- fail2ban-fix-openssh98.patch: fix to work with openssh 9.8 (bsc#1230101)

OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=120

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

f2b-restart.conf

@@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service

fail2ban-0.10.4-env-script-interpreter.patch

@@ -0,0 +1,9 @@
+diff -ur fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot
+--- fail2ban-0.10.4-orig/config/filter.d/ignorecommands/apache-fakegooglebot	2018-10-04 11:26:22.000000000 +0200
++++ fail2ban-0.10.4/config/filter.d/ignorecommands/apache-fakegooglebot	2019-08-12 10:46:05.067842214 +0200
+@@ -1,4 +1,4 @@
+-#!/usr/bin/env fail2ban-python
++#!/usr/bin/fail2ban-python
+ # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+ #
+ # Written in Python to reuse built-in Python batteries and not depend on

fail2ban-1.0.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ae8b0b41f27a7be12d40488789d6c258029b23a01168e3c0d347ee80b325ac23
+size 583295

fail2ban-1.0.2.tar.gz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAmNr0KgACgkQaDvxvr0K
+iCyG4Af/eP5ZQvTiGjo/f1oOuBH8wOo7ARlFOcQIbdhXy10vk3bqDjYHVWzXh12Q
+EdfyJVMXFI3XnDQkdXulOjnhX6YK3qYruudl0oDE7jyIWbHETFUpY7y00uxjTD+A
+aBk4XqBym67BtBR/5dfnhXOBYZ9EXcbopvEQXq1Lm4jRSurSQCiVpMY44psW60Rb
+dt1fdIg/GTjhsYNWO2L6DCObV1qdJcdk8Zw7rvk9aHe7iZ+PZW7htG8erTzzV9LV
+Lq6Bcwz6tEFInTvDBZXIhBimYrquWp97qwEC3d1cNbv9pjN69czgLtRaq5EiVu4R
+e8+y9LLToHFjKeji436S6985hBQnEA==
+=jGOy
+-----END PGP SIGNATURE-----

fail2ban-disable-iptables-w-option.patch

@@ -0,0 +1,14 @@
+--- fail2ban-1.0.1/config/action.d/iptables.conf.orig	2022-10-12 11:35:25.789327341 +0200
++++ fail2ban-1.0.1/config/action.d/iptables.conf	2022-10-12 11:35:40.585449861 +0200
+@@ -138,8 +138,10 @@
+ #          running concurrently and causing irratic behavior.  -w was introduced
+ #          in iptables 1.4.20, so might be absent on older systems
+ #          See https://github.com/fail2ban/fail2ban/issues/1122
++#          The default option "-w" can be used for openSUSE versions 13.2+ and
++#          for updated versions of openSUSE 13.1; SLE 12 supports this option.
+ # Values:  STRING
+-lockingopt = -w
++lockingopt =
+ 
+ # Option:  iptables
+ # Notes.:  Actual command to be executed, including common to all calls options

fail2ban-fix-openssh98.patch

@@ -0,0 +1,13 @@
+Index: fail2ban-1.0.2/config/filter.d/sshd.conf
+===================================================================
+--- fail2ban-1.0.2.orig/config/filter.d/sshd.conf
++++ fail2ban-1.0.2/config/filter.d/sshd.conf
+@@ -16,7 +16,7 @@ before = common.conf
+ 
+ [DEFAULT]
+ 
+-_daemon = sshd
++_daemon = sshd(?:-session)?
+ 
+ # optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+ __pref = (?:(?:error|fatal): (?:PAM: )?)?

