Accepting request 369600 from home:weberho:branches:security

- Update to version 0.9.4
- Defined services which per default uses systemd logger
- The update to this versions allow to close boo#917818, as the logger-backends for several services are now centrally set in /etc/fail2ban/paths-opensuse.conf

OBS-URL: https://build.opensuse.org/request/show/369600
OBS-URL: https://build.opensuse.org/package/show/security/fail2ban?expand=0&rev=69

fail2ban-0.9.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b3a0793d9ed3b4e341e568388c65bb07a904f77ac8044186376cab3e58e5b2c9
-size 321920

fail2ban-0.9.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:870b99dd0110f10d705d0ca5743d42d358e0b5a0a4de8b69ed1d41b40dd98fa4
+size 335532

fail2ban-exclude-dev-log-tests.patch

@@ -1,58 +0,0 @@
-diff -ur fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py fail2ban-0.9.2/fail2ban/tests/servertestcase.py
---- fail2ban-0.9.2-orig/fail2ban/tests/servertestcase.py	2015-04-29 05:52:48.000000000 +0200
-+++ fail2ban-0.9.2/fail2ban/tests/servertestcase.py	2015-05-08 15:57:57.021437562 +0200
-@@ -778,32 +778,32 @@
- 		self.setGetTest("logtarget", "STDOUT")
- 		self.setGetTest("logtarget", "STDERR")
- 
--	def testLogTargetSYSLOG(self):
--		if not os.path.exists("/dev/log") and sys.version_info >= (2, 7):
--			raise unittest.SkipTest("'/dev/log' not present")
--		elif not os.path.exists("/dev/log"):
--			return
--		self.assertTrue(self.server.getSyslogSocket(), "auto")
--		self.setGetTest("logtarget", "SYSLOG")
--		self.assertTrue(self.server.getSyslogSocket(), "/dev/log")
-+#	def testLogTargetSYSLOG(self):
-+#		if not os.path.exists("/dev/log") and sys.version_info >= (2, 7):
-+#			raise unittest.SkipTest("'/dev/log' not present")
-+#		elif not os.path.exists("/dev/log"):
-+#			return
-+#		self.assertTrue(self.server.getSyslogSocket(), "auto")
-+#		self.setGetTest("logtarget", "SYSLOG")
-+#		self.assertTrue(self.server.getSyslogSocket(), "/dev/log")
- 
- 	def testSyslogSocket(self):
- 		self.setGetTest("syslogsocket", "/dev/log/NEW/PATH")
- 
--	def testSyslogSocketNOK(self):
--		self.setGetTest("syslogsocket", "/this/path/should/not/exist")
--		self.setGetTestNOK("logtarget", "SYSLOG")
--		# set back for other tests
--		self.setGetTest("syslogsocket", "/dev/log")
--		self.setGetTest("logtarget", "SYSLOG",
--			**{True: {},    # should work on Linux
--			   False: dict( # expect to fail otherwise
--				   outCode=1,
--				   outValue=Exception('Failed to change log target'),
--				   repr_=True # Exceptions are not comparable apparently
--                                  )
--			  }[platform.system() in ('Linux',) and os.path.exists('/dev/log')]
--		)
-+#	def testSyslogSocketNOK(self):
-+#		self.setGetTest("syslogsocket", "/this/path/should/not/exist")
-+#		self.setGetTestNOK("logtarget", "SYSLOG")
-+#		# set back for other tests
-+#		self.setGetTest("syslogsocket", "/dev/log")
-+#		self.setGetTest("logtarget", "SYSLOG",
-+#			**{True: {},    # should work on Linux
-+#			   False: dict( # expect to fail otherwise
-+#				   outCode=1,
-+#				   outValue=Exception('Failed to change log target'),
-+#				   repr_=True # Exceptions are not comparable apparently
-+#                                  )
-+#			  }[platform.system() in ('Linux',) and os.path.exists('/dev/log')]
-+#		)
- 
- 	def testLogLevel(self):
- 		self.setGetTest("loglevel", "HEAVYDEBUG")

