rpm/fail2ban
SHA256
1
0
Fork 0
forked from pool/fail2ban
Code Pull Requests Activity

Accepting request 314806 from security

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/314806
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=39
This commit is contained in:
Dominique Leuenberger 2015-07-02 20:51:05 +00:00 committed by Git OBS Bridge
commit 2f86815bf5
12 changed files with 358 additions and 472 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
0.8.14.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2d579d9f403eb95064781ffb28aca2b258ca55d7a2ba056a8fa2b3e6b79721f2
size 228121

3
fail2ban-0.9.2.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:476687098303bdee8d6b69e05f190ab150e39e64d56ce158d29bbc5924b06f89
size 314902

58
fail2ban-exclude-dev-log-tests.patch Normal file
View File

@ -0,0 +1,58 @@
diff -ur fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py fail2ban-0.9.2/fail2ban/tests/servertestcase.py
--- fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py 2015-04-29 05:52:48.000000000 +0200
+++ fail2ban-0.9.2/fail2ban/tests/servertestcase.py 2015-05-08 15:57:57.021437562 +0200
@@ -778,32 +778,32 @@
self.setGetTest("logtarget", "STDOUT")
self.setGetTest("logtarget", "STDERR")
- def testLogTargetSYSLOG(self):
- if not os.path.exists("/dev/log") and sys.version_info >= (2, 7):
- raise unittest.SkipTest("'/dev/log' not present")
- elif not os.path.exists("/dev/log"):
- return
- self.assertTrue(self.server.getSyslogSocket(), "auto")
- self.setGetTest("logtarget", "SYSLOG")
- self.assertTrue(self.server.getSyslogSocket(), "/dev/log")
+# def testLogTargetSYSLOG(self):
+# if not os.path.exists("/dev/log") and sys.version_info >= (2, 7):
+# raise unittest.SkipTest("'/dev/log' not present")
+# elif not os.path.exists("/dev/log"):
+# return
+# self.assertTrue(self.server.getSyslogSocket(), "auto")
+# self.setGetTest("logtarget", "SYSLOG")
+# self.assertTrue(self.server.getSyslogSocket(), "/dev/log")
def testSyslogSocket(self):
self.setGetTest("syslogsocket", "/dev/log/NEW/PATH")
- def testSyslogSocketNOK(self):
- self.setGetTest("syslogsocket", "/this/path/should/not/exist")
- self.setGetTestNOK("logtarget", "SYSLOG")
- # set back for other tests
- self.setGetTest("syslogsocket", "/dev/log")
- self.setGetTest("logtarget", "SYSLOG",
- **{True: {}, # should work on Linux
- False: dict( # expect to fail otherwise
- outCode=1,
- outValue=Exception('Failed to change log target'),
- repr_=True # Exceptions are not comparable apparently
- )
- }[platform.system() in ('Linux',) and os.path.exists('/dev/log')]
- )
+# def testSyslogSocketNOK(self):
+# self.setGetTest("syslogsocket", "/this/path/should/not/exist")
+# self.setGetTestNOK("logtarget", "SYSLOG")
+# # set back for other tests
+# self.setGetTest("syslogsocket", "/dev/log")
+# self.setGetTest("logtarget", "SYSLOG",
+# **{True: {}, # should work on Linux
+# False: dict( # expect to fail otherwise
+# outCode=1,
+# outValue=Exception('Failed to change log target'),
+# repr_=True # Exceptions are not comparable apparently
+# )
+# }[platform.system() in ('Linux',) and os.path.exists('/dev/log')]
+# )
def testLogLevel(self):
self.setGetTest("loglevel", "HEAVYDEBUG")

12
fail2ban-issue_906-strptime.patch
View File

@ -1,12 +0,0 @@
diff -ur fail2ban-0.8.14.orig/common/__init__.py fail2ban-0.8.14/common/__init__.py
--- fail2ban-0.8.14.orig/common/__init__.py 2014-08-19 22:23:33.000000000 +0200
+++ fail2ban-0.8.14/common/__init__.py 2015-01-21 21:51:13.425141175 +0100
@@ -28,3 +28,7 @@
# Custom debug level
logging.HEAVYDEBUG = 5
+
+from time import strptime
+# strptime thread safety hack-around - http://bugs.python.org/issue7980
+strptime("2012", "%Y")

