From 346c68ba2961dd0f76f9279e1af4b5fb8aa320e218e97ba76e0c009cdaee0449 Mon Sep 17 00:00:00 2001 
From: Johannes Weberhofer Date: Tue, 24 Oct 2017 10:04:00 +0000 Subject: [PATCH] Accepting request 536273 from home:weberho:branches:security - Updated to version 0.10.1. Changelog: https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog - Removed 607568f.patch and 1783.patch - New features: * IPv6 support - IP addresses are now handled as objects rather than strings capable for handling both address types IPv4 and IPv6 - iptables related actions have been amended to support IPv6 specific actions additionally - hostsdeny and route actions have been tested to be aware of v4 and v6 already - pf action for *BSD systems has been improved and supports now also v4 and v6 - name resolution is now working for either address type - new conditional section functionality used in config resp. includes: - [Init?family=inet4] - IPv4 qualified hosts only - [Init?family=inet6] - IPv6 qualified hosts only * Reporting via abuseipdb.com - Bans can now be reported to abuseipdb - Categories must be set in the config - Relevant log lines included in report * Several commands extended and new commands introduced * Implemented execution of `actionstart` on demand * nftables actions are IPv6-capable now * Introduced new filter option `prefregex` for pre-filtering using single regular expression * Many times faster because of several optimizations * Several filters optimized * Introduced new jail option "ignoreself" - Lots of fixes and internal improvements - Incompatibilities: * Filter (or `failregex`) internal capture-groups: - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). Of course you can always use your own capture-group (like below `_cond_ip_`) to do this.
``` testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" ``` - New internal groups (currently reserved for internal usage): `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if mapping from tag `` used in failregex (e. g. `user` by ``). * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some user configurations resp. `datepattern`. * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are IPv6-capable now. OBS-URL: https://build.opensuse.org/request/show/536273 OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=83 --- 1783.patch | 50 ----------------------------- 607568f.patch | 34 -------------------- fail2ban-0.10.1.tar.gz | 3 ++ fail2ban-0.9.7.tar.gz | 3 -- fail2ban-opensuse-service.patch | 31 +++++++++++------- fail2ban.changes | 56 +++++++++++++++++++++++++++++++++ fail2ban.spec | 25 ++++++--------- 7 files changed, 88 insertions(+), 114 deletions(-) delete mode 100644 1783.patch delete mode 100644 607568f.patch create mode 100644 fail2ban-0.10.1.tar.gz delete mode 100644 fail2ban-0.9.7.tar.gz diff --git a/1783.patch b/1783.patch deleted file mode 100644 index bceea22..0000000 --- a/1783.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -diff -ur fail2ban-0.9.7-orig/config/filter.d/roundcube-auth.conf fail2ban-0.9.7/config/filter.d/roundcube-auth.conf ---- fail2ban-0.9.7-orig/config/filter.d/roundcube-auth.conf 2017-05-11 03:38:57.000000000 +0200 -+++ fail2ban-0.9.7/config/filter.d/roundcube-auth.conf 2017-06-26 16:57:15.171337942 +0200 -@@ -7,16 +7,30 @@ - # The logpath in your jail can be updated to userlogins if you wish - # - -+ -+[Definition] -+# Fail2Ban configuration file for roundcube web server authentication failures -+# -+# When you enable systemd-logging, this filter needs "$config['log_driver']" set -+# to "syslog" in the roundcube configuration -+# -+ - [INCLUDES] - - before = common.conf - - [Definition] - --failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from (\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ -- ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from in session \w+( \(error: \d\))?$ -+prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: -+ -+failregex = %(prefregex)s (?:FAILED login|Login failed) for (?P.*) from (\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$ -+ %(prefregex)s (?:<[\w]+> )?Failed login for (?P.*) from in session \w+( \(error: \d\))?$ -+ -+ignoreregex = -+ -+[Init] -+journalmatch = SYSLOG_IDENTIFIER=roundcube - --ignoreregex = - # DEV Notes: - # - # Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180 -diff -ur fail2ban-0.9.7-orig/config/jail.conf fail2ban-0.9.7/config/jail.conf ---- fail2ban-0.9.7-orig/config/jail.conf 2017-05-11 03:38:57.000000000 +0200 -+++ fail2ban-0.9.7/config/jail.conf 2017-06-26 10:37:10.200062390 +0200 -@@ -379,7 +379,8 @@ - - port = http,https - logpath = %(roundcube_errors_log)s -- -+# Use following line in your jail.local if roundcube logs to journal. 
-+#backend = %(syslog_backend)s - - [openwebmail] - diff --git a/607568f.patch b/607568f.patch deleted file mode 100644 index 7b55c7a..0000000 --- a/607568f.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 607568f5da9e6b962c43d59280d72bd678c08afa Mon Sep 17 00:00:00 2001 -From: Filippo Tessarotto -Date: Tue, 7 Feb 2017 12:58:04 +0100 -Subject: [PATCH] Postfix RBL: 554 & SMTP - ---- - config/filter.d/postfix-rbl.conf | 2 +- - fail2ban/tests/files/logs/postfix-rbl | 3 +++ - 2 files changed, 4 insertions(+), 1 deletion(-) - -diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf -index c3f8c33..0a9078f 100644 ---- a/config/filter.d/postfix-rbl.conf -+++ b/config/filter.d/postfix-rbl.conf -@@ -12,7 +12,7 @@ before = common.conf - - _daemon = postfix(-\w+)?/smtpd - --failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ -+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b - - ignoreregex = - -diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl -index eff01bf..6aeac03 100644 ---- a/fail2ban/tests/files/logs/postfix-rbl -+++ b/fail2ban/tests/files/logs/postfix-rbl -@@ -3,3 +3,6 @@ Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.examp - - # failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" } - Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from= to= proto=ESMTP helo= -+ -+# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" } -+Feb 7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from= to= proto=SMTP helo= 
diff --git a/fail2ban-0.10.1.tar.gz b/fail2ban-0.10.1.tar.gz
new file mode 100644
index 0000000..76c56a8
--- /dev/null
+++ b/fail2ban-0.10.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19bac652e50f35b3b58ea010c2b89b91b945365d37dbf17467e0dc345c058465
+size 465156
diff --git a/fail2ban-0.9.7.tar.gz b/fail2ban-0.9.7.tar.gz
deleted file mode 100644
index 7ebfa3a..0000000
--- a/fail2ban-0.9.7.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2817eb0d4f670bef2a79a5a9cfb824b41a4445f5a92a307a453ac95f497c7440
-size 356374
diff --git a/fail2ban-opensuse-service.patch b/fail2ban-opensuse-service.patch
index 53c55cd..918d967 100644
--- a/fail2ban-opensuse-service.patch
+++ b/fail2ban-opensuse-service.patch
@@ -1,21 +1,28 @@ -Index: files/fail2ban.service -=================================================================== ---- files/fail2ban.service.orig -+++ files/fail2ban.service -@@ -1,12 +1,13 @@ +diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in +--- fail2ban-0.10.1.orig/files/fail2ban.service.in 2017-10-12 13:46:46.000000000 +0200 ++++ fail2ban-0.10.1/files/fail2ban.service.in 2017-10-21 07:33:59.289164729 +0200 +@@ -1,17 +1,18 @@ [Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) -After=network.target iptables.service firewalld.service -PartOf=iptables.service firewalld.service -+After=network.target SuSEfirewall2.service -+PartOf=SuSEfirewall2.service ++After=network.target iptables.service firewalld.service SuSEfirewall2.service ++PartOf=iptables.service firewalld.service SuSEfirewall2.service [Service] - Type=forking --ExecStart=/usr/bin/fail2ban-client -x start + Type=simple +EnvironmentFile=-/etc/sysconfig/fail2ban -+ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start - ExecStop=/usr/bin/fail2ban-client stop - ExecReload=/usr/bin/fail2ban-client reload + ExecStartPre=/bin/mkdir -p /var/run/fail2ban +-ExecStart=@BINDIR@/fail2ban-server -xf start ++ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start + # if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local +-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start +-ExecStop=@BINDIR@/fail2ban-client stop +-ExecReload=@BINDIR@/fail2ban-client reload ++# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start ++ExecStop=/usr/bin/fail2ban-client stop ++ExecReload=/usr/bin/fail2ban-client reload PIDFile=/var/run/fail2ban/fail2ban.pid + Restart=on-failure + RestartPreventExitStatus=0 255 diff --git a/fail2ban.changes b/fail2ban.changes index 00256cf..ff6ef82 100644 --- a/fail2ban.changes +++ b/fail2ban.changes 
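Review bot: The new `ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start` line takes its arguments from `/etc/sysconfig/fail2ban`, and nothing beside it records that this file is as sensitive as the unit itself. systemd splits an unquoted `$FAIL2BAN_OPTIONS` into separate arguments, so whoever can write the sysconfig file chooses the options of a daemon that manages firewall rules; no `User=` line is visible in the hunk, so the server presumably runs as root. I would add a comment above `EnvironmentFile=` such as `# /etc/sysconfig/fail2ban must be owned by root and not writable by group or others; FAIL2BAN_OPTIONS is split into arguments by systemd`, and have the package ship the file with matching ownership and mode. The same comment can state that the leading `-` in `EnvironmentFile=-` makes a missing file non-fatal, in which case the variable expands to nothing. The patched unit presumably continues past the lines shown in this hunk.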
@@ -1,3 +1,59 @@ +------------------------------------------------------------------- +Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at + +- Updated to version 0.10.1. Changelog: + https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog + +- Removed 607568f.patch and 1783.patch + +- New features: + * IPv6 support + - IP addresses are now handled as objects rather than strings capable for + handling both address types IPv4 and IPv6 + - iptables related actions have been amended to support IPv6 specific actions + additionally + - hostsdeny and route actions have been tested to be aware of v4 and v6 already + - pf action for *BSD systems has been improved and supports now also v4 and v6 + - name resolution is now working for either address type + - new conditional section functionality used in config resp. includes: + - [Init?family=inet4] - IPv4 qualified hosts only + - [Init?family=inet6] - IPv6 qualified hosts only + * Reporting via abuseipdb.com + - Bans can now be reported to abuseipdb + - Catagories must be set in the config + - Relevant log lines included in report + * Several commands extended and new commands introduced + * Implemented execution of `actionstart` on demand + * nftables actions are IPv6-capable now + * Introduced new filter option `prefregex` for pre-filtering using single regular expression + * Many times faster because of several optimizations + * Several filters optimized + * Introduced new jail option "ignoreself" + + +- Lots of fixes and internal improvements + +- Incompatibitilities: + * Filter (or `failregex`) internal capture-groups: + - If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should + rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)` + (or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings). + + Of course you can always your own capture-group (like below `_cond_ip_`) to do this. 
+ ``` + testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1" + fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_>): bad host (?P=_cond_ip_)$" + ``` + - New internal groups (currently reserved for internal usage): + `ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if + mapping from tag `` used in failregex (e. g. `user` by ``). + + * v.0.10 uses more precise date template handling, that can be theoretically incompatible to some + user configurations resp. `datepattern`. + + * Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are + IPv6-capable now. + ------------------------------------------------------------------- Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at diff --git a/fail2ban.spec b/fail2ban.spec index f085075..3c47af3 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -18,7 +18,7 @@ %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} Name: fail2ban -Version: 0.9.7 +Version: 0.10.1 Release: 0 Summary: Bans IP addresses that make too many authentication failures License: GPL-2.0+ @@ -38,10 +38,6 @@ Source200: %{name}-rpmlintrc Patch100: %{name}-opensuse-locations.patch # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file Patch101: %{name}-opensuse-service.patch -# PATCH-UPSTREAM 607568f.patch bnc#1036928 jweberhofer@weberhofer.at -- Postfix RBL: 554 & SMTP -Patch102: 607568f.patch -# PATCH-UPSTREAM 1783.patch jweberhofer@weberhofer.at -- Updated roundcube authentication filter -Patch103: 1783.patch # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases Patch200: %{name}-disable-iptables-w-option.patch BuildRequires: fdupes 
@@ -53,7 +49,7 @@ Requires: cron Requires: ed Requires: iptables Requires: logrotate -Requires: python >= 2.5 +Requires: python >= 2.6 Requires: whois BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} != 1110 @@ -64,7 +60,7 @@ BuildArch: noarch BuildRequires: python-systemd BuildRequires: systemd Requires: python-systemd -Requires: systemd +Requires: systemd > 204 %{?systemd_requires} %else # no systemd (the init-script requires lsof) @@ -72,11 +68,11 @@ Requires: lsof Requires: syslog %endif %if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 -BuildRequires: python-pyinotify -Requires: python-pyinotify +BuildRequires: python-pyinotify >= 0.8.3 +Requires: python-pyinotify >= 0.8.3 %endif %if 0%{?suse_version} >= 1220 -Requires: python-gamin +Requires: python-gamin >= 0.0.21 %endif %description @@ -126,14 +122,13 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py %patch100 -%patch101 -%patch102 -p1 -%patch103 -p1 +%patch101 -p1 %if 0%{?suse_version} < 1310 %patch200 -p1 %endif -rm config/paths-debian.conf \ +rm config/paths-arch.conf \ + config/paths-debian.conf \ config/paths-fedora.conf \ config/paths-freebsd.conf \ config/paths-osx.conf @@ -175,7 +170,7 @@ install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name} %if 0%{?suse_version} >= 1230 # systemd install -d -m 755 %{buildroot}%{_unitdir} -install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service +install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/ install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
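Review bot: In the `@@ -175,7 +170,7 @@` hunk the file `files/%{name}.service.in` is installed directly as the unit, so the result is only valid while fail2ban-opensuse-service.patch rewrites every `@BINDIR@` placeholder by hand; the `.in` suffix suggests upstream expects a substitution step that this spec bypasses. If a later upstream release adds another placeholder to the template, the package would still build and install, but the service would fail to start and the host would silently lose its banning. A guard before the install line would turn that into a build failure, for example `if grep -q '@[A-Z][A-Z]*@' files/%{name}.service.in; then exit 1; fi`. The %install section starts and ends outside this hunk.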