fail2ban-opensuse-locations.patch

@@ -1,16 +1,7 @@
-diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf
---- fail2ban-0.9.3-orig/config/jail.conf	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/config/jail.conf	2015-08-26 14:39:57.561851833 +0200
-@@ -348,7 +348,7 @@
- [roundcube-auth]
- 
- port     = http,https
--logpath  = logpath = %(roundcube_errors_log)s
-+logpath  = %(roundcube_errors_log)s
- 
- 
- [openwebmail]
-@@ -628,7 +628,7 @@
+diff -Nur fail2ban-0.9.4-orig/config/jail.conf fail2ban-0.9.4/config/jail.conf
+--- fail2ban-0.9.4-orig/config/jail.conf	2016-03-08 03:50:10.000000000 +0100
++++ fail2ban-0.9.4/config/jail.conf	2016-03-10 09:38:46.382071358 +0100
+@@ -669,7 +669,7 @@
  # filter   = named-refused
  # port     = domain,953
  # protocol = udp
@@ -19,7 +10,7 @@ diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf
  
  # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  # This jail blocks TCP traffic for DNS requests.
-@@ -636,7 +636,7 @@
+@@ -677,7 +677,7 @@
  [named-refused]
  
  port     = domain,953
@@ -28,12 +19,12 @@ diff -ur fail2ban-0.9.3-orig/config/jail.conf fail2ban-0.9.3/config/jail.conf
  
  
  [nsd]
-diff -ur fail2ban-0.9.3-orig/config/paths-common.conf fail2ban-0.9.3/config/paths-common.conf
---- fail2ban-0.9.3-orig/config/paths-common.conf	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/config/paths-common.conf	2015-08-26 14:40:58.187091888 +0200
-@@ -62,7 +62,7 @@
- 
+diff -Nur fail2ban-0.9.4-orig/config/paths-common.conf fail2ban-0.9.4/config/paths-common.conf
+--- fail2ban-0.9.4-orig/config/paths-common.conf	2016-03-08 03:50:10.000000000 +0100
++++ fail2ban-0.9.4/config/paths-common.conf	2016-03-10 09:36:00.690852425 +0100
+@@ -74,7 +74,7 @@
  mysql_log = %(syslog_daemon)s
+ mysql_backend = %(default_backend)s
  
 -roundcube_errors_log = /var/log/roundcube/errors
 +roundcube_errors_log = /srv/www/roundcubemail/logs/errors

fail2ban-opensuse-service.patch

@@ -1,12 +1,14 @@
-diff -ur fail2ban-0.9.2-orig/files/fail2ban.service fail2ban-0.9.2/files/fail2ban.service
---- fail2ban-0.9.2-orig/files/fail2ban.service	2015-04-29 05:52:48.000000000 +0200
-+++ fail2ban-0.9.2/files/fail2ban.service	2015-05-07 10:52:04.187045581 +0200
-@@ -1,11 +1,12 @@
+diff -Nur fail2ban-0.9.4-orig/files/fail2ban.service fail2ban-0.9.4/files/fail2ban.service
+--- fail2ban-0.9.4-orig/files/fail2ban.service	2016-03-08 03:50:10.000000000 +0100
++++ fail2ban-0.9.4/files/fail2ban.service	2016-03-10 10:33:48.834063007 +0100
+@@ -1,12 +1,13 @@
  [Unit]
  Description=Fail2Ban Service
  Documentation=man:fail2ban(1)
 -After=network.target iptables.service firewalld.service
+-PartOf=iptables.service firewalld.service
 +After=network.target SuSEfirewall2.service
++PartOf=SuSEfirewall2.service
  
