Accepting request 1284779 from home:smithfarm:branches:security

- spec: + Use pyproject macros to build and install (including implementing manual install for files under /etc and /usr from the wheel) + some BuildRequires cleanup OBS-URL: https://build.opensuse.org/request/show/1284779 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=131
2025-06-11 11:23:44 +00:00
commit 8eb6070bf0
21 changed files with 2082 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
--- a/f2b-restart.conf
+++ b/f2b-restart.conf
@@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service
--- a/fail2ban-0.10.4-env-script-interpreter.patch
+++ b/fail2ban-0.10.4-env-script-interpreter.patch
@@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
+++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
+#!/usr/bin/fail2ban-python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on
--- a/fail2ban-1.0.2.tar.gz
+++ b/fail2ban-1.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
+size 583295
--- a/fail2ban-1.0.2.tar.gz.asc
+++ b/fail2ban-1.0.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
+iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
+EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
+aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
+dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
+Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
+e8+y9LLToHFjKeji436S6985hBQnEA==
+=jGOy
+-----END PGP SIGNATURE-----
--- a/fail2ban-1.1.0.tar.gz
+++ b/fail2ban-1.1.0.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:474fcc25afdaf929c74329d1e4d24420caabeea1ef2e041a267ce19269570bae
+size 603854
--- a/fail2ban-1.1.0.tar.gz.asc
+++ b/fail2ban-1.1.0.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmYqzEoACgkQaDvxvr0K
+iCwMfQf9GcxsuVs/LiHeDYmmvFOxCmS2zO4K5pzDuX1JmtSzKCj9HbPSxUWbIZIc
+yJv+x8t6QNBPBMnxI70TP+RcxKpCO4Fc2WRcrYS5B6gDTKy9Ty0fHorHlA4QQthu
+ywoqxf1eddQKcwlk+lw/wI1QPwZ1xA93BkasJht/bTnhAvXJBeN1Tgf+jZ23bHHf
+9FIGV8zt8fvaAIG8lB22AD/+PhSYEkp1TRuRx9VEuBbkH00u1i054I0cHTrsu3Fr
+jTIljf5TgpmFyXHBCA6JT6nnGn0jsaNDT/lBNxUmw5BmMxGWUTv4SlKbcjKjgXRH
+MTZipOHHYPx/7IyKJJvB1p1gvmOxyg==
+=qvry
+-----END PGP SIGNATURE-----
--- a/fail2ban-fix-openssh98.patch
+++ b/fail2ban-fix-openssh98.patch
@@ -0,0 +1,13 @@
+Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+===================================================================
+--- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
+++ fail2ban-1.0.2/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
+_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
--- a/fail2ban-opensuse-locations.patch
+++ b/fail2ban-opensuse-locations.patch
@@ -0,0 +1,32 @@
+Index: fail2ban-1.0.1/config/jail.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/jail.conf
+++ fail2ban-1.0.1/config/jail.conf
+@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+ # filter   = named-refused
+ # port     = domain,953
+ # protocol = udp
+-# logpath  = /var/log/named/security.log
+# logpath  = /var/lib/named/log/security.log
+ 
+ # IMPORTANT: see filter.d/named-refused for instructions to enable logging
+ # This jail blocks TCP traffic for DNS requests.
+@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+ [named-refused]
+ 
+ port     = domain,953
+-logpath  = /var/log/named/security.log
+logpath  = /var/lib/named/log/security.log
+ 
+ 
+ [nsd]
+Index: fail2ban-1.0.1/config/paths-common.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/paths-common.conf
+++ fail2ban-1.0.1/config/paths-common.conf
+@@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
+ mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
+ 
+-roundcube_errors_log = /var/log/roundcube/errors
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
--- a/fail2ban-opensuse-service-sfw.patch
+++ b/fail2ban-opensuse-service-sfw.patch
@@ -0,0 +1,14 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
+++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+ 
+ [Service]
+ Type=simple
--- a/fail2ban-opensuse-service.patch
+++ b/fail2ban-opensuse-service.patch
@@ -0,0 +1,27 @@
+diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-0.11.2-orig/files/fail2ban.service.in	2020-11-23 21:43:03.000000000 +0100
+++ fail2ban-0.11.2/files/fail2ban.service.in	2020-12-05 18:22:01.503018894 +0100
+@@ -2,17 +2,18 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+PartOf=firewalld.service
+ 
+ [Service]
+ Type=simple
+EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
+ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+-ExecStop=@BINDIR@/fail2ban-client stop
+-ExecReload=@BINDIR@/fail2ban-client reload
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+ExecStop=/usr/bin/fail2ban-client stop
+ExecReload=/usr/bin/fail2ban-client reload
+ PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255
--- a/fail2ban.changes
+++ b/fail2ban.changes
