diff --git a/fail2ban-0.10.4-upstream-pid-file-location.patch b/fail2ban-0.10.4-upstream-pid-file-location.patch
deleted file mode 100644
index 4791b66..0000000
--- a/fail2ban-0.10.4-upstream-pid-file-location.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff -ur fail2ban-0.10.4-orig/files/fail2ban.service.in fail2ban-0.10.4/files/fail2ban.service.in
---- fail2ban-0.10.4-orig/files/fail2ban.service.in 2019-08-12 11:18:27.754395688 +0200
-+++ fail2ban-0.10.4/files/fail2ban.service.in 2019-08-12 11:18:49.150908423 +0200
-@@ -7,13 +7,13 @@
- [Service]
- Type=simple
- EnvironmentFile=-/etc/sysconfig/fail2ban
--ExecStartPre=/bin/mkdir -p /var/run/fail2ban
-+ExecStartPre=/bin/mkdir -p /run/fail2ban
- ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
- # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local
- # ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
- ExecStop=/usr/bin/fail2ban-client stop
- ExecReload=/usr/bin/fail2ban-client reload
--PIDFile=/var/run/fail2ban/fail2ban.pid
-+PIDFile=/run/fail2ban/fail2ban.pid
- Restart=on-failure
- RestartPreventExitStatus=0 255
-
diff --git a/fail2ban-0.11.1.tar.gz b/fail2ban-0.11.1.tar.gz
deleted file mode 100644
index 17c0c49..0000000
--- a/fail2ban-0.11.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:71d2a52b66bb0f87ac3812246bdd3819ec561913cd44afd39130a342f043aa6d
-size 538660
diff --git a/fail2ban-0.11.1.tar.gz.asc b/fail2ban-0.11.1.tar.gz.asc
deleted file mode 100644
index 3f44fa8..0000000
--- a/fail2ban-0.11.1.tar.gz.asc
+++ /dev/null
@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAl4Z0VwACgkQaDvxvr0K
-iCwvyQf/WMmE8sJLQYA/mfKkVIRA/2GAsvq44hQD+/DghIU/My5RKfWtjSZO+/II
-Tg31w63CQ619PLtf/IKLa2CpckKs5v1IIB6nunjU4Q/jKjruA6kOALAgwMlA0Ymf
-HnaFIW4AheXk+DGErLOPwPHWtk2skZI9hAjzuqYc6Ig4Z30dSqmBgxb7UmVRxjba
-J8n5DWA2W4VAAb9gBiL6RsBVBPRNPZhiw1Y+ejUWzqD3mqnc0tgJnVfpb5GvG+Xc
-4kUEiZb822Phw/vwyBycAhYthNAcVEWI5BIoEFbkYmCe7z7TWsQGLpuJNIT2heSC
-mzGOdU0MCwxNCy9/RGSAdctlAi+cFg==
-=6cDo
------END PGP SIGNATURE-----
diff --git a/fail2ban-0.11.2.tar.gz b/fail2ban-0.11.2.tar.gz
new file mode 100644
index 0000000..71d95fc
--- /dev/null
+++ b/fail2ban-0.11.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:383108e5f8644cefb288537950923b7520f642e7e114efb843f6e7ea9268b1e0
+size 559552
diff --git a/fail2ban-0.11.2.tar.gz.asc b/fail2ban-0.11.2.tar.gz.asc
new file mode 100644
index 0000000..d974e80
--- /dev/null
+++ b/fail2ban-0.11.2.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhzhVnib2cd+eLG2eaDvxvr0KiCwFAl+8IJUACgkQaDvxvr0K
+iCx3lQf+Ko0DK0UCpcyQMD2eAkOSw9gReD8g6CgqubQe76SmJedUC25AX4BhtbnB
+lcWnoNP6txHHe4SglEPDqA2QPp05V7NrC0Jv6EHuIqs/tDYQOrPeHfj9zIdo8Xpm
+tuvEdJR9642RR7LRZprAMTMkdJG0DSAPeigpuL54GbbXrRMrZk6oe5JXy5kormYb
+X26odhekUOWCh7cSSFkOoc5fKeLQZkjRECMo4zr9TMCuG9q+PCokK2ZlUK2k+FKX
+Z82pPzxYn3XH9rOhgVPST2nyeZjb4xSMmsVNTO4FXytq/MwpdZW52cAbpgxMESWV
+9ziop+UtjS9z+WcsxKZEmpVJHSxk/Q==
+=1dk3
+-----END PGP SIGNATURE-----
diff --git a/fail2ban-opensuse-locations.patch b/fail2ban-opensuse-locations.patch
index a477437..a6488a1 100644
--- a/fail2ban-opensuse-locations.patch
+++ b/fail2ban-opensuse-locations.patch
@@ -1,8 +1,7 @@ -Index: config/jail.conf -=================================================================== ---- config/jail.conf.orig -+++ config/jail.conf -@@ -688,7 +688,7 @@ backend = %(syslog_backend)s +diff -ur fail2ban-0.11.2-orig/config/jail.conf fail2ban-0.11.2/config/jail.conf +--- fail2ban-0.11.2-orig/config/jail.conf 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/config/jail.conf 2020-11-29 10:14:13.229200191 +0100 +@@ -731,7 +731,7 @@ # filter = named-refused # port = domain,953 # protocol = udp @@ -11,7 +10,7 @@ Index: config/jail.conf # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. -@@ -696,7 +696,7 @@ backend = %(syslog_backend)s +@@ -739,7 +739,7 @@ [named-refused] port = domain,953 @@ -20,11 +19,11 @@ Index: config/jail.conf [nsd] -Index: config/paths-common.conf -=================================================================== ---- config/paths-common.conf.orig -+++ config/paths-common.conf -@@ -90,7 +90,7 @@ solidpop3d_log = %(syslog_local0)s +Nur in fail2ban-0.11.2/config: jail.conf.orig. +diff -ur fail2ban-0.11.2-orig/config/paths-common.conf fail2ban-0.11.2/config/paths-common.conf +--- fail2ban-0.11.2-orig/config/paths-common.conf 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/config/paths-common.conf 2020-11-29 10:14:13.237200352 +0100 +@@ -90,7 +90,7 @@ mysql_log = %(syslog_daemon)s mysql_backend = %(default_backend)s diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch index ee70c27..a938f5f 100644 --- a/fail2ban-opensuse-service.patch +++ b/fail2ban-opensuse-service.patch 
@@ -1,23 +1,27 @@ ---- a/files/fail2ban.service.in 2020-01-11 11:01:00.000000000 +0100 -+++ b/files/fail2ban.service.in 2020-05-21 09:48:12.049645909 +0200 -@@ -6,13 +6,14 @@ +diff -ur fail2ban-0.11.2-orig/files/fail2ban.service.in fail2ban-0.11.2/files/fail2ban.service.in +--- fail2ban-0.11.2-orig/files/fail2ban.service.in 2020-11-23 21:43:03.000000000 +0100 ++++ fail2ban-0.11.2/files/fail2ban.service.in 2020-12-05 18:22:01.503018894 +0100 +@@ -2,17 +2,18 @@ + Description=Fail2Ban Service + Documentation=man:fail2ban(1) + After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service +-PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service ++PartOf=firewalld.service ipset.service nftables.service [Service] Type=simple --ExecStartPre=/bin/mkdir -p /run/fail2ban --ExecStart=@BINDIR@/fail2ban-server -xf start +EnvironmentFile=-/etc/sysconfig/fail2ban -+ExecStartPre=/bin/mkdir -p /var/run/fail2ban + Environment="PYTHONNOUSERSITE=1" + ExecStartPre=/bin/mkdir -p /run/fail2ban +-ExecStart=@BINDIR@/fail2ban-server -xf start +ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local -# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start -ExecStop=@BINDIR@/fail2ban-client stop -ExecReload=@BINDIR@/fail2ban-client reload --PIDFile=/run/fail2ban/fail2ban.pid +# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start +ExecStop=/usr/bin/fail2ban-client stop +ExecReload=/usr/bin/fail2ban-client reload -+PIDFile=/var/run/fail2ban/fail2ban.pid + PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 - diff --git a/fail2ban.changes b/fail2ban.changes index 77ff5fe..20b359e 100644 --- a/fail2ban.changes +++ b/fail2ban.changes 
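Review bot: The new `PartOf=firewalld.service ipset.service nftables.service` line drops `iptables.service` and `ip6tables.service`, while the `After=` line just above it still lists both. If one of those units manages the ruleset on a host, restarting it would no longer restart fail2ban, so any ban chains it flushes would stay empty until fail2ban itself is restarted. This is presumably the intended trade-off for bnc#1146856, but nothing in the patch records it. I would add a unit comment above the `PartOf=` line, e.g. `# iptables.service/ip6tables.service left out of PartOf on purpose (bnc#1146856)`. The [Unit] section starts outside the inner hunk.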
@@ -1,3 +1,81 @@ +------------------------------------------------------------------- +Sat Dec 5 17:25:17 UTC 2020 - Johannes Weberhofer + +- Integrate change to resolve bnc#1146856 + +------------------------------------------------------------------- +Sun Nov 29 11:23:09 UTC 2020 - Johannes Weberhofer + +- Update to 0.11.2 + increased stability, filter and action updates + +- New Features and Enhancements + * fail2ban-regex: + - speedup formatted output (bypass unneeded stats creation) + - extended with prefregex statistic + - more informative output for `datepattern` (e. g. set from filter) - pattern : description + * parsing of action in jail-configs considers space between action-names as separator also + (previously only new-line was allowed), for example `action = a b` would specify 2 actions `a` and `b` + * new filter and jail for GitLab recognizing failed application logins (gh#fail2ban/fail2ban#2689) + * new filter and jail for Grafana recognizing failed application logins (gh#fail2ban/fail2ban#2855) + * new filter and jail for SoftEtherVPN recognizing failed application logins (gh#fail2ban/fail2ban#2723) + * `filter.d/guacamole.conf` extended with `logging` parameter to follow webapp-logging if it's configured + (gh#fail2ban/fail2ban#2631) + * `filter.d/bitwarden.conf` enhanced to support syslog (gh#fail2ban/fail2ban#2778) + * introduced new prefix `{UNB}` for `datepattern` to disable word boundaries in regex; + * datetemplate: improved anchor detection for capturing groups `(^...)`; + * datepattern: improved handling with wrong recognized timestamps (timezones, no datepattern, etc) + as well as some warnings signaling user about invalid pattern or zone (gh#fail2ban/fail2ban#2814): + - filter gets mode in-operation, which gets activated if filter starts processing of new messages; + in this mode a timestamp read from log-line that appeared recently (not an old line), deviating too much + from now (up too 24h), will be considered as now (assuming a 
timezone issue), so could avoid unexpected + bypass of failure (previously exceeding `findtime`); + - better interaction with non-matching optional datepattern or invalid timestamps; + - implements special datepattern `{NONE}` - allow to find failures totally without date-time in log messages, + whereas filter will use now as timestamp (gh#fail2ban/fail2ban#2802) + * performance optimization of `datepattern` (better search algorithm in datedetector, especially for single template); + * fail2ban-client: extended to unban IP range(s) by subnet (CIDR/mask) or hostname (DNS), gh#fail2ban/fail2ban#2791; + * extended capturing of alternate tags in filter, allowing combine of multiple groups to single tuple token with new tag + prefix `` with all value of `` tags (gh#fail2ban/fail2ban#2755) + +- Fixes + * [stability] prevent race condition - no ban if filter (backend) is continuously busy if + too many messages will be found in log, e. g. initial scan of large log-file or journal (gh#fail2ban/fail2ban#2660) + * pyinotify-backend sporadically avoided initial scanning of log-file by start + * python 3.9 compatibility (and Travis CI support) + * restoring a large number (500+ depending on files ulimit) of current bans when using PyPy fixed + * manual ban is written to database, so can be restored by restart (gh#fail2ban/fail2ban#2647) + * `jail.conf`: don't specify `action` directly in jails (use `action_` or `banaction` instead) + * no mails-action added per default anymore (e. g. 
to allow that `action = %(action_mw)s` should be specified + per jail or in default section in jail.local), closes gh#fail2ban/fail2ban#2357 + * ensure we've unique action name per jail (also if parameter `actname` is not set but name deviates from standard name, gh#fail2ban/fail2ban#2686) + * don't use `%(banaction)s` interpolation because it can be complex value (containing `[...]` and/or quotes), + so would bother the action interpolation + * fixed type conversion in config readers (take place after all interpolations get ready), that allows to + specify typed parameters variable (as substitutions) as well as to supply it in other sections or as init parameters. + * `action.d/*-ipset*.conf`: several ipset actions fixed (no timeout per default anymore), so no discrepancy + between ipset and fail2ban (removal from ipset will be managed by fail2ban only, gh#fail2ban/fail2ban#2703) + * `action.d/cloudflare.conf`: fixed `actionunban` (considering new-line chars and optionally real json-parsing + with `jq`, gh#fail2ban/fail2ban#2140, gh#fail2ban/fail2ban#2656) + * `action.d/nftables.conf` (type=multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2763) + * `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-` (gh#fail2ban/fail2ban#2821) + * `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num` (gh#fail2ban/fail2ban#2836) + * `filter.d/common.conf`: avoid substitute of default values in related `lt_*` section, `__prefix_line` + should be interpolated in definition section (inside the filter-config, gh#fail2ban/fail2ban#2650) + * `filter.d/dovecot.conf`: + - add managesieve and submission support (gh#fail2ban/fail2ban#2795); + - accept messages with more verbose logging (gh#fail2ban/fail2ban#2573); + * `filter.d/courier-smtp.conf`: prefregex extended to consider port in log-message (gh#fail2ban/fail2ban#2697) + * `filter.d/traefik-auth.conf`: filter 
extended with parameter mode (`normal`, `ddos`, `aggressive`) to handle + the match of username differently (gh#fail2ban/fail2ban#2693): + - `normal`: matches 401 with supplied username only + - `ddos`: matches 401 without supplied username only + - `aggressive`: matches 401 and any variant (with and without username) + * `filter.d/sshd.conf`: normalizing of user pattern in all RE's, allowing empty user (gh#fail2ban/fail2ban#2749) + +- Rebased patches +- Removed upstream patch fail2ban-0.10.4-upstream-pid-file-location.patch + ------------------------------------------------------------------- Wed Aug 19 09:04:12 UTC 2020 - Dominique Leuenberger diff --git a/fail2ban.spec b/fail2ban.spec index 8d06e2a..32d31ab 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -22,13 +22,13 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: fail2ban -Version: 0.11.1 +Version: 0.11.2 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0-or-later Group: Productivity/Networking/Security URL: http://www.fail2ban.org/ -Source0: https://github.com/fail2ban/fail2ban/archive/%{version}/%{name}-%{version}.tar.gz +Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: https://github.com/fail2ban/fail2ban/releases/download/%{version}/%{name}-%{version}.tar.gz.asc Source2: %{name}.sysconfig Source3: %{name}.logrotate 
@@ -47,8 +47,6 @@ Patch101: %{name}-opensuse-service.patch Patch200: %{name}-disable-iptables-w-option.patch # PATCH-FIX-OPENSUSE fail2ban-0.10.4-env-script-interpreter.patch jweberhofer@weberhofer.at -- use exact path to define interpretor Patch201: %{name}-0.10.4-env-script-interpreter.patch -# PATH-FIX-UPSTREAM fail2ban-0.10.4-upstream-pid-file-location.patch boo#1145181 jweberhofer@weberhofer.at -- changed fail2ban pid file location (gh#fail2ban/fail2ban#2474) -Patch202: %{name}-0.10.4-upstream-pid-file-location.patch # PATCH-FEATURE-OPENSUSE fail2ban-opensuse-service-sfw.patch jweberhofer@weberhofer.at -- start after SuSEfirewall2 only for older distributions Patch300: fail2ban-opensuse-service-sfw.patch BuildRequires: fdupes @@ -126,13 +124,12 @@ install -m644 %{SOURCE8} config/paths-opensuse.conf # Use openSUSE paths sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf -%patch100 +%patch100 -p1 %patch101 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif %patch201 -p1 -%patch202 -p1 %if !0%{?suse_version} > 1500 %patch300 -p1 %endif
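Review bot: The guard `%if !0%{?suse_version} > 1500` that closes the %prep hunk appears never to be true, so `%patch300 -p1` would never be applied. In RPM expressions the unary `!` binds to the operand next to it, so the test reads as `(!N) > 1500`, i.e. 0 or 1 compared with 1500. Going by the Patch300 comment in the first spec hunk ("start after SuSEfirewall2 only for older distributions"), the intended test is probably `%if 0%{?suse_version} <= 1500`. This is worth confirming, because without the patch the unit is presumably not ordered after SuSEfirewall2 on those releases. The %prep section continues outside the hunk.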