fail2ban-opensuse-locations.patch

@@ -0,0 +1,32 @@
+Index: fail2ban-1.0.1/config/jail.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/jail.conf
++++ fail2ban-1.0.1/config/jail.conf
+@@ -731,7 +731,7 @@ backend = %(syslog_backend)s
+ # filter   = named-refused
+ # port     = domain,953
+ # protocol = udp
+-# logpath  = /var/log/named/security.log
++# logpath  = /var/lib/named/log/security.log
+ 
+ # IMPORTANT: see filter.d/named-refused for instructions to enable logging
+ # This jail blocks TCP traffic for DNS requests.
+@@ -739,7 +739,7 @@ backend = %(syslog_backend)s
+ [named-refused]
+ 
+ port     = domain,953
+-logpath  = /var/log/named/security.log
++logpath  = /var/lib/named/log/security.log
+ 
+ 
+ [nsd]
+Index: fail2ban-1.0.1/config/paths-common.conf
+===================================================================
+--- fail2ban-1.0.1.orig/config/paths-common.conf
++++ fail2ban-1.0.1/config/paths-common.conf
+@@ -90,4 +90,4 @@ solidpop3d_log = %(syslog_local0)s
+ mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
+ 
+-roundcube_errors_log = /var/log/roundcube/errors
++roundcube_errors_log = /srv/www/roundcubemail/logs/errors

fail2ban-opensuse-service-sfw.patch

@@ -0,0 +1,14 @@
+diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
+--- fail2ban-0.10.4-orig/files/fail2ban.service.in	2019-08-12 11:27:18.175106400 +0200
++++ fail2ban-0.10.4/files/fail2ban.service.in	2019-08-12 11:28:42.045116215 +0200
+@@ -1,8 +1,8 @@
+ [Unit]
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+-After=network.target iptables.service firewalld.service ip6tables.service ipset.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service
++After=network.target iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
++PartOf=iptables.service firewalld.service ip6tables.service ipset.service SuSEfirewall2.service
+ 
+ [Service]
+ Type=simple

fail2ban-opensuse-service.patch

@@ -0,0 +1,27 @@
+diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in
+--- fail2ban-0.11.2-orig/files/fail2ban.service.in	2020-11-23 21:43:03.000000000 +0100
++++ fail2ban-0.11.2/files/fail2ban.service.in	2020-12-05 18:22:01.503018894 +0100
+@@ -2,17 +2,18 @@
+ Description=Fail2Ban Service
+ Documentation=man:fail2ban(1)
+ After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service
++PartOf=firewalld.service
+ 
+ [Service]
+ Type=simple
++EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"
+ ExecStartPre=/bin/mkdir -p /run/fail2ban
+-ExecStart=@BINDIR@/fail2ban-server -xf start
++ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
+ # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
+-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start
+-ExecStop=@BINDIR@/fail2ban-client stop
+-ExecReload=@BINDIR@/fail2ban-client reload
++# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
++ExecStop=/usr/bin/fail2ban-client stop
++ExecReload=/usr/bin/fail2ban-client reload
+ PIDFile=/run/fail2ban/fail2ban.pid
+ Restart=on-failure
+ RestartPreventExitStatus=0 255

