pool/fail2ban
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 722640 from home:weberho:branches:security

Browse Source 
- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpreter
- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
  will be removed from Factory (see sr#713247):
  * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
  * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
    older distributions
  * Removed installation recommendation of the SuSEfirewall2-fail2ban
    package for all distributions as it is deprecated.
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file
  location (boo#1145181, gh#fail2ban/fail2ban#2474)

OBS-URL: https://build.opensuse.org/request/show/722640
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=96
This commit is contained in:
Johannes Weberhofer 2019-08-12 10:37:17 +00:00 committed by Git OBS Bridge
parent 1080a2c48e
commit 2ecebbda26
6 changed files with 87 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
fail2ban-0.10.4-env-script-interpreter.patch Normal file
View File

@ -0,0 +1,9 @@
diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot 2018-10-04 11:26:22.000000000 +0200
+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot 2019-08-12 10:46:05.067842214 +0200
@@ -1,4 +1,4 @@
-#!/usr/bin/env fail2ban-python
+#!/usr/bin/python
# Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
#
# Written in Python to reuse built-in Python batteries and not depend on

19
fail2ban-0.10.4-upstream-pid-file-location.patch Normal file
View File

@ -0,0 +1,19 @@
diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:18:27.754395688 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:18:49.150908423 +0200
@@ -7,13 +7,13 @@
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/fail2ban
-ExecStartPre=/bin/mkdir -p /var/run/fail2ban
+ExecStartPre=/bin/mkdir -p /run/fail2ban
ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
-PIDFile=/var/run/fail2ban/fail2ban.pid
+PIDFile=/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

14
fail2ban-opensuse-service-sfw.patch Normal file
View File

@ -0,0 +1,14 @@
diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:27:18.175106400 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:28:42.045116215 +0200
@@ -1,8 +1,8 @@
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
[Service]
Type=simple

16
fail2ban-opensuse-service.patch
View File

@ -1,15 +1,7 @@
Index: files/fail2ban.service.in diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
=================================================================== --- fail2ban-0.10.4-orig/files/fail2ban.service.in 2018-10-04 11:26:22.000000000 +0200
--- files/fail2ban.service.in.orig +++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:17:34.929129813 +0200
+++ files/fail2ban.service.in @@ -6,12 +6,13 @@
@@ -1,17 +1,18 @@
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
[Service] [Service]
Type=simple Type=simple

14
fail2ban.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer <jweberhofer@weberhofer.at>
- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor
- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2
will be removed from Factory (see sr#713247):
* fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service
* fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for
older distributions
* Removed installation recommendation of the fail2ban-SuSEfirewall2
package for all distributions as it is deprecated.
- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file
location (boo#1145181, gh#fail2ban/fail2ban#2474)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org> Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>

