From 7ac30d53364f2e706e83f87e34e5b01bc4b5f294b501a5cfe582902cda585623 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Thu, 10 Mar 2016 12:14:45 +0000 Subject: [PATCH] Accepting request 369600 from home:weberho:branches:security - Update to version 0.9.4 - Defined services which per default uses systemd logger - The update to this versions allow to close boo#917818, as the logger-backends for several services are now centrally set in /etc/fail2ban/paths-opensuse.conf OBS-URL: https://build.opensuse.org/request/show/369600 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=69 --- fail2ban-0.9.3.tar.gz | 3 - fail2ban-0.9.4.tar.gz | 3 + fail2ban-exclude-dev-log-tests.patch | 58 --------- fail2ban-opensuse-locations.patch | 29 ++--- fail2ban-opensuse-service.patch | 10 +- ...ExecuteTimeoutWithNastyChildren-test.patch | 120 ------------------ fail2ban.changes | 96 ++++++++++++++ fail2ban.spec | 44 +++++-- paths-opensuse.conf | 12 ++ 9 files changed, 157 insertions(+), 218 deletions(-) delete mode 100644 fail2ban-0.9.3.tar.gz create mode 100644 fail2ban-0.9.4.tar.gz delete mode 100644 fail2ban-exclude-dev-log-tests.patch delete mode 100644 fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch diff --git a/fail2ban-0.9.3.tar.gz b/fail2ban-0.9.3.tar.gz deleted file mode 100644 index 7a67e45..0000000 --- a/fail2ban-0.9.3.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b3a0793d9ed3b4e341e568388c65bb07a904f77ac8044186376cab3e58e5b2c9 -size 321920 diff --git a/fail2ban-0.9.4.tar.gz b/fail2ban-0.9.4.tar.gz new file mode 100644 index 0000000..21e1369 --- /dev/null +++ b/fail2ban-0.9.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:870b99dd0110f10d705d0ca5743d42d358e0b5a0a4de8b69ed1d41b40dd98fa4 +size 335532 diff --git a/fail2ban-exclude-dev-log-tests.patch b/fail2ban-exclude-dev-log-tests.patch deleted file mode 100644 index 0555634..0000000 
--- a/fail2ban-exclude-dev-log-tests.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -diff -ur fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py fail2ban-0.9.2/fail2ban/tests/servertestcase.py ---- fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py 2015-04-29 05:52:48.000000000 +0200 -+++ fail2ban-0.9.2/fail2ban/tests/servertestcase.py 2015-05-08 15:57:57.021437562 +0200 -@@ -778,32 +778,32 @@ - self.setGetTest("logtarget", "STDOUT") - self.setGetTest("logtarget", "STDERR") - -- def testLogTargetSYSLOG(self): -- if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): -- raise unittest.SkipTest("'/dev/log' not present") -- elif not os.path.exists("/dev/log"): -- return -- self.assertTrue(self.server.getSyslogSocket(), "auto") -- self.setGetTest("logtarget", "SYSLOG") -- self.assertTrue(self.server.getSyslogSocket(), "/dev/log") -+# def testLogTargetSYSLOG(self): -+# if not os.path.exists("/dev/log") and sys.version_info >= (2, 7): -+# raise unittest.SkipTest("'/dev/log' not present") -+# elif not os.path.exists("/dev/log"): -+# return -+# self.assertTrue(self.server.getSyslogSocket(), "auto") -+# self.setGetTest("logtarget", "SYSLOG") -+# self.assertTrue(self.server.getSyslogSocket(), "/dev/log") - - def testSyslogSocket(self): - self.setGetTest("syslogsocket", "/dev/log/NEW/PATH") - -- def testSyslogSocketNOK(self): -- self.setGetTest("syslogsocket", "/this/path/should/not/exist") -- self.setGetTestNOK("logtarget", "SYSLOG") -- # set back for other tests -- self.setGetTest("syslogsocket", "/dev/log") -- self.setGetTest("logtarget", "SYSLOG", -- **{True: {}, # should work on Linux -- False: dict( # expect to fail otherwise -- outCode=1, -- outValue=Exception('Failed to change log target'), -- repr_=True # Exceptions are not comparable apparently -- ) -- }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] -- ) -+# def testSyslogSocketNOK(self): -+# self.setGetTest("syslogsocket", "/this/path/should/not/exist") -+# self.setGetTestNOK("logtarget", "SYSLOG") -+# # set back for other tests -+# 
self.setGetTest("syslogsocket", "/dev/log") -+# self.setGetTest("logtarget", "SYSLOG", -+# **{True: {}, # should work on Linux -+# False: dict( # expect to fail otherwise -+# outCode=1, -+# outValue=Exception('Failed to change log target'), -+# repr_=True # Exceptions are not comparable apparently -+# ) -+# }[platform.system() in ('Linux',) and os.path.exists('/dev/log')] -+# ) - - def testLogLevel(self): - self.setGetTest("loglevel", "HEAVYDEBUG") diff --git a/fail2ban-opensuse-locations.patch b/fail2ban-opensuse-locations.patch index 5ff830e..ad6fdae 100644 --- a/fail2ban-opensuse-locations.patch +++ b/fail2ban-opensuse-locations.patch @@ -1,16 +1,7 @@ -diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf ---- fail2ban-0.9.3-orig/config/jail.conf 2015-08-01 03:32:13.000000000 +0200 -+++ fail2ban-0.9.3/config/jail.conf 2015-08-26 14:39:57.561851833 +0200 -@@ -348,7 +348,7 @@ - [roundcube-auth] - - port = http,https --logpath = logpath = %(roundcube_errors_log)s -+logpath = %(roundcube_errors_log)s - - - [openwebmail] -@@ -628,7 +628,7 @@ +diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf +--- fail2ban-0.9.4-orig/config/jail.conf 2016-03-08 03:50:10.000000000 +0100 ++++ fail2ban-0.9.4/config/jail.conf 2016-03-10 09:38:46.382071358 +0100 +@@ -669,7 +669,7 @@ # filter = named-refused # port = domain,953 # protocol = udp @@ -19,7 +10,7 @@ diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. -@@ -636,7 +636,7 @@ +@@ -677,7 +677,7 @@ [named-refused] port = domain,953 
@@ -28,12 +19,12 @@ diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf [nsd] -diff -ur fail2ban-0.9.3-orig/config/paths-common.conf fail2ban-0.9.3/config/paths-common.conf ---- fail2ban-0.9.3-orig/config/paths-common.conf 2015-08-01 03:32:13.000000000 +0200 -+++ fail2ban-0.9.3/config/paths-common.conf 2015-08-26 14:40:58.187091888 +0200 -@@ -62,7 +62,7 @@ - +diff -Nur fail2ban-0.9.4-orig/config/paths-common.conf fail2ban-0.9.4/config/paths-common.conf +--- fail2ban-0.9.4-orig/config/paths-common.conf 2016-03-08 03:50:10.000000000 +0100 ++++ fail2ban-0.9.4/config/paths-common.conf 2016-03-10 09:36:00.690852425 +0100 +@@ -74,7 +74,7 @@ mysql_log = %(syslog_daemon)s + mysql_backend = %(default_backend)s -roundcube_errors_log = /var/log/roundcube/errors +roundcube_errors_log = /srv/www/roundcubemail/logs/errors diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch index d9276aa..ea5fd9d 100644 --- a/fail2ban-opensuse-service.patch +++ b/fail2ban-opensuse-service.patch @@ -1,12 +1,14 @@ -diff -ur fail2ban-0.9.2-orig/files/fail2ban.service fail2ban-0.9.2/files/fail2ban.service ---- fail2ban-0.9.2-orig/files/fail2ban.service 2015-04-29 05:52:48.000000000 +0200 -+++ fail2ban-0.9.2/files/fail2ban.service 2015-05-07 10:52:04.187045581 +0200 -@@ -1,11 +1,12 @@ +diff -Nur fail2ban-0.9.4-orig/files/fail2ban.service fail2ban-0.9.4/files/fail2ban.service +--- fail2ban-0.9.4-orig/files/fail2ban.service 2016-03-08 03:50:10.000000000 +0100 ++++ fail2ban-0.9.4/files/fail2ban.service 2016-03-10 10:33:48.834063007 +0100 +@@ -1,12 +1,13 @@ [Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) -After=network.target iptables.service firewalld.service +-PartOf=iptables.service firewalld.service +After=network.target SuSEfirewall2.service ++PartOf=SuSEfirewall2.service [Service] Type=forking 
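Review bot: A host that runs firewalld or a plain iptables service instead of SuSEfirewall2 loses the restart coupling between fail2ban and its firewall, because the `After=` and `PartOf=` lines in the patched unit (the fail2ban-opensuse-service.patch hunk) now name only `SuSEfirewall2.service`. If such a firewall reloads its rule set, the chains fail2ban inserted may be gone while fail2ban still lists the addresses as banned; whether that happens depends on the firewall in use and is not visible here. Keeping the upstream units next to the openSUSE one covers both cases: `After=network.target SuSEfirewall2.service iptables.service firewalld.service` and `PartOf=SuSEfirewall2.service iptables.service firewalld.service`. The `[Service]` section continues outside the hunk.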
diff --git a/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch b/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch deleted file mode 100644 index 83a46fa..0000000 --- a/fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -Only in fail2ban-0.9.3/: ChangeLog.orig -diff -ur fail2ban-0.9.3.orig/fail2ban/server/action.py fail2ban-0.9.3/fail2ban/server/action.py ---- fail2ban-0.9.3.orig/fail2ban/server/action.py 2015-08-01 03:32:13.000000000 +0200 -+++ fail2ban-0.9.3/fail2ban/server/action.py 2015-09-23 11:54:38.066927465 +0200 -@@ -560,32 +560,33 @@ - return True - - _cmd_lock.acquire() -- try: # Try wrapped within another try needed for python version < 2.5 -+ try: -+ retcode = None # to guarantee being defined upon early except - stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_") - stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_") -- try: -- popen = subprocess.Popen( -- realCmd, stdout=stdout, stderr=stderr, shell=True, -- preexec_fn=os.setsid # so that killpg does not kill our process -- ) -- stime = time.time() -+ -+ popen = subprocess.Popen( -+ realCmd, stdout=stdout, stderr=stderr, shell=True, -+ preexec_fn=os.setsid # so that killpg does not kill our process -+ ) -+ stime = time.time() -+ retcode = popen.poll() -+ while time.time() - stime <= timeout and retcode is None: -+ time.sleep(0.1) - retcode = popen.poll() -- while time.time() - stime <= timeout and retcode is None: -- time.sleep(0.1) -- retcode = popen.poll() -- if retcode is None: -- logSys.error("%s -- timed out after %i seconds." % -- (realCmd, timeout)) -- pgid = os.getpgid(popen.pid) -- os.killpg(pgid, signal.SIGTERM) # Terminate the process -+ if retcode is None: -+ logSys.error("%s -- timed out after %i seconds." % -+ (realCmd, timeout)) -+ pgid = os.getpgid(popen.pid) -+ os.killpg(pgid, signal.SIGTERM) # Terminate the process -+ time.sleep(0.1) -+ retcode = popen.poll() -+ if retcode is None: # Still going... -+ os.killpg(pgid, signal.SIGKILL) # Kill the process - time.sleep(0.1) - retcode = popen.poll() -- if retcode is None: # Still going... 
-- os.killpg(pgid, signal.SIGKILL) # Kill the process -- time.sleep(0.1) -- retcode = popen.poll() -- except OSError, e: -- logSys.error("%s -- failed with %s" % (realCmd, e)) -+ except OSError as e: -+ logSys.error("%s -- failed with %s" % (realCmd, e)) - finally: - _cmd_lock.release() - -@@ -603,15 +604,16 @@ - return True - elif retcode is None: - logSys.error("%s -- unable to kill PID %i" % (realCmd, popen.pid)) -- elif retcode < 0: -- logSys.error("%s -- killed with %s" % -- (realCmd, signame.get(-retcode, "signal %i" % -retcode))) -+ elif retcode < 0 or retcode > 128: -+ # dash would return negative while bash 128 + n -+ sigcode = -retcode if retcode < 0 else retcode - 128 -+ logSys.error("%s -- killed with %s (return code: %s)" % -+ (realCmd, signame.get(sigcode, "signal %i" % sigcode), retcode)) - else: - msg = _RETCODE_HINTS.get(retcode, None) - logSys.error("%s -- returned %i" % (realCmd, retcode)) - if msg: - logSys.info("HINT on %i: %s" - % (retcode, msg % locals())) -- return False -- raise RuntimeError("Command execution failed: %s" % realCmd) -+ return False - -diff -ur fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py ---- fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py 2015-08-01 03:32:13.000000000 +0200 -+++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py 2015-09-23 11:54:38.074927626 +0200 -@@ -196,11 +196,10 @@ - def testExecuteTimeout(self): - stime = time.time() - # Should take a minute -- self.assertRaises( -- RuntimeError, CommandAction.executeCmd, 'sleep 60', timeout=2) -+ self.assertFalse(CommandAction.executeCmd('sleep 60', timeout=2)) - # give a test still 1 second, because system could be too busy - self.assertTrue(time.time() >= stime + 2 and time.time() <= stime + 3) -- self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') -+ self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') - or self._is_logged('sleep 60 -- timed out after 3 seconds')) - 
self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM')) - -@@ -222,17 +221,16 @@ - return int(f.read()) - - # First test if can kill the bastard -- self.assertRaises( -- RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1) -+ self.assertFalse(CommandAction.executeCmd( -+ 'bash %s' % tmpFilename, timeout=.1)) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) # process should have been killed - self.assertTrue(self._is_logged('timed out')) - self.assertTrue(self._is_logged('killed with SIGTERM')) - - # A bit evolved case even though, previous test already tests killing children processes -- self.assertRaises( -- RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename, -- timeout=.2) -+ self.assertFalse(CommandAction.executeCmd( -+ 'out=`bash %s`; echo ALRIGHT' % tmpFilename, timeout=.2)) - # Verify that the proccess itself got killed - self.assertFalse(pid_exists(getnastypid())) - self.assertTrue(self._is_logged('timed out')) diff --git a/fail2ban.changes b/fail2ban.changes index 0b7e665..62829ba 100644 --- a/fail2ban.changes +++ b/fail2ban.changes 
@@ -1,3 +1,99 @@ +------------------------------------------------------------------- +Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at + +- Removed patch: fail2ban-exclude-dev-log-tests.patch +- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch +- rebased other patches +- Defined services which per default uses systemd logger +- Provide /usr/sbin/rcfail2ban also on systemd based distros + +- All files in /etc/fail2ban/ except jail.local are now automatically replaced + upon installation of fail2ban + +- The update to this versions allow to close boo#917818, as the logger-backends for + several services are now centrally set in /etc/fail2ban/paths-opensuse.conf + +- Update to version 0.9.4 + New Features: + * New interpolation feature for definition config readers - `` + (means last known init definition of filters or actions with name `parameter`). + This interpolation makes possible to extend a parameters of stock filter or + action directly in jail inside jail.local file, without creating a separately + filter.d/*.local file. + As extension to interpolation `%(known/parameter)s`, that does not works for + filter and action init parameters + * New actions: + - nftables-multiport and nftables-allports - filtering using nftables + framework. Note: it requires a pre-existing chain for the filtering rule. + * New filters: + - openhab - domotic software authentication failure with the + rest api and web interface (gh-1223) + - nginx-limit-req - ban hosts, that were failed through nginx by limit + request processing rate (ngx_http_limit_req_module) + - murmur - ban hosts that repeatedly attempt to connect to + murmur/mumble-server with an invalid server password or certificate. + - haproxy-http-auth - filter to match failed HTTP Authentications against a + HAProxy server + * New jails: + - murmur - bans TCP and UDP from the bad host on the default murmur port. 
+ * sshd filter got new failregex to match "maximum authentication + attempts exceeded" (introduced in openssh 6.8) + * Added filter for Mac OS screen sharing (VNC) daemon + + Enhancements: + * Do not rotate empty log files + * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) + http://bugs.debian.org/798923 + * Added openSUSE path configuration (Thanks Johannes Weberhofer) + * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197) + * Added a timeout (3 sec) to urlopen within badips.py action + (Thanks M. Maraun) + * Added check against atacker's Googlebot PTR fake records + (Thanks Pablo Rodriguez Fernandez) + * Enhance filter against atacker's Googlebot PTR fake records + (gh-1226) + * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237) + * Added filter for openhab domotic software authentication failure with the + rest api and web interface (gh-1223) + * Add *_backend options for services to allow distros to set the default + backend per service, set default to systemd for Fedora as appropriate + * Performance improvements while monitoring large number of files (gh-1265). + Use associative array (dict) for monitored log files to speed up lookup + operations. 
Thanks @kshetragia + * Specified that fail2ban is PartOf iptables.service firewalld.service in + .service file -- would reload fail2ban if those services are restarted + * Provides new default `fail2ban_version` and interpolation variable + `fail2ban_agent` in jail.conf + * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, + and to support multiple instances of postfix having varying suffix (gh-1331) + (Thanks Tom Hendrikx) + * files/gentoo-initd to use start-stop-daemon to robustify restarting the service + + Fixes: + * roundcube-auth jail typo for logpath + * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164) + * filter.d/apache-badbots.conf + - Updated useragent string regex adding escape for `+` + * filter.d/mysqld-auth.conf + gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332) + * filter.d/sshd.conf + - Updated "Auth fail" regex for OpenSSH 5.9 and later + * Treat failed and killed execution of commands identically (only + different log messages), which addresses different behavior on different + exit codes of dash and bash (gh-1155) + * Fix jail.conf.5 man's section (gh-1226) + * Fixed default banaction for allports jails like pam-generic, recidive, etc + with new default variable `banaction_allports` (gh-1216) + * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character + for python version < 3.x (gh-1248) + * Use postfix_log logpath for postfix-rbl jail + * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex + * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) + * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl + * Changed filter.d/asterisk regex for "Call from ..." 
(few vulnerable now) + * Removed compression and rotation count from logrotate (inherit them from + the global logrotate config) + ------------------------------------------------------------------- Thu Feb 4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at diff --git a/fail2ban.spec b/fail2ban.spec index 96fe6ca..5b1fa91 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -17,7 +17,7 @@ Name: fail2ban -Version: 0.9.3 +Version: 0.9.4 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ @@ -37,12 +37,8 @@ Source200: %{name}-rpmlintrc Patch100: fail2ban-opensuse-locations.patch # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file Patch101: fail2ban-opensuse-service.patch -# PATCH-FIX-UPSTREAM fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- fix failing test -Patch102: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases Patch200: fail2ban-disable-iptables-w-option.patch -# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3 -Patch201: fail2ban-exclude-dev-log-tests.patch BuildRequires: fdupes BuildRequires: logrotate BuildRequires: python-devel @@ -121,13 +117,9 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf %patch100 -p1 %patch101 -p1 -%patch102 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif -%if 0%{?suse_version} < 1321 -%patch201 -p1 -%endif rm config/paths-debian.conf \ config/paths-fedora.conf \ 
@@ -137,6 +129,11 @@ rm config/paths-debian.conf \ # correct doc-path sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py +# remove syslogd-logger settings for older distributions +%if 0%{?suse_version} < 1230 +sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf +%endif + %build export CFLAGS="%{optflags}" python setup.py build @@ -171,7 +168,7 @@ install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/ install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf -sed -i -e 's/^backend = auto/backend = systemd/' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf +ln -sf service %{buildroot}%{_sbindir}/rc%{name} %else # without systemd @@ -180,6 +177,8 @@ install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name} ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} %endif +echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local + install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates @@ -220,7 +219,9 @@ export LANG=en_US.UTF-8 %post %fillup_only %if 0%{?suse_version} >= 1230 -systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf +systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf +# The next line is not workin in Leap 42.1, so keep the old way +#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf %service_add_post %{name}.service %endif 
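Review bot: The comment `# remove syslogd-logger settings for older distributions` in the first hunk on this line describes the opposite of what the `sed` under it does, which is to comment out the `*_backend = systemd` entries so that releases with `suse_version < 1230` fall back to reading log files. Since this boundary decides which log source every affected jail watches, the comment should say so, for example `# no systemd journal here (suse_version < 1230): disable the *_backend = systemd defaults`. The step that puts the packaged `paths-opensuse.conf` into `config/` is outside this hunk; if it runs after this `sed`, the edit is lost, which is worth confirming.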
@@ -249,7 +250,22 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf %files %defattr(-, root, root) -%config(noreplace) %{_sysconfdir}/%{name} +%dir %{_sysconfdir}/%{name} +%dir %{_sysconfdir}/%{name}/action.d +%dir %{_sysconfdir}/%{name}/fail2ban.d +%dir %{_sysconfdir}/%{name}/filter.d +%dir %{_sysconfdir}/%{name}/jail.d +# +%config %{_sysconfdir}/%{name}/action.d/* +%config %{_sysconfdir}/%{name}/filter.d/* +# +%config %{_sysconfdir}/%{name}/fail2ban.conf +%config %{_sysconfdir}/%{name}/jail.conf +%config %{_sysconfdir}/%{name}/paths-common.conf +%config %{_sysconfdir}/%{name}/paths-opensuse.conf +# +%config(noreplace) %{_sysconfdir}/%{name}/jail.local +# %config %{_sysconfdir}/logrotate.d/fail2ban %dir %{_localstatedir}/lib/fail2ban/ %if 0%{?suse_version} > 1310 @@ -262,12 +278,12 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf %if 0%{?suse_version} >= 1230 # systemd %{_unitdir}/%{name}.service -%{_libexecdir}/tmpfiles.d/%{name}.conf +%{_tmpfilesdir}/%{name}.conf %else # without-systemd %{_initddir}/%{name} -%{_sbindir}/rc%{name} %endif +%{_sbindir}/rc%{name} %{_bindir}/fail2ban-server %{_bindir}/fail2ban-client %{_bindir}/fail2ban-regex diff --git a/paths-opensuse.conf b/paths-opensuse.conf index d5ab854..0c029da 100644 --- a/paths-opensuse.conf +++ b/paths-opensuse.conf @@ -36,3 +36,15 @@ mysql_log = /var/log/mysql/mysqld.log roundcube_errors_log = /srv/www/roundcubemail/logs/errors solidpop3d_log = %(syslog_mail)s + +# These services will log to the journal via syslog, so use the journal by +# default. +syslog_backend = systemd +sshd_backend = systemd +dropbear_backend = systemd +proftpd_backend = systemd +pureftpd_backend = systemd +wuftpd_backend = systemd +postfix_backend = systemd +dovecot_backend = systemd +mysql_backend = systemd
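Review bot: Jails that an administrator enabled by editing `jail.conf` directly can silently stop being active after an update, because the %files hunk at the start of this line turns `jail.conf`, `fail2ban.conf`, `action.d/*` and `filter.d/*` into plain `%config` entries; when the packaged file changes, RPM moves the edited copy aside and installs the new one. The changelog entry states the policy, but the spec does not. A comment above the entries would record it where the next packager looks, for example `# plain config (not noreplace) on purpose: local edits are moved aside on update, site settings belong in jail.local`. Drop-in files under `jail.d` and `fail2ban.d` are covered only by the `%dir` entries and so stay untouched, which the comment could mention as the other supported place for local settings.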
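Review bot: `mysql_backend = systemd` in the paths-opensuse.conf hunk conflicts with `mysql_log = /var/log/mysql/mysqld.log`, which the hunk header shows is set in the same file: with the systemd backend a jail reads the journal and does not follow `logpath`, so a MySQL jail would never see failed logins written to that file. The added comment says these services log to the journal via syslog, which does not hold for a service that writes its own log file. Unless mysqld is known to log to the journal on the targeted releases, the entry should be dropped or left at the common default, `mysql_backend = %(default_backend)s`. The other `*_backend` entries deserve the same check against where each service actually logs, since a mismatch leaves the jail enabled but blind.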