Accepting request 245652 from security

1 OBS-URL: https://build.opensuse.org/request/show/245652 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=33
2014-08-25 09:03:47 +00:00 · 2014-08-25 09:03:47 +00:00 · 2edba31972
commit 2edba31972
parent 210a71f8fb baf2add4d9
6 changed files with 340 additions and 40 deletions
--- a/0.8.14.tar.gz
+++ b/0.8.14.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d579d9f403eb95064781ffb28aca2b258ca55d7a2ba056a8fa2b3e6b79721f2
+size 228121
--- a/fail2ban-0.8.12.tar.bz2
+++ b/fail2ban-0.8.12.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2cdd7cbbf8b770715ce0068aec9dd8857388cd4d690fd5211907d7f2f3bdcde4
-size 169644
--- a/fail2ban-opensuse-locations.patch
+++ b/fail2ban-opensuse-locations.patch
@ -0,0 +1,256 @@
+diff -ur fail2ban-0.8.14.orig/config/jail.conf fail2ban-0.8.14/config/jail.conf
+--- fail2ban-0.8.14.orig/config/jail.conf	2014-08-19 22:23:33.000000000 +0200
+++ fail2ban-0.8.14/config/jail.conf	2014-08-20 17:39:21.428256837 +0200
+@@ -80,7 +80,7 @@
+ enabled = false
+ filter  = pam-generic
+ action  = iptables-allports[name=pam,protocol=all]
+-logpath = /var/log/secure
+logpath =  /var/log/messages
+ 
+ 
+ [xinetd-fail]
+@@ -97,7 +97,7 @@
+ filter   = sshd
+ action   = iptables[name=SSH, port=ssh, protocol=tcp]
+            sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 5
+ 
+ 
+@@ -106,7 +106,7 @@
+ enabled  = false
+ filter   = sshd-ddos
+ action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+-logpath  = /var/log/sshd.log
+logpath  =  /var/log/messages
+ maxretry = 2
+ 
+ 
+@@ -135,7 +135,7 @@
+ filter   = gssftpd
+ action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
+            sendmail-whois[name=GSSFTPd, dest=you@example.com]
+-logpath  = /var/log/daemon.log
+logpath  = /var/log/messages
+ maxretry = 6
+ 
+ 
+@@ -144,7 +144,7 @@
+ enabled  = false
+ filter   = pure-ftpd
+ action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
+-logpath  = /var/log/pureftpd.log
+logpath  = /var/log/messages
+ maxretry = 6
+ 
+ 
+@@ -153,7 +153,7 @@
+ enabled  = false
+ filter   = wuftpd
+ action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
+-logpath  = /var/log/daemon.log
+logpath  = /var/log/messages
+ maxretry = 6
+ 
+ 
+@@ -162,7 +162,7 @@
+ enabled  = false
+ filter   = sendmail-auth
+ action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
+ 
+ 
+ [sendmail-reject]
+@@ -170,7 +170,7 @@
+ enabled  = false
+ filter   = sendmail-reject
+ action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
+ 
+ 
+ # This jail forces the backend to "polling".
+@@ -181,7 +181,7 @@
+ backend  = polling
+ action   = iptables[name=sasl, port=smtp, protocol=tcp]
+            sendmail-whois[name=sasl, dest=you@example.com]
+-logpath  = /var/log/mail.log
+logpath  = /var/log/mail
+ 
+ 
+ # ASSP SMTP Proxy Jail
+@@ -202,7 +202,7 @@
+ action      = hostsdeny[daemon_list=sshd]
+               sendmail-whois[name=SSH, dest=you@example.com]
+ ignoreregex = for myuser from
+-logpath     = /var/log/sshd.log
+logpath     = /var/log/messages
+ 
+ 
+ # Here we use blackhole routes for not requiring any additional kernel support
+@@ -212,7 +212,7 @@
+ enabled  = false
+ filter   = sshd
+ action   = route
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 5
+ 
+ 
+@@ -226,7 +226,7 @@
+ enabled  = false
+ filter   = sshd
+ action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 5
+ 
+ 
+@@ -235,7 +235,7 @@
+ enabled  = false
+ filter   = sshd
+ action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 5
+ 
+ 
+@@ -329,7 +329,7 @@
+ enabled = false
+ filter  = cyrus-imap
+ action  = iptables-multiport[name=cyrus-imap,port="143,993"]
+-logpath = /var/log/mail*log
+logpath = /var/log/mail
+ 
+ 
+ [courierlogin]
+@@ -337,7 +337,7 @@
+ enabled = false
+ filter  = courierlogin
+ action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
+-logpath = /var/log/mail*log
+logpath = /var/log/mail
+ 
+ 
+ [couriersmtp]
+@@ -345,7 +345,7 @@
+ enabled = false
+ filter  = couriersmtp
+ action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
+-logpath = /var/log/mail*log
+logpath = /var/log/mail
+ 
+ 
+ [qmail-rbl]
+@@ -361,7 +361,7 @@
+ enabled = false
+ filter  = sieve
+ action  = iptables-multiport[name=sieve,port="25,465,587"]
+-logpath = /var/log/mail*log
+logpath = /var/log/mail
+ 
+ 
+ # Do not ban anybody. Just report information about the remote host.
+@@ -396,7 +396,8 @@
+ filter   = apache-badbots