270
fail2ban-opensuse-locations.patch
View File

@ -1,256 +1,30 @@
diff -ur fail2ban-0.8.14.orig/config/jail.conf fail2ban-0.8.14/config/jail.conf diff -ur fail2ban-0.9.2-orig/config/jail.conf fail2ban-0.9.2/config/jail.conf
--- fail2ban-0.8.14.orig/config/jail.conf 2014-08-19 22:23:33.000000000 +0200 --- fail2ban-0.9.2-orig/config/jail.conf 2015-04-29 05:52:48.000000000 +0200
+++ fail2ban-0.8.14/config/jail.conf 2014-08-20 17:39:21.428256837 +0200 +++ fail2ban-0.9.2/config/jail.conf 2015-05-08 17:03:32.377375630 +0200
@@ -80,7 +80,7 @@ @@ -344,7 +344,7 @@
enabled = false [roundcube-auth]
filter = pam-generic
action = iptables-allports[name=pam,protocol=all] port = http,https
-logpath = /var/log/secure -logpath = /var/log/roundcube/userlogins
+logpath = /var/log/messages +logpath = /srv/www/roundcubemail/logs/errors
[xinetd-fail] [openwebmail]
@@ -97,7 +97,7 @@ @@ -617,7 +617,7 @@
filter = sshd # filter = named-refused
action = iptables[name=SSH, port=ssh, protocol=tcp] # port = domain,953
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"] # protocol = udp
-logpath = /var/log/sshd.log -# logpath = /var/log/named/security.log
+logpath = /var/log/messages +# logpath = /var/lib/named/log/security.log
maxretry = 5
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
@@ -625,7 +625,7 @@
[named-refused]
@@ -106,7 +106,7 @@ port = domain,953
enabled = false
filter = sshd-ddos
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 2
@@ -135,7 +135,7 @@
filter = gssftpd
action = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
sendmail-whois[name=GSSFTPd, dest=you@example.com]
-logpath = /var/log/daemon.log
+logpath = /var/log/messages
maxretry = 6
@@ -144,7 +144,7 @@
enabled = false
filter = pure-ftpd
action = iptables[name=pureftpd, port=ftp, protocol=tcp]
-logpath = /var/log/pureftpd.log
+logpath = /var/log/messages
maxretry = 6
@@ -153,7 +153,7 @@
enabled = false
filter = wuftpd
action = iptables[name=wuftpd, port=ftp, protocol=tcp]
-logpath = /var/log/daemon.log
+logpath = /var/log/messages
maxretry = 6
@@ -162,7 +162,7 @@
enabled = false
filter = sendmail-auth
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
[sendmail-reject]
@@ -170,7 +170,7 @@
enabled = false
filter = sendmail-reject
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
# This jail forces the backend to "polling".
@@ -181,7 +181,7 @@
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl, dest=you@example.com]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
# ASSP SMTP Proxy Jail
@@ -202,7 +202,7 @@
action = hostsdeny[daemon_list=sshd]
sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
# Here we use blackhole routes for not requiring any additional kernel support
@@ -212,7 +212,7 @@
enabled = false
filter = sshd
action = route
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 5
@@ -226,7 +226,7 @@
enabled = false
filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 5
@@ -235,7 +235,7 @@
enabled = false
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 5
@@ -329,7 +329,7 @@
enabled = false
filter = cyrus-imap
action = iptables-multiport[name=cyrus-imap,port="143,993"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
[courierlogin]
@@ -337,7 +337,7 @@
enabled = false
filter = courierlogin
action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
[couriersmtp]
@@ -345,7 +345,7 @@
enabled = false
filter = couriersmtp
action = iptables-multiport[name=couriersmtp,port="25,465,587"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
[qmail-rbl]
@@ -361,7 +361,7 @@
enabled = false
filter = sieve
action = iptables-multiport[name=sieve,port="25,465,587"]
-logpath = /var/log/mail*log
+logpath = /var/log/mail
# Do not ban anybody. Just report information about the remote host.
@@ -396,7 +396,8 @@
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
-logpath = /var/www/*/logs/access_log
+logpath = /var/log/apache/access_log
+ /var/log/apache2/*/access_log
bantime = 172800
maxretry = 1
@@ -466,7 +467,7 @@
enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen
-logpath = /var/www/*/logs/access_log
+logpath = /var/log/apache/access_log
maxretry = 1
@@ -500,7 +501,7 @@
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath = /var/log/auth.log
+logpath = /var/log/messages
ignoreip = 168.192.0.1
@@ -531,7 +532,7 @@
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=you@example.com]
-logpath = /var/log/named/security.log -logpath = /var/log/named/security.log
+logpath = /var/lib/named/log/security.log +logpath = /var/lib/named/log/security.log
ignoreip = 168.192.0.1
@@ -601,7 +602,7 @@
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
-logpath = /var/log/mysqld.log
+logpath = /var/log/mysql/mysqld.log
maxretry = 5
@@ -610,7 +611,7 @@
enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
-logpath = /var/log/daemon.log
+logpath = /var/log/mysql/mysqld.log
maxretry = 5
@@ -637,7 +638,7 @@
enabled = false
filter = sshd
action = pf
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 5
@@ -723,7 +724,7 @@
enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
[dovecot-auth]
@@ -731,7 +732,7 @@
enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
-logpath = /var/log/secure
+logpath = /var/log/mail
[solid-pop3d]
@@ -739,7 +740,7 @@
enabled = false
filter = solid-pop3d
action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
-logpath = /var/log/mail.log
+logpath = /var/log/mail
[selinux-ssh]
@@ -761,7 +762,7 @@
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
-logpath = /var/log/sshd.log
+logpath = /var/log/messages
maxretry = 20
[nsd]

