From 552f2139260d91be915f108e0e2175c2de540338830ef343348daa0abbb9e24a Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Tue, 20 Feb 2018 09:42:27 +0000 Subject: [PATCH 1/2] Accepting request 578297 from home:weberho:branches:security - Updated to version 0.10.2. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog - rebased patch OBS-URL: https://build.opensuse.org/request/show/578297 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=87 --- fail2ban-0.10.1.tar.gz | 3 -- fail2ban-0.10.2.tar.gz | 3 ++ fail2ban-opensuse-service.patch | 20 ++++----- fail2ban.changes | 79 +++++++++++++++++++++++++++++++++ fail2ban.spec | 4 +- 5 files changed, 94 insertions(+), 15 deletions(-) delete mode 100644 fail2ban-0.10.1.tar.gz create mode 100644 fail2ban-0.10.2.tar.gz diff --git a/fail2ban-0.10.1.tar.gz b/fail2ban-0.10.1.tar.gz deleted file mode 100644 index 76c56a8..0000000 --- a/fail2ban-0.10.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:19bac652e50f35b3b58ea010c2b89b91b945365d37dbf17467e0dc345c058465 -size 465156 diff --git a/fail2ban-0.10.2.tar.gz b/fail2ban-0.10.2.tar.gz new file mode 100644 index 0000000..b90215f --- /dev/null +++ b/fail2ban-0.10.2.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1c1a969137c56f7e8b90e5f14d78b80214d34d67209787bfddc8d5804ceb29cc +size 474624 diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch index 918d967..d44cafa 100644 --- a/fail2ban-opensuse-service.patch +++ b/fail2ban-opensuse-service.patch @@ -1,14 +1,14 @@ -diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in ---- fail2ban-0.10.1.orig/files/fail2ban.service.in 2017-10-12 13:46:46.000000000 +0200 -+++ fail2ban-0.10.1/files/fail2ban.service.in 2017-10-21 07:33:59.289164729 +0200 +diff -ur fail2ban-0.10.2-orig/files/fail2ban.service.in fail2ban-0.10.2/files/fail2ban.service.in +--- fail2ban-0.10.2-orig/files/fail2ban.service.in 2018-01-18 14:49:01.000000000 +0100 ++++ fail2ban-0.10.2/files/fail2ban.service.in 2018-02-20 09:35:36.759476111 +0100 @@ -1,17 +1,18 @@ [Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) --After=network.target iptables.service firewalld.service --PartOf=iptables.service firewalld.service -+After=network.target iptables.service firewalld.service SuSEfirewall2.service -+PartOf=iptables.service firewalld.service SuSEfirewall2.service +-After=network.target iptables.service firewalld.service ip6tables.service ipset.service +-PartOf=iptables.service firewalld.service ip6tables.service ipset.service ++After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service ++PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service [Service] Type=simple @@ -16,11 +16,11 @@ diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fa ExecStartPre=/bin/mkdir -p /var/run/fail2ban -ExecStart=@BINDIR@/fail2ban-server -xf start +ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start - # if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local --# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start + # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local +-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start -ExecStop=@BINDIR@/fail2ban-client stop -ExecReload=@BINDIR@/fail2ban-client reload -+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start ++# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start +ExecStop=/usr/bin/fail2ban-client stop +ExecReload=/usr/bin/fail2ban-client reload PIDFile=/var/run/fail2ban/fail2ban.pid diff --git a/fail2ban.changes b/fail2ban.changes index 95dc1f7..ed52315 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,3 +1,82 @@ +------------------------------------------------------------------- +Tue Feb 20 08:36:40 UTC 2018 - jweberhofer@weberhofer.at + +- + +------------------------------------------------------------------- +Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at + +- Updated to version 0.10.2. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog + +- rebased patch + +- Incompatibility list (compared to v.0.9): + * Filter (or `failregex`) internal capture-groups: + - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should + rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` + (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). + Of course you can always define your own capture-group (like below `_cond_ip_`) to do this. + testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" + fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" + - New internal groups (currently reserved for internal usage): + `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if + mapping from tag `` used in failregex (e. g. `user` by ``). + * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some + user configurations resp. `datepattern`. + * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are + IPv6-capable now. + +- Incompatibility: + * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses + anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors, + just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. + +- Fixes + * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid + write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876) + * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639) + * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely + (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942. + * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) + in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955. + * `action.d/pf.conf`: + - fixed syntax error in achnor definition (documentation, see gh-1919); + - enclose ports in braces for multiport jails (see gh-1925); + * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990) + * `filter.d/sshd.conf`: + - extended failregex for modes "extra"/"aggressive": now finds all possible (also future) + forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", + see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944); + - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263); + +- New Features + * datedetector: extended default date-patterns (allows extra space between the date and time stamps); + introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing): + - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock, + (corresponds %H, but allows space if not zero-padded). + - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock, + (corresponds %I, but allows space if not zero-padded). + * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983); + +- New Actions: + * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in + nginx-location with map-file); + + - Enhancements + * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988); + * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once. + * Introduced new parameters for logging within fail2ban-server (gh-1980). + Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`: + - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler + for the list of facilities); + - `datetime` - add date-time to the message (default on, ignored if `format` specified); + - `format` - specify own format how it will be logged, for example for short-log into STDOUT: + `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`; + * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with + 'database disk image is malformed'). Fail2ban will create a backup, try to repair the database, + if repair fails - recreate new database (gh-1465, gh-2004). + ------------------------------------------------------------------- Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com diff --git a/fail2ban.spec b/fail2ban.spec index 5325d99..d07c1b7 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ # # spec file for package fail2ban # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -23,7 +23,7 @@ %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} Name: fail2ban -Version: 0.10.1 +Version: 0.10.2 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ From 68abb5fa88fac639549d8cae21be7e600db45e3b0bbddb2940a0d9660d484f54 Mon Sep 17 00:00:00 2001 From: Johannes Weberhofer Date: Tue, 20 Feb 2018 13:50:34 +0000 Subject: [PATCH 2/2] OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=88 --- fail2ban.changes | 5 ----- 1 file changed, 5 deletions(-) diff --git a/fail2ban.changes b/fail2ban.changes index ed52315..b7d28ff 100644 --- a/fail2ban.changes +++ b/fail2ban.changes @@ -1,8 +1,3 @@ -------------------------------------------------------------------- -Tue Feb 20 08:36:40 UTC 2018 - jweberhofer@weberhofer.at - -- - ------------------------------------------------------------------- Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at