+ action   = iptables-multiport[name=BadBots, port="http,https"]
+            sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
+-logpath  = /var/www/*/logs/access_log
+logpath  = /var/log/apache/access_log
+           /var/log/apache2/*/access_log
+ bantime  = 172800
+ maxretry = 1
+ 
+@@ -466,7 +467,7 @@
+ enabled  = false
+ action   = iptables-multiport[name=php-url-open, port="http,https"]
+ filter   = php-url-fopen
+-logpath  = /var/www/*/logs/access_log
+logpath  = /var/log/apache/access_log
+ maxretry = 1
+ 
+ 
+@@ -500,7 +501,7 @@
+ filter   = sshd
+ action   = ipfw[localhost=192.168.0.1]
+            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
+-logpath  = /var/log/auth.log
+logpath  = /var/log/messages
+ ignoreip = 168.192.0.1
+ 
+ 
+@@ -531,7 +532,7 @@
+ filter   = named-refused
+ action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+            sendmail-whois[name=Named, dest=you@example.com]
+-logpath  = /var/log/named/security.log
+logpath  = /var/lib/named/log/security.log
+ ignoreip = 168.192.0.1
+ 
+ 
+@@ -601,7 +602,7 @@
+ filter   = mysqld-auth
+ action   = iptables[name=mysql, port=3306, protocol=tcp]
+            sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
+-logpath  = /var/log/mysqld.log
+logpath  = /var/log/mysql/mysqld.log
+ maxretry = 5
+ 
+ 
+@@ -610,7 +611,7 @@
+ enabled  = false
+ filter   = mysqld-auth
+ action   = iptables[name=mysql, port=3306, protocol=tcp]
+-logpath  = /var/log/daemon.log
+logpath  = /var/log/mysql/mysqld.log
+ maxretry = 5
+ 
+ 
+@@ -637,7 +638,7 @@
+ enabled  = false
+ filter   = sshd
+ action   = pf
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 5
+ 
+ 
+@@ -723,7 +724,7 @@
+ enabled = false
+ filter  = dovecot
+ action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
+-logpath = /var/log/mail.log
+logpath = /var/log/mail
+ 
+ 
+ [dovecot-auth]
+@@ -731,7 +732,7 @@
+ enabled = false
+ filter  = dovecot
+ action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
+-logpath = /var/log/secure
+logpath = /var/log/mail
+ 
+ 
+ [solid-pop3d]
+@@ -739,7 +740,7 @@
+ enabled = false
+ filter  = solid-pop3d
+ action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
+-logpath = /var/log/mail.log
+logpath = /var/log/mail
+ 
+ 
+ [selinux-ssh]
+@@ -761,7 +762,7 @@
+ action   = iptables[name=SSH, port=ssh, protocol=tcp]
+            sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+            blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
+-logpath  = /var/log/sshd.log
+logpath  = /var/log/messages
+ maxretry = 20
+ 
+ 
--- a/fail2ban.changes
+++ b/fail2ban.changes
@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Thu Aug 21 16:50:20 UTC 2014 - jweberhofer@weberhofer.at
+
+- Fixed check for %_unitdir to make fail2ban build under older systems, too.
+- Changed /usr to %{_prefix} in the spec file
+
+-------------------------------------------------------------------
+Wed Aug 20 15:44:54 UTC 2014 - jweberhofer@weberhofer.at
+
+- update to 0.8.14
+  * minor fixes for claimed Python 2.4 and 2.5 compatibility
+  * Handle case when inotify watch is auto deleted on file deletion to stop
+    error messages
+  * tests - fixed few "leaky" file descriptors when files were not closed while
+    being removed physically
+  * grep in mail*-whois-lines.conf now also matches end of line to work with
+    the recidive filter
+- add fail2ban-opensuse-locations.patch to fix default locations as suggested
+  in bnc#878028
+
+-------------------------------------------------------------------
+Wed Jun 25 15:13:37 UTC 2014 - lars@linux-schulserver.de
+
+- update to 0.8.13:
+  + Fixes:
+  - action firewallcmd-ipset had non-working actioncheck. Removed.
+    redhat bug #1046816.
+  - filter pureftpd - added _daemon which got removed. Added
+
+  + New Features:
+  - filter nagios - detects unauthorized access to the nrpe daemon (Ivo Truxa)
+  - filter sendmail-{auth,reject} (jserrachinha and cepheid666 and fab23).
+
+  + Enhancements:
+  - filter asterisk now supports syslog format
+  - filter pureftpd - added all translations of "Authentication failed for
+    user"
+  - filter dovecot - lip= was optional and extended TLS errors can occur.
+    Thanks Noel Butler.
+- removed fix-for-upstream-firewallcmd-ipset.conf.patch : fixed 
+  upstream
+- split out nagios-plugins-fail2ban package
+
 -------------------------------------------------------------------
 Tue Feb 18 00:03:12 UTC 2014 - jengelh@inai.de