18
fail2ban-opensuse-service.patch Normal file
View File

@ -0,0 +1,18 @@
diff -ur fail2ban-0.9.2-orig/files/fail2ban.service fail2ban-0.9.2/files/fail2ban.service
--- fail2ban-0.9.2-orig/files/fail2ban.service 2015-04-29 05:52:48.000000000 +0200
+++ fail2ban-0.9.2/files/fail2ban.service 2015-05-07 10:52:04.187045581 +0200
@@ -1,11 +1,12 @@
[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service
+After=network.target SuSEfirewall2.service
[Service]
Type=forking
-ExecStart=/usr/bin/fail2ban-client -x start
+EnvironmentFile=-/etc/sysconfig/fail2ban
+ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid

3
fail2ban-rpmlintrc Normal file
View File

@ -0,0 +1,3 @@
addFilter("W: htaccess-file .*tests.*")
addFilter("W: hidden-file-or-dir .*tests.*")
addFilter("W: no-manual-page-for-binary fail2ban-testcases")

77
fail2ban.changes
View File

@ -1,3 +1,80 @@
-------------------------------------------------------------------
Thu Jul 2 06:38:00 UTC 2015 - jweberhofer@weberhofer.at
- Note: fail2ban-issue_906-strptime.patch has been removed as it is already
integrated in the current version.
-------------------------------------------------------------------
Mon Jun 8 13:27:00 UTC 2015 - jweberhofer@weberhofer.at
- Removed "backend" setting from paths-opensuse.conf
-------------------------------------------------------------------
Fri May 8 14:01:31 UTC 2015 - jweberhofer@weberhofer.at
- Update to version 0.9.2 (requested in boo#917818)
Read the full changelog in /usr/share/doc/packages/fail2ban/ChangeLog
Here are some notes to be read when updating existing installations:
The default log-backend for openssue 13.2+ is now systemd
* jail.conf was heavily refactored and now is similar to how it looked on
Debian systems:
- default action could be configured once for all jails
- jails definitions only provide customizations (port, logpath)
- no need to specify 'filter' if name matches jail name
* Added fail2ban persistent database
- default location at /var/lib/fail2ban/fail2ban.sqlite3
- allows active bans to be reinstated on restart
- log files read from last position after restart
* Added systemd journal backend
- Dependency on python-systemd
- New "journalmatch" option added to filter configs files
- New "systemd-journal" option added to fail2ban-regex
* Support %z (Timezone offset) and %f (sub-seconds) support for datedetector.
Enhanced existing date/time have been updated patterns to support these.
ISO8601 now defaults to localtime unless specified otherwise. Some filters
have been change as required to capture these elements in the right
timezone correctly.
* Log levels are now set by Syslog style strings e.g. DEBUG, ERROR.
* Optionally can read log files starting from "head" or "tail". See "logpath"
option in jail.conf(5) man page.
* Can now set log encoding for files per jail.Default uses systemd locale.
* iptables-common.conf replaced iptables-blocktype.conf
(iptables-blocktype.local should still be read) and now also provides
defaults for the chain, port, protocol and name tags