  [Service]
  Type=forking

fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch

@@ -1,120 +0,0 @@
-Only in fail2ban-0.9.3/: ChangeLog.orig
-diff -ur fail2ban-0.9.3.orig/fail2ban/server/action.py fail2ban-0.9.3/fail2ban/server/action.py
---- fail2ban-0.9.3.orig/fail2ban/server/action.py	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/fail2ban/server/action.py	2015-09-23 11:54:38.066927465 +0200
-@@ -560,32 +560,33 @@
- 			return True
- 
- 		_cmd_lock.acquire()
--		try: # Try wrapped within another try needed for python version < 2.5
-+		try:
-+			retcode = None  # to guarantee being defined upon early except
- 			stdout = tempfile.TemporaryFile(suffix=".stdout", prefix="fai2ban_")
- 			stderr = tempfile.TemporaryFile(suffix=".stderr", prefix="fai2ban_")
--			try:
--				popen = subprocess.Popen(
--					realCmd, stdout=stdout, stderr=stderr, shell=True,
--					preexec_fn=os.setsid  # so that killpg does not kill our process
--				)
--				stime = time.time()
-+
-+			popen = subprocess.Popen(
-+				realCmd, stdout=stdout, stderr=stderr, shell=True,
-+				preexec_fn=os.setsid  # so that killpg does not kill our process
-+			)
-+			stime = time.time()
-+			retcode = popen.poll()
-+			while time.time() - stime <= timeout and retcode is None:
-+				time.sleep(0.1)
- 				retcode = popen.poll()
--				while time.time() - stime <= timeout and retcode is None:
--					time.sleep(0.1)
--					retcode = popen.poll()
--				if retcode is None:
--					logSys.error("%s -- timed out after %i seconds." %
--						(realCmd, timeout))
--					pgid = os.getpgid(popen.pid)
--					os.killpg(pgid, signal.SIGTERM)  # Terminate the process
-+			if retcode is None:
-+				logSys.error("%s -- timed out after %i seconds." %
-+				    (realCmd, timeout))
-+				pgid = os.getpgid(popen.pid)
-+				os.killpg(pgid, signal.SIGTERM)  # Terminate the process
-+				time.sleep(0.1)
-+				retcode = popen.poll()
-+				if retcode is None:  # Still going...
-+					os.killpg(pgid, signal.SIGKILL)  # Kill the process
- 					time.sleep(0.1)
- 					retcode = popen.poll()
--					if retcode is None: # Still going...
--						os.killpg(pgid, signal.SIGKILL)  # Kill the process
--						time.sleep(0.1)
--						retcode = popen.poll()
--			except OSError, e:
--				logSys.error("%s -- failed with %s" % (realCmd, e))
-+		except OSError as e:
-+			logSys.error("%s -- failed with %s" % (realCmd, e))
- 		finally:
- 			_cmd_lock.release()
- 
-@@ -603,15 +604,16 @@
- 			return True
- 		elif retcode is None:
- 			logSys.error("%s -- unable to kill PID %i" % (realCmd, popen.pid))
--		elif retcode < 0:
--			logSys.error("%s -- killed with %s" %
--				(realCmd, signame.get(-retcode, "signal %i" % -retcode)))
-+		elif retcode < 0 or retcode > 128:
-+			# dash would return negative while bash 128 + n
-+			sigcode = -retcode if retcode < 0 else retcode - 128
-+			logSys.error("%s -- killed with %s (return code: %s)" %
-+				(realCmd, signame.get(sigcode, "signal %i" % sigcode), retcode))
- 		else:
- 			msg = _RETCODE_HINTS.get(retcode, None)
- 			logSys.error("%s -- returned %i" % (realCmd, retcode))
- 			if msg:
- 				logSys.info("HINT on %i: %s"
- 							% (retcode, msg % locals()))
--			return False
--		raise RuntimeError("Command execution failed: %s" % realCmd)
-+		return False
- 
-diff -ur fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py fail2ban-0.9.3/fail2ban/tests/actiontestcase.py
---- fail2ban-0.9.3.orig/fail2ban/tests/actiontestcase.py	2015-08-01 03:32:13.000000000 +0200
-+++ fail2ban-0.9.3/fail2ban/tests/actiontestcase.py	2015-09-23 11:54:38.074927626 +0200
-@@ -196,11 +196,10 @@
- 	def testExecuteTimeout(self):
- 		stime = time.time()
- 		# Should take a minute
--		self.assertRaises(
--			RuntimeError, CommandAction.executeCmd, 'sleep 60', timeout=2)
-+		self.assertFalse(CommandAction.executeCmd('sleep 60', timeout=2))
- 		# give a test still 1 second, because system could be too busy
- 		self.assertTrue(time.time() >= stime + 2 and time.time() <= stime + 3)
--		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds') 
-+		self.assertTrue(self._is_logged('sleep 60 -- timed out after 2 seconds')
- 			or self._is_logged('sleep 60 -- timed out after 3 seconds'))
- 		self.assertTrue(self._is_logged('sleep 60 -- killed with SIGTERM'))
- 
-@@ -222,17 +221,16 @@
- 				return int(f.read())
- 
- 		# First test if can kill the bastard
--		self.assertRaises(
--			RuntimeError, CommandAction.executeCmd, 'bash %s' % tmpFilename, timeout=.1)
-+		self.assertFalse(CommandAction.executeCmd(
-+		                 'bash %s' % tmpFilename, timeout=.1))
- 		# Verify that the proccess itself got killed
- 		self.assertFalse(pid_exists(getnastypid()))  # process should have been killed
- 		self.assertTrue(self._is_logged('timed out'))
- 		self.assertTrue(self._is_logged('killed with SIGTERM'))
- 
- 		# A bit evolved case even though, previous test already tests killing children processes
--		self.assertRaises(
--			RuntimeError, CommandAction.executeCmd, 'out=`bash %s`; echo ALRIGHT' % tmpFilename,
--			timeout=.2)
-+		self.assertFalse(CommandAction.executeCmd(
-+			'out=`bash %s`; echo ALRIGHT' % tmpFilename, timeout=.2))
- 		# Verify that the proccess itself got killed
- 		self.assertFalse(pid_exists(getnastypid()))
- 		self.assertTrue(self._is_logged('timed out'))