fail2ban.keyring

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFeHbzIBCACWgr54J4t2fpI7EIrMTqso5kqPRTSY7eO2T0965JW6Zl4C0HZT
+Wz+9c5aGlKeotf4Fv7zOhpUwULFSGAq3tVbxAxW9++LAXPGad6uE4aPsXoQ6+0RV
+lJozNclURRal46vz3uuGLiSJ5+VQ1WD1sFLuw2/bMzE4GFR0z4w4UOc3ufAQ3obC
+i5szSy5JWtCsmvCdNlhXTxa66aUddN8/8IHJSB6QZabGEcG4WfsfhUiH38KUuqrO
+hYvT9ROY74pwSsHuWEzVRE00eJB4uxngsKHAGMYhkNxdKCG7Blu2IbJRcBE8QAs3
+BGqJR8FBify86COZYUZ7CuAyLyo1U6BZd7ohABEBAAG0KVNlcmcgRy4gQnJlc3Rl
+ciAoc2VicmVzKSA8aW5mb0BzZWJyZXMuZGU+iQE4BBMBAgAiBQJXh28yAhsDBgsJ
+CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBoO/G+vQqILMThB/0YUr7Y+urJChgm
+NG9exjjmTayoNb+XiMR5T2+A919NrKulEaH2mb51B7XBmFuCj8x5O1wA3xYo7B6h
+RVuNyb2eI3+bRD33QsKcs6NsgK/I1xLD15NrEftPckWqYypR6//u9Tmz5o9n9+/n
+2dH7SU7UPW468/bRUhFp+SQ70B0XLdyDgGLEN9TNsAvnEi30Vtjbia4Lp/NXYRkq
+GEzvpgZ7Dt9YhT+qdSs6AwyN0ZhnvX+zqXi+Q18xlbnuq2ZZkwK8Es/HdEDu2HNJ
+3nn3l15pyMe/OxYhg646NcqGR6j1rEZ7jXyN2i5sEdspXfwv0lGtLr7ANElWqOvX
+XYBAspRvuQENBFeHbzIBCACyCMv4CQ+blzj53ZLPyBMnj38oQ7bbpAtDThfB8hEZ
+uk6Kmo799Zo2rLG2iqvy8SEuN/bLQKyzFTiB4UYWvRxne792N0nWLU24/bd7j/Gh
+Q4EHUhs38WRSYtu93XCKzvyzn5s3504luOBF6czNrLeDfWXGVGosBsBoASY7de7a
+kiXb7a28dNDSG0JaR+QwONjmde9hAzqOX0iOYHvJeu68UKaUp4IrJ+nTMHFhwUbf
+awCmz+NPPrm360j4BuvYSWhS06tM7c6+gfvXHOTtJ5TEGbrm+I8d2q7nhxg3nku6
+7qnddkW2OS8EQVlw7XFox929mTLzw0MEmjqmSRTx2Qk3ABEBAAGJAR8EGAECAAkF
+AleHbzICGwwACgkQaDvxvr0KiCwdxQf7BM7jo6v7uU7324ZkLQmtZndcXnXZMbSw
+2pDzR2h01Vx7dHppzNOkyv8DvUWttwaMaTU57cdzThTkQPk8Lx8sCvi40RmWS2vs
+IArgTS1HNStprPUg4sk99JOZg2y4LBqkLUxZveDsH+rXdFA/fp8048/M4ss6qj4O
+ySe4crABbbv5yRADBJZt4LQdFoNGEpSaOtcxJmwJ7hrV+wQhVMm9m+/JpgzNT4rb
+muPgveqzmSiTGJ6Yy2bEKyY0dCyPuWbWWPt4mCcT+9emZC1O8EjST0i9f9EUUU6c
+6UCy7zi5EQ9CVv1Dlz1qefm/5/iFAAFQ5DtYC3cwDq8CqgqzoHMtNg==
+=vqSW
+-----END PGP PUBLIC KEY BLOCK-----

fail2ban.logrotate

@@ -0,0 +1,13 @@
+/var/log/fail2ban.log {
+    compress
+    dateext
+    maxage 365
+    rotate 99
+    size=+4096k
+    notifempty
+    missingok
+    create 644 root root
+    postrotate
+      fail2ban-client flushlogs  1>/dev/null || true
+    endscript
+}