- Require whois
- Whereever possible, path-definitions have been moved paths-opensuse.conf
which has been submittet upstream
- Use default fail2ban.service including fail2ban-opensuse-service.patch
- Use default suse-initd from upstream
- Run test-cases during build
- run fdupes
- Tests have been moved to a seperate page
- Added rpmlintrc file to ignore some hidden files in the test package
- Must build arch-depended packages for SLES 11
- Removed two tests which can't run on the build server with openSUSE
before 13.3: fail2ban-exclude-dev-log-tests.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com Tue Apr 14 07:10:43 UTC 2015 - mpluskal@suse.com

114
fail2ban.init
View File

@ -1,114 +0,0 @@
#!/bin/sh
#
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $remote_fs $local_fs
# Should-Start: $syslog $time $network iptables
# Required-Stop: $remote_fs $local_fs
# Should-Stop: $syslog $time $network iptables
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Pidfile: /var/run/fail2ban/fail2ban.pid
# Short-Description: Bans IPs with too many authentication failures
# Description: Start fail2ban to scan logfiles and ban IP addresses
# which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO
# Check for missing binaries (stale symlinks should not happen)
FAIL2BAN_CLI=/usr/bin/fail2ban-client
test -x $FAIL2BAN_CLI || { echo "$FAIL2BAN_CLI not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
FAIL2BAN_SRV=/usr/bin/fail2ban-server
test -x $FAIL2BAN_SRV || { echo "$FAIL2BAN_SRV not installed";
if [ "$1" = "stop" ]; then exit 0;
else exit 5; fi; }
FAIL2BAN_CONFIG="/etc/sysconfig/fail2ban"
FAIL2BAN_SOCKET_DIR="/var/run/fail2ban"
FAIL2BAN_SOCKET="$FAIL2BAN_SOCKET_DIR/fail2ban.sock"
FAIL2BAN_PID="$FAIL2BAN_SOCKET_DIR/fail2ban.pid"
if [ -e $FAIL2BAN_CONFIG ]; then
. $FAIL2BAN_CONFIG
fi
. /etc/rc.status
rc_reset
case "$1" in
start)
echo -n "Starting fail2ban "
if [ ! -d $FAIL2BAN_SOCKET_DIR ]; then
mkdir -p $FAIL2BAN_SOCKET_DIR
fi
if [ -e $FAIL2BAN_SOCKET ]; then
if ! lsof -n $FAIL2BAN_SOCKET &>/dev/null; then
rm $FAIL2BAN_SOCKET
fi
fi
$FAIL2BAN_CLI -x -q $FAIL2BAN_OPTIONS start &>/dev/null 2>&1
rc_status -v
;;
stop)
echo -n "Shutting down fail2ban "
## Stop daemon with built-in functionality 'stop'
/sbin/startproc -w $FAIL2BAN_CLI -q stop > /dev/null 2>&1
if [ -f $FAIL2BAN_SOCKET ]
then
echo "$FAIL2BAN_SOCKET not removed .. removing .."
rm $FAIL2BAN_SOCKET
fi
if [ -f $FAIL2BAN_PID ]
then
echo "$FAIL2BAN_PID not removed .. removing .."
rm $FAIL2BAN_PID
fi
rc_status -v
;;
try-restart|condrestart)
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
rc_status
;;
restart)
$0 stop
i=60
while [ -e $FAIL2BAN_SOCKET ] && [ $i -gt 0 ]; do
sleep 1
i=$[$i-1]
echo -n "."
done
$0 start
rc_status
;;
reload|force-reload)
echo -n "Reload service Fail2ban "
/sbin/startproc $FAIL2BAN_CLI -q reload > /dev/null 2>&1
rc_status -v
;;
status)
echo -n "Checking for service fail2ban "
/sbin/checkproc $FAIL2BAN_SRV
rc_status -v
;;
*)
echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
exit 1
;;
esac
rc_exit