--- a/fail2ban.spec
+++ b/fail2ban.spec
@ -17,14 +17,14 @@


 Name:           fail2ban
-Version:        0.8.12
+Version:        0.8.14
 Release:        0
 Url:            http://www.fail2ban.org/
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
 Group:          Productivity/Networking/Security

-Source0:        https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.bz2
+Source0:        https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz
 %if 0%{?suse_version} < 1230
 # the init-script requires lsof
 Requires:       lsof
@ -36,8 +36,8 @@ Source4:        %{name}.service
 Source5:        %{name}.tmpfiles
 Source6:        sfw-fail2ban.conf
 Source7:        f2b-restart.conf
-# PATCH-FIX-UPSTREAM fix-for-upstream-firewallcmd-ipset.conf.patch rh#1046816
-Patch0:         fix-for-upstream-firewallcmd-ipset.conf.patch
+# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhoferat -- update default locations for logfiles
+Patch100:       fail2ban-opensuse-locations.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 %if 0%{?suse_version} >= 1230
@ -65,7 +65,7 @@ These rules can be defined by the user. Fail2Ban can read multiple log
 files such as sshd or Apache web server ones.

 %package -n SuSEfirewall2-fail2ban
-Summary:        systemd files for integrating fail2ban into SuSEfirewall2
+Summary:        Files for integrating fail2ban into SuSEfirewall2 via systemd
 Group:          Productivity/Networking/Security
 BuildArch:      noarch
 Requires:       SuSEfirewall2
@ -76,11 +76,27 @@ This package ships systemd files which will cause fail2ban to be ordered
 in relation to SuSEfirewall2 such that the two can be run concurrently
 within reason, i.e. SFW will always run first because it does a table flush.