fail2ban.changes

@@ -1,3 +1,99 @@
+-------------------------------------------------------------------
+Thu Mar 10 10:58:53 UTC 2016 - jweberhofer@weberhofer.at
+
+- Removed patch: fail2ban-exclude-dev-log-tests.patch
+- Removed patch: fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
+- rebased other patches
+- Defined services which per default uses systemd logger
+- Provide /usr/sbin/rcfail2ban also on systemd based distros
+
+- All files in /etc/fail2ban/ except jail.local are now automatically replaced
+  upon installation of fail2ban
+
+- The update to this versions allow to close boo#917818, as the logger-backends for
+  several services are now centrally set in /etc/fail2ban/paths-opensuse.conf
+
+- Update to version 0.9.4
+  New Features:
+   * New interpolation feature for definition config readers - `<known/parameter>`
+     (means last known init definition of filters or actions with name `parameter`).
+     This interpolation makes possible to extend a parameters of stock filter or 
+     action directly in jail inside jail.local file, without creating a separately
+     filter.d/*.local file.
+     As extension to interpolation `%(known/parameter)s`, that does not works for
+     filter and action init parameters
+   * New actions:
+     - nftables-multiport and nftables-allports - filtering using nftables
+       framework. Note: it requires a pre-existing chain for the filtering rule.
+   * New filters:
+     - openhab - domotic software authentication failure with the
+       rest api and web interface (gh-1223)
+     - nginx-limit-req - ban hosts, that were failed through nginx by limit
+       request processing rate (ngx_http_limit_req_module)
+     - murmur - ban hosts that repeatedly attempt to connect to
+       murmur/mumble-server with an invalid server password or certificate.
+     - haproxy-http-auth - filter to match failed HTTP Authentications against a
+       HAProxy server
+   * New jails:
+     - murmur - bans TCP and UDP from the bad host on the default murmur port.
+   * sshd filter got new failregex to match "maximum authentication
+     attempts exceeded" (introduced in openssh 6.8)
+   * Added filter for Mac OS screen sharing (VNC) daemon
+
+  Enhancements:
+   * Do not rotate empty log files
+   * Added new date pattern with year after day (e.g. Sun Jan 23 2005 21:59:59)
+     http://bugs.debian.org/798923
+   * Added openSUSE path configuration (Thanks Johannes Weberhofer)
+   * Allow to split ignoreip entries by ',' as well as by ' ' (gh-1197)
+   * Added a timeout (3 sec) to urlopen within badips.py action
+     (Thanks M. Maraun)
+   * Added check against atacker's Googlebot PTR fake records
+     (Thanks Pablo Rodriguez Fernandez)
+   * Enhance filter against atacker's Googlebot PTR fake records
+     (gh-1226)
+   * Nginx log paths extended (prefixed with "*" wildcard) (gh-1237)
+   * Added filter for openhab domotic software authentication failure with the
+     rest api and web interface (gh-1223)
+   * Add *_backend options for services to allow distros to set the default
+     backend per service, set default to systemd for Fedora as appropriate
+   * Performance improvements while monitoring large number of files (gh-1265).
+     Use associative array (dict) for monitored log files to speed up lookup 
+     operations. Thanks @kshetragia
+   * Specified that fail2ban is PartOf iptables.service firewalld.service in
+     .service file -- would reload fail2ban if those services are restarted
+   * Provides new default `fail2ban_version` and interpolation variable
+     `fail2ban_agent` in jail.conf
+   * Enhance filter 'postfix' to ban incoming SMTP client with no fqdn hostname,
+     and to support multiple instances of postfix having varying suffix (gh-1331)
+     (Thanks Tom Hendrikx)
+   * files/gentoo-initd to use start-stop-daemon to robustify restarting the service
+
+  Fixes:
+   * roundcube-auth jail typo for logpath
+   * Fix dnsToIp resolver for fqdn with large list of IPs (gh-1164)
+   * filter.d/apache-badbots.conf
+     - Updated useragent string regex adding escape for `+`
+   * filter.d/mysqld-auth.conf
+ gg  - Updated "Access denied ..." regex for MySQL 5.6 and later (gh-1211, gh-1332)
+   * filter.d/sshd.conf
+     - Updated "Auth fail" regex for OpenSSH 5.9 and later
+   * Treat failed and killed execution of commands identically (only
+     different log messages), which addresses different behavior on different
+     exit codes of dash and bash (gh-1155)
+   * Fix jail.conf.5 man's section (gh-1226)
+   * Fixed default banaction for allports jails like pam-generic, recidive, etc
+     with new default variable `banaction_allports` (gh-1216)
+   * Fixed `fail2ban-regex` stops working on invalid (wrong encoded) character
+     for python version < 3.x (gh-1248)
+   * Use postfix_log logpath for postfix-rbl jail
+   * filters.d/postfix.conf - add 'Sender address rejected: Domain not found' failregex
+   * use `fail2ban_agent` as user-agent in actions badips, blocklist_de, etc (gh-1271)
+   * Fix ignoring the sender option by action_mw, action_mwl and action_c_mwl
+   * Changed filter.d/asterisk regex for "Call from ..." (few vulnerable now)
+   * Removed compression and rotation count from logrotate (inherit them from
+     the global logrotate config)
+
 -------------------------------------------------------------------
 Thu Feb  4 15:50:38 UTC 2016 - jweberhofer@weberhofer.at
 