--- a/fail2ban.keyring
+++ b/fail2ban.keyring
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----
--- a/fail2ban.logrotate
+++ b/fail2ban.logrotate
@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+    compress
+    dateext
+    maxage 365
+    rotate 99
+    size=+4096k
+    notifempty
+    missingok
+    create 644 root root
+    postrotate
+      fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -0,0 +1,261 @@
+#
+# spec file for package fail2ban
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define pythons python3
+
+%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           fail2ban
+Version:        1.1.0
+Release:        0
+Summary:        Bans IP addresses that make too many authentication failures
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.fail2ban.org/
+Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:        %{name}.sysconfig
+Source3:        %{name}.logrotate
+Source5:        %{name}.tmpfiles
+# Path definitions have been submitted to upstream
+Source8:        paths-opensuse.conf
+Source200:      fail2ban.keyring
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
+Patch100:       %{name}-opensuse-locations.patch
+# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
+Patch201:       %{name}-0.10.4-env-script-interpreter.patch
+# PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
+Patch301:       harden_fail2ban.service.patch
+# PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
+Patch302:       fail2ban-fix-openssh98.patch
+BuildRequires:  %{python_module pip}
+BuildRequires:  %{python_module pyinotify >= 0.8.3}
+BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module systemd}
+BuildRequires:  %{python_module tools}
+BuildRequires:  %{python_module wheel}
+BuildRequires:  fdupes
+BuildRequires:  logrotate
+BuildRequires:  python-rpm-macros
+# timezone package is required to run the tests
+BuildRequires:  timezone
+Requires:       cron
+Requires:       ed
+Requires:       iptables
+Requires:       logrotate
+Requires:       python3 >= 3.5
+Requires:       python3-setuptools
+Requires:       whois
+BuildArch:      noarch
+BuildRequires:  pkgconfig(systemd)
+Requires:       python3-systemd
+Requires:       systemd > 204
+%{?systemd_requires}
+Requires:       python3-pyinotify >= 0.8.3
+%if 0%{?suse_version} < 1600
+Obsoletes:      SuSEfirewall2-%{name}
+Provides:       SuSEfirewall2-%{name}
+%endif
+
+%description
+Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP
+addresses that makes too many password failures. It updates firewall rules to
+reject the IP address, can send e-mails, or set host.deny entries.  These rules
+can be defined by the user. Fail2Ban can read multiple log files such as sshd
+or Apache web server ones.
+
+%package -n monitoring-plugins-%{name}
+Summary:        Check fail2ban server and how many IPs are currently banned
+Group:          System/Monitoring
+%if 0%{?suse_version}
+BuildRequires:  nagios-rpm-macros
+%else
+%define         nagios_plugindir %{_libexecdir}/nagios/plugins
+%endif
+Provides:       nagios-plugins-%{name} = %{version}
+Obsoletes:      nagios-plugins-%{name} < %{version}
+
+%description -n monitoring-plugins-%{name}
+This plugin checks if the fail2ban server is running and how many IPs are
+currently banned.  You can use this plugin to monitor all the jails or just a
+specific jail.
+
+How to use
+----------
+Just have to run the following command:
+  $ ./check_fail2ban --help
+
+%prep
+%setup -q
+install -m644 %{SOURCE8} config/paths-opensuse.conf
+
+# Use openSUSE paths
+sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
+
+%patch -P 100 -p1
+%patch -P 201 -p1
+%patch -P 301 -p1
+%patch -P 302 -p1
+
+rm 	config/paths-arch.conf \
+	config/paths-debian.conf \
+	config/paths-fedora.conf \
+	config/paths-freebsd.conf \
+	config/paths-osx.conf
+
+# correct doc-path
+sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
+
+%build
+export CFLAGS="%{optflags}"
+%pyproject_wheel
+gzip man/*.{1,5}
+
+%install
+%pyproject_install
+%python_expand %fdupes %{buildroot}%{python3_sitelib}
+
+install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
+install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+
+install -d -m 755 %{buildroot}%{_initddir}
+install -d -m 755 %{buildroot}%{_sbindir}
+
+# use /run directory
+install -d -m 755 %{buildroot}/run
+touch %{buildroot}/run/%{name}
+
+# systemd
+install -d -m 755 %{buildroot}%{_unitdir}
+cp -av build/fail2ban.service "%{buildroot}/%{_unitdir}/%{name}.service"
+
+install -d -m 755 %{buildroot}%{_tmpfilesdir}
+install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
+
+install -d -m 755 %{buildroot}%{_sysconfdir}
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/action.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/fail2ban.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/filter.d
