libexecdir}/nagios/plugins @@ -128,10 +133,15 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py %patch100 -%patch101 +%patch101 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif +%patch201 -p1 +%patch202 -p1 +%if !0%{?suse_version} > 1500 +%patch300 -p1 +%endif rm config/paths-arch.conf \ config/paths-debian.conf \ @@ -200,12 +210,14 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name} install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +%if !0%{?suse_version} > 1500 %if 0%{?_unitdir:1} install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \ "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf" install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \ "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf" %endif +%endif install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name} # install docs using the macro 
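Review bot: The guard `%if !0%{?suse_version} > 1500` added around the SuSEfirewall2 subpackage looks as if it can never be true: as far as I know, unary `!` binds tighter than `>` in RPM expressions, so it evaluates as `(!0NNNN) > 1500`, that is `0 > 1500` or `1 > 1500`. If so, the subpackage, `%patch300`, the drop-in installs, the scriptlets and the `%files` section are skipped on every distribution, including the older ones the changelog says should keep them. On those releases fail2ban would no longer be ordered after, or restarted with, SuSEfirewall2, whose table flush (mentioned in the %description) could remove the ban rules while fail2ban keeps running. I would write `%if 0%{?suse_version} <= 1500` here and at the same guard in the `@@ -128,10`, `@@ -200,12`, `@@ -253,6`, `@@ -260,6` and `@@ -307,22` hunks.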
@@ -253,6 +265,7 @@ export LANG=en_US.UTF-8 %insserv_cleanup %endif +%if !0%{?suse_version} > 1500 %if 0%{?_unitdir:1} %post -n SuSEfirewall2-%{name} %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : @@ -260,6 +273,7 @@ export LANG=en_US.UTF-8 %postun -n SuSEfirewall2-%{name} %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %endif +%endif %files %defattr(-, root, root) @@ -307,22 +321,26 @@ export LANG=en_US.UTF-8 %{_fillupdir}/sysconfig.%{name} %{_mandir}/man1/* %{_mandir}/man5/* -%doc README.md TODO ChangeLog COPYING doc/*.txt +%license COPYING +%doc README.md TODO ChangeLog doc/*.txt # do not include tests as they are executed during the build process %exclude %{_bindir}/%{name}-testcases %exclude %{python_sitelib}/%{name}/tests +%if !0%{?suse_version} > 1500 %if 0%{?_unitdir:1} %files -n SuSEfirewall2-%{name} %defattr(-,root,root) %{_unitdir}/SuSEfirewall2.service.d %{_unitdir}/%{name}.service.d %endif +%endif %files -n monitoring-plugins-%{name} %defattr(-,root,root) -%doc files/nagios/README COPYING +%license COPYING +%doc files/nagios/README %dir %{_libexecdir}/nagios %dir %{nagios_plugindir} %{nagios_plugindir}/check_%{name}