fail2ban.spec

@@ -17,7 +17,7 @@
 
 
 Name:           fail2ban
-Version:        0.9.3
+Version:        0.9.4
 Release:        0
 Summary:        Bans IP addresses that make too many authentication failures
 License:        GPL-2.0+
@@ -37,12 +37,8 @@ Source200:      %{name}-rpmlintrc
 Patch100:       fail2ban-opensuse-locations.patch
 # PATCH-FIX-OPENSUSE fail2ban-opensuse-service.patch jweberhofer@weberhofer.at -- openSUSE modifications to the service file
 Patch101:       fail2ban-opensuse-service.patch
-# PATCH-FIX-UPSTREAM fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch jweberhofer@weberhofer.at -- fix failing test
-Patch102:       fail2ban-upstream-fix-ExecuteTimeoutWithNastyChildren-test.patch
 # PATCH-FIX-OPENSUSE fail2ban-disable-iptables-w-option.patch jweberhofer@weberhofer.at -- disable iptables "-w" option for older releases
 Patch200:       fail2ban-disable-iptables-w-option.patch
-# PATCH-FIX-OPENSUSE fail2ban-exclude-dev-log-tests.patch jweberhofer@weberhofer.at -- remove tests that can't work on opensuse < 13.3
-Patch201:       fail2ban-exclude-dev-log-tests.patch
 BuildRequires:  fdupes
 BuildRequires:  logrotate
 BuildRequires:  python-devel
@@ -121,13 +117,9 @@ sed -i -e 's/^before = paths-.*/before = paths-opensuse.conf/' config/jail.conf
 
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
 %if 0%{?suse_version} < 1310
 %patch200 -p1
 %endif
-%if 0%{?suse_version} < 1321
-%patch201 -p1
-%endif
 
 rm 	config/paths-debian.conf \
 	config/paths-fedora.conf \
@@ -137,6 +129,11 @@ rm 	config/paths-debian.conf \
 # correct doc-path
 sed -i -e 's|%{_datadir}/doc/fail2ban|%{_docdir}/%{name}|' setup.py
 
