pool/fail2ban
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 578362 from security

Browse Source 
- Updated to version 0.10.2. Changelog:
  https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
  * Filter (or `failregex`) internal capture-groups:
    - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
      rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
      (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
      Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
      testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
      fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
    - New internal groups (currently reserved for internal usage):
      `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
      mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
  * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
    user configurations resp. `datepattern`.
  * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
    IPv6-capable now.
- Incompatibility:
  * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
    anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
    just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. 
- Fixes
  * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid 
    write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
  * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
  * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely 
    (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
  * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
    in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
  * `action.d/pf.conf`: 
    - fixed syntax error in achnor definition (documentation, see gh-1919);
    - enclose ports in braces for multiport jails (see gh-1925);
  * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
  * `filter.d/sshd.conf`:
    - extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
      forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", 
      see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
    - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
  * datedetector: extended default date-patterns (allows extra space between the date and time stamps);
    introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
    - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
      (corresponds %H, but allows space if not zero-padded).
    - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
      (corresponds %I, but allows space if not zero-padded).
  * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
  * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
     nginx-location with map-file);
  - Enhancements
    * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
    * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
    * Introduced new parameters for logging within fail2ban-server (gh-1980).
      Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
      - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
        for the list of facilities);
      - `datetime` - add date-time to the message (default on, ignored if `format` specified);
      - `format` - specify own format how it will be logged, for example for short-log into STDOUT:
        `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
    * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with 
     'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
      if repair fails - recreate new database (gh-1465, gh-2004).

OBS-URL: https://build.opensuse.org/request/show/578362
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=52
This commit is contained in:
Dominique Leuenberger 2018-02-21 13:11:41 +00:00 committed by Git OBS Bridge
commit 671fbd787d
5 changed files with 89 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fail2ban-0.10.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:19bac652e50f35b3b58ea010c2b89b91b945365d37dbf17467e0dc345c058465
size 465156

3
fail2ban-0.10.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1c1a969137c56f7e8b90e5f14d78b80214d34d67209787bfddc8d5804ceb29cc
size 474624

20
fail2ban-opensuse-service.patch
View File

@ -1,14 +1,14 @@
diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in
--- fail2ban-0.10.1.orig/files/fail2ban.service.in 2017-10-12 13:46:46.000000000 +0200
+++ fail2ban-0.10.1/files/fail2ban.service.in 2017-10-21 07:33:59.289164729 +0200
diff -ur fail2ban-0.10.2-orig/files/fail2ban.service.in fail2ban-0.10.2/files/fail2ban.service.in
--- fail2ban-0.10.2-orig/files/fail2ban.service.in 2018-01-18 14:49:01.000000000 +0100
+++ fail2ban-0.10.2/files/fail2ban.service.in 2018-02-20 09:35:36.759476111 +0100
@@ -1,17 +1,18 @@
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service
-PartOf=iptables.service firewalld.service
+After=network.target iptables.service firewalld.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service SuSEfirewall2.service
-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
[Service]
Type=simple
@ -16,11 +16,11 @@ diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fa
ExecStartPre=/bin/mkdir -p /var/run/fail2ban
-ExecStart=@BINDIR@/fail2ban-server -xf start
+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
# if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local
-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start
# if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
-ExecStop=@BINDIR@/fail2ban-client stop
-ExecReload=@BINDIR@/fail2ban-client reload
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+ExecStop=/usr/bin/fail2ban-client stop
+ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid

74
fail2ban.changes
View File

@ -1,3 +1,77 @@
-------------------------------------------------------------------
Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at
- Updated to version 0.10.2. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog
- rebased patch
- Incompatibility list (compared to v.0.9):
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always define your own capture-group (like below `_cond_ip_`) to do this.
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
- Incompatibility:
* The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses
anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors,
just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`.
- Fixes
* Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid
write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876)
* Fixed recognition of the new date-format on mysqld-auth filter (gh-1639)
* jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely
(if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942.
* config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf)
in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955.
* `action.d/pf.conf`:
- fixed syntax error in achnor definition (documentation, see gh-1919);
- enclose ports in braces for multiport jails (see gh-1925);
* `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990)
* `filter.d/sshd.conf`:
- extended failregex for modes "extra"/"aggressive": now finds all possible (also future)
forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944);
- fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263);
- New Features
* datedetector: extended default date-patterns (allows extra space between the date and time stamps);
introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing):
- %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock,
(corresponds %H, but allows space if not zero-padded).
- %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock,
(corresponds %I, but allows space if not zero-padded).
* `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983);
- New Actions:
* `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in
nginx-location with map-file);
- Enhancements
* jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988);
* action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once.
* Introduced new parameters for logging within fail2ban-server (gh-1980).
Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`:
- `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler
for the list of facilities);
- `datetime` - add date-time to the message (default on, ignored if `format` specified);
- `format` - specify own format how it will be logged, for example for short-log into STDOUT:
`fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`;
* Automatically recover or recreate corrupt persistent database (e. g. if failed to open with
'database disk image is malformed'). Fail2ban will create a backup, try to repair the database,
if repair fails - recreate new database (gh-1465, gh-2004).
-------------------------------------------------------------------
Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com

4
fail2ban.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package fail2ban
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -23,7 +23,7 @@
%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
Name: fail2ban
Version: 0.10.1
Version: 0.10.2
Release: 0
Summary: Bans IP addresses that make too many authentication failures
License: GPL-2.0+