15
fail2ban.service
View File

@ -1,15 +0,0 @@
[Unit]
Description=Bans IPs with too many authentication failures
After=network.target SuSEfirewall2.service
[Service]
Type=forking
EnvironmentFile=-/etc/sysconfig/fail2ban
PIDFile=/run/fail2ban/fail2ban.pid
ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start
ExecReload=/usr/bin/fail2ban-client reload
ExecStop=/usr/bin/fail2ban-client stop
[Install]
WantedBy=multi-user.target

221
fail2ban.spec
View File

@ -17,44 +17,56 @@
Name: fail2ban Name: fail2ban
Version: 0.8.14 Version: 0.9.2
Release: 0 Release: 0
Url: http://www.fail2ban.org/
Summary: Bans IP addresses that make too many authentication failures Summary: Bans IP addresses that make too many authentication failures
License: GPL-2.0+ License: GPL-2.0+
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
Url: http://www.fail2ban.org/
Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz Source0: https://github.com/fail2ban/fail2ban/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
%if 0%{?suse_version} < 1230
# the init-script requires lsof
Requires: lsof
Source1: %{name}.init
%endif
Source2: %{name}.sysconfig Source2: %{name}.sysconfig
Source3: %{name}.logrotate Source3: %{name}.logrotate
Source4: %{name}.service
Source5: %{name}.tmpfiles Source5: %{name}.tmpfiles
Source6: sfw-fail2ban.conf Source6: sfw-fail2ban.conf
Source7: f2b-restart.conf Source7: f2b-restart.conf
# Path definitions have been submitted to upstream
Source8: paths-opensuse.conf
# ignore some rpm-lint messages
Source200: %{name}-rpmlintrc
# PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles # PATCH-FIX-OPENSUSE fail2ban-opensuse-locations.patch bnc#878028 jweberhofer@weberhofer.at -- update default locations for logfiles
Patch100: fail2ban-opensuse-locations.patch Patch100: fail2ban-opensuse-locations.patch
# PATCH-FIX-UPSTREAM fail2ban-issue_906-strptime.patch bnc#914075, gh#fail2ban/fail2ban#906 jweberhofer@weberhofer.at -- Fix strptime thread safety issue # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
Patch101: fail2ban-issue_906-strptime.patch Patch101: fail2ban-opensuse-service.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: fdupes
BuildArch: noarch
%if 0%{?suse_version} >= 1230
%{?systemd_requires}
BuildRequires: systemd
%endif
BuildRequires: logrotate BuildRequires: logrotate
BuildRequires: python-devel BuildRequires: python-devel
# timezone package is required to run the tests
BuildRequires: timezone
Requires: cron Requires: cron
Requires: ed Requires: ed
Requires: iptables Requires: iptables
Requires: logrotate Requires: logrotate
Requires: python >= 2.5 Requires: python >= 2.5
Requires: whois
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} < 1321
# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3
Patch102: fail2ban-exclude-dev-log-tests.patch
%endif
%if 0%{?suse_version} != 1110
BuildArch: noarch
%endif
%if 0%{?suse_version} < 1230
# the init-script requires lsof
Requires: lsof
Requires: syslog Requires: syslog
%if 0%{?suse_version} >= 1140 && 0%{?sles_version} == 0 %else
BuildRequires: systemd
Requires: systemd
%{?systemd_requires}
%endif
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
BuildRequires: python-pyinotify
Requires: python-pyinotify Requires: python-pyinotify
%endif %endif
%if 0%{?suse_version} >= 1220 %if 0%{?suse_version} >= 1220