+# remove syslogd-logger settings for older distributions
+%if 0%{?suse_version} < 1230
+sed -i -e 's|^\([^_]*_backend = systemd\)|#\1|' config/paths-opensuse.conf
+%endif
+
 %build
 export CFLAGS="%{optflags}"
 python setup.py build
@@ -171,7 +168,7 @@ install -p -m 644 files/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
 install -d -m 755 %{buildroot}%{_libexecdir}/tmpfiles.d/
 install -p -m 644 %{SOURCE5} %{buildroot}%{_libexecdir}/tmpfiles.d/%{name}.conf
 
-sed -i -e 's/^backend = auto/backend = systemd/' %{buildroot}%{_sysconfdir}/%{name}/paths-opensuse.conf
+ln -sf service %{buildroot}%{_sbindir}/rc%{name}
 
 %else
 # without systemd
@@ -180,6 +177,8 @@ install -m 755 files/suse-initd %{buildroot}%{_initddir}/%{name}
 ln -sf %{_initddir}/%{name} %{buildroot}%{_sbindir}/rc%{name}
 %endif
 
+echo "# Do all your modifications to the jail's configuration in jail.local!" > %{buildroot}%{_sysconfdir}/%{name}/jail.local
+
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 
 install -d -m 755 %{buildroot}%{_localstatedir}/adm/fillup-templates
@@ -220,7 +219,9 @@ export LANG=en_US.UTF-8
 %post
 %fillup_only
 %if 0%{?suse_version} >= 1230
-systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
+systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf
+# The next line is not workin in Leap 42.1, so keep the old way
+#%%tmpfiles_create %%{_tmpfilesdir}/%%{name}.conf
 %service_add_post %{name}.service
 %endif
 
@@ -249,7 +250,22 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 
 %files
 %defattr(-, root, root)
-%config(noreplace) %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}
+%dir %{_sysconfdir}/%{name}/action.d
+%dir %{_sysconfdir}/%{name}/fail2ban.d
+%dir %{_sysconfdir}/%{name}/filter.d
+%dir %{_sysconfdir}/%{name}/jail.d
+#
+%config %{_sysconfdir}/%{name}/action.d/*
+%config %{_sysconfdir}/%{name}/filter.d/*
+#
+%config %{_sysconfdir}/%{name}/fail2ban.conf
+%config %{_sysconfdir}/%{name}/jail.conf
+%config %{_sysconfdir}/%{name}/paths-common.conf
+%config %{_sysconfdir}/%{name}/paths-opensuse.conf
+#
+%config(noreplace) %{_sysconfdir}/%{name}/jail.local
+#
 %config %{_sysconfdir}/logrotate.d/fail2ban
 %dir %{_localstatedir}/lib/fail2ban/
 %if 0%{?suse_version} > 1310
@@ -262,12 +278,12 @@ systemd-tmpfiles --create %{_libexecdir}/tmpfiles.d/%{name}.conf
 %if 0%{?suse_version} >= 1230
 # systemd
 %{_unitdir}/%{name}.service
-%{_libexecdir}/tmpfiles.d/%{name}.conf
+%{_tmpfilesdir}/%{name}.conf
 %else
 # without-systemd
 %{_initddir}/%{name}
-%{_sbindir}/rc%{name}
 %endif
+%{_sbindir}/rc%{name}
 %{_bindir}/fail2ban-server
 %{_bindir}/fail2ban-client
 %{_bindir}/fail2ban-regex

paths-opensuse.conf

@@ -36,3 +36,15 @@ mysql_log = /var/log/mysql/mysqld.log
 roundcube_errors_log = /srv/www/roundcubemail/logs/errors
 
 solidpop3d_log = %(syslog_mail)s
+
+# These services will log to the journal via syslog, so use the journal by
+# default.
+syslog_backend = systemd
+sshd_backend = systemd
+dropbear_backend = systemd
+proftpd_backend = systemd
+pureftpd_backend = systemd
+wuftpd_backend = systemd
+postfix_backend = systemd
+dovecot_backend = systemd
+mysql_backend = systemd