From c0917c8a4c36e21045de51ba5166f7c1ae9ed81dbb285bf2dbad9ebc9faf7e5f Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Wed, 4 Sep 2024 08:00:14 +0000
Subject: [PATCH] - fail2ban-fix-openssh98.patch: fix to work with openssh 9.8 (bsc#1230101)
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=120
---
.gitattributes | 23 +
.gitignore | 1 +
f2b-restart.conf | 5 +
fail2ban-0.10.4-env-script-interpreter.patch | 9 +
fail2ban-1.0.2.tar.gz | 3 +
fail2ban-1.0.2.tar.gz.asc | 11 +
fail2ban-disable-iptables-w-option.patch | 14 +
fail2ban-fix-openssh98.patch | 13 +
fail2ban-opensuse-locations.patch | 32 +
fail2ban-opensuse-service-sfw.patch | 14 +
fail2ban-opensuse-service.patch | 27 +
fail2ban.changes | 1450 ++++++++++++++++++
fail2ban.keyring | 29 +
fail2ban.logrotate | 13 +
fail2ban.spec | 351 +++++
fail2ban.sysconfig | 10 +
fail2ban.tmpfiles | 1 +
harden_fail2ban.service.patch | 23 +
paths-opensuse.conf | 50 +
sfw-fail2ban.conf | 7 +
20 files changed, 2086 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 f2b-restart.conf
create mode 100644 fail2ban-0.10.4-env-script-interpreter.patch
create mode 100644 fail2ban-1.0.2.tar.gz
create mode 100644 fail2ban-1.0.2.tar.gz.asc
create mode 100644 fail2ban-disable-iptables-w-option.patch
create mode 100644 fail2ban-fix-openssh98.patch
create mode 100644 fail2ban-opensuse-locations.patch
create mode 100644 fail2ban-opensuse-service-sfw.patch
create mode 100644 fail2ban-opensuse-service.patch
create mode 100644 fail2ban.changes
create mode 100644 fail2ban.keyring
create mode 100644 fail2ban.logrotate
create mode 100644 fail2ban.spec
create mode 100644 fail2ban.sysconfig
create mode 100644 fail2ban.tmpfiles
create mode 100644 harden_fail2ban.service.patch
create mode 100644 paths-opensuse.conf
create mode 100644 sfw-fail2ban.conf
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/f2b-restart.conf b/f2b-restart.conf
new file mode 100644
index 0000000..5b1b2e0
--- /dev/null
+++ b/f2b-restart.conf
@@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service
diff --git a/fail2ban-0.10.4-env-script-interpreter.patch b/fail2ban-0.10.4-env-script-interpreter.patch
new file mode 100644
index 0000000..4dc43fe
--- /dev/null
+++ b/fail2ban-0.10.4-env-script-interpreter.patch
@@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot 2018-10-04 11:26:22.000000000 +0200
++++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot 2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
++#!/usr/bin/fail2ban-python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on
diff --git a/fail2ban-1.0.2.tar.gz b/fail2ban-1.0.2.tar.gz
new file mode 100644
index 0000000..2644181
--- /dev/null
+++ b/fail2ban-1.0.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
+size 583295
diff --git a/fail2ban-1.0.2.tar.gz.asc b/fail2ban-1.0.2.tar.gz.asc
new file mode 100644
index 0000000..d2165cb
--- /dev/null
+++ b/fail2ban-1.0.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
+iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
+EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
+aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
+dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
+Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
+e8+y9LLToHFjKeji436S6985hBQnEA==
+=jGOy
+-----END PGP SIGNATURE-----
diff --git a/fail2ban-disable-iptables-w-option.patch b/fail2ban-disable-iptables-w-option.patch
new file mode 100644
index 0000000..19c65d5
--- /dev/null
+++ b/fail2ban-disable-iptables-w-option.patch
@@ -0,0 +1,14 @@
+--- fail2ban-1.0.1/config/action.d/iptables.conf.orig 2022-10-12 11:35:25.789327341 +0200
++++ fail2ban-1.0.1/config/action.d/iptables.conf 2022-10-12 11:35:40.585449861 +0200
+@@ -138,8 +138,10 @@
+ # running concurrently and causing irratic behavior. -w was introduced
+ # in iptables 1.4.20, so might be absent on older systems
+ # See https://github.com/fail2ban/fail2ban/issues/1122
++# The default option "-w" can be used for openSUSE versions 13.2+ and
++# for updated versions of openSUSE 13.1; SLE 12 supports this option.
+ # Values: STRING
+-lockingopt = -w
++lockingopt =
+
+ # Option: iptables
+ # Notes.: Actual command to be executed, including common to all calls options
diff --git a/fail2ban-fix-openssh98.patch b/fail2ban-fix-openssh98.patch
new file mode 100644
index 0000000..e09353e
--- /dev/null
+++ b/fail2ban-fix-openssh98.patch
@@ -0,0 +1,13 @@
+Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+===================================================================
+--- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
++++ fail2ban-1.0.2/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+
+ [DEFAULT]
+
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?
diff --git a/fail2ban-opensuse-locations.patch b/fail2ban-opensuse-locations.patch
new file mode 100644
index 0000000..e0dfbd6
--- /dev/null
+++ b/fail2ban-opensuse-locations.patch
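Review bot: The nested hunk for `config/action.d/iptables.conf` empties `lockingopt`, so every iptables call that uses this action config runs without `-w`, the option the upstream context lines describe as guarding against concurrent runs and erratic behaviour. The two comment lines added in the same hunk state that `-w` is usable on openSUSE 13.2+, updated 13.1 and SLE 12, which makes the cleared default look stale for current targets; without it a ban or unban command can presumably fail while another tool is modifying the rule set, leaving the address unblocked. Whether the spec file applies this patch only on releases whose iptables lacks the option is not visible in this hunk. If it is applied unconditionally, I would keep `lockingopt = -w`, or at least extend the added comment to name the releases that still need the empty value.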
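Review bot: Only `_daemon` is widened to `sshd(?:-session)?` in the nested hunk for `config/filter.d/sshd.conf`, and the rest of the filter lies outside it, so it cannot be seen here whether the filter's `journalmatch` also selects on the process name. If it does, jails that read the systemd journal would pre-filter on the old name and failed logins from the new binary would never reach the regex; that line is worth checking and, if needed, widening in the same patch. A short comment above the assignment would help the next rebase, e.g. `# OpenSSH 9.8 logs from the sshd-session binary (bsc#1230101)`.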
@@ -0,0 +1,32 @@
+Index: fail2ban-1.0.1/config/jail.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/jail.conf
++++ fail2ban-1.0.1/config/jail.conf
+@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+ # filter = named-refused
+ # port = domain,953
+ # protocol = udp
+-# logpath = /var/log/named/security.log
++# logpath = /var/lib/named/log/security.log
+
+ # IMPORTANT: see filter.d/named-refused for instructions to enable logging
+ # This jail blocks TCP traffic for DNS requests.
+@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+ [named-refused]
+
+ port = domain,953
+-logpath = /var/log/named/security.log
++logpath = /var/lib/named/log/security.log
+
+
+ [nsd]
+Index: fail2ban-1.0.1/config/paths-common.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/paths-common.conf
++++ fail2ban-1.0.1/config/paths-common.conf
+@@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
+ mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
+
+-roundcube_errors_log = /var/log/roundcube/errors
++roundcube_errors_log = /srv/www/roundcubemail/logs/errors
diff --git a/fail2ban-opensuse-service-sfw.patch b/fail2ban-opensuse-service-sfw.patch
new file mode 100644
index 0000000..ac90524
--- /dev/null
+++ b/fail2ban-opensuse-service-sfw.patch
@@ -0,0 +1,14 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:27:18.175106400 +0200
++++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:28:42.045116215 +0200
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
++After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
++PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+
+ [Service]
+ Type=simple
diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch
new file mode 100644
index 0000000..089d45f
--- /dev/null
+++ b/fail2ban-opensuse-service.patch
@@ -0,0 +1,27 @@
+diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-0.11.2-orig/files/fail2ban.service.in 2020-11-23 21:43:03.000000000 +0100
++++ fail2ban-0.11.2/files/fail2ban.service.in 2020-12-05 18:22:01.503018894 +0100
+@@ -2,17 +2,18 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
++PartOf=firewalld.service
+
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+-ExecStop=@BINDIR@/fail2ban-client stop
+-ExecReload=@BINDIR@/fail2ban-client reload
++# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
++ExecStop=/usr/bin/fail2ban-client stop
++ExecReload=/usr/bin/fail2ban-client reload
+ PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255
diff --git a/fail2ban.changes b/fail2ban.changes
new file mode 100644
index 0000000..6f0e5a2
--- /dev/null
+++ b/fail2ban.changes
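Review bot: `PartOf=` is narrowed to `firewalld.service` in the nested hunk for `files/fail2ban.service.in`, so restarting `iptables.service`, `ip6tables.service`, `ipset.service` or `nftables.service` no longer restarts fail2ban, although the unchanged `After=` line still orders against them. On a host that uses one of those units instead of firewalld, reloading the rule set can presumably remove fail2ban's chains and active bans without the daemon being restarted to re-create them. The unit file itself gives no reason for the change; a comment above the line such as `# PartOf only firewalld: the ipset/nftables units conflict with firewalld.service; restart fail2ban after reloading any other firewall service` would document the trade-off. Separately, `$FAIL2BAN_OPTIONS` is read from `/etc/sysconfig/fail2ban` and spliced into the server command line, so the package should install that file writable by root only.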
@@ -0,0 +1,1450 @@ +------------------------------------------------------------------- +Wed Sep 4 07:54:06 UTC 2024 - Marcus Meissner + +- fail2ban-fix-openssh98.patch: fix to work with openssh 9.8 (bsc#1230101) + +------------------------------------------------------------------- +Mon Feb 26 08:17:28 UTC 2024 - Dominique Leuenberger + +- Use %patch -P N instead of deprecated %patchN. + +------------------------------------------------------------------- +Mon Jun 5 16:36:47 UTC 2023 - Lars Vogdt + +- use nagios-rpm-macros to define the libexecdir for SUSE distributions + correctly (defaut here is /usr/lib/nagios/plugins) +- move conditional for %%pre scripts, to avoid any dependency or other + stuff getting in the way on old distributions + +------------------------------------------------------------------- +Sun Dec 4 21:07:21 UTC 2022 - Dirk Müller + +- update to 1.0.2: + * Update of major version of fail2ban with primary target to fix a + dovecot-filter regression #3370. + * See the ChangeLog for more information. + +------------------------------------------------------------------- +Wed Oct 12 08:11:52 UTC 2022 - Paolo Stivanin + +- Update to 1.0.1: + * https://github.com/fail2ban/fail2ban/blob/1.0.1/ChangeLog +- Remove fail2ban-0.11.2-upstream-patch-python-3.9.patch. +- Remove fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch. +- Remove fail2ban-rpmlintrc since it's no longer needed. +- Add fail2ban.keyring. 
+ +------------------------------------------------------------------- +Sat Jan 22 11:17:48 UTC 2022 - Arjen de Korte + +- Fail2ban can't be PartOf ipset.service and nftables.service that + conflict with firewalld.service (as it will prevent restarting the + latter and which are not provided anymore) + * fail2ban-opensuse-service.patch + * harden_fail2ban.service.patch + +------------------------------------------------------------------- +Wed Jan 19 13:05:44 UTC 2022 - Dirk Müller + +- add python-rpm-macros buildrequires (bsc#1194752) + +------------------------------------------------------------------- +Fri Nov 12 10:49:20 UTC 2021 - Johannes Weberhofer + +- Added fail2ban-0.11.2-upstream-patch-python-3.9.patch to allow + fail2ban run under under python 3.9+ + +- Shifted the order of the patches + +------------------------------------------------------------------- +Tue Sep 14 07:47:32 UTC 2021 - Johannes Segitz + +- Added hardening to systemd service(s) (bsc#1181400). Added patch(es): + * harden_fail2ban.service.patch + +------------------------------------------------------------------- +Tue Aug 24 13:40:32 UTC 2021 - Johannes Weberhofer + +- Added fail2ban-0.11.2-upstream-patch-for-CVE-2021-32749.patch + to fixs CVE-2021-32749 - bnc#1188610 to prevent a command injection via mail comand + +------------------------------------------------------------------- +Sat Dec 5 17:25:17 UTC 2020 - Johannes Weberhofer + +- Integrate change to resolve bnc#1146856 and bnc#1180738 + +------------------------------------------------------------------- +Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer + +- Update to 0.11.2 + increased stability, filter and action updates + +- New Features and Enhancements + * fail2ban-regex: + - speedup formatted output (bypass unneeded stats creation) + - extended with prefregex statistic + - more informative output for `datepattern` (e. g. 
set from filter) - pattern : description + * parsing of action in jail-configs considers space between action-names as separator also + (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` + * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689) + * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855) + * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723) + * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured + (gh#fail2ban/fail2ban#2631) + * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778) + * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; + * datetemplate: improved anchor detection for capturing groups `(^...)`; + * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) + as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814): + - filter gets mode in-operation, which gets activated if filter starts processing of new messages; + in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much + from now (up too 24h), will be considered as now (assuming a timezone issue), so could avoid unexpected + bypass of failure (previously exceeding `findtime`); + - better interaction with non-matching optional datepattern or invalid timestamps; + - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages, + whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802) + * performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template); + * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), 
gh#fail2ban/fail2ban#2791; + * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag + prefix `` with all value of `` tags (gh#fail2ban/fail2ban#2755) + +- Fixes + * [stability] prevent race condition - no ban if filter (backend) is continuously busy if + too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660) + * pyinotify-backend sporadically avoided initial scanning of log-file by start + * python 3.9 compatibility (and Travis CI support) + * restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed + * manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647) + * `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead) + * no mails-action added per default anymore (e. g. to allow that `action = %(action_mw)s` should be specified + per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357 + * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686) + * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), + so would bother the action interpolation + * fixed type conversion in config readers (take place after all interpolations get ready), that allows to + specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters. 
+ * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy + between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703) + * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing + with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656) + * `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763) + * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821) + * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836) + * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` + should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650) + * `filter.d/dovecot.conf`: + - add managesieve and submission support (gh#fail2ban/fail2ban#2795); + - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573); + * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697) + * `filter.d/traefik-auth.conf`: filter extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle + the match of username differently (gh#fail2ban/fail2ban#2693): + - `normal`: matches 401 with supplied username only + - `ddos`: matches 401 without supplied username only + - `aggressive`: matches 401 and any variant (with and without username) + * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749) + +- Rebased patches +- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch + +------------------------------------------------------------------- +Wed Aug 19 09:04:12 UTC 2020 - Dominique Leuenberger + +- Use 
%{_tmpfilesdir} consistently throughout the .spec. + +------------------------------------------------------------------- +Thu May 21 07:49:38 UTC 2020 - Paolo Stivanin + +- Update to 0.11.1: + * Increment ban time (+ observer) functionality introduced. + * Database functionality extended with bad ips. + * New tags (usable in actions): + - `` - ban count of this offender if known as bad + (started by 1 for unknown) + - `` - current ban-time of the ticket + (prolongation can be retarded up to 10 sec.) + * Introduced new action command `actionprolong` to prolong ban-time + (e. g. set new timeout if expected); + * algorithm of restore current bans after restart changed: + update the restored ban-time (and therefore + end of ban) of the ticket with ban-time of jail (as maximum), + for all tickets with ban-time greater (or persistent) + * added new setup-option `--without-tests` to skip building + and installing of tests files (gh-2287). + * added new command `fail2ban-client get banip ?sep-char|--with-time?` + to get the banned ip addresses (gh-1916). + * purge database will be executed now (within observer). + restoring currently banned ip after service restart fixed + (now < timeofban + bantime), ignore old log failures (already banned) + * upgrade database: update new created table `bips` with entries + from table `bans` (allows restore current bans after + upgrade from version <= 0.10) + +------------------------------------------------------------------- +Thu Jan 9 14:06:14 UTC 2020 - Dominique Leuenberger + +- Switch to use python3 (upstream supported): + + BuildRequire python3-tools instead of python-devel (for the + 2to3 tool). + + Drop the python-gamin dependency. + + Replace all python-FOO deps for their python3-FOO counterpart. 
+ +------------------------------------------------------------------- +Mon Aug 12 09:10:37 UTC 2019 - Johannes Weberhofer + +- Added fail2ban-0.10.4-env-script-interpreter.patch to define interpretor +- removal of SuSEfirewall2-fail2ban for factory versions since SuSEfirewall2 + will be removed from Factory (see sr#713247): + * fail2ban-opensuse-service.patch: removed references to SuSEfirewall2 service + * fail2ban-opensuse-service-sfw.patch: use references to SuSEfirewall2 only for + older distributions + * Removed installation recommendation of the fail2ban-SuSEfirewall2 + package for all distributions as it is deprecated. +- fail2ban-0.10.4-upstream-pid-file-location.patch changed fail2ban unit file + location (boo#1145181, gh#fail2ban/fail2ban#2474) + +------------------------------------------------------------------- +Tue Jun 11 12:42:54 UTC 2019 - Dominique Leuenberger + +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut the build queues by allowing usage of systemd-mini + +------------------------------------------------------------------- +Sat Feb 16 22:28:49 UTC 2019 - chris@computersalat.de + +- ver. 
0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four + * https://github.com/fail2ban/fail2ban/blob/0.10.4/ChangeLog + +- Fixes + * `filter.d/dovecot.conf`: + - failregex enhancement to catch sql password mismatch errors (gh-2153); + - disconnected with "proxy dest auth failed" (gh-2184); + * `filter.d/freeswitch.conf`: + - provide compatibility for log-format from gh-2193: + * extended with new default date-pattern `^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?` to cover + `YYYY-mm-dd HH:MM::SS.ms` as well as `mm-dd HH:MM::SS.ms` (so year is optional); + * more optional arguments in log-line (so accept [WARN] as well as [WARNING] and optional [SOFIA] hereafter); + - extended with mode parameter, allows to avoid matching of messages like `auth challenge (REGISTER)` + (see gh-2163) (currently `extra` as default to be backwards-compatible), see comments in filter + how to set it to mode `normal`. + * `filter.d/domino-smtp.conf`: + - recognizes failures logged using another format (something like session-id, IP enclosed in square brackets); + - failregex extended to catch connections rejected for policy reasons (gh-2228); + * `action.d/hostsdeny.conf`: fix parameter in config (dynamic parameters stating with '_' are protected + and don't allowed in command-actions), see gh-2114; + * decoding stability fix by wrong encoded characters like utf-8 surrogate pairs, etc (gh-2171): + - fail2ban running in the preferred encoding now (as default encoding also within python 2.x), mostly + `UTF-8` in opposite to `ascii` previously, so minimizes influence of implicit conversions errors; + - actions: avoid possible conversion errors on wrong-chars by replace tags; + - database: improve adapter/converter handlers working on invalid characters in sense of json and/or sqlite-database; + additionally both are exception-safe now, so avoid possible locking of database (closes gh-2137); + - logging in fail2ban is process-wide exception-safe now. 
+ * repaired start-time of initial seek to time (as well as other log-parsing related data), + if parameter `logpath` specified before `findtime`, `backend`, `datepattern`, etc (gh-2173) + * systemd: fixed type error on option `journalflags`: an integer is required (gh-2125); + +- New Features + * new option `ignorecache` to improve performance of ignore failure check (using caching of `ignoreip`, + `ignoreself` and `ignorecommand`), see `man jail.conf` for syntax-example; + * `ignorecommand` extended to use actions-similar replacement (capable to interpolate + all possible tags like ``, ``, ``, `F-USER` etc.) + +- Enhancements + * `filter.d/dovecot.conf`: extended with tags F-USER (and alternatives) to collect user-logins (gh-2168) + * since v.0.10.4, fail2ban-client, fail2ban-server and fail2ban-regex will return version without logo info, + additionally option `-V` can be used to get version in normalized machine-readable short format. + +- rebase patches + * fail2ban-opensuse-locations.patch + * fail2ban-opensuse-service.patch +- add signature file + +------------------------------------------------------------------- +Sat Apr 21 06:02:12 UTC 2018 - jweberhofer@weberhofer.at + +- Updated to version 0.10.3.1. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.3.1/ChangeLog + + * fixed JSON serialization for the set-object within dump into database (gh-2103). + +- Updated to version 0.10.3. 
Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.3/ChangeLog + +- Fixes + * `filter.d/asterisk.conf`: fixed failregex prefix by log over remote syslog server (gh-2060); + * `filter.d/exim.conf`: failregex extended - SMTP call dropped: too many syntax or protocol errors (gh-2048); + * `filter.d/recidive.conf`: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069; + * `filter.d/sendmail-auth.conf`, `filter.d/sendmail-reject.conf` : + - fixed failregex, sendmail uses prefix 'IPv6:' logging of IPv6 addresses (gh-2064); + * `filter.d/sshd.conf`: + - failregex got an optional space in order to match new log-format (see gh-2061); + - fixed ddos-mode regex to match refactored message (some versions can contain port now, see gh-2062); + - fixed root login refused regex (optional port before preauth, gh-2080); + - avoid banning of legitimate users when pam_unix used in combination with other password method, so + bypass pam_unix failures if accepted available for this user gh-2070; + - amend to gh-1263 with better handling of multiple attempts (failures for different user-names recognized immediatelly); + - mode `ddos` (and `aggressive`) extended to catch `Connection closed by ... [preauth]`, so in DDOS mode + it counts failure on closing connection within preauth-stage (gh-2085); + * `action.d/abuseipdb.conf`: fixed curl cypher errors and comment quote-issue (gh-2044, gh-2101); + * `action.d/badips.py`: implicit convert IPAddr to str, solves an issue "expected string, IPAddr found" (gh-2059); + * `action.d/hostsdeny.conf`: fixed IPv6 syntax (enclosed in square brackets, gh-2066); + * (Free)BSD ipfw actionban fixed to allow same rule added several times (gh-2054); + +- New Features + * several stability and performance optimizations, more effective filter parsing, etc; + * stable runnable within python versions 3.6 (as well as within 3.7-dev); + +- Enhancements + * `filter.d/apache-auth.conf`: detection of Apache SNI errors resp. 
misredirect attempts (gh-2017, gh-2097); + * `filter.d/apache-noscript.conf`: extend failregex to match "Primary script unknown", e. g. from php-fpm (gh-2073); + * date-detector extended with long epoch (`LEPOCH`) to parse milliseconds/microseconds posix-dates (gh-2029); + * possibility to specify own regex-pattern to match epoch date-time, e. g. `^\[{EPOCH}\]` or `^\[{LEPOCH}\]` (gh-2038); + the epoch-pattern similar to `{DATE}` patterns does the capture and cuts out the match of whole pattern from the log-line, + e. g. date-pattern `^\[{LEPOCH}\]\s+:` will match and cut out `[1516469849551000] :` from begin of the log-line. + * badips.py now uses https instead of plain http when requesting badips.com (gh-2057); + * add support for "any" badips.py bancategory, to be able to retrieve IPs from all categories with a desired score (gh-2056); + * Introduced new parameter `padding` for logging within fail2ban-server (default on, excepting SYSLOG): + Usage `logtarget = target[padding=on|off]` + +------------------------------------------------------------------- +Tue Feb 20 08:19:07 UTC 2018 - jweberhofer@weberhofer.at + +- Updated to version 0.10.2. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10.2/ChangeLog + +- rebased patch + +- Incompatibility list (compared to v.0.9): + * Filter (or `failregex`) internal capture-groups: + - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should + rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` + (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). + Of course you can always define your own capture-group (like below `_cond_ip_`) to do this. 
+ testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" + fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" + - New internal groups (currently reserved for internal usage): + `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if + mapping from tag `` used in failregex (e. g. `user` by ``). + * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some + user configurations resp. `datepattern`. + * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are + IPv6-capable now. + +- Incompatibility: + * The configuration for jails using banaction `pf` can be incompatible after upgrade, because pf-action uses + anchors now (see `action.d/pf.conf` for more information). If you want use obsolete handling without anchors, + just rewrite it in the `jail.local` by overwrite of `pfctl` parameter, e. g. like `banaction = pf[pfctl="pfctl"]`. + +- Fixes + * Fixed logging to systemd-journal: new logtarget value SYSOUT can be used instead of STDOUT, to avoid + write of the time-stamp, if logging to systemd-journal from foreground mode (gh-1876) + * Fixed recognition of the new date-format on mysqld-auth filter (gh-1639) + * jail.conf: port `imap3` replaced with `imap` everywhere, since imap3 is not a standard port and old rarely + (if ever) used and can missing on some systems (e. g. debian stretch), see gh-1942. + * config/paths-common.conf: added missing initial values (and small normalization in config/paths-*.conf) + in order to avoid errors while interpolating (e. g. starting with systemd-backend), see gh-1955. 
+ * `action.d/pf.conf`: + - fixed syntax error in achnor definition (documentation, see gh-1919); + - enclose ports in braces for multiport jails (see gh-1925); + * `action.d/firewallcmd-ipset.conf`: fixed create of set for ipv6 (missing `family inet6`, gh-1990) + * `filter.d/sshd.conf`: + - extended failregex for modes "extra"/"aggressive": now finds all possible (also future) + forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", + see "ssherr.c" for all possible SSH_ERR_..._ALG_MATCH errors (gh-1943, gh-1944); + - fixed failregex in order to avoid banning of legitimate users with multiple public keys (gh-2014, gh-1263); + +- New Features + * datedetector: extended default date-patterns (allows extra space between the date and time stamps); + introduces 2 new format directives (with corresponding %Ex prefix for more precise parsing): + - %k - one- or two-digit number giving the hour of the day (0-23) on a 24-hour clock, + (corresponds %H, but allows space if not zero-padded). + - %l - one- or two-digit number giving the hour of the day (12-11) on a 12-hour clock, + (corresponds %I, but allows space if not zero-padded). + * `filter.d/exim.conf`: added mode `aggressive` to ban flood resp. DDOS-similar failures (gh-1983); + +- New Actions: + * `action.d/nginx-block-map.conf` - in order to ban not IP-related tickets via nginx (session blacklisting in + nginx-location with map-file); + + - Enhancements + * jail.conf: extended with new parameter `mode` for the filters supporting it (gh-1988); + * action.d/pf.conf: extended with bulk-unban, command `actionflush` in order to flush all bans at once. + * Introduced new parameters for logging within fail2ban-server (gh-1980). 
+ Usage `logtarget = target[facility=..., datetime=on|off, format="..."]`: + - `facility` - specify syslog facility (default `daemon`, see https://docs.python.org/2/library/logging.handlers.html#sysloghandler + for the list of facilities); + - `datetime` - add date-time to the message (default on, ignored if `format` specified); + - `format` - specify own format how it will be logged, for example for short-log into STDOUT: + `fail2ban-server -f --logtarget 'stdout[format="%(relativeCreated)5d | %(message)s"]' start`; + * Automatically recover or recreate corrupt persistent database (e. g. if failed to open with + 'database disk image is malformed'). Fail2ban will create a backup, try to repair the database, + if repair fails - recreate new database (gh-1465, gh-2004). + +------------------------------------------------------------------- +Thu Nov 23 13:44:10 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + +------------------------------------------------------------------- +Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at + +- Updated to version 0.10.1. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog + +- Removed 607568f.patch and 1783.patch + +- New features: + * IPv6 support + - IP addresses are now handled as objects rather than strings capable for + handling both address types IPv4 and IPv6 + - iptables related actions have been amended to support IPv6 specific actions + additionally + - hostsdeny and route actions have been tested to be aware of v4 and v6 already + - pf action for *BSD systems has been improved and supports now also v4 and v6 + - name resolution is now working for either address type + - new conditional section functionality used in config resp. 
includes: + - [Init?family=inet4] - IPv4 qualified hosts only + - [Init?family=inet6] - IPv6 qualified hosts only + * Reporting via abuseipdb.com + - Bans can now be reported to abuseipdb + - Catagories must be set in the config + - Relevant log lines included in report + * Several commands extended and new commands introduced + * Implemented execution of `actionstart` on demand + * nftables actions are IPv6-capable now + * Introduced new filter option `prefregex` for pre-filtering using single regular expression + * Many times faster because of several optimizations + * Several filters optimized + * Introduced new jail option "ignoreself" + + +- Lots of fixes and internal improvements + +- Incompatibitilities: + * Filter (or `failregex`) internal capture-groups: + - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should + rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` + (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). + + Of course you can always your own capture-group (like below `_cond_ip_`) to do this. + ``` + testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" + fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" + ``` + - New internal groups (currently reserved for internal usage): + `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if + mapping from tag `` used in failregex (e. g. `user` by ``). + + * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some + user configurations resp. `datepattern`. + + * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are + IPv6-capable now. 
+ +------------------------------------------------------------------- +Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at + +- added 1783.patch from upstream: "Updated roundcube authentication filter" +- use tmpfiles_create macro + +------------------------------------------------------------------- +Mon May 15 12:11:23 UTC 2017 - jweberhofer@weberhofer.at + +- added 607568f.patch from upstream: "Postfix RBL: 554 & SMTP" + this fixes bnc#1036928 " fail2ban-rbl regex incorrect, takes no + action as a result" + +- Update to 0.9.7 + * Fixed a systemd-journal handling in fail2ban-regex + (gh#fail2ban/fail2ban#1657) + * filter.d/sshd.conf + - Fixed non-anchored part of failregex (misleading match of colon inside + IPv6 address instead of `: ` in the reason-part by missing space, + gh#fail2ban/fail2ban#1658) + (0.10th resp. IPv6 relevant only, amend for gh#fail2ban/fail2ban#1479) + * config/pathes-freebsd.conf + - Fixed filenames for apache and nginx log files (gh#fail2ban/fail2ban#1667) + * filter.d/exim.conf + - optional part `(...)` after host-name before `[IP]` + (gh#fail2ban/fail2ban#1751) + - new reason "Unrouteable address" for "rejected RCPT" regex + (gh#fail2ban/fail2ban#1762) + - match of complex time like `D=2m42s` in regex "no MAIL in SMTP + connection" (gh#fail2ban/fail2ban#1766) + * filter.d/sshd.conf + - new aggressive rules (gh#fail2ban/fail2ban#864): + - Connection reset by peer (multi-line rule during authorization process) + - No supported authentication methods available + - single line and multi-line expression optimized, added optional prefixes + and suffix (logged from several ssh versions), according + to gh#fail2ban/fail2ban#1206; + - fixed expression received disconnect auth fail (optional space after port + part, gh#fail2ban/fail2ban#1652) + and suffix (logged from several ssh versions), according to gh#fail2ban/fail2ban#1206; + * filter.d/suhosin.conf + - greedy catch-all before `` fixed (potential vulnerability) + * 
filter.d/cyrus-imap.conf + - accept entries without login-info resp. hostname before IP address (#fail2ban/fail2ban#707) + * Filter tests extended with check of all config-regexp, that contains greedy catch-all + before ``, that is hard-anchored at end or precise sub expression after `` + +* New Actions: + - action.d/netscaler: Block IPs on a Citrix Netscaler ADC (gh#fail2ban/fail2ban#1663) + +* New Filters: + - filter.d/domino-smtp: IBM Domino SMTP task (gh#fail2ban/fail2ban#1603) + +* Introduced new log-level `MSG` (as INFO-2, equivalent to 18) + +------------------------------------------------------------------- +Sun Mar 5 12:56:10 UTC 2017 - wagner-thomas@gmx.at + +- rename nagios-plugins-fail2ban to monitoring-plugins-fail2ban + +------------------------------------------------------------------- +Thu Jan 26 23:16:49 UTC 2017 - chris@computersalat.de + +- Update to 0.9.6 (2016/12/10) + +### Fixes +* Misleading add resp. enable of (already available) jail in database, that + induced a subsequent error: last position of log file will be never retrieved (gh-795) +* Fixed a distribution related bug within testReadStockJailConfForceEnabled + (e.g. test-cases faults on Fedora, see gh-1353) +* Fixed pythonic filters and test scripts (running via wrong python version, + uses "fail2ban-python" now); +* Fixed test case "testSetupInstallRoot" for not default python version (also + using direct call, out of virtualenv); +* Fixed ambiguous wrong recognized date pattern resp. 
its optional parts (see gh-1512); +* FIPS compliant, use sha1 instead of md5 if it not allowed (see gh-1540) +* Monit config: scripting is not supported in path (gh-1556) +* `filter.d/apache-modsecurity.conf` + - Fixed for newer version (one space, gh-1626), optimized: non-greedy catch-all + replaced for safer match, unneeded catch-all anchoring removed, non-capturing +* `filter.d/asterisk.conf` + - Fixed to match different asterisk log prefix (source file: method:) +* `filter.d/dovecot.conf` + - Fixed failregex ignores failures through some not relevant info (gh-1623) +* `filter.d/ignorecommands/apache-fakegooglebot` + - Fixed error within apache-fakegooglebot, that will be called + with wrong python version (gh-1506) +* `filter.d/assp.conf` + - Extended failregex and test cases to handle ASSP V1 and V2 (gh-1494) +* `filter.d/postfix-sasl.conf` + - Allow for having no trailing space after 'failed:' (gh-1497) +* `filter.d/vsftpd.conf` + - Optional reason part in message after FAIL LOGIN (gh-1543) +* `filter.d/sendmail-reject.conf` + - removed mandatory double space (if dns-host available, gh-1579) +* filter.d/sshd.conf + - recognized "Failed publickey for" (gh-1477); + - optimized failregex to match all of "Failed any-method for ... from " (gh-1479) + - eliminated possible complex injections (on user-name resp. auth-info, see gh-1479) + - optional port part after host (see gh-1533, gh-1581) + +### New Features +* New Actions: + - `action.d/npf.conf` for NPF, the latest packet filter for NetBSD +* New Filters: + - `filter.d/mongodb-auth.conf` for MongoDB (document-oriented NoSQL database engine) + (gh-1586, gh-1606 and gh-1607) + +### Enhancements +* DateTemplate regexp extended with the word-end boundary, additionally to + word-start boundary +* Introduces new command "fail2ban-python", as automatically created symlink to + python executable, where fail2ban currently installed (resp. 
its modules are located): + - allows to use the same version, fail2ban currently running, e.g. in + external scripts just via replace python with fail2ban-python: + ```diff + -#!/usr/bin/env python + +#!/usr/bin/env fail2ban-python + ``` + - always the same pickle protocol + - the same (and also guaranteed available) fail2ban modules + - simplified stand-alone install, resp. stand-alone installation possibility + via setup (like gh-1487) is getting closer +* Several test cases rewritten using new methods assertIn, assertNotIn +* New forward compatibility method assertRaisesRegexp (normally python >= 2.7). + Methods assertIn, assertNotIn, assertRaisesRegexp, assertLogged, assertNotLogged + are test covered now +* Jail configuration extended with new syntax to pass options to the backend (see gh-1408), + examples: + - `backend = systemd[journalpath=/run/log/journal/machine-1]` + - `backend = systemd[journalfiles="/run/log/journal/machine-1/system.journal, /run/log/journal/machine-1/user.journal"]` + - `backend = systemd[journalflags=2]` + +- rebase fail2ban-opensuse-locations.patch, fail2ban-opensuse-service.patch + +------------------------------------------------------------------- +Mon Jul 25 13:43:18 UTC 2016 - jweberhofer@weberhofer.at + +- Update to version 0.9.5 + + New Features + * New Actions: action.d/firewallcmd-rich-rules and + action.d/firewallcmd-rich-logging (gh#fail2ban/fail2ban#1367) + * New filter: slapd - ban hosts, that were failed to connect with invalid + credentials: error code 49 (gh#fail2ban/fail2ban#1478) + + Enhancements + * Extreme speedup of all sqlite database operations + (gh#fail2ban/fail2ban#1436), by using of following sqlite options: + - (synchronous = OFF) write data through OS without syncing + - (journal_mode = MEMORY) use memory for the transaction logging + - (temp_store = MEMORY) temporary tables and indices are kept in memory + * journald journalmatch for pure-ftpd (gh#fail2ban/fail2ban#1362) + * Added additional regex filter 
for dovecot ldap authentication + failures (gh#fail2ban/fail2ban#1370) + * filter.d/exim*conf + - Added additional regexes (gh#fail2ban/fail2ban#1371) + - Made port entry optional + + Fixes + * filter.d/monit.conf + - Extended failregex with new monit "access denied" version + (gh#fail2ban/fail2ban#1355) + - failregex of previous monit version merged as single expression + * filter.d/postfix.conf, filter.d/postfix-sasl.conf + - Extended failregex daemon part, matching also postfix/smtps/smtpd now + (gh#fail2ban/fail2ban#1391) + + * Fixed a grave bug within tags substitutions because of incorrect detection + of recursion in case of multiple inline substitutions of the same tag + (affected actions: bsd-ipfw, etc). Now tracks the actual list of the + already substituted tags (per tag instead of single list) + + * filter.d/common.conf + - Unexpected extra regex-space in generic __prefix_line + (gh#fail2ban/fail2ban#1405) + - All optional spaces normalized in common.conf, test covered now + - Generic __prefix_line extended with optional brackets for the date ambit + (gh#fail2ban/fail2ban#1421), added new parameter __date_ambit + + * gentoo-initd fixed --pidfile bug: --pidfile is option of start-stop-daemon, + not argument of fail2ban (see gh#fail2ban/fail2ban#1434) + + * filter.d/asterisk.conf + - Fixed security log support for PJSIP and Asterisk 13+ + (gh#fail2ban/fail2ban#1456) + - Improved log support for PJSIP and Asterisk 13+ with different callID + (gh#fail2ban/fail2ban#1458) + +------------------------------------------------------------------- +Thu Mar 10 14:09:51 UTC 2016 - jweberhofer@weberhofer.at + +- Mark /etc/fail2ban/fail2ban.conf as noreplace. 
+
+-------------------------------------------------------------------
+Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
+
+- Removed patch: fail2ban-exclude-dev-log-tests.patch
+- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+- rebased other patches
+- Defined services which per default uses systemd logger
+- Provide /usr/sbin/rcfail2ban also on systemd based distros
+
+- All files in /etc/fail2ban/ except jail.local are now automatically replaced
+ upon installation of fail2ban
+
+- The update to this versions allow to close boo#917818, as the logger-backends for
+ several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
+
+- Update to version 0.9.4
+ New Features:
+ * New interpolation feature for definition config readers - ``
+ (means last known init definition of filters or actions with name `parameter`).
+ This interpolation makes possible to extend a parameters of stock filter or
+ action directly in jail inside jail.local file, without creating a separately
+ filter.d/*.local file.
+ As extension to interpolation `%(known/parameter)s`, that does not works for
+ filter and action init parameters
+ * New actions:
+ - nftables-multiport and nftables-allports - filtering using nftables
+ framework. Note: it requires a pre-existing chain for the filtering rule.
+ * New filters:
+ - openhab - domotic software authentication failure with the
+ rest api and web interface (gh-1223)
+ - nginx-limit-req - ban hosts, that were failed through nginx by limit
+ request processing rate (ngx_http_limit_req_module)
+ - murmur - ban hosts that repeatedly attempt to connect to
+ murmur/mumble-server with an invalid server password or certificate.
+ - haproxy-http-auth - filter to match failed HTTP Authentications against a
+ HAProxy server
+ * New jails:
+ - murmur - bans TCP and UDP from the bad host on the default murmur port.
+ * sshd filter got new failregex to match "maximum authentication + attempts exceeded" (introduced in openssh 6.8) + * Added filter for Mac OS screen sharing (VNC) daemon + + Enhancements: + * Do not rotate empty log files + * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59) + http://bugs.debian.org/798923 + * Added openSUSE path configuration (Thanks Johannes Weberhofer) + * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197) + * Added a timeout (3 sec) to urlopen within badips.py action + (Thanks M. Maraun) + * Added check against atacker's Googlebot PTR fake records + (Thanks Pablo Rodriguez Fernandez) + * Enhance filter against atacker's Googlebot PTR fake records + (gh-1226) + * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237) + * Added filter for openhab domotic software authentication failure with the + rest api and web interface (gh-1223) + * Add *_backend options for services to allow distros to set the default + backend per service, set default to systemd for Fedora as appropriate + * Performance improvements while monitoring large number of files (gh-1265). + Use associative array (dict) for monitored log files to speed up lookup + operations. 
Thanks @kshetragia + * Specified that fail2ban is PartOf iptables.service firewalld.service in + .service file -- would reload fail2ban if those services are restarted + * Provides new default `fail2ban_version` and interpolation variable + `fail2ban_agent` in jail.conf + * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname, + and to support multiple instances of postfix having varying suffix (gh-1331) + (Thanks Tom Hendrikx) + * files/gentoo-initd to use start-stop-daemon to robustify restarting the service + + Fixes: + * roundcube-auth jail typo for logpath + * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164) + * filter.d/apache-badbots.conf + - Updated useragent string regex adding escape for `+` + * filter.d/mysqld-auth.conf + gg - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332) + * filter.d/sshd.conf + - Updated "Auth fail" regex for OpenSSH 5.9 and later + * Treat failed and killed execution of commands identically (only + different log messages), which addresses different behavior on different + exit codes of dash and bash (gh-1155) + * Fix jail.conf.5 man's section (gh-1226) + * Fixed default banaction for allports jails like pam-generic, recidive, etc + with new default variable `banaction_allports` (gh-1216) + * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character + for python version < 3.x (gh-1248) + * Use postfix_log logpath for postfix-rbl jail + * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex + * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271) + * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl + * Changed filter.d/asterisk regex for "Call from ..." 
(few vulnerable now) + * Removed compression and rotation count from logrotate (inherit them from + the global logrotate config) + +------------------------------------------------------------------- +Thu Feb 4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at + +- Require python-systemd for openSUSE 12.3+ +- Cleaned up the spec file +- Added /run/fail2ban for openSUSE 13.2+ +- Don't fail on test-errors + +------------------------------------------------------------------- +Wed Sep 23 10:10:17 UTC 2015 - jweberhofer@weberhofer.at + +- Added fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch + to fix the former failing test and removed + fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch + +- Do not longer create test-package. Developers should not use the packaged + version of fail2ban. + +------------------------------------------------------------------- +Mon Sep 7 09:45:56 UTC 2015 - jweberhofer@weberhofer.at + +- patches are no longer included conditionally + +------------------------------------------------------------------- +Mon Sep 7 06:54:33 UTC 2015 - jweberhofer@weberhofer.at + +- fail2ban-exclude-ExecuteTimeoutWithNastyChildren-test.patch excludes the + ExecuteTimeoutWithNastyChildren test, as it doesn't run correctly on + openSUSE. + +- fail2ban-disable-iptables-w-option.patch disables iptables "-w" option for + older releases. + +- Update to version 0.9.3 + +- IMPORTANT incompatible changes: + * filter.d/roundcube-auth.conf + - Changed logpath to 'errors' log (was 'userlogins') + * action.d/iptables-common.conf + - All calls to iptables command now use -w switch introduced in + iptables 1.4.20 (some distribution could have patched their + earlier base version as well) to provide this locking mechanism + useful under heavy load to avoid contesting on iptables calls. + If you need to disable, define 'action.d/iptables-common.local' + with empty value for 'lockingopt' in `[Init]` section. 
+ * mail-whois-lines, sendmail-geoip-lines and sendmail-whois-lines
+ actions now include by default only the first 1000 log lines in
+ the emails. Adjust to augment the behavior.
+
+- Fixes:
+ * reload in interactive mode appends all the jails twice (gh-825)
+ * reload server/jail failed if database used (but was not changed) and
+ some jail active (gh-1072)
+ * filter.d/dovecot.conf - also match unknown user in passwd-file.
+ Thanks Anton Shestakov
+ * Fix fail2ban-regex not parsing journalmatch correctly from filter config
+ * filter.d/asterisk.conf - fix security log support for Asterisk 12+
+ * filter.d/roundcube-auth.conf
+ - Updated regex to work with 'errors' log (1.0.5 and 1.1.1)
+ - Added regex to work with 'userlogins' log
+ * action.d/sendmail*.conf - use LC_ALL (superseeding LC_TIME) to override
+ locale on systems with customized LC_ALL
+ * performance fix: minimizes connection overhead, close socket only at
+ communication end (gh-1099)
+ * unbanip always deletes ip from database (independent of bantime, also if
+ currently not banned or persistent)
+ * guarantee order of dbfile to be before dbpurgeage (gh-1048)
+ * always set 'dbfile' before other database options (gh-1050)
+ * kill the entire process group of the child process upon timeout (gh-1129).
+ Otherwise could lead to resource exhaustion due to hanging whois
+ processes.
+ * resolve /var/run/fail2ban path in setup.py to help installation
+ on platforms with /var/run -> /run symlink (gh-1142)
+
+- New Features:
+ * RETURN iptables target is now a variable:
+ * New type of operation: pass2allow, use fail2ban for "knocking",
+ opening a closed port by swapping blocktype and returntype
+ * New filters:
+ - froxlor-auth - Thanks Joern Muehlencord
+ - apache-pass - filter Apache access log for successful authentication
+ * New actions:
+ - shorewall-ipset-proto6 - using proto feature of the Shorewall. Still requires
+ manual pre-configuration of the shorewall. See the action file for detail.
+ * New jails:
+ - pass2allow-ftp - allows FTP traffic after successful HTTP authentication
+
+- Enhancements:
+ * action.d/cloudflare.conf - improved documentation on how to allow
+ multiple CF accounts, and jail.conf got new compound action
+ definition action_cf_mwl to submit cloudflare report.
+ * Check access to socket for more detailed logging on error (gh-595)
+ * fail2ban-testcases man page
+ * filter.d/apache-badbots.conf, filter.d/nginx-botsearch.conf - add
+ HEAD method verb
+ * Revamp of Travis and coverage automated testing
+ * Added a space between IP address and the following colon
+ in notification emails for easier text selection
+ * Character detection heuristics for whois output via optional setting
+ in mail-whois*.conf. Thanks Thomas Mayer.
+ Not enabled by default, if _whois_command is set to be
+ %(_whois_convert_charset)s (e.g. in action.d/mail-whois-common.local),
+ it
+ - detects character set of whois output (which is undefined by
+ RFC 3912) via heuristics of the file command
+ - converts whois data to UTF-8 character set with iconv
+ - sends the whois output in UTF-8 character set to mail program
+ - avoids that heirloom mailx creates binary attachment for input with
+ unknown character set
+
+-------------------------------------------------------------------
+Thu Jul 2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at
+
+- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
+ integrated in the current version.
+ +------------------------------------------------------------------- +Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at + +- Removed "backend" setting from paths-opensuse.conf + +------------------------------------------------------------------- +Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at + +- Update to version 0.9.2 (requested in boo#917818) + + Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog + + Here are some notes to be read when updating existing installations: + + The default log-backend for openssue 13.2+ is now systemd + + * jail.conf was heavily refactored and now is similar to how it looked on + Debian systems: + - default action could be configured once for all jails + - jails definitions only provide customizations (port, logpath) + - no need to specify 'filter' if name matches jail name + + * Added fail2ban persistent database + - default location at /var/lib/fail2ban/fail2ban.sqlite3 + - allows active bans to be reinstated on restart + - log files read from last position after restart + + * Added systemd journal backend + - Dependency on python-systemd + - New "journalmatch" option added to filter configs files + - New "systemd-journal" option added to fail2ban-regex + + * Support %z (Timezone offset) and %f (sub-seconds) support for datedetector. + Enhanced existing date/time have been updated patterns to support these. + ISO8601 now defaults to localtime unless specified otherwise. Some filters + have been change as required to capture these elements in the right + timezone correctly. + + * Log levels are now set by Syslog style strings e.g. DEBUG, ERROR. + + * Optionally can read log files starting from "head" or "tail". See "logpath" + option in jail.conf(5) man page. + + * Can now set log encoding for files per jail.Default uses systemd locale. 
+
+ * iptables-common.conf replaced iptables-blocktype.conf
+ (iptables-blocktype.local should still be read) and now also provides
+ defaults for the chain, port, protocol and name tags
+
+- Require whois
+
+- Whereever possible, path-definitions have been moved paths-opensuse.conf
+ which has been submittet upstream
+
+- Use default fail2ban.service including fail2ban-opensuse-service.patch
+
+- Use default suse-initd from upstream
+
+- Run test-cases during build
+
+- run fdupes
+
+- Tests have been moved to a seperate page
+
+- Added rpmlintrc file to ignore some hidden files in the test package
+
+- Must build arch-depended packages for SLES 11
+
+- Removed two tests which can't run on the build server with openSUSE
+ before 13.3: fail2ban-exclude-dev-log-tests.patch
+
+-------------------------------------------------------------------
+Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com
+
+- Add missing dependency on ed (boo#926943)
+
+-------------------------------------------------------------------
+Wed Jan 21 21:00:48 UTC 2015 - jweberhofer@weberhofer.at
+
+- Fixed strptime thread safety issue.
+ fail2ban-issue_906-strptime.patch (bnc#914075 gh#fail2ban/fail2ban#906)
+
+-------------------------------------------------------------------
+Tue Nov 25 11:36:13 UTC 2014 - jweberhofer@weberhofer.at
+
+- Added syslog to requirements, as this version of fail2ban does not
+ work with systemd-logging: bnc#905733
+
+-------------------------------------------------------------------
+Fri Oct 17 09:44:12 UTC 2014 - jengelh@inai.de
+
+- Recommend installation of the ordering package when all
+ constituing parts are installed
+
+-------------------------------------------------------------------
+Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at
+
+- Fixed check for %_unitdir to make fail2ban build under older systems, too.
+- Changed /usr to %{_prefix} in the spec file + +------------------------------------------------------------------- +Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at + +- update to 0.8.14 + * minor fixes for claimed Python 2.4 and 2.5 compatibility + * Handle case when inotify watch is auto deleted on file deletion to stop + error messages + * tests - fixed few "leaky" file descriptors when files were not closed while + being removed physically + * grep in mail*-whois-lines.conf now also matches end of line to work with + the recidive filter +- add fail2ban-opensuse-locations.patch to fix default locations as suggested + in bnc#878028 + +------------------------------------------------------------------- +Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de + +- update to 0.8.13: + + Fixes: + - action firewallcmd-ipset had non-working actioncheck. Removed. + redhat bug #1046816. + - filter pureftpd - added _daemon which got removed. Added + + + New Features: + - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa) + - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23). + + + Enhancements: + - filter asterisk now supports syslog format + - filter pureftpd - added all translations of "Authentication failed for + user" + - filter dovecot - lip= was optional and extended TLS errors can occur. + Thanks Noel Butler. +- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed + upstream +- split out nagios-plugins-fail2ban package + +------------------------------------------------------------------- +Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de + +- Add a new subpackage to install systemd drop-ins that couple + SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf, + f2b-restart.conf. 
+
+-------------------------------------------------------------------
+Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
+
+Security note: The update to version 0.8.11 has fixed two additional security
+issues: A remote unauthenticated attacker may cause arbitrary IP addresses to
+be blocked by Fail2ban causing legitimate users to be blocked from accessing
+services protected by Fail2ban. CVE-2013-7177 (cyrus-imap) and CVE-2013-7176
+(postfix)
+
+-------------------------------------------------------------------
+Thu Jan 23 21:35:27 UTC 2014 - jweberhofer@weberhofer.at
+
+- action firewallcmd-ipset had non-working actioncheck. Removed. rh#1046816
+
+- lsof was required for fail2ban's SysVinit scripts only. Not longer used for
+ newer versions of openSUSE
+
+-------------------------------------------------------------------
+Thu Jan 23 08:40:40 UTC 2014 - jweberhofer@weberhofer.at
+
+- Reviewed and fixed github references in the changelog
+
+-------------------------------------------------------------------
+Wed Jan 22 09:27:43 UTC 2014 - jweberhofer@weberhofer.at
+
+- Use new flushlogs syntax after logrotate
+
+-------------------------------------------------------------------
+Wed Jan 22 08:50:05 UTC 2014 - jweberhofer@weberhofer.at
+
+- Update to version 0.8.12
+
+ * Log rotation can now occur with the command "flushlogs" rather than
+ reloading fail2ban or keeping the logtarget settings consistent in
+ jail.conf/local and /etc/logrotate.d/fail2ban. (dep#697333, rh#891798).
+
+ * Added ignorecommand option for allowing dynamic determination as to ignore
+ and IP or not.
+
+ * Remove indentation of name and loglevel while logging to SYSLOG to resolve
+ syslog(-ng) parsing problems. (dep#730202). Log lines now also
+ report "[PID]" after the name portion too.
+
+ * Epoch dates can now be enclosed within []
+
+ * New actions: badips, firewallcmd-ipset, ufw, blocklist_de
+
+ * New filters: solid-pop3d, nsd, openwebmail, horde, freeswitch, squid,
+ ejabberd, openwebmail, groupoffice
+
+ * Filter improvements:
+ - apache-noscript now includes php cgi scripts
+ - exim-spam filter to match spamassassin log entry for option SAdevnull.
+ - Added to sshd filter expression for
+ "Received disconnect from : 3: Auth fail"
+ - Improved ACL-handling for Asterisk
+ - Added improper command pipelining to postfix filter.
+
+ * General fixes:
+ - Added lots of jail.conf entries for missing filters that creaped in
+ over the last year.
+ - synchat changed to use push method which verifies whether all data was
+ send. This ensures that all data is sent before closing the connection.
+ - Fixed python 2.4 compatibility (as sub-second in date patterns weren't
+ 2.4 compatible)
+ - Complain/email actions fixed to only include relevant IPs to reporting
+
+ * Filter fixes:
+ - Added HTTP referrer bit of the apache access log to the apache filters.
+ - Apache 2.4 perfork regexes fixed
+ - Kernel syslog expression can have leading spaces
+ - allow for ",milliseconds" in the custom date format of proftpd.log
+ - recidive jail to block all protocols
+ - smtps not a IANA standard so may be missing from /etc/services. Due to
+ (still) common use 465 has been used as the explicit port number
+ - Filter dovecot reordered session and TLS items in regex with wider scope
+ for session characters
+
+ * Ugly Fixes (Potentially incompatible changes):
+
+ - Unfortunately at the end of last release when the action
+ firewall-cmd-direct-new was added it was too long and had a broken action
+ check. The action was renamed to firewallcmd-new to fit within jail name
+ name length. (gh#fail2ban/fail2ban#395).
+
+ - Last release added mysqld-syslog-iptables as a jail configuration. This
+ jailname was too long and it has been renamed to mysqld-syslog.
+ +- Fixed formating of github references in changelog +- reformatted spec-file + +------------------------------------------------------------------- +Thu Nov 14 05:14:35 UTC 2013 - jweberhofer@weberhofer.at + +- Update to version 0.8.11 + +- In light of CVE-2013-2178 that triggered our last release we have put a + significant effort into tightening all of the regexs of our filters to avoid + another similar vulnerability. We haven't examined all of these for a potential + DoS scenario however it is possible that another DoS vulnerability exists that + is fixed by this release. A large number of filters have been updated to + include more failure regexs supporting previously unbanned failures and support + newer application versions too. We have test cases for most of these now + however if you have other examples that demonstrate that a filter is + insufficient we welcome your feedback. During the tightening of the regexs to + avoid DoS vulnerabilities there is the possibility that we have inadvertently, + despite our best intentions, incorrectly allowed a failure to continue. + +------------------------------------------------------------------- +Sat Sep 21 11:38:29 UTC 2013 - schuetzm@gmx.net + +- Added systemd service file and systemd-tmpfiles configuration + +------------------------------------------------------------------- +Thu Jun 13 08:58:53 UTC 2013 - jweberhofer@weberhofer.at + +- Update to version 0.8.10 Primarily bugfix and enhancements release, triggered + by "bugs" in apache- filters. If you are relying on listed below apache- + filters, upgrade asap and seek your distributions to patch their fail2ban + distribution with [6ccd5781]. The bug's decription can be found in + https://vndh.net/note:fail2ban-089-denial-service + +- Fixes + * [6ccd5781] filter.d/apache-{auth,nohome,noscript,overflows} - anchor + failregex at the beginning (and where applicable at the end). + Addresses a possible DoS. 
Closes gh#fail2ban/fail2ban#248, bnc#824710 + * action.d/{route,shorewall}.conf - blocktype must be defined + within [Init]. Closes gh#fail2ban/fail2ban#232 + +- Enhancements + * jail.conf -- assure all jails have actions and remove unused + ports specifications + * config/filter.d/roundcube-auth.conf -- support roundcube 0.9+ + * files/suse-initd -- update to the copy from stock SUSE + * Updates to asterisk filter. Closes gh#fail2ban/fail2ban#227, + gh#fail2ban/fail2ban#230. + * Updates to asterisk to include AUTH_UNKNOWN_DOMAIN. Closes + gh#fail2ban/fail2ban#244. + +------------------------------------------------------------------ +Tue May 28 06:46:54 UTC 2013 - jweberhofer@weberhofer.at + +- Included logrotate configuration for fail2ban + +------------------------------------------------------------------- +Tue May 14 10:06:35 UTC 2013 - jweberhofer@weberhofer.at + +- Init-Script does no longer require $syslog to be started as file-base logging + is the default. Synced with Debian script. + +- Upgrade to version 0.8.9 + +- Fixes: Yaroslav Halchenko + * [6f4dad46] python-2.4 is the minimal version. + * [1eb23cf8] do not rely on scripts being under /usr -- might differ e.g. + on Fedora. Closes gh#fail2ban/fail2ban#112. Thanks to Camusensei for the + bug report. + * [bf4d4af1] Changes for atomic writes. Thanks to Steven Hiscocks for + insight. Closes gh#fail2ban/fail2ban#103. + * [ab044b75] delay check for the existence of config directory until read. + * [3b4084d4] fixing up for handling of TAI64N timestamps. + * [154aa38e] do not shutdown logging until all jails stop. + * [f2156604] pyinotify -- monitor IN_MOVED_TO events. Closes + gh#fail2ban/fail2ban#184. Thanks to Jon Foster for report and + troubleshooting. Orion Poplawski + * [e4aedfdc00] pyinotify - use bitwise op on masks and do not try tracking + newly created directories. + Nicolas Collignon + * [39667ff6] Avoid leaking file descriptors. Closes gh#fail2ban/fail2ban#167. 
+ Sergey Brester + * [b6bb2f88 and d17b4153] invalid date recognition, irregular because of + sorting template list. + Steven Hiscocks + * [7a442f07] When changing log target with python2.{4,5} handle KeyError. + Closes gh#fail2ban/fail2ban#147, gh#fail2ban/fail2ban#148. + * [b6a68f51] Fix delaction on server side. Closes gh#fail2ban/fail2ban#124. + Daniel Black + * [f0610c01] Allow more that a one word command when changing and Action via + the fail2ban-client. Closes gh#fail2ban/fail2ban#134. + * [945ad3d9] Fix dates on email actions to work in different locals. Closes + gh#fail2ban/fail2ban#70. Thanks to iGeorgeX for the idea. + blotus + * [96eb8986] ' and " should also be escaped in action tags Closes + gh#fail2ban/fail2ban#109 + Christoph Theis, Nick Hilliard, Daniel Black + * [b3bd877d,cde71080] Make syslog -v and syslog -vv formats work on FreeBSD +- New features: + Yaroslav Halchenko + * [9ba27353] Add support for jail.d/{confilefile} and fail2ban.d/{configfile} + to provide additional flexibility to system adminstrators. Thanks to + beilber for the idea. Closes gh#fail2ban/fail2ban#114. + * [3ce53e87] Add exim filter. + Erwan Ben Souiden + * [d7d5228] add nagios integration documentation and script to ensure + fail2ban is running. Closes gh#fail2ban/fail2ban#166. + Artur Penttinen + * [29d0df5] Add mysqld filter. Closes gh#fail2ban/fail2ban#152. + ArndRaphael Brandes + * [bba3fd8] Add Sogo filter. Closes gh#fail2ban/fail2ban#117. + Michael Gebetsriother + * [f9b78ba] Add action route to block at routing level. + Teodor Micu & Yaroslav Halchenko + * [5f2d383] Add roundcube auth filter. Closes Debian bug #699442. + Daniel Black + * [be06b1b] Add action for iptables-ipsets. Closes gh#fail2ban/fail2ban#102. + Nick Munger, Ken Menzel, Daniel Black, Christoph Theis & Fabian Wenk + * [b6d0e8a] Add and enhance the bsd-ipfw action from + FreeBSD ports. + Soulard Morgan + * [f336d9f] Add filter for webmin. Closes gh#fail2ban/fail2ban#99. 
+ Steven Hiscocks + * [..746c7d9] bash interactive shell completions for fail2ban-*'s + Nick Hilliard + * [0c5a9c5] Add pf action. +- Enhancements: + Enrico Labedzki + * [24a8d07] Added new date format for ASSP SMTP Proxy. + Steven Hiscocks + * [3d6791f] Ensure restart of Actions after a check fails occurs + consistently. Closes gh#fail2ban/fail2ban#172. + * [MANY] Improvements to test cases, travis, and code coverage (coveralls). + * [b36835f] Add get cinfo to fail2ban-client. Closes gh#fail2ban/fail2ban#124. + * [ce3ab34] Added ability to specify PID file. + Orion Poplawski + * [ddebcab] Enhance fail2ban.service definition dependencies and Pidfile. + Closes gh#fail2ban/fail2ban#142. + Yaroslav Halchenko + * [MANY] Lots of improvements to log messages, man pages and test cases. + * [91d5736] Postfix filter improvements - empty helo, from and rcpt to. + Closes gh#fail2ban/fail2ban#126. Bug report by Michael Heuberger. + * [40c5a2d] adding more of diagnostic messages into -client while starting + the daemon. + * [8e63d4c] Compare against None with 'is' instead of '=='. + * [6fef85f] Strip CR and LF while analyzing the log line + Daniel Black + * [3aeb1a9] Add jail.conf manual page. Closes gh#fail2ban/fail2ban#143. + * [MANY] man page edits. + * [7cd6dab] Added help command to fail2ban-client. + * [c8c7b0b,23bbc60] Better logging of log file read errors. + * [3665e6d] Added code coverage to development process. + * [41b9f7b,32d10e9,39750b8] More complete ssh filter rules to match openssh + source. Also include BSD changes. + * [1d9abd1] Action files can have tags in definition that refer to other + tags. + * [10886e7,cec5da2,adb991a] Change actions to response with ICMP port + unreachable rather than just a drop of the packet. + Pascal Borreli + * [a2b29b4] Fixed lots of typos in config files and documentation. + hamilton5 + * [7ede1e8] Update dovecot filter config. + Romain Riviere + * [0ac8746] Enhance named-refused filter for views. 
+ James Stout + * [..2143cdf] Solaris support enhancements: + - README.Solaris + - failregex'es tune ups (sshd.conf) + - hostsdeny: do not rely on support of '-i' in sed + +------------------------------------------------------------------- +Thu Dec 6 15:32:02 UTC 2012 - jweberhofer@weberhofer.at + +One of the important changes is escaping of the content -- so if you +crafted some custom action which uses it -- you must upgrade, or you +would be at a significant security risk. + +- Fixes: + Alan Jenkins + * [8c38907] Removed 'POSSIBLE BREAK-IN ATTEMPT' from sshd filter to avoid + banning due to misconfigured DNS. Close gh#fail2ban/fail2ban#64 + Yaroslav Halchenko + * [83109bc] IMPORTANT: escape the content of (if used in + custom action files) since its value could contain arbitrary + symbols. Thanks for discovery go to the NBS System security + team + * [0935566,5becaf8] Various python 2.4 and 2.5 compatibility fixes. + Close gh#fail2ban/fail2ban#83 + * [b159eab] do not enable pyinotify backend if pyinotify < 0.8.3 + * [37a2e59] store IP as a base, non-unicode str to avoid spurious messages + in the console. Close gh#fail2ban/fail2ban#91 + +- New features: + David Engeset + * [2d672d1,6288ec2] 'unbanip' command for the client + avoidance of touching + the log file to take 'banip' or 'unbanip' in effect. + Close gh#fail2ban/fail2ban#81, gh#fail2ban/fail2ban#86 + +- Enhancements: + * [2d66f31] replaced uninformative "Invalid command" message with warning log + exception why command actually failed + * [958a1b0] improved failregex to "support" auth.backend = "htdigest" + * [9e7a3b7] until we make it proper module -- adjusted sys.path only if + system-wide run + * [f52ba99] downgraded "already banned" from WARN to INFO level. + Closes gh#fail2ban/fail2ban#79 + * [f105379] added hints into the log on some failure return codes (e.g. 
0x7f00 + for this gh#fail2ban/fail2ban#87) + * Various others: travis-ci integration, script to run tests + against all available Python versions, etc + +------------------------------------------------------------------- +Mon Dec 3 16:06:56 UTC 2012 - jweberhofer@weberhofer.at + +- Fixed initscript as discussed in bnc#790557 + +------------------------------------------------------------------- +Wed Oct 3 09:53:40 UTC 2012 - meissner@suse.com + +- use Source URL pointing to github + +------------------------------------------------------------------- +Tue Oct 2 12:09:08 UTC 2012 - jweberhofer@weberhofer.at + +- Do not longer replace main config-files +- Use variables for directories in spec file + +------------------------------------------------------------------- +Tue Oct 2 10:48:24 UTC 2012 - jweberhofer@weberhofer.at + +- Added dependencies to python-pyinotifyi, python-gamin and iptables + +------------------------------------------------------------------- +Tue Oct 2 08:09:20 UTC 2012 - jweberhofer@weberhofer.at + +- Upgraded to version 0.8.7.1 + +- Yaroslav Halchenko + * [e9762f3] Removed sneaked in comment on sys.path.insert + Tom Hendrikx & Jeremy Olexa + * [0eaa4c2,444e4ac] Fix Gentoo init script: $opts variable is deprecated. + See http://forums.gentoo.org/viewtopic-t-899018.html +- Chris Reffett + * [a018a26] Fixed addBannedIP to add enough failures to trigger a ban, + rather than just one failure. +- Yaroslav Halchenko + * [4c76fb3] allow trailing white-spaces in lighttpd-auth.conf + * [25f1e8d] allow trailing whitespace in few missing it regexes for sshd.conf + * [ed16ecc] enforce "ip" field returned as str, not unicode so that log + message stays non-unicode. 
Close gh#fail2ban/fail2ban#32 + * [b257be4] added %m-%d-%Y pattern + do not add %Y for Feb 29 fix if + already present in the pattern + * [47e956b] replace "|" with "_" in ipmasq-ZZZzzz|fail2ban.rul to be + friend to developers stuck with Windows (Closes gh#fail2ban/fail2ban#66) + * [80b191c] anchor grep regexp in actioncheck to not match partial names + of the jails (Closes: #672228) (Thanks Szépe Viktor for the report) +- New features: +- François Boulogne + * [a7cb20e..] add lighttpd-auth filter/jail +- Lee Clemens & Yaroslav Halchenko + * [e442503] pyinotify backend (default if backend='auto' and pyinotify + is available) + * [d73a71f,3989d24] usedns parameter for the jails to allow disabling + use of DNS +- Tom Hendrikx + * [f94a121..] 'recidive' filter/jail to monitor fail2ban.conf to ban + repeated offenders. Close gh#fail2ban/fail2ban#19 +- Xavier Devlamynck + * [7d465f9..] Add asterisk support +- Zbigniew Jedrzejewski-Szmek + * [de502cf..] allow running fail2ban as non-root user (disabled by + default) via xt_recent. See doc/run-rootless.txt +- Enhancements +- Lee Clemens + * [47c03a2] files/nagios - spelling/grammar fixes + * [b083038] updated Free Software Foundation's address + * [9092a63] changed TLDs to invalid domains, in accordance with RFC 2606 + * [642d9af,3282f86] reformated printing of jail's name to be consistent + with init's info messages + * [3282f86] uniform use of capitalized Jail in the messages +- Leonardo Chiquitto + * [4502adf] Fix comments in dshield.conf and mynetwatchman.conf + to reflect code + * [a7d47e8] Update Free Software Foundation's address +- Petr Voralek + * [4007751] catch failed ssh logins due to being listed in DenyUsers. + Close gh#fail2ban/fail2ban#47 (Closes: #669063) +- Yaroslav Halchenko + * [MANY] extended and robustified unittests: test different backends + * [d9248a6] refactored Filter's to avoid duplicate functionality + * [7821174] direct users to issues on github + * [d2ffee0..] 
re-factored fail2ban-regex -- more condensed output by + default with -v to control verbosity + * [b4099da] adjusted header for config/*.conf to mention .local and way + to comment (Thanks Stefano Forli for the note) + * [6ad55f6] added failregex for wu-ftpd to match against syslog instead + of DoS-prone auth.log's rhost (Closes: #514239) + * [2082fee] match possibly present "pam_unix(sshd:auth):" portion for + sshd filter (Closes: #648020) +- Yehuda Katz & Yaroslav Halchenko + * [322f53e,bd40cc7] ./DEVELOP -- documentation for developers + +------------------------------------------------------------------- +Tue Jul 31 16:18:11 CEST 2012 - asemen@suse.de + +- Adding to fail2ban.init remove of pid and sock files on stop + in case not removed before (prevents start fail) + +------------------------------------------------------------------- +Sun Jun 3 13:08:36 UTC 2012 - jweberhofer@weberhofer.at + +- Update to version 0.8.6. containing various fixes and enhancements + +------------------------------------------------------------------- +Fri Nov 18 22:04:03 UTC 2011 - lchiquitto@suse.com + +- Update to version 0.8.5: many bug fixes, enhancements and, as + a bonus, drop two patches that are now upstream +- Update FSF address to silent rpmlint warnings +- Drop stale socket files on startup (bnc#537239, bnc#730044) + +------------------------------------------------------------------- +Sun Sep 18 17:17:12 UTC 2011 - jengelh@medozas.de + +- Apply packaging guidelines (remove redundant/obsolete + tags/sections from specfile, etc.) 
+ +------------------------------------------------------------------- +Thu Sep 1 14:07:28 UTC 2011 - coolo@suse.com + +- Use /var/run/fail2ban instead of /tmp for temp files in + actions: see bugs.debian.org/544232, bnc#690853, + CVE-2009-5023 + +------------------------------------------------------------------- +Thu Jan 6 16:56:30 UTC 2011 - lchiquitto@suse.com + +- Use $FAIL2BAN_OPTIONS when starting (bnc#662495) +- Clean up sysconfig file + +------------------------------------------------------------------- +Tue Jul 27 20:39:41 UTC 2010 - cristian.rodriguez@opensuse.org + +- Use O_CLOEXEC on fds (patch from Fedora) + +------------------------------------------------------------------- +Wed May 5 16:48:46 UTC 2010 - lchiquitto@suse.com + +- Create /var/run/fail2ban during startup to support systems that + mount /var/run as tmpfs +- Build package as noarch +- Spec file cleanup: fix a couple of rpmlint warnings +- Init script: look for fail2ban-server when checking if the + daemon is running + +------------------------------------------------------------------- +Thu Nov 26 16:05:42 CET 2009 - lchiquitto@suse.com + +- Update to version 0.8.4. Important changes: + * New "Ban IP" command + * New filters: lighttpd-fastcgi php-url-fopen cyrus-imap sieve + * Fixed the 'unexpected communication error' problem + * Remove socket file on startup if fail2ban crashed (bnc#537239) + +------------------------------------------------------------------- +Wed Feb 4 18:19:39 CET 2009 - kssingvo@suse.de + +- Initial version: 0.8.3 + diff --git a/fail2ban.keyring b/fail2ban.keyring new file mode 100644 index 0000000..7fcf831 --- /dev/null +++ b/fail2ban.keyring 
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/fail2ban.logrotate b/fail2ban.logrotate
new file mode 100644
index 0000000..cbd0e96
--- /dev/null
+++ b/fail2ban.logrotate
@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+ compress
+ dateext
+ maxage 365
+ rotate 99
+ size=+4096k
+ notifempty
+ missingok
+ create 644 root root
+ postrotate
+ fail2ban-client flushlogs 1>/dev/null || true
+ endscript
+}
diff --git a/fail2ban.spec b/fail2ban.spec
new file mode 100644
index 0000000..6200663
--- /dev/null
+++ b/fail2ban.spec
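Review bot: In fail2ban.logrotate, `create 644 root root` recreates /var/log/fail2ban.log world-readable after every rotation. That log normally carries ban and detection events with client addresses, which unprivileged local accounts have no need to read. `create 640 root root` keeps it to root and leaves the `fail2ban-client flushlogs` postrotate step unaffected. If a monitoring account must read the file, a dedicated group is a narrower grant than mode 644.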
@@ -0,0 +1,351 @@ +# +# spec file for package fail2ban +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir %{_localstatedir}/adm/fillup-templates +%endif +Name: fail2ban +Version: 1.0.2 +Release: 0 +Summary: Bans IP addresses that make too many authentication failures +License: GPL-2.0-or-later +Group: Productivity/Networking/Security +URL: https://www.fail2ban.org/ +Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc +Source2: %{name}.sysconfig +Source3: %{name}.logrotate +Source5: %{name}.tmpfiles +Source6: sfw-fail2ban.conf +Source7: f2b-restart.conf +# Path definitions have been submitted to upstream +Source8: paths-opensuse.conf +Source200: fail2ban.keyring +# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles +Patch100: %{name}-opensuse-locations.patch +# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file +Patch101: %{name}-opensuse-service.patch +# 
PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases +Patch200: %{name}-disable-iptables-w-option.patch +# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor +Patch201: %{name}-0.10.4-env-script-interpreter.patch +# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions +Patch300: fail2ban-opensuse-service-sfw.patch +# PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400 +Patch301: harden_fail2ban.service.patch +# PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101 +Patch302: fail2ban-fix-openssh98.patch +BuildRequires: fdupes +BuildRequires: logrotate +BuildRequires: python-rpm-macros +BuildRequires: python3-tools +# timezone package is required to run the tests +BuildRequires: timezone +Requires: cron +Requires: ed +Requires: iptables +Requires: logrotate +Requires: python3 >= 3.2 +Requires: whois +%if 0%{?suse_version} != 1110 +BuildArch: noarch +%endif +%if 0%{?suse_version} >= 1230 +# systemd +BuildRequires: python3-systemd +BuildRequires: pkgconfig(systemd) +Requires: python3-systemd +Requires: systemd > 204 +%{?systemd_requires} +%else +# no systemd (the init-script requires lsof) +Requires: lsof +Requires: syslog +%endif +%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +BuildRequires: python3-pyinotify >= 0.8.3 +Requires: python3-pyinotify >= 0.8.3 +%endif + +%description +Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP +addresses that makes too many password failures. It updates firewall rules to +reject the IP address, can send e-mails, or set host.deny entries. 
These rules +can be defined by the user. Fail2Ban can read multiple log files such as sshd +or Apache web server ones. + +%if !0%{?suse_version} > 1500 +%package -n SuSEfirewall2-%{name} +Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd +Group: Productivity/Networking/Security +Requires: SuSEfirewall2 +Requires: fail2ban + +%description -n SuSEfirewall2-%{name} +This package ships systemd files which will cause fail2ban to be ordered in +relation to SuSEfirewall2 such that the two can be run concurrently within +reason, i.e. SFW will always run first because it does a table flush. +%endif + +%package -n monitoring-plugins-%{name} +Summary: Check fail2ban server and how many IPs are currently banned +Group: System/Monitoring +%if 0%{?suse_version} +BuildRequires: nagios-rpm-macros +%else +%define nagios_plugindir %{_libexecdir}/nagios/plugins +%endif +Provides: nagios-plugins-%{name} = %{version} +Obsoletes: nagios-plugins-%{name} < %{version} + +%description -n monitoring-plugins-%{name} +This plugin checks if the fail2ban server is running and how many IPs are +currently banned. You can use this plugin to monitor all the jails or just a +specific jail. 
+ +How to use +---------- +Just have to run the following command: + $ ./check_fail2ban --help + +%prep +%setup -q +install -m644 %{SOURCE8} config/paths-opensuse.conf + +# Use openSUSE paths +sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf + +%patch -P 100 -p1 +%patch -P 101 -p1 +%if 0%{?suse_version} < 1310 +%patch -P 200 -p1 +%endif +%patch -P 201 -p1 +%if !0%{?suse_version} > 1500 +%patch -P 300 -p1 +%endif +%patch -P 301 -p1 +%patch -P 302 -p1 + +rm config/paths-arch.conf \ + config/paths-debian.conf \ + config/paths-fedora.conf \ + config/paths-freebsd.conf \ + config/paths-osx.conf + +# correct doc-path +sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py + +# remove syslogd-logger settings for older distributions +%if 0%{?suse_version} < 1230 +sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf +%endif + +%build +export CFLAGS="%{optflags}" +./fail2ban-2to3 +python3 setup.py build +gzip man/*.{1,5} + +%install +python3 setup.py install \ + --root=%{buildroot} \ + --prefix=%{_prefix} + +install -d -m 755 %{buildroot}%{_mandir}/man{1,5} +install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1 +install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5 + +install -d -m 755 %{buildroot}%{_initddir} +install -d -m 755 %{buildroot}%{_sbindir} + +%if 0%{?suse_version} > 1310 +# use /run directory +install -d -m 755 %{buildroot}/run +touch %{buildroot}/run/%{name} +%else +#use /var/run directory +install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name} +%endif + +%if 0%{?suse_version} >= 1230 +# systemd +install -d -m 755 %{buildroot}%{_unitdir} +install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service + +install -d -m 755 %{buildroot}%{_tmpfilesdir} +install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf + +ln -sf service %{buildroot}%{_sbindir}/rc%{name} + +%else +# without systemd +install -d -m 755 %{buildroot}%{_initddir} +install 
-m 755 files/suse-initd %{buildroot}%{_initddir}/%{name} +ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name} +%endif + +echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local + +install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/ + +install -d -m 755 %{buildroot}%{_fillupdir} +install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name} + +install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} + +%if !0%{?suse_version} > 1500 +%if 0%{?_unitdir:1} +install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \ + "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf" +install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \ + "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf" +%endif +%endif +install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name} + +# install docs using the macro +rm -r %{buildroot}%{_docdir}/%{name} + +# remove duplicates +%fdupes -s %{buildroot}%{python3_sitelib} + +%check +#stat /dev/log +#python -c "import platform; print(platform.system())" +# tests require python-pyinotify to be installed, so don't run them on older versions +%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 +# Need a UTF-8 locale to work +export LANG=en_US.UTF-8 +./fail2ban-testcases-all --no-network || true +%endif + +%if 0%{?suse_version} >= 1230 +%pre +%service_add_pre %{name}.service +%endif + +%post +%fillup_only +%if 0%{?suse_version} >= 1230 +%tmpfiles_create %{_tmpfilesdir}/%{name}.conf +# The next line is not workin in Leap 42.1, so keep the old way +#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf +%service_add_post %{name}.service +%endif + +%preun +%if 0%{?suse_version} >= 1230 +%service_del_preun %{name}.service +%else +%stop_on_removal %{name} +%endif + +%postun +%if 
0%{?suse_version} >= 1230 +%service_del_postun %{name}.service +%else +%restart_on_update %{name} +%insserv_cleanup +%endif + +%if !0%{?suse_version} > 1500 +%if 0%{?_unitdir:1} +%post -n SuSEfirewall2-%{name} +%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : + +%postun -n SuSEfirewall2-%{name} +%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || : +%endif +%endif + +%files +%dir %{_sysconfdir}/%{name} +%dir %{_sysconfdir}/%{name}/action.d +%dir %{_sysconfdir}/%{name}/%{name}.d +%dir %{_sysconfdir}/%{name}/filter.d +%dir %{_sysconfdir}/%{name}/jail.d +# +%config %{_sysconfdir}/%{name}/action.d/* +%config %{_sysconfdir}/%{name}/filter.d/* +# +%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf +%config %{_sysconfdir}/%{name}/jail.conf +%config %{_sysconfdir}/%{name}/paths-common.conf +%config %{_sysconfdir}/%{name}/paths-opensuse.conf +# +%config(noreplace) %{_sysconfdir}/%{name}/jail.local +# +%config %{_sysconfdir}/logrotate.d/%{name} +%dir %{_localstatedir}/lib/%{name}/ +%if 0%{?suse_version} > 1310 +# use /run directory +%ghost /run/%{name} +%else +# use /var/run directory +%dir %ghost %{_localstatedir}/run/%{name} +%endif +%if 0%{?suse_version} >= 1230 +# systemd +%{_unitdir}/%{name}.service +%{_tmpfilesdir}/%{name}.conf +%else +# without-systemd +%{_initddir}/%{name} +%endif +%{_sbindir}/rc%{name} +%{_bindir}/%{name}-server +%{_bindir}/%{name}-client +%{_bindir}/%{name}-python +%{_bindir}/%{name}-regex +%{python3_sitelib}/%{name} +%exclude %{python3_sitelib}/%{name}/tests +%{python3_sitelib}/%{name}-* +%{_fillupdir}/sysconfig.%{name} +%{_mandir}/man1/* +%{_mandir}/man5/* +%license COPYING +%doc README.md TODO ChangeLog doc/*.txt + +# do not include tests as they are executed during the build process +%exclude %{_bindir}/%{name}-testcases +%exclude %{python3_sitelib}/%{name}/tests + +%if !0%{?suse_version} > 1500 +%if 0%{?_unitdir:1} +%files -n SuSEfirewall2-%{name} +%{_unitdir}/SuSEfirewall2.service.d +%{_unitdir}/%{name}.service.d +%endif +%endif 
+ +%files -n monitoring-plugins-%{name} +%license COPYING +%doc files/nagios/README +%if 0%{?suse_version} +%dir %{nagios_libdir} +%else +%dir %{_libexecdir}/nagios +%endif +%dir %{nagios_plugindir} +%{nagios_plugindir}/check_%{name} + +%changelog diff --git a/fail2ban.sysconfig b/fail2ban.sysconfig new file mode 100644 index 0000000..c0560e3 --- /dev/null +++ b/fail2ban.sysconfig @@ -0,0 +1,10 @@ +## Path: System/Security/Fail2ban +## Description: fail2ban options +## Type: string +## Default: "" +## ServiceReload: fail2ban +## ServiceRestart: fail2ban +# +# Options for fail2ban +# +FAIL2BAN_OPTIONS="" diff --git a/fail2ban.tmpfiles b/fail2ban.tmpfiles new file mode 100644 index 0000000..106e114 --- /dev/null +++ b/fail2ban.tmpfiles @@ -0,0 +1 @@ +d /run/fail2ban 0755 root root diff --git a/harden_fail2ban.service.patch b/harden_fail2ban.service.patch new file mode 100644 index 0000000..515729f --- /dev/null +++ b/harden_fail2ban.service.patch @@ -0,0 +1,23 @@ +Index: fail2ban-0.11.2/files/fail2ban.service.in +=================================================================== +--- fail2ban-0.11.2.orig/files/fail2ban.service.in ++++ fail2ban-0.11.2/files/fail2ban.service.in +@@ -5,6 +5,18 @@ After=network.target iptables.service fi + PartOf=firewalld.service + + [Service] ++# added automatically, for details please see ++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort ++ProtectSystem=full ++ProtectHome=true ++PrivateDevices=true ++ProtectHostname=true ++ProtectClock=true ++ProtectKernelTunables=true ++ProtectKernelModules=true ++ProtectControlGroups=true ++RestrictRealtime=true ++# end of automatic additions + Type=simple + EnvironmentFile=-/etc/sysconfig/fail2ban + Environment="PYTHONNOUSERSITE=1" diff --git a/paths-opensuse.conf b/paths-opensuse.conf new file mode 100644 index 0000000..0c029da --- /dev/null +++ b/paths-opensuse.conf 
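Review bot: In fail2ban.spec `%check`, `./fail2ban-testcases-all --no-network || true` discards the test result, so a filter regression can never fail the build. That matters for this commit, which adds fail2ban-fix-openssh98.patch (presumably touching the sshd filter): if the patched expressions stop matching, bans silently stop and the package still publishes. Dropping the `|| true`, or excluding only the tests known to be unstable in the build root, would let the suite gate the build. Separately, `%if !0%{?suse_version} > 1500` appears to parse as `(!0%{?suse_version}) > 1500`, which is always false; `%if 0%{?suse_version} <= 1500` would express the apparent intent, and the same condition recurs in `%prep`, `%install`, the scriptlets and `%files`.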
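Review bot: In harden_fail2ban.service.patch, `ProtectSystem=full` makes /etc read-only for the daemon, and nothing in the added lines re-opens the paths that ban actions write to. The package description advertises setting host.deny entries, and an action that edits a file under /etc would then fail at ban time and leave the offender unblocked; a similar question applies to `ProtectKernelModules=true` if a firewall action depends on module autoloading. Either add the exception in the unit or document it next to the directives, e.g. `# actions that write under /etc (hosts.deny) need a ReadWritePaths= drop-in`. The [Service] section continues outside the inner hunk, so an existing setting may already cover this and is worth confirming.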
@@ -0,0 +1,50 @@
+# openSUSE log-file locations
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_local0 = /var/log/messages
+
+syslog_mail = /var/log/mail
+
+syslog_mail_warn = %(syslog_mail)s
+
+syslog_authpriv = %(syslog_local0)s
+
+syslog_user = %(syslog_local0)s
+
+syslog_ftp = %(syslog_local0)s
+
+syslog_daemon = %(syslog_local0)s
+
+apache_error_log = /var/log/apache2/*error_log
+
+apache_access_log = /var/log/apache2/*access_log
+
+pureftpd_log = %(syslog_local0)s
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/log/mysql/mysqld.log
+
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
+
+solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd
diff --git a/sfw-fail2ban.conf b/sfw-fail2ban.conf
new file mode 100644
index 0000000..ed7bf17
--- /dev/null
+++ b/sfw-fail2ban.conf
@@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service