rpm/fail2ban
SHA256
1
0
Fork 0
forked from pool/fail2ban
Code Pull Requests Activity

Accepting request 537301 from security

Browse Source 
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/537301
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/fail2ban?expand=0&rev=50
This commit is contained in:
Dominique Leuenberger 2017-10-29 19:24:39 +00:00 committed by Git OBS Bridge
commit 34326b1e39
7 changed files with 88 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
1783.patch
View File

@ -1,50 +0,0 @@
diff -ur fail2ban-0.9.7-orig/config/filter.d/roundcube-auth.conf fail2ban-0.9.7/config/filter.d/roundcube-auth.conf
--- fail2ban-0.9.7-orig/config/filter.d/roundcube-auth.conf 2017-05-11 03:38:57.000000000 +0200
+++ fail2ban-0.9.7/config/filter.d/roundcube-auth.conf 2017-06-26 16:57:15.171337942 +0200
@@ -7,16 +7,30 @@
# The logpath in your jail can be updated to userlogins if you wish
#
+
+[Definition]
+# Fail2Ban configuration file for roundcube web server authentication failures
+#
+# When you enable systemd-logging, this filter needs "$config['log_driver']" set
+# to "syslog" in the roundcube configuration
+#
+
[INCLUDES]
before = common.conf
[Definition]
-failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
- ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
+prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?:
+
+failregex = %(prefregex)s (?:FAILED login|Login failed) for (?P<user>.*) from <HOST>(\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
+ %(prefregex)s (?:<[\w]+> )?Failed login for (?P<user>.*) from <HOST> in session \w+( \(error: \d\))?$
+
+ignoreregex =
+
+[Init]
+journalmatch = SYSLOG_IDENTIFIER=roundcube
-ignoreregex =
# DEV Notes:
#
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
diff -ur fail2ban-0.9.7-orig/config/jail.conf fail2ban-0.9.7/config/jail.conf
--- fail2ban-0.9.7-orig/config/jail.conf 2017-05-11 03:38:57.000000000 +0200
+++ fail2ban-0.9.7/config/jail.conf 2017-06-26 10:37:10.200062390 +0200
@@ -379,7 +379,8 @@
port = http,https
logpath = %(roundcube_errors_log)s
-
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
[openwebmail]

34
607568f.patch
View File

@ -1,34 +0,0 @@
From 607568f5da9e6b962c43d59280d72bd678c08afa Mon Sep 17 00:00:00 2001
From: Filippo Tessarotto <zoeslam@gmail.com>
Date: Tue, 7 Feb 2017 12:58:04 +0100
Subject: [PATCH] Postfix RBL: 554 & SMTP
---
config/filter.d/postfix-rbl.conf | 2 +-
fail2ban/tests/files/logs/postfix-rbl | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/config/filter.d/postfix-rbl.conf b/config/filter.d/postfix-rbl.conf
index c3f8c33..0a9078f 100644
--- a/config/filter.d/postfix-rbl.conf
+++ b/config/filter.d/postfix-rbl.conf
@@ -12,7 +12,7 @@ before = common.conf
_daemon = postfix(-\w+)?/smtpd
-failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
+failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
ignoreregex =
diff --git a/fail2ban/tests/files/logs/postfix-rbl b/fail2ban/tests/files/logs/postfix-rbl
index eff01bf..6aeac03 100644
--- a/fail2ban/tests/files/logs/postfix-rbl
+++ b/fail2ban/tests/files/logs/postfix-rbl
@@ -3,3 +3,6 @@ Dec 30 18:19:15 xxx postfix/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.examp
# failJSON: { "time": "2004-12-30T18:19:15", "match": true , "host": "93.184.216.34" }
Dec 30 18:19:15 xxx postfix-incoming/smtpd[1574]: NOQUEUE: reject: RCPT from badguy.example.com[93.184.216.34]: 454 4.7.1 Service unavailable; Client host [93.184.216.34] blocked using rbl.example.com; http://www.example.com/query?ip=93.184.216.34; from=<spammer@example.com> to=<goodguy@example.com> proto=ESMTP helo=<badguy.example.com>
+
+# failJSON: { "time": "2005-02-07T12:25:45", "match": true , "host": "87.236.233.182" }
+Feb 7 12:25:45 xxx12345 postfix/smtpd[13275]: NOQUEUE: reject: RCPT from unknown[87.236.233.182]: 554 5.7.1 Service unavailable; Client host [87.236.233.182] blocked using rbl.example.com; https://www.example.com/query/ip/87.236.233.182; from=<spammer@example.com> to=<goodguy@example.com> proto=SMTP helo=<WIN-5N8GBBS0R5I>