fail2ban.spec

@@ -0,0 +1,351 @@
+#
+# spec file for package fail2ban
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir %{_localstatedir}/adm/fillup-templates
+%endif
+Name:           fail2ban
+Version:        1.0.2
+Release:        0
+Summary:        Bans IP addresses that make too many authentication failures
+License:        GPL-2.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.fail2ban.org/
+Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source1:        https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
+Source2:        %{name}.sysconfig
+Source3:        %{name}.logrotate
+Source5:        %{name}.tmpfiles
+Source6:        sfw-fail2ban.conf
+Source7:        f2b-restart.conf
+# Path definitions have been submitted to upstream
+Source8:        paths-opensuse.conf
+Source200:      fail2ban.keyring
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
+Patch100:       %{name}-opensuse-locations.patch
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
+Patch101:       %{name}-opensuse-service.patch
+# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
+Patch200:       %{name}-disable-iptables-w-option.patch
+# PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor
+Patch201:       %{name}-0.10.4-env-script-interpreter.patch
+# PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions
+Patch300:       fail2ban-opensuse-service-sfw.patch
+# PATCH-FEATURE-OPENSUSE harden_fail2ban.service.patch jsegitz@suse.com -- Added hardening to systemd service(s) bsc#1181400
+Patch301:       harden_fail2ban.service.patch
+# PATCH-FIX-OPENSUSE fail2ban-fix-openssh98.patch meissner@suse.com -- support openssh9.8 bsc#1230101
+Patch302:       fail2ban-fix-openssh98.patch
+BuildRequires:  fdupes
+BuildRequires:  logrotate
+BuildRequires:  python-rpm-macros
+BuildRequires:  python3-tools
+# timezone package is required to run the tests
+BuildRequires:  timezone
+Requires:       cron
+Requires:       ed
+Requires:       iptables
+Requires:       logrotate
+Requires:       python3 >= 3.2
+Requires:       whois
+%if 0%{?suse_version} != 1110
+BuildArch:      noarch
+%endif
+%if 0%{?suse_version} >= 1230
+# systemd
+BuildRequires:  python3-systemd
+BuildRequires:  pkgconfig(systemd)
+Requires:       python3-systemd
+Requires:       systemd > 204
+%{?systemd_requires}
+%else
+# no systemd (the init-script requires lsof)
+Requires:       lsof
+Requires:       syslog
+%endif
+%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+BuildRequires:  python3-pyinotify >= 0.8.3
+Requires:       python3-pyinotify >= 0.8.3
+%endif
+
+%description
+Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP
+addresses that makes too many password failures. It updates firewall rules to
+reject the IP address, can send e-mails, or set host.deny entries.  These rules
+can be defined by the user. Fail2Ban can read multiple log files such as sshd
+or Apache web server ones.
+
+%if !0%{?suse_version} > 1500
+%package -n SuSEfirewall2-%{name}
+Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
+Group:          Productivity/Networking/Security
+Requires:       SuSEfirewall2
+Requires:       fail2ban
+
+%description -n SuSEfirewall2-%{name}
+This package ships systemd files which will cause fail2ban to be ordered in
+relation to SuSEfirewall2 such that the two can be run concurrently within
+reason, i.e. SFW will always run first because it does a table flush.
+%endif
+
+%package -n monitoring-plugins-%{name}
+Summary:        Check fail2ban server and how many IPs are currently banned
+Group:          System/Monitoring
+%if 0%{?suse_version}
+BuildRequires:  nagios-rpm-macros
+%else
+%define         nagios_plugindir %{_libexecdir}/nagios/plugins
+%endif
+Provides:       nagios-plugins-%{name} = %{version}
+Obsoletes:      nagios-plugins-%{name} < %{version}
+
+%description -n monitoring-plugins-%{name}
+This plugin checks if the fail2ban server is running and how many IPs are
+currently banned.  You can use this plugin to monitor all the jails or just a
+specific jail.
+
+How to use
+----------
+Just have to run the following command:
+  $ ./check_fail2ban --help
+
+%prep
+%setup -q
+install -m644 %{SOURCE8} config/paths-opensuse.conf
+
+# Use openSUSE paths
+sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
+
+%patch -P 100 -p1
+%patch -P 101 -p1
+%if 0%{?suse_version} < 1310
+%patch -P 200 -p1
+%endif
+%patch -P 201 -p1
+%if !0%{?suse_version} > 1500
+%patch -P 300 -p1
+%endif
+%patch -P 301 -p1
+%patch -P 302 -p1
+
+rm 	config/paths-arch.conf \
+	config/paths-debian.conf \
+	config/paths-fedora.conf \
+	config/paths-freebsd.conf \
+	config/paths-osx.conf
+
+# correct doc-path
+sed -i -e 's|%{_datadir}/doc/%{name}|%{_docdir}/%{name}|' setup.py
+
+# remove syslogd-logger settings for older distributions
+%if 0%{?suse_version} < 1230
+sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
+%endif
+
+%build
+export CFLAGS="%{optflags}"
+./fail2ban-2to3
+python3 setup.py build
+gzip man/*.{1,5}