@ -62,29 +74,35 @@ Requires: python-gamin
%endif %endif
%description %description
Fail2ban scans log files like /var/log/messages and bans IP addresses Fail2ban scans log files like %{_localstatedir}/log/messages and bans IP
that makes too many password failures. It updates firewall rules to addresses that makes too many password failures. It updates firewall rules to
reject the IP address, can send e-mails, or set host.deny entries. reject the IP address, can send e-mails, or set host.deny entries. These rules
These rules can be defined by the user. Fail2Ban can read multiple log can be defined by the user. Fail2Ban can read multiple log files such as sshd
files such as sshd or Apache web server ones. or Apache web server ones.
%package tests
Summary: Test-cases for fail2ban
Group: System/Monitoring
%description tests
This package contains fail2ban's testcases
%package -n SuSEfirewall2-fail2ban %package -n SuSEfirewall2-fail2ban
Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd Summary: Files for integrating fail2ban into SuSEfirewall2 via systemd
Group: Productivity/Networking/Security Group: Productivity/Networking/Security
BuildArch: noarch
Recommends: packageand(SuSEfirewall2:fail2ban)
Requires: SuSEfirewall2 Requires: SuSEfirewall2
Requires: fail2ban Requires: fail2ban
Recommends: packageand(SuSEfirewall2:fail2ban)
%description -n SuSEfirewall2-fail2ban %description -n SuSEfirewall2-fail2ban
This package ships systemd files which will cause fail2ban to be ordered This package ships systemd files which will cause fail2ban to be ordered in
in relation to SuSEfirewall2 such that the two can be run concurrently relation to SuSEfirewall2 such that the two can be run concurrently within
within reason, i.e. SFW will always run first because it does a table flush. reason, i.e. SFW will always run first because it does a table flush.
%package -n nagios-plugins-fail2ban %package -n nagios-plugins-fail2ban
%define nagios_plugindir %{_libexecdir}/nagios/plugins
Summary: Check fail2ban server and how many IPs are currently banned Summary: Check fail2ban server and how many IPs are currently banned
Group: System/Monitoring Group: System/Monitoring
%define nagios_plugindir %{_prefix}/lib/nagios/plugins
%description -n nagios-plugins-fail2ban %description -n nagios-plugins-fail2ban
This plugin checks if the fail2ban server is running and how many IPs are This plugin checks if the fail2ban server is running and how many IPs are
@ -96,54 +114,91 @@ How to use
Just have to run the following command: Just have to run the following command:
$ ./check_fail2ban --help $ ./check_fail2ban --help
%prep %prep
%setup %setup -q
install -m644 %{SOURCE8} config/paths-opensuse.conf
# Use openSUSE paths
sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
%patch100 -p1 %patch100 -p1
%patch101 -p1 %patch101 -p1
%if 0%{?suse_version} < 1321
%patch102 -p1
%endif
rm config/paths-debian.conf \
config/paths-fedora.conf \
config/paths-freebsd.conf \
config/paths-osx.conf
# correct doc-path # correct doc-path
sed -i -e 's|%{_prefix}/share/doc/fail2ban|%{_docdir}/%{name}|' setup.py sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py
%build %build
export CFLAGS="$RPM_OPT_FLAGS" export CFLAGS="%{optflags}"
python setup.py build python setup.py build
gzip man/*.1 gzip man/*.{1,5}
%install %install
python setup.py install \ python setup.py install \