3
fail2ban-0.10.1.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:19bac652e50f35b3b58ea010c2b89b91b945365d37dbf17467e0dc345c058465
size 465156

3
fail2ban-0.9.7.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2817eb0d4f670bef2a79a5a9cfb824b41a4445f5a92a307a453ac95f497c7440
size 356374

31
fail2ban-opensuse-service.patch
View File

@ -1,21 +1,28 @@
Index: files/fail2ban.service diff -ur fail2ban-0.10.1.orig/files/fail2ban.service.in fail2ban-0.10.1/files/fail2ban.service.in
=================================================================== --- fail2ban-0.10.1.orig/files/fail2ban.service.in 2017-10-12 13:46:46.000000000 +0200
--- files/fail2ban.service.orig +++ fail2ban-0.10.1/files/fail2ban.service.in 2017-10-21 07:33:59.289164729 +0200
+++ files/fail2ban.service @@ -1,17 +1,18 @@
@@ -1,12 +1,13 @@
[Unit] [Unit]
Description=Fail2Ban Service Description=Fail2Ban Service
Documentation=man:fail2ban(1) Documentation=man:fail2ban(1)
-After=network.target iptables.service firewalld.service -After=network.target iptables.service firewalld.service
-PartOf=iptables.service firewalld.service -PartOf=iptables.service firewalld.service
+After=network.target SuSEfirewall2.service +After=network.target iptables.service firewalld.service SuSEfirewall2.service
+PartOf=SuSEfirewall2.service +PartOf=iptables.service firewalld.service SuSEfirewall2.service
[Service] [Service]
Type=forking Type=simple
-ExecStart=/usr/bin/fail2ban-client -x start
+EnvironmentFile=-/etc/sysconfig/fail2ban +EnvironmentFile=-/etc/sysconfig/fail2ban
+ExecStart=/usr/bin/fail2ban-client -x $FAIL2BAN_OPTIONS start ExecStartPre=/bin/mkdir -p /var/run/fail2ban
ExecStop=/usr/bin/fail2ban-client stop -ExecStart=@BINDIR@/fail2ban-server -xf start
ExecReload=/usr/bin/fail2ban-client reload +ExecStart=/usr/bin/fail2ban-server -xf $FAIL2BAN_OPTIONS start
# if should be logged in systemd journal, use following line or set logtarget to stdout in fail2ban.local
-# ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=stdout start
-ExecStop=@BINDIR@/fail2ban-client stop
-ExecReload=@BINDIR@/fail2ban-client reload
+# ExecStart=/usr/bin/fail2ban-server -xf --logtarget=stdout start
+ExecStop=/usr/bin/fail2ban-client stop
+ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=on-failure
RestartPreventExitStatus=0 255

56
fail2ban.changes
View File

@ -1,3 +1,59 @@
-------------------------------------------------------------------
Sat Oct 21 04:43:44 UTC 2017 - jweberhofer@weberhofer.at
- Updated to version 0.10.1. Changelog:
https://github.com/fail2ban/fail2ban/blob/0.10/ChangeLog
- Removed 607568f.patch and 1783.patch
- New features:
* IPv6 support
- IP addresses are now handled as objects rather than strings capable for
handling both address types IPv4 and IPv6
- iptables related actions have been amended to support IPv6 specific actions
additionally
- hostsdeny and route actions have been tested to be aware of v4 and v6 already
- pf action for *BSD systems has been improved and supports now also v4 and v6
- name resolution is now working for either address type
- new conditional section functionality used in config resp. includes:
- [Init?family=inet4] - IPv4 qualified hosts only
- [Init?family=inet6] - IPv6 qualified hosts only
* Reporting via abuseipdb.com
- Bans can now be reported to abuseipdb
- Catagories must be set in the config
- Relevant log lines included in report
* Several commands extended and new commands introduced
* Implemented execution of `actionstart` on demand
* nftables actions are IPv6-capable now
* Introduced new filter option `prefregex` for pre-filtering using single regular expression
* Many times faster because of several optimizations
* Several filters optimized
* Introduced new jail option "ignoreself"
- Lots of fixes and internal improvements
- Incompatibitilities:
* Filter (or `failregex`) internal capture-groups:
- If you've your own `failregex` or custom filters using conditional match `(?P=host)`, you should
rewrite the regex like in example below resp. using `(?:(?P=ip4)|(?P=ip6)` instead of `(?P=host)`
(or `(?:(?P=ip4)|(?P=ip6)|(?P=dns))` corresponding your `usedns` and `raw` settings).
Of course you can always your own capture-group (like below `_cond_ip_`) to do this.
```
testln="1500000000 failure from 192.0.2.1: bad host 192.0.2.1"
fail2ban-regex "$testln" "^\s*failure from (?P<_cond_ip_><HOST>): bad host (?P=_cond_ip_)$"
```
- New internal groups (currently reserved for internal usage):
`ip4`, `ip6`, `dns`, `fid`, `fport`, additionally `user` and another captures in lower case if
mapping from tag `<F-*>` used in failregex (e. g. `user` by `<F-USER>`).
* v.0.10 uses more precise date template handling, that can be theoretically incompatible to some
user configurations resp. `datepattern`.
* Since v0.10 fail2ban supports the matching of the IPv6 addresses, but not all ban actions are
IPv6-capable now.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at Mon Jun 26 07:23:57 UTC 2017 - jweberhofer@weberhofer.at