+
+%install
+python3 setup.py install \
+	--root=%{buildroot} \
+	--prefix=%{_prefix}
+
+install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
+install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
+install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
+
+install -d -m 755 %{buildroot}%{_initddir}
+install -d -m 755 %{buildroot}%{_sbindir}
+
+%if 0%{?suse_version} > 1310
+# use /run directory
+install -d -m 755 %{buildroot}/run
+touch %{buildroot}/run/%{name}
+%else
+#use /var/run directory
+install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
+%endif
+
+%if 0%{?suse_version} >= 1230
+# systemd
+install -d -m 755 %{buildroot}%{_unitdir}
+install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
+
+install -d -m 755 %{buildroot}%{_tmpfilesdir}
+install -p -m 644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
+
+%else
+# without systemd
+install -d -m 755 %{buildroot}%{_initddir}
+install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
+ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
+%endif
+
+echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
+
+install -d -m 0755 %{buildroot}%{_localstatedir}/lib/%{name}/
+
+install -d -m 755 %{buildroot}%{_fillupdir}
+install -p -m 644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.%{name}
+
+install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m 644 %{SOURCE3}  %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
+	"%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
+install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
+	"%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
+%endif
+%endif
+install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_%{name}
+
+# install docs using the macro
+rm -r %{buildroot}%{_docdir}/%{name}
+
+# remove duplicates
+%fdupes -s %{buildroot}%{python3_sitelib}
+
+%check
+#stat /dev/log
+#python -c "import platform; print(platform.system())"
+# tests require python-pyinotify to be installed, so don't run them on older versions
+%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010  && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
+# Need a UTF-8 locale to work
+export LANG=en_US.UTF-8
+./fail2ban-testcases-all --no-network || true
+%endif
+
+%if 0%{?suse_version} >= 1230
+%pre
+%service_add_pre %{name}.service
+%endif
+
+%post
+%fillup_only
+%if 0%{?suse_version} >= 1230
+%tmpfiles_create %{_tmpfilesdir}/%{name}.conf
+# The next line is not workin in Leap 42.1, so keep the old way
+#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
+%service_add_post %{name}.service
+%endif
+
+%preun
+%if 0%{?suse_version} >= 1230
+%service_del_preun %{name}.service
+%else
+%stop_on_removal %{name}
+%endif
+
+%postun
+%if 0%{?suse_version} >= 1230
+%service_del_postun %{name}.service
+%else
+%restart_on_update %{name}
+%insserv_cleanup
+%endif
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+%post -n SuSEfirewall2-%{name}
+%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
+
+%postun -n SuSEfirewall2-%{name}
+%{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
+%endif
+%endif
+
+%files
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/action.d
+%dir %{_sysconfdir}/%{name}/%{name}.d
+%dir %{_sysconfdir}/%{name}/filter.d
+%dir %{_sysconfdir}/%{name}/jail.d
+#
+%config %{_sysconfdir}/%{name}/action.d/*
+%config %{_sysconfdir}/%{name}/filter.d/*
+#
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%config %{_sysconfdir}/%{name}/jail.conf
+%config %{_sysconfdir}/%{name}/paths-common.conf
+%config %{_sysconfdir}/%{name}/paths-opensuse.conf
+#
+%config(noreplace) %{_sysconfdir}/%{name}/jail.local
+#
+%config %{_sysconfdir}/logrotate.d/%{name}
+%dir %{_localstatedir}/lib/%{name}/
+%if 0%{?suse_version} > 1310
+# use /run directory
+%ghost /run/%{name}
+%else
+# use /var/run directory
+%dir %ghost %{_localstatedir}/run/%{name}
+%endif
+%if 0%{?suse_version} >= 1230
+# systemd
+%{_unitdir}/%{name}.service
+%{_tmpfilesdir}/%{name}.conf
+%else
+# without-systemd
+%{_initddir}/%{name}
+%endif
+%{_sbindir}/rc%{name}
+%{_bindir}/%{name}-server
+%{_bindir}/%{name}-client
+%{_bindir}/%{name}-python
+%{_bindir}/%{name}-regex
+%{python3_sitelib}/%{name}
+%exclude %{python3_sitelib}/%{name}/tests
+%{python3_sitelib}/%{name}-*
+%{_fillupdir}/sysconfig.%{name}
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%license COPYING
+%doc README.md TODO ChangeLog doc/*.txt
+
+# do not include tests as they are executed during the build process
+%exclude %{_bindir}/%{name}-testcases
+%exclude %{python3_sitelib}/%{name}/tests
+
+%if !0%{?suse_version} > 1500
+%if 0%{?_unitdir:1}
+%files -n SuSEfirewall2-%{name}
+%{_unitdir}/SuSEfirewall2.service.d
+%{_unitdir}/%{name}.service.d
+%endif
+%endif
+
+%files -n monitoring-plugins-%{name}
+%license COPYING
+%doc files/nagios/README
+%if 0%{?suse_version}
+%dir %{nagios_libdir}
+%else
+%dir %{_libexecdir}/nagios
+%endif
+%dir %{nagios_plugindir}
+%{nagios_plugindir}/check_%{name}
+
+%changelog