--root=$RPM_BUILD_ROOT \ --root=%{buildroot} \
--prefix=%{_prefix} --prefix=%{_prefix}
install -d -m755 $RPM_BUILD_ROOT/%{_mandir}/man1
for i in fail2ban-client fail2ban-regex fail2ban-server; do
install -m644 man/${i}.1.gz $RPM_BUILD_ROOT/%{_mandir}/man1
done
install -d -m755 $RPM_BUILD_ROOT/%{_initrddir}
install -d -m755 $RPM_BUILD_ROOT/%{_sbindir}
%if 0%{?suse_version} < 1230
install -m755 %{SOURCE1} $RPM_BUILD_ROOT/%{_initrddir}/%{name}
ln -sf %{_initrddir}/%{name} ${RPM_BUILD_ROOT}%{_sbindir}/rc%{name}
%endif
install -d -m755 $RPM_BUILD_ROOT/var/adm/fillup-templates
install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/var/adm/fillup-templates/sysconfig.%{name}
install -d -m755 $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d install -d -m 755 %{buildroot}%{_mandir}/man{1,5}
install -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/logrotate.d/fail2ban install -p -m 644 man/fail2ban-*.1.gz %{buildroot}%{_mandir}/man1
install -p -m 644 man/jail.conf.5.gz %{buildroot}%{_mandir}/man5
install -d -m 755 %{buildroot}%{_initrddir}
install -d -m 755 %{buildroot}%{_sbindir}
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} >= 1230
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/%{name}.service
install -d -m755 $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/ install -d -m 755 %{buildroot}%{_unitdir}
install -m644 %{SOURCE5} $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d/%{name}.conf install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
sed -i -e 's/^backend = auto/backend = systemd/' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf
%else
install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
%endif %endif
install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates
install -p -m 644 %{SOURCE2} %{buildroot}%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/fail2ban
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
install -Dm0644 "%_sourcedir/sfw-fail2ban.conf" \ install -Dm 0644 "%{_sourcedir}/sfw-fail2ban.conf" \
"%buildroot/%_unitdir/SuSEfirewall2.service.d/fail2ban.conf" "%{buildroot}%{_unitdir}/SuSEfirewall2.service.d/fail2ban.conf"
install -Dm0644 "%_sourcedir/f2b-restart.conf" \ install -D -m 0644 "%{_sourcedir}/f2b-restart.conf" \
"%buildroot/%_unitdir/fail2ban.service.d/SuSEfirewall2.conf" "%{buildroot}%{_unitdir}/fail2ban.service.d/SuSEfirewall2.conf"
%endif
install -D -m 755 files/nagios/check_fail2ban %{buildroot}%{nagios_plugindir}/check_fail2ban
# install docs using the macro
rm -r %{buildroot}%{_docdir}/%{name}
# remove duplicates
%fdupes -s %{buildroot}%{python_sitelib}
%check
#stat /dev/log
#python -c "import platform; print(platform.system())"
# tests require python-pyinotify to be installed, so don't run them on older versions
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
# Need a UTF-8 locale to work
export LANG=en_US.UTF-8
./fail2ban-testcases-all --no-network
%endif %endif
install -Dm755 files/nagios/check_fail2ban %{buildroot}/%{nagios_plugindir}/check_fail2ban
%pre %pre
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} >= 1230
@ -151,9 +206,9 @@ install -Dm755 files/nagios/check_fail2ban %{buildroot}/%{nagios_plugindir}/chec
%endif %endif
%post %post
%{fillup_only} %fillup_only
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} >= 1230
systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