+install -d -m 755 %{buildroot}%{_sysconfdir}/%{name}/jail.d
+echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
+cp -av config/action.d/* %{buildroot}%{_sysconfdir}/%{name}/action.d
+cp -av config/filter.d/* %{buildroot}%{_sysconfdir}/%{name}/filter.d
+cp -av config/paths-common.conf %{buildroot}%{_sysconfdir}/%{name}
+cp -av config/paths-opensuse.conf %{buildroot}%{_sysconfdir}/%{name}
+cp -av config/fail2ban.conf %{buildroot}%{_sysconfdir}/%{name}
+cp -av config/jail.conf %{buildroot}%{_sysconfdir}/%{name}
+rm -rv %{buildroot}%{python3_sitelib}%{_sysconfdir}
+rm -rv %{buildroot}%{python3_sitelib}%{_docdir}/%{name}
+
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
+
+install -d -m 755 %{buildroot}%{_fillupdir}
+install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
+
+install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+
+%if 0%{?suse_version} < 1600
+perl -i -lpe 's{(After|PartOf)=(.*)}{$1=$2 SuSEfirewall2.service}' \
+	"%{buildroot}/%{_unitdir}/%{name}.service"
+%endif
+install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
+
+%check
+# tests require python-pyinotify to be installed, so don't run them on older versions
+%if 0%{?suse_version} >= 1500
+# Need a UTF-8 locale to work
+export LANG=en_US.UTF-8
+./fail2ban-testcases-all --no-network || true
+%endif
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%fillup_only
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%files
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/action.d
+%dir %{_sysconfdir}/%{name}/%{name}.d
+%dir %{_sysconfdir}/%{name}/filter.d
+%dir %{_sysconfdir}/%{name}/jail.d
+#
+%config %{_sysconfdir}/%{name}/action.d/*
+%config %{_sysconfdir}/%{name}/filter.d/*
+#
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config %{_sysconfdir}/%{name}/jail.conf
+%config %{_sysconfdir}/%{name}/paths-common.conf
+%config %{_sysconfdir}/%{name}/paths-opensuse.conf
+#
+%config(noreplace) %{_sysconfdir}/%{name}/jail.local
+#
+%config %{_sysconfdir}/logrotate.d/%{name}
+%dir %{_localstatedir}/lib/%{name}/
+# use /run directory
+%ghost /run/%{name}
+# systemd
+%{_unitdir}/%{name}.service
+%{_tmpfilesdir}/%{name}.conf
+%{_sbindir}/rc%{name}
+%{_bindir}/%{name}-server
+%{_bindir}/%{name}-client
+%{_bindir}/%{name}-python
+%{_bindir}/%{name}-regex
+%{python3_sitelib}/%{name}
+%exclude %{python3_sitelib}/%{name}/tests
+%{python3_sitelib}/%{name}-*
+%{_fillupdir}/sysconfig.%{name}
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%license COPYING
+%doc README.md TODO ChangeLog doc/*.txt
+
+# do not include tests as they are executed during the build process
+%exclude %{_bindir}/%{name}-testcases
+%exclude %{python3_sitelib}/%{name}/tests
+
+%files -n monitoring-plugins-%{name}
+%license COPYING
+%doc files/nagios/README
+%if 0%{?suse_version}
+%dir %{nagios_libdir}
+%else
+%dir %{_libexecdir}/nagios
+%endif
+%dir %{nagios_plugindir}
+%{nagios_plugindir}/check_%{name}
+
+%changelog
--- a/fail2ban.sysconfig
+++ b/fail2ban.sysconfig
@@ -0,0 +1,10 @@
+## Path:	System/Security/Fail2ban
+## Description:	fail2ban options
+## Type:	string
+## Default:	""
+## ServiceReload: fail2ban
+## ServiceRestart: fail2ban
+#
+# Options for fail2ban
+#
+FAIL2BAN_OPTIONS=""
--- a/fail2ban.tmpfiles
+++ b/fail2ban.tmpfiles
@@ -0,0 +1 @@
+d /run/fail2ban 0755 root root
--- a/harden_fail2ban.service.patch
+++ b/harden_fail2ban.service.patch
@@ -0,0 +1,27 @@
+---
+ files/fail2ban.service.in |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+Index: fail2ban-1.1.0/files/fail2ban.service.in
+===================================================================
+--- fail2ban-1.1.0.orig/files/fail2ban.service.in
+++ fail2ban-1.1.0/files/fail2ban.service.in
+@@ -5,6 +5,18 @@ After=network.target iptables.service fi
+ PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+ 
+ [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
+ Type=simple
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
--- a/paths-opensuse.conf
+++ b/paths-opensuse.conf
@@ -0,0 +1,50 @@
+# openSUSE log-file locations
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_local0  = /var/log/messages
+
+syslog_mail = /var/log/mail
+
+syslog_mail_warn = %(syslog_mail)s
+
+syslog_authpriv = %(syslog_local0)s
+
+syslog_user =  %(syslog_local0)s
+
+syslog_ftp  = %(syslog_local0)s
+
+syslog_daemon  = %(syslog_local0)s
+
+apache_error_log = /var/log/apache2/*error_log
+
+apache_access_log = /var/log/apache2/*access_log
+
+pureftpd_log = %(syslog_local0)s
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/log/mysql/mysqld.log
+
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
+
+solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd
--- a/sfw-fail2ban.conf
+++ b/sfw-fail2ban.conf
@@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service