+%package -n nagios-plugins-fail2ban
+Summary:        Check fail2ban server and how many IPs are currently banned
+Group:          System/Monitoring
+%define         nagios_plugindir %{_prefix}/lib/nagios/plugins
+
+%description -n nagios-plugins-fail2ban
+This plugin checks if the fail2ban server is running and how many IPs are
+currently banned.  You can use this plugin to monitor all the jails or just a
+specific jail.
+
+How to use
+----------
+Just have to run the following command:
+  $ ./check_fail2ban --help
+
+
 %prep
 %setup
-%patch0 -p1
+%patch100 -p1
 # correct doc-path
-sed -i -e 's|/usr/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py
+sed -i -e 's|%{_prefix}/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py

 %build
 export CFLAGS="$RPM_OPT_FLAGS"
@ -111,15 +127,16 @@ install -m 644 %{SOURCE3}  $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/fail2ban
 install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
 install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service

-install -d -m755 $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/
-install -m644 %{SOURCE5} $RPM_BUILD_ROOT/usr/lib/tmpfiles.d/%{name}.conf
+install -d -m755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/
+install -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf
 %endif
-%if "%_unitdir" != ""
+%if 0%{?_unitdir:1}
 install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \
 	"%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf"
 install -Dm0644 "%_sourcedir/f2b-restart.conf" \
 	"%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf"
 %endif
+install -Dm755 files/nagios/check_fail2ban %{buildroot}/%{nagios_plugindir}/check_fail2ban

 %pre
 %if 0%{?suse_version} >= 1230
@ -129,7 +146,7 @@ install -Dm0644 "%_sourcedir/f2b-restart.conf" \
 %post
 %{fillup_only}
 %if 0%{?suse_version} >= 1230
-systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
+systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
 %service_add_post %{name}.service
 %endif

@ -148,7 +165,7 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %insserv_cleanup
 %endif

-%if "%_unitdir" != ""
+%if 0%{?_unitdir:1}
 %post -n SuSEfirewall2-fail2ban
 %_bindir/systemctl daemon-reload >/dev/null 2>&1 || :

@ -167,7 +184,7 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %config %{_sysconfdir}/logrotate.d/fail2ban
 %if 0%{?suse_version} >= 1230
 %{_unitdir}/%{name}.service
-/usr/lib/tmpfiles.d/%{name}.conf
+%{_prefix}/lib/tmpfiles.d/%{name}.conf
 %else
 %{_initrddir}/%{name}
 %{_sbindir}/rc%{name}
@ -179,11 +196,18 @@ systemd-tmpfiles --create /usr/lib/tmpfiles.d/%{name}.conf
 %doc %{_mandir}/man1/*
 %doc COPYING ChangeLog DEVELOP README.md TODO files/cacti

-%if "%{?_unitdir}" != ""
+%if 0%{?_unitdir:1}
 %files -n SuSEfirewall2-fail2ban
 %defattr(-,root,root)
 %_unitdir/SuSEfirewall2.service.d
 %_unitdir/fail2ban.service.d
 %endif

+%files -n nagios-plugins-fail2ban
+%defattr(-,root,root)
+%doc files/nagios/README COPYING
+%dir %{_prefix}/lib/nagios
+%dir %{nagios_plugindir}
+%{nagios_plugindir}/check_fail2ban
+
 %changelog
--- a/fix-for-upstream-firewallcmd-ipset.conf.patch
+++ b/fix-for-upstream-firewallcmd-ipset.conf.patch
@ -1,23 +0,0 @@
-diff -ur fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf
--- fail2ban-0.8.12.orig/config/action.d/firewallcmd-ipset.conf	2014-01-16 09:20:14.000000000 +0100
-+++ fail2ban-0.8.12/config/action.d/firewallcmd-ipset.conf	2014-01-23 22:43:53.115263616 +0100
-@@ -25,8 +25,6 @@
-              ipset flush fail2ban-<name>
-              ipset destroy fail2ban-<name>
- 
-actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q '^fail2ban-<name>$'
-
- actionban = ipset add fail2ban-<name> <ip> timeout <bantime> -exist
- 
- actionunban = ipset del fail2ban-<name> <ip> -exist
-diff -ur fail2ban-0.8.12.orig/THANKS fail2ban-0.8.12/THANKS
--- fail2ban-0.8.12.orig/THANKS	2014-01-21 21:59:49.000000000 +0100
-+++ fail2ban-0.8.12/THANKS	2014-01-23 22:43:53.115263616 +0100
-@@ -30,6 +30,7 @@
- Daniel B.
- Daniel Black
- David Nutter
-+Derek Atkins
- Eric Gerbier
- Enrico Labedzki
- ftoppi