%service_add_post %{name}.service %service_add_post %{name}.service
%endif %endif
@ -174,46 +229,52 @@ systemd-tmpfiles --create %{_prefix}/lib/tmpfiles.d/%{name}.conf
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
%post -n SuSEfirewall2-fail2ban %post -n SuSEfirewall2-fail2ban
%_bindir/systemctl daemon-reload >/dev/null 2>&1 || : %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
%postun -n SuSEfirewall2-fail2ban %postun -n SuSEfirewall2-fail2ban
%_bindir/systemctl daemon-reload >/dev/null 2>&1 || : %{_bindir}/systemctl daemon-reload >/dev/null 2>&1 || :
%endif %endif
%files %files
%defattr(-, root, root) %defattr(-, root, root)
%dir %{_sysconfdir}/%{name} %config(noreplace) %{_sysconfdir}/%{name}
%dir %{_sysconfdir}/%{name}/action.d
%dir %{_sysconfdir}/%{name}/filter.d
%config(noreplace) %{_sysconfdir}/%{name}/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/action.d/*.conf
%config(noreplace) %{_sysconfdir}/%{name}/filter.d/*.conf
%config %{_sysconfdir}/logrotate.d/fail2ban %config %{_sysconfdir}/logrotate.d/fail2ban
%dir %{_localstatedir}/lib/fail2ban/
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} >= 1230
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%{_prefix}/lib/tmpfiles.d/%{name}.conf %{_libexecdir}/tmpfiles.d/%{name}.conf
%else %else
%{_initrddir}/%{name} %{_initddir}/%{name}
%{_sbindir}/rc%{name} %{_sbindir}/rc%{name}
%dir %ghost /var/run/%{name} %dir %ghost %{_localstatedir}/run/%{name}
%endif %endif
%{_bindir}/%{name}* %{_bindir}/fail2ban-server
%{_datadir}/%{name} %{_bindir}/fail2ban-client
/var/adm/fillup-templates/sysconfig.%{name} %{_bindir}/fail2ban-regex
%doc %{_mandir}/man1/* %{python_sitelib}/%{name}
%doc COPYING ChangeLog DEVELOP README.md TODO files/cacti %exclude %{python_sitelib}/%{name}/tests
%{python_sitelib}/%{name}-*
%{_localstatedir}/adm/fillup-templates/sysconfig.%{name}
%{_mandir}/man1/*
%{_mandir}/man5/*
%doc README.md TODO ChangeLog COPYING doc/*.txt
%if 0%{?_unitdir:1} %if 0%{?_unitdir:1}
%files -n SuSEfirewall2-fail2ban %files -n SuSEfirewall2-fail2ban
%defattr(-,root,root) %defattr(-,root,root)
%_unitdir/SuSEfirewall2.service.d %{_unitdir}/SuSEfirewall2.service.d
%_unitdir/fail2ban.service.d %{_unitdir}/fail2ban.service.d
%endif %endif
%files tests
%defattr(-,root,root)
%{_bindir}/fail2ban-testcases
%{python_sitelib}/%{name}/tests
%files -n nagios-plugins-fail2ban %files -n nagios-plugins-fail2ban
%defattr(-,root,root) %defattr(-,root,root)
%doc files/nagios/README COPYING %doc files/nagios/README COPYING
%dir %{_prefix}/lib/nagios %dir %{_libexecdir}/nagios
%dir %{nagios_plugindir} %dir %{nagios_plugindir}
%{nagios_plugindir}/check_fail2ban %{nagios_plugindir}/check_fail2ban

36
paths-opensuse.conf Normal file
View File

@ -0,0 +1,36 @@
# openSUSE log-file locations
[INCLUDES]
before = paths-common.conf
after = paths-overrides.local
[DEFAULT]
syslog_local0 = /var/log/messages
syslog_mail = /var/log/mail
syslog_mail_warn = %(syslog_mail)s
syslog_authpriv = %(syslog_local0)s
syslog_user = %(syslog_local0)s
syslog_ftp = %(syslog_local0)s
syslog_daemon = %(syslog_local0)s
apache_error_log = /var/log/apache2/*error_log
apache_access_log = /var/log/apache2/*access_log
pureftpd_log = %(syslog_local0)s
exim_main_log = /var/log/exim/main.log
mysql_log = /var/log/mysql/mysqld.log
solidpop3d_log = %(syslog_mail)s