diff --git a/f2b-restart.conf b/f2b-restart.conf
new file mode 100644
index 0000000..5b1b2e0
--- /dev/null
+++ b/f2b-restart.conf
@@ -0,0 +1,5 @@
+# When a restart is issued for SuSEfirewall2, fail2ban.service too must be
+# restarted, which is what this drop-in file does.
+
+[Unit]
+PartOf=SuSEfirewall2.service
diff --git a/fail2ban.changes b/fail2ban.changes
index e39fd22..92b7ba0 100644
--- a/fail2ban.changes
+++ b/fail2ban.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de
+
+- Add a new subpackage to install systemd drop-ins that couple
+ SuSEfirewall2 and fail2ban. Added sfw-fail2ban.conf,
+ f2b-restart.conf.
+
 -------------------------------------------------------------------
 Wed Jan 29 13:48:38 UTC 2014 - jweberhofer@weberhofer.at
diff --git a/fail2ban.spec b/fail2ban.spec
index f4ae0c1..58dfd11 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -20,11 +20,10 @@ Name: fail2ban
 Version: 0.8.12
 Release: 0
 Url: http://www.fail2ban.org/
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-BuildArch: noarch
 Summary: Bans IP addresses that make too many authentication failures
 License: GPL-2.0+
 Group: Productivity/Networking/Security
+
 Source0: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
 %if 0%{?suse_version} < 1230
 # the init-script requires lsof
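Review bot: The header comment in f2b-restart.conf mentions only the restart case, but `PartOf=SuSEfirewall2.service` also propagates a stop, so stopping the firewall unit stops fail2ban as well and nothing in this drop-in brings it back. I would say so in the file, for example `# PartOf= propagates both stop and restart of SuSEfirewall2.service to fail2ban.service; it does not start fail2ban by itself.` An administrator reading the drop-in should be able to tell that `systemctl stop SuSEfirewall2` also ends ban enforcement.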
@@ -33,12 +32,20 @@ Source1: %{name}.init
 %endif
 Source2: %{name}.sysconfig
 Source3: %{name}.logrotate
-%if 0%{?suse_version} >= 1230
 Source4: %{name}.service
 Source5: %{name}.tmpfiles
-%endif
+Source6: sfw-fail2ban.conf
+Source7: f2b-restart.conf
 # PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816
 Patch0: fix-for-upstream-firewallcmd-ipset.conf.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+BuildArch: noarch
+%if 0%{?suse_version} >= 1230
+%{?systemd_requires}
+BuildRequires: systemd
+%endif
+BuildRequires: logrotate
+BuildRequires: python-devel
 Requires: cron
 Requires: iptables
 Requires: logrotate
@@ -49,12 +56,6 @@ Requires: python-pyinotify
 %if 0%{?suse_version} >= 1220
 Requires: python-gamin
 %endif
-%if 0%{?suse_version} >= 1230
-%{?systemd_requires}
-BuildRequires: systemd
-%endif
-BuildRequires: logrotate
-BuildRequires: python-devel
 %description
 Fail2ban scans log files like /var/log/messages and bans IP addresses
@@ -63,6 +64,18 @@ reject the IP address, can send e-mails, or set host.deny entries.
 These rules can be defined by the user. Fail2Ban can read multiple log files such as sshd or Apache web server ones.
+%package -n SuSEfirewall2-fail2ban
+Summary: systemd files for integrating fail2ban into SuSEfirewall2
+Group: Productivity/Networking/Security
+BuildArch: noarch
+Requires: SuSEfirewall2
+Requires: fail2ban
+
+%description -n SuSEfirewall2-fail2ban
+This package ships systemd files which will cause fail2ban to be ordered
+in relation to SuSEfirewall2 such that the two can be run concurrently
+within reason, i.e. SFW will always run first because it does a table flush.
+
 %prep
 %setup
 %patch0 -p1
@@ -101,6 +114,12 @@ install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service
 install -d -m755 $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/
 install -m644 %{SOURCE5} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/%{name}.conf
 %endif
+%if "%_unitdir" != ""
+install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \
+ "%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf"
+install -Dm0644 "%_sourcedir/f2b-restart.conf" \
+ "%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf"
+%endif
 %pre
 %if 0%{?suse_version} >= 1230
@@ -129,6 +148,14 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %insserv_cleanup
 %endif
+%if "%_unitdir" != ""
+%post -n SuSEfirewall2-fail2ban
+%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :
+
+%postun -n SuSEfirewall2-fail2ban
+%_bindir/systemctl daemon-reload >/dev/null 2>&1 || :
+%endif
+
 %files
 %defattr(-, root, root)
 %dir %{_sysconfdir}/%{name}
@@ -152,4 +179,11 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %doc %{_mandir}/man1/*
 %doc COPYING ChangeLog DEVELOP README.md TODO files/cacti
+%if "%{?_unitdir}" != ""
+%files -n SuSEfirewall2-fail2ban
+%defattr(-,root,root)
+%_unitdir/SuSEfirewall2.service.d
+%_unitdir/fail2ban.service.d
+%endif
+
 %changelog
diff --git a/sfw-fail2ban.conf b/sfw-fail2ban.conf
new file mode 100644
index 0000000..ed7bf17
--- /dev/null
+++ b/sfw-fail2ban.conf
@@ -0,0 +1,7 @@
+# This drop-in file extends SuSEfirewall2.service to also start
+# fail2ban.service, and to make sure that fail2ban is only (re)started after
+# SFW has completed.
+
+[Unit]
+Wants=fail2ban.service
+Before=fail2ban.service
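Review bot: The guard `%if "%_unitdir" != ""` added in the -101,6 hunk of fail2ban.spec does not test whether the macro is defined, because rpm leaves an undefined `%_unitdir` unexpanded, so the string is never empty and both `install -Dm0644` lines run with a literal `%_unitdir` in the target path. The same guard is repeated around `%post`/`%postun` in the -129,6 hunk, while the `%files` hunk at the end already uses the conditional form; all three should read `%if "%{?_unitdir}" != ""`. On a target without the systemd macros (the spec still carries a `suse_version < 1230` branch) the build would probably end with installed but unpackaged files. The %install section this hunk belongs to starts outside the hunk.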
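Review bot: The header comment in sfw-fail2ban.conf should state that `Wants=fail2ban.service` pulls fail2ban in on every start of SuSEfirewall2.service, whether or not the administrator has enabled fail2ban.service, so installing the subpackage effectively turns the service on. Because Wants= is a weak dependency, a fail2ban that fails to start does not fail the firewall unit, and the host then runs without ban enforcement unless something monitors fail2ban separately. I would add `# Wants= starts fail2ban whenever SuSEfirewall2 starts, even if fail2ban.service is disabled; a fail2ban start failure does not fail SuSEfirewall2.` The claim that fail2ban starts only after SFW "has completed" holds for `Before=` only if SuSEfirewall2.service is a oneshot unit, which is not visible in this diff.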