fail2ban.sysconfig

@@ -0,0 +1,10 @@
+## Path:	System/Security/Fail2ban
+## Description:	fail2ban options
+## Type:	string
+## Default:	""
+## ServiceReload: fail2ban
+## ServiceRestart: fail2ban
+#
+# Options for fail2ban
+#
+FAIL2BAN_OPTIONS=""

fail2ban.tmpfiles

@@ -0,0 +1 @@
+d /run/fail2ban 0755 root root

harden_fail2ban.service.patch

@@ -0,0 +1,23 @@
+Index: fail2ban-0.11.2/files/fail2ban.service.in
+===================================================================
+--- fail2ban-0.11.2.orig/files/fail2ban.service.in
++++ fail2ban-0.11.2/files/fail2ban.service.in
+@@ -5,6 +5,18 @@ After=network.target iptables.service fi
+ PartOf=firewalld.service
+ 
+ [Service]
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectControlGroups=true
++RestrictRealtime=true
++# end of automatic additions 
+ Type=simple
+ EnvironmentFile=-/etc/sysconfig/fail2ban
+ Environment="PYTHONNOUSERSITE=1"

paths-opensuse.conf

@@ -0,0 +1,50 @@
+# openSUSE log-file locations
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after  = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_local0  = /var/log/messages
+
+syslog_mail = /var/log/mail
+
+syslog_mail_warn = %(syslog_mail)s
+
+syslog_authpriv = %(syslog_local0)s
+
+syslog_user =  %(syslog_local0)s
+
+syslog_ftp  = %(syslog_local0)s
+
+syslog_daemon  = %(syslog_local0)s
+
+apache_error_log = /var/log/apache2/*error_log
+
+apache_access_log = /var/log/apache2/*access_log
+
+pureftpd_log = %(syslog_local0)s
+
+exim_main_log = /var/log/exim/main.log
+
+mysql_log = /var/log/mysql/mysqld.log
+
+roundcube_errors_log = /srv/www/roundcubemail/logs/errors
+
+solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd

sfw-fail2ban.conf

@@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service