36
fail2ban.spec
View File

@ -16,19 +16,18 @@
# #
%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
#Compat macro for new _fillupdir macro introduced in Nov 2017 #Compat macro for new _fillupdir macro introduced in Nov 2017
%if ! %{defined _fillupdir} %if ! %{defined _fillupdir}
%define _fillupdir /var/adm/fillup-templates %define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif %endif
%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
Name: fail2ban Name: fail2ban
Version: 0.10.4 Version: 0.10.4
Release: 0 Release: 0
Summary: Bans IP addresses that make too many authentication failures Summary: Bans IP addresses that make too many authentication failures
License: GPL-2.0-or-later License: GPL-2.0-or-later
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://www.fail2ban.org/ URL: http://www.fail2ban.org/
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz
Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
Source2: %{name}.sysconfig Source2: %{name}.sysconfig
@ -46,6 +45,12 @@ Patch100: %{name}-opensuse-locations.patch
Patch101: %{name}-opensuse-service.patch Patch101: %{name}-opensuse-service.patch
# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
Patch200: %{name}-disable-iptables-w-option.patch Patch200: %{name}-disable-iptables-w-option.patch
# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
Patch201: %{name}-0.10.4-env-script-interpreter.patch
# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberhofer@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474)
Patch202: %{name}-0.10.4-upstream-pid-file-location.patch
# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
Patch300: fail2ban-opensuse-service-sfw.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: logrotate BuildRequires: logrotate
BuildRequires: python-devel BuildRequires: python-devel
@ -57,7 +62,6 @@ Requires: iptables
Requires: logrotate Requires: logrotate
Requires: python >= 2.6 Requires: python >= 2.6
Requires: whois Requires: whois
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} != 1110 %if 0%{?suse_version} != 1110
BuildArch: noarch BuildArch: noarch
%endif %endif
@ -88,17 +92,18 @@ reject the IP address, can send e-mails, or set host.deny entries. These rules
can be defined by the user. Fail2Ban can read multiple log files such as sshd can be defined by the user. Fail2Ban can read multiple log files such as sshd
or Apache web server ones. or Apache web server ones.
%if !0%{?suse_version} > 1500
%package -n SuSEfirewall2-%{name} %package -n SuSEfirewall2-%{name}
Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Requires: SuSEfirewall2 Requires: SuSEfirewall2
Requires: fail2ban Requires: fail2ban
Recommends: packageand(SuSEfirewall2:fail2ban)
%description -n SuSEfirewall2-%{name} %description -n SuSEfirewall2-%{name}
This package ships systemd files which will cause fail2ban to be ordered in This package ships systemd files which will cause fail2ban to be ordered in
relation to SuSEfirewall2 such that the two can be run concurrently within relation to SuSEfirewall2 such that the two can be run concurrently within
reason, i.e. SFW will always run first because it does a table flush. reason, i.e. SFW will always run first because it does a table flush.
%endif
%package -n monitoring-plugins-%{name} %package -n monitoring-plugins-%{name}
%define nagios_plugindir %{_libexecdir}/nagios/plugins %define nagios_plugindir %{_libexecdir}/nagios/plugins
@ -128,10 +133,15 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py
%patch100 %patch100
%patch101 %patch101 -p1
%if 0%{?suse_version} < 1310 %if 0%{?suse_version} < 1310
%patch200 -p1 %patch200 -p1
%endif %endif
%patch201 -p1
%patch202 -p1
%if !0%{?suse_version} > 1500
%patch300 -p1
%endif
rm config/paths-arch.conf \ rm config/paths-arch.conf \
config/paths-debian.conf \ config/paths-debian.conf \
@ -200,12 +210,14 @@ install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
%if !0%{?suse_version} > 1500
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \ install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf" "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \ install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf" "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
%endif %endif
%endif
install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name} install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
# install docs using the macro # install docs using the macro
@ -253,6 +265,7 @@ export LANG=en_US.UTF-8
%insserv_cleanup %insserv_cleanup
%endif %endif
%if !0%{?suse_version} > 1500
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
%post -n SuSEfirewall2-%{name} %post -n SuSEfirewall2-%{name}
%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
@ -260,6 +273,7 @@ export LANG=en_US.UTF-8
%postun -n SuSEfirewall2-%{name} %postun -n SuSEfirewall2-%{name}
%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
%endif %endif
%endif
%files %files
%defattr(-, root, root) %defattr(-, root, root)
@ -307,22 +321,26 @@ export LANG=en_US.UTF-8
%{_fillupdir}/sysconfig.%{name} %{_fillupdir}/sysconfig.%{name}
%{_mandir}/man1/* %{_mandir}/man1/*
%{_mandir}/man5/* %{_mandir}/man5/*
%doc README.md TODO ChangeLog COPYING doc/*.txt %license COPYING
%doc README.md TODO ChangeLog doc/*.txt
# do not include tests as they are executed during the build process # do not include tests as they are executed during the build process
%exclude %{_bindir}/%{name}-testcases %exclude %{_bindir}/%{name}-testcases
%exclude %{python_sitelib}/%{name}/tests %exclude %{python_sitelib}/%{name}/tests
%if !0%{?suse_version} > 1500
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
%files -n SuSEfirewall2-%{name} %files -n SuSEfirewall2-%{name}
%defattr(-,root,root) %defattr(-,root,root)
%{_unitdir}/SuSEfirewall2.service.d %{_unitdir}/SuSEfirewall2.service.d
%{_unitdir}/%{name}.service.d %{_unitdir}/%{name}.service.d
%endif %endif
%endif
%files -n monitoring-plugins-%{name} %files -n monitoring-plugins-%{name}
%defattr(-,root,root) %defattr(-,root,root)
%doc files/nagios/README COPYING %license COPYING
%doc files/nagios/README
%dir %{_libexecdir}/nagios %dir %{_libexecdir}/nagios
%dir %{nagios_plugindir} %dir %{nagios_plugindir}
%{nagios_plugindir}/check_%{name} %{nagios_plugindir}/check_%{name}