25
fail2ban.spec
View File

@ -18,7 +18,7 @@
%{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create} %{!?tmpfiles_create:%global tmpfiles_create systemd-tmpfiles --create}
Name: fail2ban Name: fail2ban
Version: 0.9.7 Version: 0.10.1
Release: 0 Release: 0
Summary: Bans IP addresses that make too many authentication failures Summary: Bans IP addresses that make too many authentication failures
License: GPL-2.0+ License: GPL-2.0+
@ -38,10 +38,6 @@ Source200: %{name}-rpmlintrc
Patch100: %{name}-opensuse-locations.patch Patch100: %{name}-opensuse-locations.patch
# PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
Patch101: %{name}-opensuse-service.patch Patch101: %{name}-opensuse-service.patch
# PATCH-UPSTREAM 607568f.patch bnc#1036928 jweberhofer@weberhofer.at -- Postfix RBL: 554 & SMTP
Patch102: 607568f.patch
# PATCH-UPSTREAM 1783.patch jweberhofer@weberhofer.at -- Updated roundcube authentication filter
Patch103: 1783.patch
# PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
Patch200: %{name}-disable-iptables-w-option.patch Patch200: %{name}-disable-iptables-w-option.patch
BuildRequires: fdupes BuildRequires: fdupes
@ -53,7 +49,7 @@ Requires: cron
Requires: ed Requires: ed
Requires: iptables Requires: iptables
Requires: logrotate Requires: logrotate
Requires: python >= 2.5 Requires: python >= 2.6
Requires: whois Requires: whois
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if 0%{?suse_version} != 1110 %if 0%{?suse_version} != 1110
@ -64,7 +60,7 @@ BuildArch: noarch
BuildRequires: python-systemd BuildRequires: python-systemd
BuildRequires: systemd BuildRequires: systemd
Requires: python-systemd Requires: python-systemd
Requires: systemd Requires: systemd > 204
%{?systemd_requires} %{?systemd_requires}
%else %else
# no systemd (the init-script requires lsof) # no systemd (the init-script requires lsof)
@ -72,11 +68,11 @@ Requires: lsof
Requires: syslog Requires: syslog
%endif %endif
%if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315 %if 0%{?suse_version} >= 1140 && 0%{?suse_version} != 1010 && 0%{?suse_version} != 1110 && 0%{?suse_version} != 1315
BuildRequires: python-pyinotify BuildRequires: python-pyinotify >= 0.8.3
Requires: python-pyinotify Requires: python-pyinotify >= 0.8.3
%endif %endif
%if 0%{?suse_version} >= 1220 %if 0%{?suse_version} >= 1220
Requires: python-gamin Requires: python-gamin >= 0.0.21
%endif %endif
%description %description
@ -126,14 +122,13 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py sed -i -e '/^#!\/usr\/bin\/python$/d' fail2ban/client/fail2banregex.py
%patch100 %patch100
%patch101 %patch101 -p1
%patch102 -p1
%patch103 -p1
%if 0%{?suse_version} < 1310 %if 0%{?suse_version} < 1310
%patch200 -p1 %patch200 -p1
%endif %endif
rm config/paths-debian.conf \ rm config/paths-arch.conf \
config/paths-debian.conf \
config/paths-fedora.conf \ config/paths-fedora.conf \
config/paths-freebsd.conf \ config/paths-freebsd.conf \
config/paths-osx.conf config/paths-osx.conf
@ -175,7 +170,7 @@ install -d -m 755 %{buildroot}%{_localstatedir}/run/%{name}
%if 0%{?suse_version} >= 1230 %if 0%{?suse_version} >= 1230
# systemd # systemd
install -d -m 755 %{buildroot}%{_unitdir} install -d -m 755 %{buildroot}%{_unitdir}
install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service install -p -m 644 files/%{name}.service.in %{buildroot}%{_unitdir}/%{name}.service
install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/ install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf